LDAP Authentication with Plone (versions 2.1.x and 2.0.x only and NOT 2.5 or later)

by FarcePest — last modified Dec 30, 2008 03:02 PM

Here are some general tips on how to get Plone versions 2.1.x or earlier working with LDAP authentication. This is NOT RELEVANT to Plone 2.5 or later (using PlonePAS)

Prerequisites

LDAPUserFolder-2.4 or newer
GroupUserFolder-2.0.1 or newer; 3.1.1 also seems to work
LDAPUserFolderExt is in general not needed unless you run older GroupUserFolders or have very particular requirements.
Warning! This HOWTO applies to Plone 2.1.x and earlier. For 2.5 or later, LDAP authentication is done with PlonePAS, which works differently, and is described at http://plone.org/documentation/how-to/plone-2-5-and-openldap-integration-for-users-and-groups

Users

It is assumed that Plone is not the root of your Zope site, i.e. there is a higher-level acl_users which has a user with Manager role. You will use this user to configure the acl_users in your Plone site.

Through the Zope Management Interface (ZMI), enter the acl_users of your Plone site. Click on the Sources tab. You should see that both the Group source and Users source are a User Folder; this is the Plone default. Replace the Users source with an LDAPUserFolder; you must check the "I'm sure" box for this to work. NOTE: Do not replace the Group source; leave it as a User Folder. If your pre-existing User Folder has users in it, you can probably just add the LDAPUserFolder as an additional Users source.

Once you have done this, you should be in the setup for the LDAPUserFolder. Most of these settings require some knowledge of LDAP to set correctly, and every LDAP installation is different; if it is not immediately obvious what most of the settings should be, consult your LDAP directory administrator. I recommend that you use the LDAP server read-only (at least initially), and that you configure it for Groups Stored on LDAP Server. If you want to use the LDAP bind for authentication, set the encryption to clear.

Save your changes, and test your settings on the Users and Groups tabs. You should be able to search for users and list your groups.

Groups

Even though you may have set LDAPUserFolder to use LDAP groups, these will not automatically correspond to Plone's groups; a little more work is required.

Go into Plone's interface (do this in a separate window to save time later), and enter the plone setup area, and select Users and Groups Administration. Here you can add your Plone groups.

Once you've added some Plone groups, switch back to the ZMI for the LDAPUserFolder, and click on the Groups tab. This will have a listing of all your LDAP groups. At the bottom of the page, you can map LDAP groups to Zope roles. The Plone groups are really Zope roles, but they all start with group_. Create any required mappings.

If you want all users in your LDAP directory to be Members of the site, it is probably sufficient to add Member to the Default User Roles field in the LDAPUserFolder configuration. Since all users need the Anonymous role, this would be Anonymous,Member. You should also add the LDAP objectclass that is used by all your users to User object classes; this will help narrow your search and make it a bit faster in most cases.

An alternative is to map one or more groups to the Member or Reviewer role.

Why to manually set up the Plone groups

Contributed by paulr

It may seem tedious to manually set up the "Groups" folder in Plone, especially when they are already setup in LDAP anyway. But there are definite advantages:

if you use your LDAP as single sign-on, you'll probably have all kinds of "administrative" groups in there, that should not appear in Plone (Printmanagers, Samba stuff, DomainAdmins, whatever...)
often LDAP groupnames are named by system administrators. This gives you a chance to map short, mnemonic names in LDAP into something more user-friendly on-screen in Plone
The biggest drawback of the current Plone-LDAP integration status is that you can only search for users in the cache, not in the complete LDAP. With your groups as "normal" Plone groups, at least all group names will appear on the "sharing" tab.

Options

With contributions from paulr

If you first create extra properties in portal_memberdata in the ZMI, you can then map those to LDAP attributes. This can be handy to get telephone numbers, departments, etcetera into Plone, to then use this for instance in a company roster.

Furthermore: don't set the "multi-valued" checkbox on the LDAPUserFolder Schema tab for email, not even if your users actually have more aliases in LDAP. If you don't check it, LDAPUserFolder will simply map it to the first email value it finds for that entry, making it much easier to use this as an actual mailto: link.

You can use the Schema tab in the LDAPUserFolder to map certain LDAP attributes to Zope attributes. Some useful ones:

cn to fullname (on most LDAP servers)
fullName to fullname (on Novell Directory Server)
mail to email

Caveats

LDAPUserFolder-2.4 requires that your LDAP group objectclass refer to it's members by their DN. If you are using the posixGroup schema, you are currently out of luck, since this stores its members by their uid (in memberUid). A very experimental patch to correct this issue is available here.

You will almost certainly be using an existing LDAP directory, which implies you already have some means of doing user management. For this reason, you probably want to leave your LDAPUserFolder to access the directory in read-only mode.

If you are using Active Directory for the LDAP server, you may have better luck using port 3268, instead of the standard port 389.

Attention