LDAP Authentication with Plone (versions 2.1.x and 2.0.x only and NOT 2.5 or later)

Here are some general tips on how to get Plone versions 2.1.x or earlier working with LDAP authentication. This is NOT RELEVANT to Plone 2.5 or later (which use PlonePAS).

Prerequisites

Users

It is assumed that Plone is not the root of your Zope site, i.e. there is a higher-level acl_users which has a user with Manager role. You will use this user to configure the acl_users in your Plone site.

Through the Zope Management Interface (ZMI), enter the acl_users of your Plone site. Click on the Sources tab. You should see that both the Group source and the Users source are a User Folder; this is the Plone default. Replace the Users source with an LDAPUserFolder; you must check the "I'm sure" box for this to work. NOTE: Do not replace the Group source; leave it as a User Folder. If your pre-existing User Folder has users in it, you can probably just add the LDAPUserFolder as an additional Users source.

Once you have done this, you should be in the setup for the LDAPUserFolder. Most of these settings require some knowledge of LDAP to set correctly, and every LDAP installation is different; if it is not immediately obvious what most of the settings should be, consult your LDAP directory administrator. I recommend that you use the LDAP server read-only (at least initially), and that you configure it for "Groups stored on LDAP server". If you want to use the LDAP bind for authentication, set the password encryption to clear.

Save your changes, and test your settings on the Users and Groups tabs. You should be able to search for users and list your groups.

Groups

Even though you may have set LDAPUserFolder to use LDAP groups, these will not automatically correspond to Plone's groups; a little more work is required.

Go into Plone's interface (do this in a separate window to save time later), enter the Plone Setup area, and select Users and Groups Administration. Here you can add your Plone groups.

Once you've added some Plone groups, switch back to the ZMI for the LDAPUserFolder, and click on the Groups tab. This will have a listing of all your LDAP groups. At the bottom of the page, you can map LDAP groups to Zope roles. The Plone groups are really Zope roles, but they all start with group_. Create any required mappings.

If you want all users in your LDAP directory to be Members of the site, it is probably sufficient to add Member to the "Default User Roles" field in the LDAPUserFolder configuration. Since all users need the Anonymous role, this would be Anonymous,Member. You should also add the LDAP objectclass that is used by all your users to "User object classes"; this narrows the search filter and makes lookups a bit faster in most cases.

An alternative is to map one or more groups to the Member or Reviewer role.

Why to manually set up the Plone groups

Contributed by paulr

It may seem tedious to manually set up the "Groups" folder in Plone, especially when they are already set up in LDAP anyway. But there are definite advantages:

  • if you use your LDAP as single sign-on, you'll probably have all kinds of "administrative" groups in there, that should not appear in Plone (Printmanagers, Samba stuff, DomainAdmins, whatever...)
  • often LDAP group names are chosen by system administrators. This gives you a chance to map short, mnemonic names in LDAP into something more user-friendly on-screen in Plone
  • The biggest drawback of the current Plone-LDAP integration status is that you can only search for users in the cache, not in the complete LDAP. With your groups as "normal" Plone groups, at least all group names will appear on the "sharing" tab.

Options

With contributions from paulr

If you first create extra properties in portal_memberdata in the ZMI, you can then map those to LDAP attributes. This can be handy to get telephone numbers, departments, etcetera into Plone, to then use this for instance in a company roster.

Furthermore: don't set the "multi-valued" checkbox on the LDAPUserFolder Schema tab for email, not even if your users actually have more aliases in LDAP. If you don't check it, LDAPUserFolder will simply map it to the first email value it finds for that entry, making it much easier to use this as an actual mailto: link.

You can use the Schema tab in the LDAPUserFolder to map certain LDAP attributes to Zope attributes. Some useful ones:

  • cn to fullname (on most LDAP servers)
  • fullName to fullname (on Novell Directory Server)
  • mail to email
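The following is an added example, not code from LDAPUserFolder or from this how-to, showing what a Schema-tab mapping amounts to: LDAP attributes are copied onto Zope member properties, the "multi-valued" flag decides whether the first value or the whole list is taken, and an attribute whose target property was never created in portal_memberdata is reported rather than silently set. The login attribute is selectable so the same entry can be keyed on cn or, for Active Directory, sAMAccountName. All property names, the sample entry and the `proxyAddresses` mapping are constructed for the example.

```python
# Added example (not LDAPUserFolder code): apply a Schema-tab style mapping of LDAP
# attributes to Zope member properties, honouring the "multi-valued" flag and refusing
# to map onto properties that were never created in portal_memberdata. Names constructed.

# Properties assumed to exist in portal_memberdata (Plone defaults plus two added ones).
MEMBERDATA_PROPERTIES = {'fullname', 'email', 'phone', 'department'}

# LDAP attribute -> (Zope attribute, multi-valued). mail is kept single-valued on purpose:
# the first value is then mapped, which a mailto: link can use directly.
SCHEMA_MAP = {
    'cn': ('fullname', False),
    'mail': ('email', False),
    'telephoneNumber': ('phone', False),
    'ou': ('department', False),
    'proxyAddresses': ('aliases', True),   # target property not in portal_memberdata
}

# Constructed entry in the shape python-ldap returns (every value is a list).
SAMPLE_ENTRY = {
    'objectClass': ['user', 'person'],
    'cn': ['Alice Adams'],
    'sAMAccountName': ['aadams'],
    'mail': ['alice@example.org', 'alice.adams@example.org'],
    'telephoneNumber': ['+1 555 0100'],
    'ou': ['Engineering'],
    'proxyAddresses': ['smtp:alice@example.org', 'smtp:aadams@example.org'],
}


def map_entry(attrs, schema_map=SCHEMA_MAP, login_attr='cn',
              memberdata_properties=MEMBERDATA_PROPERTIES):
    """Return (properties, skipped).

    properties holds 'login' plus each mapped attribute; skipped lists the LDAP
    attributes whose target property is missing from portal_memberdata.
    Returns (None, []) when the entry lacks the login attribute, since such a
    user could never log in under that setting.
    """
    login_values = attrs.get(login_attr, [])
    if not login_values:
        return None, []
    props = {'login': login_values[0]}
    skipped = []
    for ldap_attr, (zope_attr, multi) in schema_map.items():
        values = attrs.get(ldap_attr, [])
        if not values:
            continue
        if zope_attr not in memberdata_properties:
            skipped.append(ldap_attr)
            continue
        # multi-valued: keep the whole list; single-valued: first value only
        props[zope_attr] = list(values) if multi else values[0]
    return props, skipped


def mailto_href(email):
    """Build a mailto: link; a list (multi-valued mapping) is rejected, which is
    the breakage the how-to warns about for the email attribute."""
    if not isinstance(email, str) or '@' not in email:
        return None
    return 'mailto:' + email


if __name__ == '__main__':
    for login_attr in ('cn', 'sAMAccountName'):
        props, skipped = map_entry(SAMPLE_ENTRY, login_attr=login_attr)
        print(login_attr, '->', props, 'skipped:', skipped)
        print('link:', mailto_href(props['email']))
```

Switching `mail` to `('email', True)` in `SCHEMA_MAP` makes `props['email']` a list and `mailto_href` returns None, which is the page's point about leaving the checkbox unset.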

Caveats

LDAPUserFolder-2.4 requires that your LDAP group objectclass refer to its members by their DN. If you are using the posixGroup schema, you are currently out of luck, since this stores its members by their uid (in memberUid). A very experimental patch to correct this issue is available here.

You will almost certainly be using an existing LDAP directory, which implies you already have some means of doing user management. For this reason, you probably want to leave your LDAPUserFolder to access the directory in read-only mode.

If you are using Active Directory for the LDAP server, you may have better luck using port 3268, instead of the standard port 389.

Tips on mappings

Posted by Paul Roeland at Dec 15, 2004 09:42 AM
If you first create extra properties in portal_memberdata in the ZMI, you can then map those to LDAP attributes. This can be handy to get telephone numbers, departments, etcetera into Plone, to then use this for instance in a company roster.

Furthermore: don't set the "multi-valued" checkbox on the LDAPUserFolder Schema tab for email, not even if your users actually have more aliases in LDAP. If you don't check it, LDAPUserFolder will simply map it to the first email value it finds for that entry, making it much easier to use this as an actual mailto: link.

Mapping schema to NT username

Posted by Sean Semone at Dec 16, 2004 08:05 PM
I found these instructions from a comment at http://plone.org/documentation-old/howto/LdapInWindows quite helpful as well.

If you leave the "Login Name Attribute" as "Canonical Name(cn)", users will have to log in using their full name (most likely first name and last name). If you want the user to log in using their NT username, you need to go to the LDAP Schema tab in your LDAPUserFolder object, and add "sAMAccountName". Then on the Configure tab, select "sAMAccountName" as the "Login Name Attribute". This will then use the old-style NT login name.

GRUF 3.1 and Plone 2.0

Posted by Adam Theo at Dec 25, 2004 02:57 AM
Users should note that use of Plone 2.0 with GRUF 3.1 is not fully functional. The problem is the API change from Plone 1.x to Plone 2.0, and GRUF is mostly built for Plone 1.x still. But don't worry, most GRUF 3.1 functionality will still work with Plone 2.0. Authentication, User Creation/Modification, and Group Creation/Modification do work. The only thing I have confirmed that does not work is being able to view an LDAP user's properties from the ZMI (such as when listing all users, and clicking on a user expecting to see their details). You receive an "AttributeError: <username>" error instead.

From what I can tell, this will be mostly fixed with Plone 2.1, so we just have to wait it out until that is released. But as I said, all basic functionality such as authentication and creation does work.

LDAPGroupFolder

Posted by Adam Theo at Dec 25, 2004 03:04 AM
I have confirmed that with Zope 2.7.3, Plone 2.0.4, LDAPUserFolder (LDAPUF) 2.4, and GroupUserFolder (GRUF) 3.1.1, it is possible to directly use your LDAP groups instead of defining them locally in Zope.

In the GRUF acl_users "Sources" tab, replace the "User Folder" for "Groups" with a "LDAPGroupFolder". After the brief configuration, make sure your "LDAPUserFolder" source has the base DN of your LDAP groups defined. Then you can list all groups you have in LDAP, change their memberships and associated roles.

I know this how-to did not say you could not use LDAPGroupFolder, but I thought I'd just post this to confirm with future LDAPUserFolder users that my setup and version numbers work with this.

posixGroup missing

Posted by Bernhard Snizek at Mar 09, 2005 09:24 AM
In order that your patches really work on an OpenLDAP server, please change utils.py from line 35 onwards:

GROUP_MEMBER_MAP = { 'groupOfUniqueNames' : 'uniqueMember'
                   , 'groupOfNames' : 'member'
                   , 'accessGroup' : 'member'
                   , 'group' : 'member'
                   # remember to add the posixGroup !!!!
                   , 'posixGroup' : 'member'
                   }

regards

Ole, Alcides & Bernhard, djh.dk
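The following is an added example, not code from LDAPUserFolder or from any of the posts above. It works through the two points the how-to makes about groups: the Caveats paragraph's observation that posixGroup stores members as bare uids in memberUid rather than as DNs, and the Groups-tab mapping of LDAP groups onto Zope roles (with "Default User Roles" supplying Anonymous and Member). A DN-valued member table in the shape of the GROUP_MEMBER_MAP above is extended with a uid-to-DN lookup for memberUid, and the `resolve_uids=False` switch shows what a DN-only implementation sees: posixGroup memberships vanish and the roles mapped from them are never granted. The base DNs, the sample directory, `UID_VALUED_ATTRS` and the group-to-role table are all constructed for the example.

```python
# Added example (not LDAPUserFolder code): resolve group membership for DN-valued
# and uid-valued group schemas, then derive the Zope/Plone roles that the Groups-tab
# mapping plus "Default User Roles" would give a user. All names below are constructed.

USER_BASE = 'ou=people,dc=example,dc=org'    # assumed users base DN
GROUP_BASE = 'ou=groups,dc=example,dc=org'   # assumed groups base DN

# Group objectclass -> attribute holding the members. The DN-valued entries mirror the
# shape of the utils.py table; posixGroup is listed with its real attribute, memberUid,
# whose values are bare uids rather than DNs.
GROUP_MEMBER_MAP = {
    'groupOfUniqueNames': 'uniqueMember',
    'groupOfNames': 'member',
    'accessGroup': 'member',
    'group': 'member',
    'posixGroup': 'memberUid',
}
UID_VALUED_ATTRS = {'memberUid'}  # member attributes that need a uid -> DN lookup

# LDAP group cn -> Zope role, as entered at the bottom of the Groups tab. Plone groups
# are Zope roles prefixed with group_; printmanagers is deliberately left unmapped so an
# administrative LDAP group does not surface in Plone.
GROUP_ROLE_MAP = {'editors': 'group_Editors', 'staff': 'Reviewer'}
DEFAULT_USER_ROLES = ['Anonymous', 'Member']

# Constructed sample directory: DN -> attributes, values as lists like python-ldap returns.
SAMPLE_DIRECTORY = {
    'uid=alice,' + USER_BASE: {'objectClass': ['inetOrgPerson'], 'uid': ['alice'],
                               'cn': ['Alice Adams']},
    'uid=bob,' + USER_BASE: {'objectClass': ['inetOrgPerson'], 'uid': ['bob'],
                             'cn': ['Bob Brown']},
    'cn=editors,' + GROUP_BASE: {'objectClass': ['groupOfNames'], 'cn': ['editors'],
                                 'member': ['uid=alice,' + USER_BASE]},
    'cn=staff,' + GROUP_BASE: {'objectClass': ['posixGroup'], 'cn': ['staff'],
                               'gidNumber': ['500'], 'memberUid': ['alice', 'bob']},
    'cn=printmanagers,' + GROUP_BASE: {'objectClass': ['posixGroup'], 'cn': ['printmanagers'],
                                       'gidNumber': ['501'], 'memberUid': ['bob']},
}


def member_attribute(group_entry):
    """Pick the member attribute for the first recognised group objectclass, else None."""
    for oc in group_entry.get('objectClass', []):
        if oc in GROUP_MEMBER_MAP:
            return GROUP_MEMBER_MAP[oc]
    return None


def dn_for_uid(directory, uid, user_base=USER_BASE):
    """Resolve a bare uid (a memberUid value) to the user DN under user_base."""
    for dn, attrs in directory.items():
        if dn.lower().endswith(user_base.lower()) and uid in attrs.get('uid', []):
            return dn
    return None


def group_member_dns(directory, group_dn, resolve_uids=True):
    """Members of a group as DNs.

    With resolve_uids=False the raw memberUid values are returned unchanged, which is
    how a DN-only implementation sees a posixGroup: its uids never match any user DN,
    so the membership is silently lost.
    """
    entry = directory[group_dn]
    attr = member_attribute(entry)
    if attr is None:
        return []  # unknown group schema: report nobody rather than guess
    values = entry.get(attr, [])
    if resolve_uids and attr in UID_VALUED_ATTRS:
        resolved = (dn_for_uid(directory, v) for v in values)
        return [dn for dn in resolved if dn is not None]
    return list(values)


def groups_for_user(directory, user_dn, resolve_uids=True):
    """Sorted cn values of the groups under GROUP_BASE that list user_dn as a member."""
    groups = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(GROUP_BASE.lower()):
            continue
        if user_dn in group_member_dns(directory, dn, resolve_uids):
            groups.append(attrs['cn'][0])
    return sorted(groups)


def roles_for_user(directory, user_dn, resolve_uids=True):
    """Default roles plus whatever the Groups-tab mapping grants for the user's groups."""
    roles = set(DEFAULT_USER_ROLES)
    for group in groups_for_user(directory, user_dn, resolve_uids):
        role = GROUP_ROLE_MAP.get(group)
        if role is not None:
            roles.add(role)
    return sorted(roles)


if __name__ == '__main__':
    for uid in ('alice', 'bob'):
        dn = dn_for_uid(SAMPLE_DIRECTORY, uid)
        print(uid, 'uid-aware:', roles_for_user(SAMPLE_DIRECTORY, dn),
              'DN-only:', roles_for_user(SAMPLE_DIRECTORY, dn, resolve_uids=False))
```

Run stand-alone it prints each user's roles twice: bob loses Reviewer in the DN-only pass because his only mapped group is a posixGroup, while alice keeps group_Editors because that group is a groupOfNames. Checking the two passes against each other is a cheap way to confirm a directory's group schema is actually being read before trusting the role mapping.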

installing python-ldap on suse linux

Posted by Peter Fraterdeus at Nov 10, 2005 04:16 AM
I had trouble getting python-ldap to install.
Finally had to reinstall openldap in order to get all the libs and includes in the right place.
This also required disabling the Berkeley DBs, which for some reason were not available in SuSE 9.
(I know I could have built BDB... will this break openldap??)

here are the steps I took to get python-ldap working:

cd /usr/local/src/
sudo lynx http://www.openldap.org/software/download/    # using version 2.3.11
sudo tar xzf openldap-2.3.11.tgz
cd openldap-2.3.11/
sudo ./configure --disable-bdb --disable-hdb    # hopefully ldap found some other db to use!
sudo make depend
sudo make
sudo make install

-------------------------------------------------------------

get most recent version of python-ldap from CVS

cd /usr/local/plone/varplone/
sudo cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/python-ldap login
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/python-ldap co -P python-ldap
cd /usr/local/plone/varplone/python-ldap/    # or wherever the package is
vi setup.cfg

    # edit setup.cfg
    # add /usr/local/lib and /usr/local/include
    library_dirs = /usr/lib/sasl2 /usr/local/lib
    include_dirs = /usr/include/sasl /usr/local/include

    # comment out following line which requires a bunch of other libs for high-security
    # libs = ldap_r lber sasl2 ssl crypto

python setup.py build
sudo python setup.py install
python Tests/Lib/test_ldapurl.py

>>>>>>>>>>>>>>>>>>>
Testing function isLDAPUrl():

Testing class LDAPUrl:
########################################################################
ldap://root.openldap.org/dc%3Dopenldap%2Cdc%3Dorg???
Parsing ok
Unparsing ok
etc...

Searching Broken in Plone 2.5/PlonePAS 2.0.1

Posted by Nick Couchman at Aug 16, 2006 03:49 PM
Searching for LDAP users in Plone 2.5 with PlonePAS 2.0.1 doesn't seem to work. Sharing folders with users becomes pretty useless when you can't locate the users because the search tool won't find them. Also, in the portal_memberdata tool, all of my LDAP users are listed as "orphaned" users. Hopefully this will get fixed, soon.

Article is outdated

Posted by Big Foot at Feb 28, 2007 04:00 PM
This article needs to be updated. It took me a long time to discover that I needed the LdapMultiPlugins product in order to effectively use the LdapUserFolder. The instructions in this article tripped me up right away because the description of the user interface is not correct. There isn't any "sources" tab in the Zope Management Interface (ver. 2.9). Unfortunately, the install docs for LdapUserFolder aren't very helpful since they don't even suggest the LdapMultiPlugins. Bottom line: For Plone 2.5 (Zope 2.9) install LdapUserFolder, LdapMultiPlugins and the GroupUserFolder products. Then, in the acl_users for the site, add the "LDAP Multi Plugins."