Using LDAP in Windows

Active Directory Authentication via LDAP - for win32. This document needs updating to reflect use of PlonePAS instead of GRUF with Plone 2.5.x

Active Directory Authentication via LDAP - for !win32

NOTE: Apparently there may be a glitch in this for cases where the AD is on a Windows 2000 system. It is guaranteed to work on Windows Server 2003 AD systems, however...stay tuned!

So you want to use your Active Directory server to authenticate users for your Plone site, hmm? Well, this is the spot. I'm assuming you're running a Plone/Zope server on a !Win32 box, I personally used Windows Server 2003, but it won't make a difference one way or the other. One word of warning, however - I'm assuming this is a pristine installation of Plone over a Zope install (not the Plone Win32 installer), and/or you don't have any users you need to save inside your Plone site's acl_users. Your mileage may vary!

The way we're going to do this is by using something called !LDAPUserFolder, which will replace the default acl-users folder of Plone. !LDAPUserFolder will talk to your Active Directory server using LDAP, or Lightweight Directory Access Protocol, a standard method of sharing directory service data between systems. Now, Plone/Zope doesn't talk LDAP by default, so we'll have to go ahead and enable that first using a little tool called Python-LDAP...

As far as my adventures are concerned, Python doesn't play well with Windows systems as easily as one would hope. Thus, some kind folks have provided users such as ourselves with a fairly recent binary (pre-compiled, just plug and chug files) distribution. So as your first step to getting all of this working, go ahead and download the Python-LDAP binaries....

So now you have this Zip file. Go ahead and unzip that first (it might be easiest if you stick it on the Desktop). Then, pull up your Zope directory, and go to lib, then python. You should see a folder chock full of various folders and python scripts - these are all modules used by Zope, so don't poke at anything. Set that window aside for now. Next, you'll want to select everything in the PYTHON21 directory inside the Python-LDAP folder, copy it, then paste it into the lib/python directory you have open in the other window (don't close the /lib/python/ window, we'll use it later). That's it for getting Zope ready to talk LDAP. Next, we'll go ahead and install !LDAPUserFolder so that we can start authorizing your AD users.

First things first, you need to grab !LDAPUserFolder from the good folks over at dataflake.org...

It's a !GZipped tarball, so this means you'll have you use a program such as WinAce Archiver to go ahead and decompress the files (I use !WinAce, it works, I recommend it). Next, you'll need to pull up the /lib/python window again, and now open up the Products directory in there. You should see a whole bunch of folders, and very few python files. Inside the now decompressed tarball, you will find a folder named !LDAPUserFolder. Copy that into the Products directory.

Go into the Zope Management Interface (http://yoursite:8080/manage/) and restart the Zope server (Control Panel -> Restart) to complete the !LDAPUserFolder installation.

Using the ZMI which is still open, go to your Plone site's root folder. Select your existing acl_users folder (check the box on the left), then scroll down and hit Delete. Now you want to add a !LDAPUserFolder using the "Add" listbox at the top.

Assuming everything up to here has gone peachy, you should be presented with the Configure page of your new acl_users folder, courtesy of !LDAPUserFolder. I'll run down the whole gamut of options:

