Esempio n. 1
0
 def setUp(self):
     from Products.LDAPUserFolder.SimpleCache import SimpleCache
     self.cache = SimpleCache()
     self.cache.setTimeout(0.1)
Esempio n. 2
0
 def setUp(self):
     self.cache = SimpleCache()
     self.cache.setTimeout(0.1)
Esempio n. 3
0
class TestSimpleCache(unittest.TestCase):
    def setUp(self):
        from Products.LDAPUserFolder.SimpleCache import SimpleCache
        self.cache = SimpleCache()
        self.cache.setTimeout(0.1)

    def testInstantiation(self):
        self.assertEqual(len(self.cache.getCache()), 0)

    def testCaching(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        self.assertEqual(len(self.cache.getCache()), 1)
        self.assertEqual(self.cache.get('testid', password=None), nonauth_ob)
        time.sleep(0.5)
        self.assertEqual(self.cache.get('testid', password=None), None)
        self.assertEqual(len(self.cache.getCache()), 0)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.assertEqual(len(self.cache.getCache()), 1)
        self.assertEqual(self.cache.get('newid', password=TESTPWD), auth_ob)
        time.sleep(0.5)
        self.assertEqual(self.cache.get('newid', password=TESTPWD), None)
        self.assertEqual(len(self.cache.getCache()), 0)

    def testRemove(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        self.cache.remove('testid')
        self.assertEqual(len(self.cache.getCache()), 0)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.cache.remove('newid')
        self.assertEqual(len(self.cache.getCache()), 0)

    def testClear(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.cache.clear()
        self.assertEqual(len(self.cache.getCache()), 0)
        self.assertEqual(len(self.cache.getCache()), 0)
class TestSimpleCache(unittest.TestCase):

    def setUp(self):
        self.cache = SimpleCache()
        self.cache.setTimeout(0.1)

    def testInstantiation(self):
        self.assertEqual(len(self.cache.getCache()), 0)

    def testCaching(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        self.assertEqual(len(self.cache.getCache()), 1)
        self.assertEqual( self.cache.get('testid', password=None)
                        , nonauth_ob
                        )
        time.sleep(0.5)
        self.assertEqual( self.cache.get('testid', password=None)
                        , None
                        )
        self.assertEqual(len(self.cache.getCache()), 0)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.assertEqual(len(self.cache.getCache()), 1)
        self.assertEqual( self.cache.get('newid', password=TESTPWD)
                        , auth_ob
                        )
        time.sleep(0.5)
        self.assertEqual( self.cache.get('newid', password=TESTPWD)
                        , None
                        )
        self.assertEqual(len(self.cache.getCache()), 0)

    def testRemove(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        self.cache.remove('testid')
        self.assertEqual(len(self.cache.getCache()), 0)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.cache.remove('newid')
        self.assertEqual(len(self.cache.getCache()), 0)

    def testClear(self):
        nonauth_ob = CacheObject('nonauth')
        self.cache.set('TestId', nonauth_ob)
        auth_ob = CacheObject('auth')
        self.cache.set('NewId', auth_ob)
        self.cache.clear()
        self.assertEqual(len(self.cache.getCache()), 0)
        self.assertEqual(len(self.cache.getCache()), 0)
 def setUp(self):
     self.cache = SimpleCache()
     self.cache.setTimeout(0.1)
 def __setstate__(self, v):
     """ """
     LDAPGroupFolder.inheritedAttribute('__setstate__')(self, v)
     self._cache = SimpleCache()
     self._cache.setTimeout(600)
     self._cache.clear()
 def __init__(self, title, luf=''):
     """ """
     self._luf = luf
     self._cache = SimpleCache()
     self._cache.setTimeout(600)
     self._cache.clear()
class LDAPGroupFolder(SimpleItem):
    """ """
    security = ClassSecurityInfo()

    meta_type = 'LDAPGroupFolder'
    id = 'acl_users'

    isPrincipiaFolderish = 1
    isAUserFolder = 1

    manage_options = (({
        'label': 'Groups',
        'action': 'manage_main',
    }, ) + SimpleItem.manage_options)

    security.declareProtected(view_management_screens, 'manage_main')
    manage_main = DTMLFile('dtml/groups', globals())

