[Setup] Re: Ldap authentication not restricting users to Plone folders

Nick Davis nd51 at leicester.ac.uk
Wed May 27 11:02:22 UTC 2009

dobrien wrote:

> • I cannot see members of ldap groups through Plone 
If you have "many groups" set , you won't be able to, so that's worth 
checking if thats set (site setup->Groups->settings tab ).

Or better still, go look at a user in Plone, from site setup->users and 
groups->users tab and look at their group memberships. Can you see that 
they're a member of the groups there that you expect from LDAP? If so 
that means things are working OK

> • On sharing tab of Staff folder I have ldap group plonestaff* who Can view 
> • Student Folder has no ldap groups who are allowed entry, only Logged-in
> users which has no  permission checks in boxes 
> • An ldap user in plonestaff* group can get into staff and student areas 
> Plonestaff* Is staff usergroup on Novell eDirectory 
> Ldap group Plonestaff does have Plone Member role. 

I will rephrase to check I understood you correctly.
You've given PloneStaff group just "can view" access in Staff folder, 
and no access in Student Folder ?
If those folders are published, everyone will be able to view it 
regardless of permissions.
ONLY if its private will it be restricted only to people with "can view" 
You say the PloneStaff group has Member role, but that is presumably 
just by virtue that all LDAP users have Member role, if you've set 
Default User roles to "Anonymous,Member" in your LDAP plugin, so that 
sounds like irrelevant info in this case.

If your folders are indeed private, it sounds like it ought to work.

I note you're using Intranet workflow, whereas its more common to stay 
with Plone's default "simple publication workflow" as public facing 
sites are more common than intranet.
More light may be shed on the situation if you tried switching a copy of 
your site to simple publication workflow and see if it works as expected 
Its possible there's some issue with the intranet workflow that most 
people don't encounter due to not using it.
Its also possible there's some issue in Plone 3.2.2, which is fairly new.

Hope this helps,

Nick Davis
Web Application Developer
University of Leicester

More information about the Setup mailing list