Authenticating with Active Directory

by Alan Runyan last modified Dec 30, 2008 03:01 PM

How to make Plone authenticate against Active Directory. (document needs updating because Plone 2.5.x uses PlonePAS instead of GRUF)

Introduction

This document shows you how to authenticate against Active Directory with Plone. It also works with normal LDAP servers, although the parameters in the examples are for AD. These directions assume you are working on RedHat 8.0, so some minor changes will be needed for other systems. Also, since your DNs are probably not "adolor.com", you'll need to change that as well.

If you want to authenticate against a non-AD domain, you can't use LDAP, so you will want to look at HowToexUserFolder. This would be a good thing to read even if you can use LDAP.

Install LDAP for Zope

  • install the openLDAP RPMs
    • openldap-2.0.27-2.8.0
    • openldap-devel-2.0.27-2.8.0

Install python-ldap

  • wget http://www.open-it.org/download/redhat7.2/RPMS/python-ldap-2.0.0pre05-1.i386.rpm
  • rpm -i python-ldap-2.0.0pre05-1.i386.rpm
  • cd $ZOPEBASE/lib/python2.1
  • ln -s /usr/lib/python2.1/site-packages/_ldap.so .

Test Python/LDAP integration

  • $ZOPEBASE/bin/python (to make sure you get the same copy of python that Zope runs)
  • import _ldap (no errors is good)

Install LDAPUserFolder

  • wget http://www.dataflake.org/software/ldapuserfolder/LDAPUserFolder-2_1beta2.tgz
  • cd $ZOPEBASE/lib/python/Products
  • tar xvzf LDAPUserFolder-2_1beta2.tgz
  • chown -R zope:zope LDAPUserFolder (the original read chmod, which does not accept an owner:group argument)
  • restart Zope and verify that the LDAPUserFolder is not broken

Create acl_user object

  • go into the ZMI and go into the desired folder
  • remove the existing acl_users folder, if needed
  • add a LDAPUserFolder object with these parameters:
    • Title: Adolor Employees
    • LDAP Server: servername
    • Read-only: (checked)
    • Users Base DN: cn=users,dc=adolor,dc=com
    • Groups Base DN: cn=users,dc=adolor,dc=com
    • Manager DN: cn=administrator,cn=users,dc=adolor,dc=com
    • Password: (current domain administrator password)
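Before creating the object it is worth sanity-checking the parameters, since the DNs must be edited for your own domain and the bind account needs only read access. The following is an added example, not part of the original howto or of LDAPUserFolder: it parses the DNs above and flags the usual mistakes. The dict keys, the check rules and the suggestion of a dedicated read-only bind account are assumptions of this example.

```python
import re

# The parameters from this howto, as a dict (constructed sample, not Plone's own format).
PAGE_CONFIG = {
    "server": "servername",
    "read_only": True,
    "users_base_dn": "cn=users,dc=adolor,dc=com",
    "groups_base_dn": "cn=users,dc=adolor,dc=com",
    "manager_dn": "cn=administrator,cn=users,dc=adolor,dc=com",
}

def parse_dn(dn):
    """Split a DN into lower-cased (type, value) pairs.

    Splits only on commas that are not backslash-escaped, so a value such as
    'cn=Smith\\, John' stays intact. Values are lower-cased because AD
    compares DNs case-insensitively.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",").lower()))
    return pairs

def domain_suffix(dn):
    """Trailing dc= components of a DN, e.g. [('dc', 'adolor'), ('dc', 'com')]."""
    suffix = []
    for pair in reversed(parse_dn(dn)):
        if pair[0] != "dc":
            break
        suffix.insert(0, pair)
    return suffix

def check_config(cfg):
    """Return a list of warnings for the given LDAPUserFolder parameters."""
    warnings = []
    if not cfg.get("read_only"):
        warnings.append("Read-only is unchecked; Zope could modify the directory")
    dns = [cfg["users_base_dn"], cfg["groups_base_dn"], cfg["manager_dn"]]
    suffixes = {tuple(domain_suffix(d)) for d in dns}
    if len(suffixes) != 1 or () in suffixes:
        warnings.append("DNs do not share one dc= domain suffix; edit them for your own domain")
    if parse_dn(cfg["manager_dn"])[0] == ("cn", "administrator"):
        warnings.append("Manager DN is the domain Administrator account; bind with a dedicated read-only account instead")
    return warnings

if __name__ == "__main__":
    for w in check_config(PAGE_CONFIG):
        print("WARNING:", w)
```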

Test authentication

  • in the ZMI, navigate to the new acl_user object
  • click on the users tab
  • enter a user's login id that exists in the AD
  • it should display the DN record for that user
  • create a folder in the same folder as the acl_user object (check to create a public interface)
  • change the security on the folder to disallow view by anonymous
  • test the access into that folder for valid and invalid userid/password combinations

Notes:

  • Once you have a working LDAP-enabled acl_users object, it's tempting to use the ZMI's copy/paste to put it into another portal folder. Don't do it. Build the new one from scratch, to avoid much weird behavior.
  • If you're using Community Enabler, you will also need to go to portal_skins/plone_forms/logged_in and "customize".