    def __setstate__(self, v):
        """ """
        LDAPGroupFolder.inheritedAttribute('__setstate__')(self, v)
        self._cache = SimpleCache()
        self._cache.setTimeout(600)
        self._cache.clear()

    def __init__(self, title, luf=''):
        """ """
        self._luf = luf
        self._cache = SimpleCache()
        self._cache.setTimeout(600)
        self._cache.clear()

    security.declarePrivate(manage_users, 'getGRUF')

    def getGRUF(self):
        """ """
        return self.aq_parent.aq_parent

    security.declareProtected(manage_users, 'getLUF')

    def getLUF(self):
        """ """
        s = self.getGRUF().getUserSource(self._luf)
        if getattr(s, 'meta_type', None) != "LDAPUserFolder":
            # whoops, we moved LDAPUF... let's try to find it back
            Log(LOG_WARNING, "LDAPUserFolder moved. Trying to find it back.")
            s = None
            for src in self.getGRUF().listUserSources():
                if src.meta_type == "LDAPUserFolder":
                    self._luf = src.getPhysicalPath()[-2]
                    s = src
                    break
            if not s:
                raise RuntimeError, "You must change your groups source in GRUF if you do not have a LDAPUserFolder as a users source."
        return s

    security.declareProtected(manage_users, 'getGroups')

    def getGroups(self, dn='*', attr=None, pwd=''):
        """ """
        return self.getLUF().getGroups(dn, attr, pwd)

    security.declareProtected(manage_users, 'getGroupType')

    def getGroupType(self, group_dn):
        """ """
        return self.getLUF().getGroupType(group_dn)

    security.declareProtected(manage_users, 'getGroupMappings')

    def getGroupMappings(self):
        """ """
        return self.getLUF().getGroupMappings()

    security.declareProtected(manage_users, 'manage_addGroupMapping')

    def manage_addGroupMapping(self, group_name, role_name, REQUEST=None):
        """ """
        self._cache.remove(group_name)
        self.getLUF().manage_addGroupMapping(group_name, role_name, None)

        if REQUEST:
            msg = 'Added LDAP group to Zope role mapping: %s -> %s' % (
                group_name, role_name)
            return self.manage_main(manage_tabs_message=msg)

    manage_addGroupMapping = postonly(manage_addGroupMapping)

    security.declareProtected(manage_users, 'manage_deleteGroupMappings')

    def manage_deleteGroupMappings(self, group_names, REQUEST=None):
        """ Delete mappings from LDAP group to Zope role """
        self._cache.clear()
        self.getLUF().manage_deleteGroupMappings(group_names, None)
        if REQUEST:
            msg = 'Deleted LDAP group to Zope role mapping for: %s' % (
                ', '.join(group_names))
            return self.manage_main(manage_tabs_message=msg)

    manage_deleteGroupMappings = postonly(manage_deleteGroupMappings)

    security.declareProtected(manage_users, 'manage_addGroup')

    def manage_addGroup(self,
                        newgroup_name,
                        newgroup_type='groupOfUniqueNames',
                        REQUEST=None):
        """Add a new group in groups_base.
        """
        self.getLUF().manage_addGroup(newgroup_name, newgroup_type, None)

        if REQUEST:
            msg = 'Added new group %s' % (newgroup_name)
            return self.manage_main(manage_tabs_message=msg)

    manage_addGroup = postonly(manage_addGroup)

    security.declareProtected(manage_users, 'manage_deleteGroups')

    def manage_deleteGroups(self, dns=[], REQUEST=None):
        """ Delete groups from groups_base """
        self.getLUF().manage_deleteGroups(dns, None)
        self._cache.clear()

        if REQUEST:
            msg = 'Deleted group(s):<br> %s' % '<br>'.join(dns)
            return self.manage_main(manage_tabs_message=msg)

    manage_deleteGroups = postonly(manage_deleteGroups)

    security.declareProtected(manage_users, 'getUser')

    def getUser(self, name):
        """ """
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []

