Authenticating with Active Directory

How to make Plone authenticate against Active Directory. (document needs updating because Plone 2.5.x uses PlonePAS instead of GRUF)

Introduction

This document shows you how to authenticate against Active Directory with Plone. It also works with normal LDAP servers, although the parameters in the examples are for AD. These directions assume you are working on Red Hat 8.0, so some minor changes will be needed for other systems. Also, since your DNs are probably not "adolor.com", you'll need to change that as well.

If you want to authenticate against a non-AD domain, you can't use LDAP, so you will want to look at HowToexUserFolder. This would be a good thing to read even if you can use LDAP.

Install LDAP for Zope

  • install the OpenLDAP RPMs
    • openldap-2.0.27-2.8.0
    • openldap-devel-2.0.27-2.8.0

Install python-ldap

  • wget http://www.open-it.org/download/redhat7.2/RPMS/python-ldap-2.0.0pre05-1.i386.rpm
  • rpm -i python-ldap-2.0.0pre05-1.i386.rpm
  • cd $ZOPEBASE/lib/python2.1
  • ln -s /usr/lib/python2.1/site-packages/_ldap.so .

Test Python/LDAP integration

  • $ZOPEBASE/bin/python (to make sure you get the same copy of python that Zope runs)
  • import _ldap (no errors is good)

Install LDAPUserFolder

  • wget http://www.dataflake.org/software/ldapuserfolder/LDAPUserFolder-2_1beta2.tgz
  • cd $ZOPEBASE/lib/python/Products
  • tar xvzf LDAPUserFolder-2_1beta2.tgz
  • chown -R zope:zope LDAPUserFolder
  • restart Zope and verify that the LDAPUserFolder is not broken

Create acl_user object

  • go into the ZMI and go into the desired folder
  • remove the existing acl_users folder, if needed
  • add a LDAPUserFolder object with these parameters:
    • Title: Adolor Employees
    • LDAP Server: servername
    • Read-only: (checked)
    • Users Base DN: cn=users,dc=adolor,dc=com
    • Groups Base DN: cn=users,dc=adolor,dc=com
    • Manager DN: cn=administrator,cn=users,dc=adolor,dc=com
    • Password: (current domain administrator password)

Test authentication

  • in the ZMI, navigate to the new acl_user object
  • click on the users tab
  • enter a user's login id that exists in the AD
  • it should display the DN record for that user
  • create a folder in the same folder as the acl_user object (check to create a public interface)
  • change the security on the folder to disallow view by anonymous
  • test the access into that folder for valid and invalid userid/password combinations
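The same check can be scripted before the settings go into the ZMI. This is an added example, not code from the HOWTO or from LDAPUserFolder: it takes the LDAPUserFolder parameters above (server name, Users Base DN, Manager DN), maps Login Name to sAMAccountName as the comments below recommend, binds as the manager before searching (AD rejects anonymous searches), and escapes the typed login id so it cannot alter the search filter. It assumes a current python-ldap (3.x) on Python 3; the search filter is this script's own, not the one LDAPUserFolder builds.

```python
"""Pre-flight check of the LDAPUserFolder settings against AD (added example)."""

# Settings mirroring the "Create acl_user object" step; constructed placeholders.
LDAP_URI = "ldap://servername"
USERS_BASE_DN = "cn=users,dc=adolor,dc=com"
# A dedicated read-only service account is preferable to the domain administrator.
MANAGER_DN = "cn=administrator,cn=users,dc=adolor,dc=com"
LOGIN_ATTR = "sAMAccountName"  # attribute to map "Login Name" to for AD

# RFC 4515 escaping: a login id typed into a form must not change the structure of
# the filter ("*" or ")(" in the input). python-ldap ships the same thing as
# ldap.filter.escape_filter_chars; it is spelled out here so it runs without ldap.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login):
    """Filter this check issues for a login id (an assumption, not LDAPUserFolder's own)."""
    return "(&(objectClass=user)(%s=%s))" % (LOGIN_ATTR, escape_filter_value(login))


def authenticate(login, password, manager_password):
    """Return the user's DN if login/password are valid, otherwise None.

    The lookup binds as the manager DN first (what "Manager DN Usage: Always" does),
    then verifies the password by binding as the user's own DN.
    """
    if not password:
        # AD treats an empty password as an anonymous bind, which would "succeed".
        return None
    import ldap  # python-ldap; imported here so the pure helpers stay importable

    conn = ldap.initialize(LDAP_URI)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD returns referrals python-ldap cannot follow
    conn.simple_bind_s(MANAGER_DN, manager_password)
    hits = conn.search_s(USERS_BASE_DN, ldap.SCOPE_SUBTREE, user_filter(login), ["cn"])
    dns = [dn for dn, _attrs in hits if dn]  # referral entries come back with dn None
    if len(dns) != 1:
        return None  # unknown or ambiguous login id
    try:
        conn.simple_bind_s(dns[0], password)
    except ldap.INVALID_CREDENTIALS:
        return None
    return dns[0]
```

Run it once with a valid and once with an invalid password for a known AD login; a None for the empty-password case and for a wrong password is the behaviour the folder test above should reproduce.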

Notes:

  • Once you have a working LDAP-enabled acl_users object, it's tempting to use the ZMI's copy/paste to put it into another portal folder. Don't do it. Build the new one from scratch, to avoid much weird behavior.
  • If you're using Community Enabler, you will also need to go to portal_skins/plone_forms/logged_in and "customize".

More advice

Posted by James Neville at Aug 05, 2005 09:56 AM
I found this article quite helpful, but could not get it to work following your instructions to the letter.
For future reference, I hope that the following helps other people.
I am assuming here that you have a recent Python/Zope/Plone installation.

Prior to the LDAP config, our initial Plone system consisted of the following:-
Python 2.4.1 (fresh install for Zope - not the bundled rpm)
Zope 2.7.6
Plone 2.0.5

1. Install OpenLDAP
http://www.openldap.org/software/download/

I used RH EL 3, but the OpenLDAP libraries seemed out of date. To eliminate this from being a possible issue, I uninstalled the rpms provided, and built a new version from source, adding the path to the new libraries to /etc/ld.so.conf and the binaries to our environment path.

I used 2.2.26, which was the most recent stable build at the time of writing.

2. Install GroupUserFolder (GRUF)
http://plone.org/products/GroupUserFolder/releases/

Remove the GRUF that ships with Plone 2.0.5.
It lives in $ZOPE_HOME/products.
Replace it with a recent version.
I installed 3.3.

3. Install Python-LDAP
http://python-ldap.sourceforge.net/

I had problems with *all* the release builds of this (2.0.9 at time of writing).
I pulled the latest sources from CVS, and edited the setup.cfg file as follows.

--------- setup.cfg -------------
# You need to edit the setup.cfg to point to your LDAP/Cyrus libs.
library_dirs = /apps/pkg/openldap/lib /usr/local/cyrus-sasl/lib
include_dirs = /apps/pkg/openldap/lib/include /usr/local/cyrus-sasl/include

# Some Linux systems might need explicitly linking with -lresolv
libs = ldap lber resolv
---------------------------------
Then, build python-ldap with the Python binary you are using with Zope.

localhost# $PYTHON_HOME/bin/python ./setup.py build
localhost# $PYTHON_HOME/bin/python ./setup.py install

Make a symbolic link in the ZOPE_HOME python libraries directory.
localhost# cd $ZOPE_HOME/lib/python2.4
localhost# ln -s $PYTHON_HOME/lib/python2.4/site-packages/_ldap.so .
 
Next, test that python-ldap is working for your Zope Python install.

localhost# $PYTHON_HOME/bin/python
[GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-49)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>>

If you see any errors after attempting to import the ldap module, then something went wrong, and the LDAPUserFolder is not going to work.

Moreover, if there is a problem here and you install LDAPUserFolder into $ZOPE_HOME/products, your server is likely to fail to start.
Make sure you test this before you proceed, just to preserve your sanity ;)

I was getting unresolved symbol errors for 'ber_flatten', which I *think* is related to older OpenLDAP libs.
Also, I had other unresolved errors at this stage until I tried the CVS version of python-ldap. I am not 100% on what really caused this, just how I got it to stop!
If you're keen, have a Google around and read up in the OpenLDAP lists. It's dark in there ;)

4. Install LDAPUserFolder
http://plone.org/products/ldapuserfolder

I downloaded v2.5, and extracted it into $ZOPE_HOME/products
Restart Zope.

5. Site Config

Contrary to the instructions here, I did the following steps.

Note: Backup your Plone site *FIRST*.

In your Plone site instance's folder:-

i) Delete the original acl_users folder.
Note that if you're migrating a production Plone instance, this may not be so wise, but seeing as our user base reflects the AD directory, this was not a problem.

ii) Add a GroupUserFolder.
Note that if you do not do this, the group options and the sharing tab in your Plone instance will break. This article needs amending to reflect that.

iii) Select the new acl_users folder, then click on the 'sources' tab.

iv) Add a new LDAPUserFolder

v) Configure the LDAP attributes.
Note that for AD, we found using the sAMAccountName attribute to be the most useful attribute for the Login Name.

From here, refer to the help file in the ZMI (it's actually very good), and the document here, as that's pretty comprehensive.

I think that's all, hope it helps someone as it took me a couple of painful days in a shell to fix this up right ;)

uid attribute

Posted by James Neville at Aug 05, 2005 10:39 AM
User ID Attribute should map to sAMAccountName; otherwise, following an AD login, there will be type errors.

What I had to do

Posted by Ben Roberts at Oct 31, 2005 06:28 PM
In order to make this work, I had to set "Manager DN Usage" to Always. Otherwise I got the error "a successful bind must be completed in order to ..."

I hope this helps someone; I spent days trying to figure that out!

Ben

installing python-ldap on suse linux

Posted by Peter Fraterdeus at Nov 10, 2005 04:19 AM
See my comments here

http://members.plone.org/[…]/howto_view

regarding hassles installing and resolving these!

Why mention openldap?

Posted by Nick Davis at Feb 15, 2006 11:38 AM
To someone unfamiliar with LDAP, it's confusing to mention OpenLDAP here. The title of this HOWTO is Authenticating with Active Directory. To do that you don't need OpenLDAP at all, yet this document appears to instruct the reader to install OpenLDAP.

I wasted some time wondering whether for some mysterious reason I needed OpenLDAP, even though it didn't seem like it. ;-)

This appears to be out of date

Posted by Brian Johnson at May 14, 2007 05:49 PM
There's lots of valid information here still, but I think the most current way of setting this up is to use PlonePAS/LDAPMultiPlugin to authenticate against Active Directory.