  • Title - An arbitrary name for your !LDAPUserFolder. I chose "wavelengths Staff", you can choose whatever works for you.
  • LDAP Server - This is where you stick either the IP address of FQDN of your Active Directory server.
  • Use SSL - Leave this unchecked, it works well that way.
  • Read-only - You're better off checking this box. That way any user won't be able to change accounts in your Active Directory from your Plone site. If you don't check it, users can change their passwords and various pulled AD schema through !LDAPUserFolder, but so can folks that don't really belong there (security is a must, people!).
  • Login Name Attribute - By default, this should read "Canonical Name (cn)". Leave it that way.
  • RDN Attribute - By default, this should also read "Canonical Name (cn)". Leave this alone, too.
  • Users Base DN - This looks complicated, doesn't it? Well no worries, it's pretty simple. Right now, wavelengths' Active Directory setup has all the user and group accounts in a folder called Users (most of you will, too - check by using Active Directory Users and Computers from your server), and the wavelengths domain in the newer DNS format is "wlj.wavelengthsjournal.com" (it'll be yourdomain.yourcompanywebsite.com most likely, just like this). This means that this field for my site looks like "cn=users,dc=wlj,dc=wavelengthsjournal,dc=com".
    • So to recap, cn= wherever you have your users and groups located, usually a folder named users in Active Directory
    • Also, instead of being one string separated by periods, your domain's sections are each in dc= bits. i.e. if your domain is conglomo.weownyou.com, it would look like "dc=conglomo,dc=weownyou,dc=com" in LDAP
    • If your company stores your users and/or groups in a folder called Users and your domain is enron.sec.gov, your entry here would look like "cn=users,dc=enron,dc=sec,dc=gov".
  • Users Base DN - Scope - This is "SUBTREE" by default, and that will do just fine - leave it that way.
  • Groups Storage - This defaults to "Groups stored on LDAP server" - once again, this will do fine for most purposes. If you have any business changing this, you probably don't have any business in this howto!
  • Groups Base DN - Okay, pretty much the same deal as Users Base DN. In fact, if you keep your groups and users in the same folder in your Active Directory, you can just copy the entry in Users Base DN over here. Otherwise, simply replace "cn=users" or whatever you had for where you keep your users to "cn=[where you keep your groups]".
  • Groups Base DN - Scope - As with Users Base DN, leave this at "SUBTREE", its default.
  • Manager DN - This can get a bit tricky if your organization did something funky with your default Administrator. However, I'm going to assume that you are in possession of the password for the domain account Administrator at this moment in time (if you aren't, you should be). What you want to do is type in "cn=administrator", then a comma, then copy-and-paste your entry from Users Base DN.
    • This step should look a bit like "cn=administrator,cn=users,dc=wlj,dc=wavelengthsjournal,dc=com", but customized to your situation of course.
    • Also, please note that if you use an account other than Administrator, it MUST be a Domain Admin. No guarantees it'll work, as I just used my good ole default Administrator account, but it just has to be somebody who has permissions to mess with the AD domain, hence a Domain Admin should do the trick.
  • Manager DN - Password - Self explanatory. Type in the password to the Administrator (or other account you decided to use) account here.
  • User password encryption - Defaults to SHA, that encryption method will work just fine for you, don't mess with it.
  • Default User Roles - This defaults to Anonymous, but you might find it best to set it to Authenticated. This setting defines how your Active Directory groups will be treated by Zope/Plone's roles if it doesn't have a record of what that group should be otherwise. So if a user logs in with a valid Active Directory account but belongs to a group that you didn't say belongs to Role X, that user will be treated as a member of the role provided here. Authenticated should work for most people here - no special permissions, but a step above Anonymous.

Now hit Add, and you're done! Since I'm running out of Wiki room, most of you folks can deduce the rest. Good luck, and enjoy your !LDAPUserFolder!

A few notes using LDAP with Zope on Windows 2000

Installing the software

At first I tried SMB with XUF, but I could not browse the users (maybe just me?) so I decided to go with LDAP.

I got most of my information from the other page LdapInWindows. But here are a few things that I needed to do get things working. I repeat some of what is on the other page which helped me understand things.

You need python libraries to get access to LDAP, and then a Zope product that uses those libraries do the authentication. The python libraries are provided by the python-ldap project at sourceforge which provides a wrapper around the OpenLDAP C library . Unfortunately, Windows is not a priority for either of those project groups, and the only win32 binaries I could find are those by volderw at zope.org

The zope product is pure python (does not need win32 compilation) and is available at dataflake . Volderw's binaries are recent, so you can ignore the warning on the download page.

Although the versions and the links (updated above) are a little out of date, everything else about installing LdapInWindows worked really well, so I won't duplicate it.

Setting up the LDAP User Folder

I found the instructions in LdapInWindows excellent but our AD server has got users in different OUs. In order to find out where I needed to look I used an LDAP browser. There is a java browser floating around, but I used the Windows ldp.exe. To get this you may need to install the windows support tools.

The most important thing I found out was that it is the bindDN and bindPassword that you need to set to get access to the server. This is the real name of the ManagerDN and ManagerPassword that LDAP User Folder calls it. The instructions on LdapInWindows for Manger DN and password worked perfectly for getting my bind DN and password.

Once I got the LDAP browser working, all I needed to do was find the appropriate OU that contained my groups users, copy the DN and paste it into the Users/Groups Base DN on the LDAP User Folder configuration screen. From there it was dead easy to get everything working.

Options for using LDAP User Folder in Plone

You can replace the Plone user folder or replace the user folder in GRUF with the LDAP user folder. If you replace the Plone user folder, all you need to do is map LDAP groups to whichever zope roles you want them to have. You can then assign local roles to groups by using LDAP satellite user folders. Each satellite lets you map LDAP groups to whichever roles you want to give them in that folder. I like this better than using normal local roles. It is easier to manage and more explicit.