        # Get the group from the cache
        user = self._cache.get(name, '')
        if user:
            return user

        # Scan groups to find the proper user.
        # THIS MAY BE EXPENSIVE AND HAS TO BE OPTIMIZED...
        grps = self.getLUF().getGroups()
        valid_roles = self.userFolderGetRoles()
        dn = None
        for n, g_dn in grps:
            if n == name:
                dn = g_dn
                break
        if not dn:
            return None

        # Current mapping
        roles = self.getLUF()._mapRoles([name])

        # Nested groups
        groups = list(self.getLUF().getGroups(
            dn=dn,
            attr='cn',
        ))
        roles.extend(self.getLUF()._mapRoles(groups))

        # !!! start test
        Log(LOG_DEBUG, name, "roles", groups, roles)
        Log(LOG_DEBUG, name, "mapping",
            getattr(self.getLUF(), '_groups_mappings', {}))
        # !!! end test

        actual_roles = []
        for r in roles:
            if r in valid_roles:
                actual_roles.append(r)
            elif "%s%s" % (GROUP_PREFIX, r) in valid_roles:
                actual_roles.append("%s%s" % (GROUP_PREFIX, r))
        Log(LOG_DEBUG, name, "actual roles", actual_roles)
        user = GroupUser(n, '', actual_roles, [])
        self._cache.set(name, user)
        return user

    security.declareProtected(manage_users, 'getUserNames')

    def getUserNames(self):
        """ """
        Log(
            LOG_DEBUG,
            "getUserNames",
        )
        LogCallStack(LOG_DEBUG)
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []
        return [g[0] for g in luf.getGroups()]

    security.declareProtected(manage_users, 'getUsers')

    def getUsers(self, authenticated=1):
        """ """
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []

        data = []

        grps = self.getLUF().getGroups()
        valid_roles = self.userFolderGetRoles()
        for n, dn in grps:
            # Group mapping
            roles = self.getLUF()._mapRoles([n])

            # computation
            actual_roles = []
            for r in roles:
                if r in valid_roles:
                    actual_roles.append(r)
                elif "%s%s" % (GROUP_PREFIX, r) in valid_roles:
                    actual_roles.append("%s%s" % (GROUP_PREFIX, r))
            user = GroupUser(n, '', actual_roles, [])
            data.append(user)

        return data

    security.declarePrivate('_doAddUser')

    def _doAddUser(self, name, password, roles, domains, **kw):
        """WARNING: If a role with exists with the same name as the group, we do not add
        the group mapping for it, but we create it as if it were a Zope ROLE.
        Ie. it's not possible to have a GRUF Group name = a Zope role name, BUT,
        with this system, it's possible to differenciate between LDAP groups and LDAP roles.
        """
        self.getLUF().manage_addGroup(name)
        self.manage_addGroupMapping(
            name,
            "group_" + name,
            None,
        )
        self._doChangeUser(name, password, roles, domains, **kw)

    security.declarePrivate('_doDelUsers')

    def _doDelUsers(self, names):
        dns = []
        luf = self.getLUF()
        for g_name, dn in luf.getGroups():
            if g_name in names:
                dns.append(dn)
        self._cache.clear()
        return luf.manage_deleteGroups(dns)

    security.declarePrivate('_doChangeUser')

    def _doChangeUser(self, name, password, roles, domains, **kw):
        """
        This is used to change the groups (especially their roles).

        [ THIS TEXT IS OUTDATED :
          WARNING: If a ZOPE role with the same name as the GRUF group exists,
          we do not add the group mapping for it, but we create it as if it were a Zope ROLE.
          Ie. it's not possible to have a GRUF Group name = a Zope role name, BUT,
          with this system, it's possible to differenciate between LDAP groups and LDAP roles.
        ]
        """
        luf = self.getLUF()
        self._cache.remove(name)

        # Get group DN
        dn = None
        for g_name, g_dn in luf.getGroups():
            if g_name == name:
                dn = g_dn
                break
        if not dn:
            raise ValueError, "Invalid LDAP group: '%s'" % (name, )

        # Edit group mappings


##        if name in self.aq_parent.valid_roles():
##            # This is, in fact, a role
##            self.getLUF().manage_addGroupMapping(name, name)
##        else:
##            # This is a group -> we set it as a group
##            self.getLUF().manage_addGroupMapping(name, self.getGroupPrefix() + name)

