Insufficient privileges to edit page when using inherited permissions and LDAP accounts

I've come across a strange issue with Plone 5.2.4. We have a site that uses the LDAP add-on (pas.plugins.ldap 1.8.0) for user authentication. We have a few LDAP accounts that have been granted write access at the top level of the site and those permissions are inherited to all folders. This works as expected.

If I go into one of the sub folders and give another LDAP account all available permissions from the sharing UI, the permissions for this account do not work properly. The new account sees the editing UI in this folder, but when you click on the Edit button you are presented with an error about "insufficient permissions". The accounts that have edit access from the folder above can still edit content in the sub folder.

In the sub folder sharing UI, if I turn off the "Inherit permissions from higher levels" check box and add local permissions for each of the LDAP accounts, this problem goes away and everyone can edit.

Is this a bug with Plone, the LDAP add-on, or am I misunderstanding how the inherited permissions should work in Plone?

This is strange: that you see the "editing UI" means that Plone recognized an editing permission. Thus, editing should not fail due to insufficient privileges.

In your place, I would configure verbose-security. It usually gives precious hints concerning authorization problems. You may need to reconfigure your error_log object (not to ignore Unauthorized); you can then find the verbose-security information there.

I doubt it is an LDAP plugin problem. We use it in several places, I know it is used in many larger organizations. Access on deeper navigation levels is a standard use case and it usually just works.

I would first check the roles and permissions in the ZMI Security tab to see what really happens. There you can view the roles and permissions of a specific user too.
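To make the expected behaviour concrete, here is a small model of the local-role lookup the thread is talking about. It is an added illustration, not code from Plone, Zope, pas.plugins.ldap or either poster; `Node`, `grant`, `roles_in_context` and `can_edit` are hypothetical names, and the walk only mimics local-role acquisition (collect grants at each level, stop after a level whose "Inherit permissions from higher levels" switch is off).

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    """A content object: local role grants plus the 'inherit' switch (constructed model)."""
    name: str
    parent: Node | None = None
    # Stand-in for __ac_local_roles__: principal id -> list of roles
    local_roles: dict = field(default_factory=dict)
    # True when "Inherit permissions from higher levels" is unchecked in the sharing UI
    block_inherit: bool = False

    def grant(self, principal: str, *roles: str) -> None:
        self.local_roles.setdefault(principal, []).extend(roles)


def roles_in_context(obj: Node, principal_ids: set[str]) -> set[str]:
    """Walk from obj up to the root collecting roles for the user and its groups.

    Grants on a blocking folder still count; only the folders above it are skipped.
    """
    roles: set[str] = set()
    node = obj
    while node is not None:
        for pid in principal_ids:
            roles.update(node.local_roles.get(pid, []))
        if node.block_inherit:
            break
        node = node.parent
    return roles


def can_edit(obj: Node, principal_ids: set[str]) -> bool:
    """'Modify portal content' is held by Editor and Manager in a stock Plone site."""
    return bool(roles_in_context(obj, principal_ids) & {"Editor", "Manager"})


# Constructed scenario mirroring the question: the site root grants Editor to
# ldap-user-a, and a sub folder grants Editor to ldap-user-b.
site = Node("site")
site.grant("ldap-user-a", "Editor")
sub = Node("sub", parent=site)
sub.grant("ldap-user-b", "Editor")

if __name__ == "__main__":
    # With inheritance on, both accounts should be able to edit in the sub folder.
    print(can_edit(sub, {"ldap-user-a"}), can_edit(sub, {"ldap-user-b"}))  # True True
```

If the model says both accounts may edit but the site says "insufficient privileges" for one of them, the gap is what verbose-security and the ZMI Security tab are meant to expose.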
