Authenticating With Active Directory
How to make Plone authenticate against Active Directory Using PlonePAS
Get the Files
You will need:
- In plone3, if you have a simple LDAP setup where you only need one PAS plugin, you might wish to use PloneLDAP and simplon.plone.ldap instead. Use this tutorial instead if you want to understand what is going on behind the scenes, or if your LDAP structure is more complex.
- The python-ldap module for the python version that's running your zope instance. This must be installed with your zope instance python. There are source downloads as well as binaries for several platforms available from sourceforge. Windows users should note that there are other libraries required to build python-ldap.
- LDAPMultiPlugin and LDAPUserFolder. These are available separately (LDAPMultiPlugin and LDAPUserFolder). There is also a bundle available from plone.org as part of the PloneLDAP product. At the time of this writing, the PloneLDAP product itself is still not released, but the LDAPMultiPlugin and LDAPUserFolder provided in the bundle are released products.
Install Prerequisites
Note: The following assumes that your plone site is installed in /Plone in the ZMI.
- Make sure python-ldap is installed and available under $ZOPEBASE. To test this, execute the python in your $ZOPEBASE directory and import the ldap module. No warnings or errors should be returned.
Example:
# /opt/Plone-2.5.3/Python-2.4.4/bin/python
>>> import _ldap
>>>
- Extract LDAPMultiPlugin and LDAPUserFolder from the above packages. Recursively copy the resulting directories into your Products directory (/opt/Plone-3.0/zeocluster/Products if you were to use the all-in-one installer on Linux, for example).
- Ensure that these directories and all files in them are owned by the same user as your zope instance.
- Restart zope and ensure that there are no errors.
Configure the ZMI to allow authentication of Plone users
- Navigate to "your plone site"/acl_users in the ZMI (do NOT confuse this with the acl_users under the Zope root instance).
- In the upper right, select 'ActiveDirectory Multi Plugin' and click the 'Add' button. Fill out the form with the information below.
If ActiveDirectory Multi Plugin is not in the list, there may have been an error in the previous steps; check your server logs to find the cause.
- ID: A name for this PlonePAS plugin.
- Title: Name for this plugin; I use the same as the ID.
- LDAP Server[:port]: Hostname and port of your LDAP server. For Active Directory, this is usually a Windows domain controller. Normally port 389, but 3268 may be used to access the global catalog port. Using port 3268 will allow you to use multiple OUs from a single PlonePAS plugin.
- Login Name Attribute: Attribute to use as the username to authenticate against; sAMAccountName should be correct.
- User ID Attribute: This is what shows up as "Full Name" for this user in Plone. cn is usually correct, as it is the person's full name.
- RDN Attribute: 'Relative Distinguished Name' attribute; cn is usually correct.
- Users Base DN: The subtree under which your users reside.
- Group Storage: Whether your groups are stored on your LDAP server or locally. If you have control over the AD, you may want to store your groups there; otherwise local groups can insulate you from AD changes, but mean additional maintenance on the Plone side when things change.
- Manager DN: The credentials used to perform the LDAP bind (log into LDAP). You can use login information in the form user@example.com.
- User Object Classes: In addition to specifying the tree of your LDAP users, you can use LDAP object classes to differentiate them from other objects in your LDAP schema. The defaults are probably sufficient.
- User Password Encryption: Level of encryption you want to use. SHA should be sufficient to make it operate; check your local security policies.
- Default User Roles: The Zope role a user authenticating with this PlonePAS plugin will be given by default. Anonymous may be sufficient, but Authenticated will give them more access, especially if you choose to lock down your site.
- Scope Boxes: This tells the PlonePAS plugin how much of the tree should be used to authenticate users or set groups.
- Read Only Checkbox: Check this if you do not want to alter LDAP data from Plone. One of the side effects of setting this is that your users will not be able to set their own preferences from the Member preferences page.
Enable Authentication for Plone Users
In the ZMI, navigate to Plone/acl_users/ADNAME, where ADNAME is what you specified for Title and ID above. On the Activate tab, you should see a number of checkboxes. To enable user authentication in Plone, select:
- Authentication (authenticateCredentials)
- Properties (getPropertiesForUser)
- User Enumeration (enumerateUsers)
Then click 'Update' to save the changes. At this point, you should be able to log in using Active Directory credentials.
You may need additional boxes checked if you are using Active Directory to manage Plone groups as well. There is documentation for each field if you navigate to Plone/acl_users/plugins in the ZMI.
Mapping Additional Attributes
You may have noticed at this point that you are able to authenticate, but other Active Directory properties, such as full name or email address, are not visible in Plone. To get these to show up, you need to perform additional mappings from Plone user properties to LDAP user properties.
In the ZMI, navigate to Plone/acl_users/ADNAME (ADNAME is what you specified for Title and ID above) and open the LDAP Schema tab.
To map the email address in Plone to the user's Active Directory email, add an LDAP schema item with the following values:
- LDAP Attribute Name: mail
- Friendly Name: e-mail address
- Multi-valued: leave unchecked
- Map to Name: email
This will set the Plone users' email to their email from LDAP automatically.
Also common is to map fullname to the cn attribute.
To do this, delete the cn mapping from the top of the screen, then add a new LDAP Schema Item with the following attributes:
- LDAP Attribute Name: cn
- Friendly Name: Full Name
- Multi-valued: leave unchecked
- Map to Name: fullname
To make these properties take effect, you must set your plugin order so that PAS looks at the LDAP values first. To do so:
In the ZMI, navigate to Plone/acl_users/plugins. Click 'Properties Plugins'. On the right you should see your Active Directory Multiplugin. Highlight it and move it to the top.
Notes
- You can add several Active Directory plugins as described above if you need multiple trees from your Active Directory schema. You should make sure that usernames won't be duplicated, however. There is some discussion of the topic in this howto. Also see the note on port 3268 above.
- simplon.plone.ldap and PloneLDAP together provide a simple interface and configlet if you only have one LDAP source.
- There is a patch for LDAPMultiPlugins needed to enable certain interfaces. You may need it depending on what you ultimately want to do with your LDAP integration.
- If you are sourcing your groups from LDAP, be certain that you are not using ObjectGUID as your group identifier in the properties tab for your ADMultiPlugin object in the ZMI. ObjectGUID is a binary value and will cause an error wherever groups are used.
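As an added example (not code from this howto, nor LDAPUserFolder's own implementation), the following Python rebuilds two things the plugin derives from the values entered above: the per-login search filter formed from the Login Name Attribute and User Object Classes fields, and the LDAP Schema tab mapping of mail and cn onto email and fullname, including the binary-attribute failure the objectGUID note describes. The default object class list ('top', 'person') and the sample directory entry are assumptions; the live bind to the Manager DN is left out so the example runs offline.

```python
# Added example, not code from the howto or from LDAPUserFolder: it rebuilds the
# per-login search filter and the LDAP Schema tab mapping that the ActiveDirectory
# Multi Plugin derives from the form. Sample entry constructed; object classes assumed.

def escape_filter(value):
    """RFC 4515 escaping (python-ldap ships this as ldap.filter.escape_filter_chars).
    Characters that have meaning inside a filter are matched literally instead."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def user_search_filter(login, login_attr='sAMAccountName',
                       object_classes=('top', 'person')):
    """Filter issued under the Users Base DN for one login name, built from the
    'Login Name Attribute' and 'User Object Classes' form fields."""
    classes = ''.join('(objectClass=%s)' % escape_filter(c) for c in object_classes)
    return '(&%s(%s=%s))' % (classes, login_attr, escape_filter(login))

# Rows of the LDAP Schema tab: (LDAP attribute, friendly name, multi-valued, map to)
SCHEMA = [
    ('mail', 'e-mail address', False, 'email'),
    ('cn', 'Full Name', False, 'fullname'),
]

def entry_to_plone_properties(entry, schema=SCHEMA):
    """Convert one result in python-ldap's (dn, {attr: [bytes, ...]}) shape into
    the Plone member properties that the schema rows map to."""
    dn, attrs = entry
    props = {}
    for ldap_attr, _friendly, multi, plone_name in schema:
        try:
            values = [v.decode('utf-8') for v in attrs.get(ldap_attr, [])]
        except UnicodeDecodeError:
            # Binary attributes such as objectGUID are not text; mapping one is
            # the error the Notes describe for group identifiers.
            raise ValueError('%s on %s is binary; use a text attribute' % (ldap_attr, dn))
        props[plone_name] = values if multi else (values[0] if values else '')
    return props

# Constructed entry in the shape python-ldap returns for a user under OU=Sales.
SAMPLE_ENTRY = (
    'CN=Joe Smith,OU=Sales,DC=example,DC=com',
    {'sAMAccountName': [b'jsmith'],
     'cn': [b'Joe Smith'],
     'mail': [b'jsmith@example.com'],
     'memberOf': [b'CN=Sales,OU=Groups,DC=example,DC=com'],
     'objectGUID': [b'\xff\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f']},
)

if __name__ == '__main__':
    print(user_search_filter('jsmith'))
    print(entry_to_plone_properties(SAMPLE_ENTRY))
```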

Once a user is authenticated...
In other words:
authenticate everyone via AD, and the company's division supervisors own a subsection under the site
/root
----/sales (owned by joe smith)
----/r&d (owned by fred johnson)
so Joe Smith can admin just the sales subsection, not the root or the r&d section.
I hope this makes sense.
The question is how hard is this to do, or should I just make a Plone instance for each division (because there are about 20-some divisions, each with a supervisor responsible for that section's content)?