# Change roles
        if luf._local_groups:
            luf.manage_editUserRoles(dn, roles)
        else:
            # We have to transform roles into group dns: transform them as a dict
            role_dns = []
            all_groups = luf.getGroups()
            all_roles = luf.valid_roles()
            groups = {}
            for g in all_groups:
                groups[g[0]] = g[1]

            # LDAPUF < 2.4Beta3 adds possibly invalid roles to the user roles
            # (for example, adding the cn of a group additionnaly to the mapped zope role).
            # So we must remove from our 'roles' list all roles which are prefixed by group prefix
            # but are not actually groups.
            # If a group has the same name as a role, we assume that it should be a _role_.
            # We should check against group/role mapping here, but... well... XXX TODO !
            # See "HERE IT IS" comment below.

            # Scan roles we are asking for to manage groups correctly
            for role in roles:
                if not role in all_roles:
                    continue  # Do not allow propagation of invalid roles
                if role.startswith(GROUP_PREFIX):
                    role = role[
                        GROUP_PREFIX_LEN:]  # Remove group prefix : groups are stored WITHOUT prefix in LDAP
                    if role in all_roles:
                        continue  # HERE IT IS
                r = groups.get(role, None)
                if not r:
                    Log(
                        LOG_WARNING,
                        "LDAP Server doesn't provide a '%s' group (asked for user '%s')."
                        % (
                            role,
                            name,
                        ))
                    continue
                role_dns.append(r)

            # Perform the change
            luf.manage_editGroupRoles(dn, role_dns)
Esempio n. 9
0
 def setUp(self):
     from Products.LDAPUserFolder.SimpleCache import SimpleCache
     self.cache = SimpleCache()
     self.cache.setTimeout(0.1)
Esempio n. 10
0
 def __init__( self, title, luf=''):
     """ """
     self._luf = luf
     self._cache = SimpleCache()
     self._cache.setTimeout(600)
     self._cache.clear()
Esempio n. 11
0
 def __setstate__(self, v):
     """ """
     LDAPGroupFolder.inheritedAttribute('__setstate__')(self, v)
     self._cache = SimpleCache()
     self._cache.setTimeout(600)
     self._cache.clear()
Esempio n. 12
0
class LDAPGroupFolder(SimpleItem):
    """ """
    security = ClassSecurityInfo()

    meta_type = 'LDAPGroupFolder'
    id = 'acl_users'

    isPrincipiaFolderish=1
    isAUserFolder=1

    manage_options=(
        ({'label' : 'Groups', 'action' : 'manage_main',},)
        + SimpleItem.manage_options
        )

    security.declareProtected(view_management_screens, 'manage_main')
    manage_main = DTMLFile('dtml/groups', globals())
    
    
    def __setstate__(self, v):
        """ """
        LDAPGroupFolder.inheritedAttribute('__setstate__')(self, v)
        self._cache = SimpleCache()
        self._cache.setTimeout(600)
        self._cache.clear()

    def __init__( self, title, luf=''):
        """ """
        self._luf = luf
        self._cache = SimpleCache()
        self._cache.setTimeout(600)
        self._cache.clear()

    security.declarePrivate(manage_users, 'getGRUF')
    def getGRUF(self):
        """ """
        return self.aq_parent.aq_parent


    security.declareProtected(manage_users, 'getLUF')
    def getLUF(self):
        """ """
        s = self.getGRUF().getUserSource(self._luf)
        if getattr(s, 'meta_type', None) != "LDAPUserFolder":
            # whoops, we moved LDAPUF... let's try to find it back
            Log(LOG_WARNING, "LDAPUserFolder moved. Trying to find it back.")
            s = None
            for src in self.getGRUF().listUserSources():
                if src.meta_type == "LDAPUserFolder":
                    self._luf = src.getPhysicalPath()[-2]
                    s = src
                    break
            if not s:
                raise RuntimeError, "You must change your groups source in GRUF if you do not have a LDAPUserFolder as a users source."
        return s


    security.declareProtected(manage_users, 'getGroups')
    def getGroups(self, dn='*', attr=None, pwd=''):
        """ """
        return self.getLUF().getGroups(dn, attr, pwd)


