LDAP and Active Directory Authentication in Plone

In this presentation, we will discuss the benefits of having Plone authenticate against a directory server. We will explore which tools are available to make this authentication option successful as well as how to configure them. Finally, disadvantages and possible problems with such a setup will be discussed.

Transcript of LDAP and Active Directory Authentication in Plone

  • 1. Clayton Parker, Senior Developer. LDAP and Active Directory Authentication in Plone. PLONE CONFERENCE 2010, Wednesday, October 27, 2010

  • 2. Who Am I? claytron; Python dev since 2003; Plone Core Committer; Foundation Member

  • 3. What Will We Learn? What is LDAP; Why we use it; Integration with Plone

  • 4. What is LDAP? Lightweight Directory Access Protocol; Telephone Book; X.500

  • 5. Why LDAP? Existing tool; Consistency

  • 6. Plone + LDAP: Excellent integration; Plone layer

  • 7. Installing LDAP: OpenLDAP; Dev headers; python-ldap

  • 8. Plone Pieces (buildout parts):

        [instance]
        recipe = plone.recipe.zope2instance
        eggs =
            ...
            plone.app.ldap
        zcml =
            ...
            plone.app.ldap

        [plonesite]
        recipe = collective.recipe.plonesite
        profiles = plone.app.ldap:ldap

  • 9. That's It!

  • 10. What is Installed? plone.app.ldap; PloneLDAP; LDAPMultiPlugins; LDAPUserFolder; python-ldap

  • 11. PAS Adapters: Authentication (authenticateCredentials); Group_Enumeration (enumerateGroups); Group_Introspection (getGroupById); Groups (getGroupsForPrincipal); Properties (getPropertiesForUser); User_Enumeration (enumerateUsers)

  • 12. Example LDIF (the RDN value of the groups entry must match its ou attribute, so it is "groups", not "group"):

        dn: dc=bluthcompany,dc=com
        dc: bluthcompany
        description: The best company in the whole world
        objectClass: dcObject
        objectClass: organization
        o: Bluth Company

        dn: ou=people,dc=bluthcompany,dc=com
        ou: people
        description: All the people in the organization
        objectClass: organizationalUnit

        dn: ou=groups,dc=bluthcompany,dc=com
        ou: groups
        description: Groups of people
        objectClass: organizationalUnit

  • 13. Users:

        dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
        objectclass: inetOrgPerson
        objectclass: person
        cn: Kitty Sanchez
        givenName: Kitty
        sn: Sanchez
        uid: ksanchez
        mail: [email protected]
        userPassword: ksanchez

        dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
        objectclass: inetOrgPerson
        objectclass: person
        cn: Byron Bluth
        givenName: Byron
        sn: Bluth
        uid: bbluth
        mail: [email protected]
        userPassword: bbluth

  • 14. Groups:

        dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com
        objectclass: groupOfUniqueNames
        objectclass: top
        cn: bluthcompany
        uniqueMember: uid=mbluth,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=gbluth,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=lbluth,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com

        dn: cn=family,ou=groups,dc=bluthcompany,dc=com
        objectclass: groupOfUniqueNames
        objectclass: top
        cn: family
        uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=tfunke,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=lfunke,ou=people,dc=bluthcompany,dc=com
        uniqueMember: uid=sholt,ou=people,dc=bluthcompany,dc=com

        dn: uid=lbluth,ou=people,dc=bluthcompany,dc=com

  • 15. Schema (slapd.conf includes):

        include /usr/local/etc/openldap/schema/core.schema
        include /usr/local/etc/openldap/schema/cosine.schema
        include /usr/local/etc/openldap/schema/inetorgperson.schema

  • 16. Add Info:

        $ ldapadd -H ldap://localhost -D cn=Manager,dc=bluthcompany,dc=com -w secret -f bluth.ldif

  • 17. Plone Setup

  • 18. Users

  • 19. Groups

  • 20. Map Groups to Roles

  • 21. Map LDAP Attributes into Plone

  • 22. Active Directory: Alternate port that speaks LDAP on 3268; sAMAccountName; groupid_attr property to "name"; Group recursion may not work

  • 23. Running Without LDAP: Local instance; Protected LDAP

  • 24. Plonesite part:

        [plonesite]
        recipe = collective.recipe.plonesite
        pre-extras = ${buildout:directory}/bin/disable_ldap.py

  • 25. The disable_ldap.py script run as pre-extras (the `portal` object is provided by collective.recipe.plonesite):

        # id of the ldap plugin in the PloneSite/acl_users
        ldap_plugin_id = "ldap-plugin"

        # turn off the ldap plugin for local testing
        interfaces = [
            "IAuthenticationPlugin",
            "ICredentialsResetPlugin",
            "IGroupEnumerationPlugin",
            "IGroupsPlugin",
            "IPropertiesPlugin",
            "IRoleEnumerationPlugin",
            "IRolesPlugin",
            "IUserEnumerationPlugin",
        ]

        # this code is mostly taken from
        # Products.PluggableAuthService.plugins.BasePlugin.manage_activateInterfaces
        ldap_plugin = portal.acl_users[ldap_plugin_id]
        pas_instance = ldap_plugin._getPAS()
        plugins = pas_instance._getOb('plugins')

        # resolve each interface name to the interface object PAS expects
        active_interfaces = []
        for iface_name in interfaces:
            active_interfaces.append(plugins._getInterfaceFromName(iface_name))

        # deactivate the ldap plugin for every interface; KeyError means it was already off
        for iface in active_interfaces:
            try:
                plugins.deactivatePlugin(iface, ldap_plugin_id)
            except KeyError:
                print "%s plugin already disabled for %s" % (iface, ldap_plugin_id)

  • 26. Debugging Issues: Set log-level to debug; User search in ZMI

  • 27. Links: plone.app.ldap http://pypi.python.org/pypi/plone.app.ldap; Apache Directory Studio http://directory.apache.org/studio/; disable_ldap.py http://gist.github.com/648864

  • 28. Check out sixfeetup.com/demos
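As an added example (not code from the talk, plone.app.ldap or LDAPUserFolder), here is a pure-Python model of two of the PAS adapters on slide 11, Authentication and Groups, run against a constructed cut of the LDIF on slides 12 to 14, so the lookups can be traced without a directory server. The parser, function names and the empty-password check are assumptions of this model; a real plugin verifies the password by binding to the server as the user rather than reading userPassword, and swaps the login attribute from uid to sAMAccountName for Active Directory as slide 22 describes.

```python
# Constructed sample (not from the talk), cut down from its LDIF slides: two users, two groups.
SAMPLE_LDIF = """\
dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
uid: ksanchez
userPassword: ksanchez

dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
uid: bbluth
userPassword: bbluth

dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com
objectclass: groupOfUniqueNames
cn: bluthcompany
uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com

dn: cn=family,ou=groups,dc=bluthcompany,dc=com
objectclass: groupOfUniqueNames
cn: family
uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
"""

def parse_ldif(text):
    """Plain LDIF (no line folding, no base64 '::' values) -> {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()   # attribute names are case-insensitive
        if not attr:                # a blank line ends the current record
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def authenticate_credentials(entries, login, password, login_attr="uid"):
    """Model of authenticateCredentials: resolve login (uid; sAMAccountName on AD), check password."""
    if not password:    # DN plus empty password is an unauthenticated bind (RFC 4513 5.1.2): refuse it
        return None
    for attrs in entries.values():
        if login in attrs.get(login_attr, []) and attrs.get("userpassword") == [password]:
            return (attrs[login_attr][0], login)    # (user_id, login) as the PAS adapter returns
    return None

def groups_for_principal(entries, user_id, login_attr="uid"):
    """Model of getGroupsForPrincipal: cn of each groupOfUniqueNames entry listing the user's DN."""
    user_dns = {dn for dn, a in entries.items() if user_id in a.get(login_attr, [])}
    return sorted(a["cn"][0] for a in entries.values()
                  if "groupofuniquenames" in map(str.lower, a.get("objectclass", []))
                  and user_dns.intersection(a.get("uniquemember", [])))
```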