Ticket #8538 (new Bug)

Opened 3 years ago

Last modified 3 years ago

TTP view of group membership differs from ZMI view

Reported by: grahamperrin
Owned by:
Priority: major
Milestone: 3.3.x
Component: Infrastructure
Keywords:
Cc: ajgoesele, gabdavhp

Description

Maybe consider this symptom alongside User | Group Memberships | select then remove group | removal fails; site manager is silently misdirected to the wrong user

Through the Plone, I:

  1. browsed a group Freeman Centre seminars
  2. sought perrin
  3. found two LDAP users, selected the required gjp22
  4. added the user to the group.

Wondering whether TTP addition was successful, I took a look through the ZMI.

Contradiction

ZMI view of groups shows that gjp22 is a member of Freeman Centre seminars and two other groups.

TTP view of memberships for gjp22 shows two groups not including Freeman Centre seminars.

Observation

For plone.app.ldap at the time of writing, documentation may be lacking. I'm intentionally not reading materials relating to predecessor product(s) — I shouldn't make summary guesses about differences between products — and so to some degree, it's learning through discovery.

I wonder whether the ZMI list of functions at
/acl_users/ldap/manage_activateInterfacesForm
must be altered to suit our situation (access to this particular LDAP service is read-only). In any case, the contradiction between Plone and ZMI is unexpected/unexplained and certainly

  • without warning to the manager at the time of supposed membership.

Regards
Graham

Attachments

contradiction.png (182.2 KB) - added by grahamperrin 3 years ago.
group can be found but not successfully added TTP.png (39.3 KB) - added by grahamperrin 3 years ago.
Repeated attempts to add the group through the Plone do not succeed.
modified preferences in ZMI view of LDAP acl_users.png (139.6 KB) - added by grahamperrin 3 years ago.
modified preferences in ZMI view of Plone managed LDAP.png (111.1 KB) - added by grahamperrin 3 years ago.

Change History

Changed 3 years ago by grahamperrin

Repeated attempts to add the group through the Plone do not succeed.

comment:1 Changed 3 years ago by grahamperrin

Now, compare the preceding screen shot and observation

  • cannot add group to user, I tried two or three times TTP

with an earlier observation, separate ticket

I wonder whether there is some relationship.

comment:2 Changed 3 years ago by grahamperrin

Since those attempts/experiments I have used ZMI to modify some preferences relating to LDAP. I wonder whether behaviour will improve.

My sense at the moment is that Plone and/or plone.app.ldap might be improved to

  • at least, detect errors as they occur, and warn managers
  • ideally, prevent errors
  • probably, refer from the TTP LDAP control panel to (a) the ZMI and/or (b) documentation.

comment:3 Changed 3 years ago by garbas

  • Owner set to garbas

comment:4 Changed 3 years ago by garbas

  • Owner garbas deleted

comment:5 Changed 3 years ago by grahamperrin

Incidentally, whilst

  1. LDAP: how best to work around duplicate ID issues? remains unanswered in the support forum, and
  2. I use LDAP

it may be impossible for me to /acl_users/source_groups/manage_groups without encountering tracebacks such as this: http://pastebin.ca/1231168

comment:6 Changed 3 years ago by grahamperrin

Repeated attempts to add the group through the Plone do not succeed

That symptom is reaffirmed in Plone 3.1.6.

comment:7 Changed 3 years ago by grahamperrin

See also

ticket:7297, Adding user to group works, adding group to user doesn't.

comment:8 Changed 3 years ago by grahamperrin

See also

ticket:8710, Changes saved is a false statement when a group addition fails without explanation.

comment:9 Changed 3 years ago by grahamperrin

See also

ticket:8557, Nested groups are not shown in prefs_group_members.

Critically

ZMI might suggest that group CENTRIM is a member of group Freeman Centre, but as a member of CENTRIM I am unable to edit in a folder where privileges have been granted to Freeman Centre.

From that observation I assume that group membership must be true through the Plone for membership to be effective.

comment:10 Changed 3 years ago by grahamperrin

  • Milestone changed from 3.x to 3.2

comment:11 Changed 3 years ago by hannosch

  • Priority changed from critical to major
  • Milestone changed from 3.2 to 3.x

comment:12 in reply to: ↑ description Changed 3 years ago by grahamperrin

LDAP users

Elsewhere I find issues that occur only when plone.app.ldap is introduced to the mix.

comment:13 Changed 3 years ago by grahamperrin

Possible workaround

In the following areas of ZMI:

  • /acl_users/ZCacheable_manage — where Pluggable Auth Service apparently defaults to RAMCache
  • /acl_users/ldap/ZCacheable_manage — where Plone LDAP plugin apparently defaults to RAMCache

change both to (None).

comment:14 Changed 3 years ago by grahamperrin

The other changes made today, maybe relevant, are at /acl_users/ldap/manage_activateInterfacesForm:

[√] Authentication (authenticateCredentials)
[ ] Reset Credentials (resetCredentials)
[√] Group_Enumeration (enumerateGroups)
[√] Group_Introspection (getGroupById)
[√] Group_Management (removePrincipalFromGroup)
[√] Groups (getGroupsForPrincipal)
[√] Properties (getPropertiesForUser)
[√] Role_Enumeration (enumerateRoles)
[√] Roles (getRolesForPrincipal)
[√] User_Adder (doAddUser)
[√] User_Enumeration (enumerateUsers)
[√] User_Management (doChangeUser)

(To a degree, without documentation: guesswork.)

comment:15 Changed 3 years ago by hannosch

  • Component changed from Users/Groups to Infrastructure