    security.declareProtected(manage_users, 'getGroupType')
    def getGroupType(self, group_dn):
        """ """
        return self.getLUF().getGroupType(group_dn)

    security.declareProtected(manage_users, 'getGroupMappings')
    def getGroupMappings(self):
        """ """
        return self.getLUF().getGroupMappings()

    security.declareProtected(manage_users, 'manage_addGroupMapping')
    def manage_addGroupMapping(self, group_name, role_name, REQUEST=None):
        """ """
        self._cache.remove(group_name)
        self.getLUF().manage_addGroupMapping(group_name, role_name, None)

        if REQUEST:
            msg = 'Added LDAP group to Zope role mapping: %s -> %s' % (
                group_name, role_name)
            return self.manage_main(manage_tabs_message=msg)
    manage_addGroupMapping = postonly(manage_addGroupMapping)

    security.declareProtected(manage_users, 'manage_deleteGroupMappings')
    def manage_deleteGroupMappings(self, group_names, REQUEST=None):
        """ Delete mappings from LDAP group to Zope role """
        self._cache.clear()
        self.getLUF().manage_deleteGroupMappings(group_names, None)
        if REQUEST:
            msg = 'Deleted LDAP group to Zope role mapping for: %s' % (
                ', '.join(group_names))
            return self.manage_main(manage_tabs_message=msg)
    manage_deleteGroupMappings = postonly(manage_deleteGroupMappings)

    security.declareProtected(manage_users, 'manage_addGroup')
    def manage_addGroup( self
                       , newgroup_name
                       , newgroup_type='groupOfUniqueNames'
                       , REQUEST=None
                       ):
        """Add a new group in groups_base.
        """
        self.getLUF().manage_addGroup(newgroup_name, newgroup_type, None)
        
        if REQUEST:
            msg = 'Added new group %s' % (newgroup_name)
            return self.manage_main(manage_tabs_message=msg)
    manage_addGroup = postonly(manage_addGroup)

    security.declareProtected(manage_users, 'manage_deleteGroups')
    def manage_deleteGroups(self, dns=[], REQUEST=None):
        """ Delete groups from groups_base """
        self.getLUF().manage_deleteGroups(dns, None)
        self._cache.clear()
 
        if REQUEST:
            msg = 'Deleted group(s):<br> %s' % '<br>'.join(dns)
            return self.manage_main(manage_tabs_message=msg)
    manage_deleteGroups = postonly(manage_deleteGroups)

    security.declareProtected(manage_users, 'getUser')
    def getUser(self, name):
        """ """
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []

        # Get the group from the cache
        user = self._cache.get(name, '')
        if user:
            return user

        # Scan groups to find the proper user.
        # THIS MAY BE EXPENSIVE AND HAS TO BE OPTIMIZED...
        grps = self.getLUF().getGroups()
        valid_roles = self.userFolderGetRoles()
        dn = None
        for n, g_dn in grps:
            if n == name:
                dn = g_dn
                break
        if not dn:
            return None

        # Current mapping
        roles = self.getLUF()._mapRoles([name])

        # Nested groups
        groups = list(self.getLUF().getGroups(dn=dn, attr='cn', ))
        roles.extend(self.getLUF()._mapRoles(groups))

        # !!! start test
        Log(LOG_DEBUG, name, "roles", groups, roles)
        Log(LOG_DEBUG, name, "mapping", getattr(self.getLUF(), '_groups_mappings', {}))
        # !!! end test

        actual_roles = []
        for r in roles:
            if r in valid_roles:
                actual_roles.append(r)
            elif "%s%s" % (GROUP_PREFIX, r) in valid_roles:
                actual_roles.append("%s%s" % (GROUP_PREFIX, r))
        Log(LOG_DEBUG, name, "actual roles", actual_roles)
        user = GroupUser(n, '', actual_roles, [])
        self._cache.set(name, user)
        return user
        
    security.declareProtected(manage_users, 'getUserNames')
    def getUserNames(self):
        """ """
        Log(LOG_DEBUG, "getUserNames", )
        LogCallStack(LOG_DEBUG)
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []
        return [g[0] for g in luf.getGroups()]

    security.declareProtected(manage_users, 'getUsers')
    def getUsers(self, authenticated=1):
        """ """
        # Prevent locally stored groups
        luf = self.getLUF()
        if luf._local_groups:
            return []

        data = []
        
        grps = self.getLUF().getGroups()
        valid_roles = self.userFolderGetRoles()
        for n, dn in grps:
            # Group mapping
            roles = self.getLUF()._mapRoles([n])
            