The other option is to use LDAPuf with GRUF. It was easy to replace the GRUF user folder with LDAP uf, the interesting thing is getting the groups to work automatically. I tried replacing the group folder in GRUF as the source of the groups, with the content type set to group, but although this is supposed to work in the most recent version by setting the content type, it did not. It also looks like it should work if you have your groups logically seperated from your users in your AD server. For now, I'm manually creating the groups in the standard GRUF group folder and mapping the LDAP groups to the manually created GRUF groups. However, this gives no advantage over using plain LDAP uf with satellites. I guess the advantage would come if you want to use multiple user sources with GRUF2.

Anyway, I hope these few added note are useful to someone.

SSL: leave unchecked...

Posted by Sean Semone at Dec 06, 2004 08:34 PM
I note that the instructions mention leaving SSL unchecked when specifying the AD server If I do that, then what (if any?) encryption is happening between the AD server and my Zope/Plone instance?

Python-LDAP binaries and Win 2003 Server

Posted by ttishgar at Dec 09, 2004 01:55 PM
I noted that I had to "upgrade" from python-2.2 ldap to the python-2.3-ldap-2.0.0pre11.win32 when I installed it on my Win 2003 Server. Otherwise, the LDAPUserFolder product would break (was non-functional). Not sure if others are having this same issue.

I tried all this but did not work

Posted by prashantkhanna at May 31, 2005 02:13 PM
I did exactly what was in the article but i was not able to see ldap folder in add list

python-ldap problem

Posted by Peter Mathis at Jan 18, 2006 12:07 PM
we had the same problem with python-2.3-ldap -2.0.0pre11.win32.zip from zope.org. after we've replaced the python module with the 2.0.4 binaries from http://www.agescibs.org/mauro/ it worked

Same

Posted by Avery Coleman at Sep 06, 2006 07:34 PM
I did the same exact thing, then I figured that you just had to create another folder and name it as "LDAP" folder for users.. But I tried that and the folder's options werent the same, and there was no configuration page to intergrate it with active directory..

Active Directory Connection + Manager not Needed for Read Only/Authenticate

Posted by Elizabeth Leddy at Nov 03, 2005 12:09 AM
FYI, I set up a read only/authenticate LDAP folder with a user that had read only privileges. To do this, use all of the setting above except:
Manager DN - CN=<read only users canonical name>
Password - read only users password
Manager DN Usage - Always
User password encryption - SHA (note, my Active Directory connection would not work at all without this setting)

Login Name Attribute doesn't work

Posted by Matt Robinson at Feb 02, 2006 12:14 AM
I banged my head against a wall for quite a while before figuring this out. I got everything working to the point that only my domain admin could log in, but nobody else could even if they were in the same OU in Active Directory. In the zope management interface while I was looking at the LDAPUserFolder properties I noticed a tab up top that said LDAP schema. I've setup other apps to authenticate to my AD, namely Jive Messenger (now called wildfire), and it used sAMAccountName instead of CN for the username field. I added sAMAccountName as an LDAP schema item and set that as the Login Name attribute and walla! Everyone authenticates now! Thanks for the this tutorial. Hope this bit of info helps someone else out.

Delete acl_users?

Posted by Chris Boswell at Mar 23, 2006 08:55 PM
This will not work. The moment you delete that folder, it deletes the username you are currently logged in as. I followed these instructions and the moment I I delected my acl_users folder, I immediately could not do anything further. It kept asking me to log in and of course the folder, which contains the users, was gone so there was no way to log back in. I had to reinstall everything again.

Not Zopes acl_users

Posted by Josh Metcalfe at Mar 28, 2006 05:25 PM
Your Plone instance has it's on "acl_users" folder. That is the folder you should delete. The ZMI will still work since its "acl_users" folder is still there.

Root Folder
  + Control Panel
  - Plone
     ...
     * acl_users <-- delete this
     ...
  acl_users <-- do NOT delete this

Still confused

Posted by Chris Boswell at Mar 29, 2006 05:43 PM
Sounds like you said. Under Root Folder + Control Panel
acl_users <--- delete this
acl_users <--- do NOT delete this.
Sounds like you are saying delete the green folder but not the green folder.

When I click on the Root Folder in the left hand pane, I have 1 acl_users folder. When I click on the + by Control Panel I get a list that says
Database
Products
TranslationServices

At the same level but below Control Panel on the left hand side there is
+Plone
Below it there is
acl_users
temp_folder
@Zope Corporation Refresh.

Now then. Which can I safely delete according to the instructions.

line breaks not preserved

Posted by Josh Metcalfe at Mar 29, 2006 06:59 PM
For some reason only when two line breaks are entered are they preserved but single line breaks are not...

Login into the ZMI. In the outline you'll see that there are two acl_users folders (by default once Zope and Plone are installed)

Root Folder > Plone > acl_users <-- delete this

In the above case "Plone" is whatever id you gave your plone instance. If you used the Windows installer it's "Plone" by default.

Root Folder > acl_users <-- do NOT delete this

To acl_users or not to acl_users...

Posted by Andy Sibley at Apr 06, 2006 10:47 PM
I've been trying this "procedure" for several days now. I can correctly configure the /Plone/acl_users and test them against Active Directory. However after doing that and stopping and starting Plone if I then log in as "admin" into the ZMI (configured via /acl_users) I cannot then gain access to the /Plone/acl_users Groups and Users. It attempts to authenticate the user "admin" against the AD and refuses access to the Groups and Users tabs! "admin" isn't a valid user in the Windows AD.

Is there a way out of this brick wall? My head's beginning to hurt!

Commercial Product

Posted by Alan Runyan at Apr 06, 2006 11:15 PM
Enfold Server, http://enfoldsystems.com/Products/Server does LDAP/Active Directory integration out-of-the-box. To remind people that there are many aspects that can be used for LDAP: Users and Groups can be stored optionally in various datasources using PlonePAS (Upcoming in 2.5) and in Enfold Server 2.8 and above. If you want to demo this functionality without setting it up you can try the Enfold Server product on a free 30 day trial. I would suggest trying it just to see if its what you want.

No 'sources' tab

Posted by Imrahjel at Jun 21, 2006 12:27 PM
Hi,

i'm french.

I use Plone v2.5.0 with Zope v2.9 and Python v2.5.3 on a Windows XP Pro computer.
I installed everything as mentionned, the LDAP seems to be well configured, but I still have a problem.

When I go in my new 'acl_users', the one under my Plone site in the ZMI, I can't find the 'Source' tab as wanted.

I try several times to install the Plone package, and I can't resolve this problem. I can find groups and users with the LDAP tool in the ZMI.

And the last, after I restarted my Zope Server, when I try to access my Plone site, I've got a message instead of the login box saying : "Le cookie a été désactivé. La portlet permettant de s'identifier n'est pas disponible. ". Translated in english, it will be something like "The cookie is disabled. The identifying portlet is not available."

I'm lost!
Thanks in advance.
Imrahjel
Paris (France)

Re: No 'sources' tab

Posted by David L Ernstrom at Jan 23, 2007 03:38 PM
Issue #1: Source Tab
The source tab comes from adding a group-aware user folder. Instead of adding LDAPUserFolder, add a GroupUserFolder. This will have a sources tab as you expect. At this point, you can set an LDAP user folder as your Users source #1.

Issue #2: Login Portlet Not Available
When you deleted the acl_users from your plone instance, you also deleted an instance of Cookie Crumbler named credentials_cookie_auth. Within your plone instance, add an instance of Cookie Crumbler and name it credentials_cookie_auth. This will resolve that Disabled Cookies, login portlet not available message. I know I struggled with that one for a few days.

Issue #3: (If you haven't hit this one yet, you will in a bit) must_change_password
You'll end up with some error saying that a property doesn't exist called must_change_password. From what I can gather, this property is initially set to true and is what flags the system to force you to change your password upon first login. Using LDAP as the user/password database, you have no need of relying on plone for this password changing support. You can find an instance of PlonePAS MemberData Tool named portal_memberdata. Click on the properties tab and then add a new property with the following structure: Name - must_change_password, Type - boolean, Value - False. This will complete your ability to use LDAP as an authorization metnod.

-David

Almost there

Posted by Ben at Jun 12, 2007 10:23 PM
So I have followed the instrucions, including the very helpful comments, and everything is looking good, Except, Groups are being listed as users, and the users are no where to be seen. They are bothe stored at CN=Users. Anyone else run into this, and what do you think I should look at first to fix this? Tahnks you so much for your help.

Ben

Same Issue - Groups Enumerate but no Users

Posted by J Nigon at May 21, 2008 03:36 PM
I had the same issue as Ben. Could have saved a couple days if I had started with the following link instead: http://plone.org/products/ploneldap

Using LDAP UserFolder alone did not work correctly in my AD (enterprise). Adding PloneLDAP and Multiplugins corrected my enumeration problems.

Jeremy