            # computation
            actual_roles = []
            for r in roles:
                if r in valid_roles:
                    actual_roles.append(r)
                elif "%s%s" % (GROUP_PREFIX, r) in valid_roles:
                    actual_roles.append("%s%s" % (GROUP_PREFIX, r))
            user = GroupUser(n, '', actual_roles, [])
            data.append(user)

        return data

    security.declarePrivate('_doAddUser')
    def _doAddUser(self, name, password, roles, domains, **kw):
        """WARNING: If a role with exists with the same name as the group, we do not add
        the group mapping for it, but we create it as if it were a Zope ROLE.
        Ie. it's not possible to have a GRUF Group name = a Zope role name, BUT,
        with this system, it's possible to differenciate between LDAP groups and LDAP roles.
        """
        self.getLUF().manage_addGroup(name)
        self.manage_addGroupMapping(name, "group_" + name, None, )
        self._doChangeUser(name, password, roles, domains, **kw)

    security.declarePrivate('_doDelUsers')
    def _doDelUsers(self, names):
        dns = []
        luf = self.getLUF()
        for g_name, dn in luf.getGroups():
            if g_name in names:
                dns.append(dn)
        self._cache.clear()
        return luf.manage_deleteGroups(dns)

    security.declarePrivate('_doChangeUser')
    def _doChangeUser(self, name, password, roles, domains, **kw):
        """
        This is used to change the groups (especially their roles).

        [ THIS TEXT IS OUTDATED :
          WARNING: If a ZOPE role with the same name as the GRUF group exists,
          we do not add the group mapping for it, but we create it as if it were a Zope ROLE.
          Ie. it's not possible to have a GRUF Group name = a Zope role name, BUT,
          with this system, it's possible to differenciate between LDAP groups and LDAP roles.
        ]
        """
        luf = self.getLUF()
        self._cache.remove(name)

        # Get group DN
        dn = None
        for g_name, g_dn in luf.getGroups():
            if g_name == name:
                dn = g_dn
                break
        if not dn:
            raise ValueError, "Invalid LDAP group: '%s'" % (name, )
                
        # Edit group mappings
##        if name in self.aq_parent.valid_roles():
##            # This is, in fact, a role
##            self.getLUF().manage_addGroupMapping(name, name)
##        else:
##            # This is a group -> we set it as a group
##            self.getLUF().manage_addGroupMapping(name, self.getGroupPrefix() + name)

        # Change roles
        if luf._local_groups:
            luf.manage_editUserRoles(dn, roles)
        else:
            # We have to transform roles into group dns: transform them as a dict
            role_dns = []
            all_groups = luf.getGroups()
            all_roles = luf.valid_roles()
            groups = {}
            for g in all_groups:
                groups[g[0]] = g[1]

            # LDAPUF < 2.4Beta3 adds possibly invalid roles to the user roles
            # (for example, adding the cn of a group additionnaly to the mapped zope role).
            # So we must remove from our 'roles' list all roles which are prefixed by group prefix
            # but are not actually groups.
            # If a group has the same name as a role, we assume that it should be a _role_.
            # We should check against group/role mapping here, but... well... XXX TODO !
            # See "HERE IT IS" comment below.

            # Scan roles we are asking for to manage groups correctly
            for role in roles:
                if not role in all_roles:
                    continue                        # Do not allow propagation of invalid roles
                if role.startswith(GROUP_PREFIX):
                    role = role[GROUP_PREFIX_LEN:]            # Remove group prefix : groups are stored WITHOUT prefix in LDAP
                    if role in all_roles:
                        continue                            # HERE IT IS
                r = groups.get(role, None)
                if not r:
                    Log(LOG_WARNING, "LDAP Server doesn't provide a '%s' group (asked for user '%s')." % (role, name, ))
                    continue
                role_dns.append(r)

            # Perform the change
            luf.manage_editGroupRoles(dn, role_dns)