LDAP and Active Directory Authentication in Plone

In this presentation, we will discuss the benefits of having Plone authenticate
against a directory server. We will explore which tools are available to make
this authentication option successful as well as how to configure them.
Finally, disadvantages and possible problems with such a setup will be
discussed.

Presentation Transcript

    • LDAP and Active Directory Authentication in Plone
      Clayton Parker, Senior Developer
      PLONE CONFERENCE 2010, Wednesday, October 27, 2010
    • Who Am I?
      • claytron
      • Python dev since 2003
      • Plone Core Committer
      • Foundation Member
    • What Will We Learn?
      • What is LDAP
      • Why we use it
      • Integration with Plone
    • What is LDAP?
      • Lightweight Directory Access Protocol
      • Telephone Book
      • X.500
    • Why LDAP?
      • Existing tool
      • Consistency
    • Plone + LDAP
      • Excellent integration
      • Plone layer
    • Installing LDAP
      • OpenLDAP
      • Dev headers
      • python-ldap
    • Plone Pieces (buildout)

          [instance]
          recipe = plone.recipe.zope2instance
          eggs =
              ...
              plone.app.ldap
          zcml =
              ...
              plone.app.ldap

          [plonesite]
          recipe = collective.recipe.plonesite
          profiles = plone.app.ldap:ldap

    • That’s It!
    • What is Installed?
      • plone.app.ldap
      • PloneLDAP
      • LDAPMultiPlugins
      • LDAPUserFolder
      • python-ldap
    • PAS Adapters
      • Authentication (authenticateCredentials)
      • Group_Enumeration (enumerateGroups)
      • Group_Introspection (getGroupById)
      • Groups (getGroupsForPrincipal)
      • Properties (getPropertiesForUser)
      • User_Enumeration (enumerateUsers)
    • Example LDIF

          dn: dc=bluthcompany,dc=com
          dc: bluthcompany
          description: The best company in the whole world
          objectClass: dcObject
          objectClass: organization
          o: Bluth Company

          dn: ou=people,dc=bluthcompany,dc=com
          ou: people
          description: All the people in the organization
          objectClass: organizationalUnit

          # the ou value must match the RDN (ou=groups), otherwise ldapadd rejects the entry
          dn: ou=groups,dc=bluthcompany,dc=com
          ou: groups
          description: Groups of people
          objectClass: organizationalUnit

    • Users

          dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
          objectclass: inetOrgPerson
          objectclass: person
          cn: Kitty Sanchez
          givenName: Kitty
          sn: Sanchez
          uid: ksanchez
          mail: ksanchez@example.com
          userPassword: ksanchez

          dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
          objectclass: inetOrgPerson
          objectclass: person
          cn: Byron Bluth
          givenName: Byron
          sn: Bluth
          uid: bbluth
          mail: bbluth@example.com
          userPassword: bbluth

    • Groups

          dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com
          objectclass: groupOfUniqueNames
          objectclass: top
          cn: bluthcompany
          uniqueMember: uid=mbluth,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=gbluth,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=lbluth,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com

          dn: cn=family,ou=groups,dc=bluthcompany,dc=com
          objectclass: groupOfUniqueNames
          objectclass: top
          cn: family
          uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=tfunke,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=lfunke,ou=people,dc=bluthcompany,dc=com
          uniqueMember: uid=sholt,ou=people,dc=bluthcompany,dc=com

          # the slide is cut off here; the rest of this entry is not shown
          dn: uid=lbluth,ou=people,dc=bluthcompany,dc=com
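To see what the PAS adapters above actually do against this LDIF, here is an added in-memory model (example code, not from the talk or from plone.app.ldap): it parses a constructed subset of the slides' LDIF, resolves groupOfUniqueNames membership the way a getGroupsForPrincipal adapter does, and models the search-then-bind authentication step with the empty-password check a real deployment needs, since an empty bind password is treated as an anonymous bind by LDAP servers.

```python
# Added example, not from the talk: in-memory model of the LDAP PAS lookups, fed with a constructed subset of the slides' LDIF.
SAMPLE_LDIF = """\
dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
uid: ksanchez
userPassword: ksanchez

dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
uid: bbluth
userPassword: bbluth

dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com
objectclass: groupOfUniqueNames
cn: bluthcompany
uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com

dn: cn=family,ou=groups,dc=bluthcompany,dc=com
objectclass: groupOfUniqueNames
cn: family
uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
"""
def parse_ldif(text):
    """Parse simple LDIF (no line folding) into {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            current = None              # a blank line ends the entry
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def groups_for_principal(entries, uid):
    """getGroupsForPrincipal: groups whose uniqueMember lists the user's DN."""
    dn = "uid=%s,ou=people,dc=bluthcompany,dc=com" % uid
    return sorted(e["cn"][0] for e in entries.values()
                  if "groupOfUniqueNames" in e.get("objectclass", [])
                  and dn in e.get("uniquemember", []))

def authenticate(entries, uid, password):
    """Search-then-bind as LDAPUserFolder does; here the bind is a plaintext compare."""
    if not password:  # on a real server an empty bind password means an anonymous bind
        return None
    for dn, attrs in entries.items():
        if attrs.get("uid") == [uid] and attrs.get("userpassword") == [password]:
            return dn
    return None
```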
    • Schema (slapd.conf)

          include /usr/local/etc/openldap/schema/core.schema
          include /usr/local/etc/openldap/schema/cosine.schema
          include /usr/local/etc/openldap/schema/inetorgperson.schema

    • Add Info

          $ ldapadd -H ldap://localhost -D cn=Manager,dc=bluthcompany,dc=com -w secret -f bluth.ldif
    • Plone Setup
    • Users
    • Groups
    • Map Groups to Roles
    • Map LDAP Attributes into Plone
    • Active Directory
      • Alternate port that speaks LDAP: 3268
      • sAMAccountName
      • groupid_attr property set to "name"
      • Group recursion “may not work”
    • Running Without LDAP
      • Local instance
      • Protected LDAP
    • Plonesite part

          [plonesite]
          recipe = collective.recipe.plonesite
          pre-extras = ${buildout:directory}/bin/disable_ldap.py
    • disable_ldap.py (Python 2, as run by collective.recipe.plonesite, which passes `app` and `portal` to pre-extras scripts)

          # id of the ldap plugin in PloneSite/acl_users
          ldap_plugin_id = "ldap-plugin"

          # turn off the ldap plugin for local testing
          interfaces = [
              "IAuthenticationPlugin",
              "ICredentialsResetPlugin",
              "IGroupEnumerationPlugin",
              "IGroupsPlugin",
              "IPropertiesPlugin",
              "IRoleEnumerationPlugin",
              "IRolesPlugin",
              "IUserEnumerationPlugin",
          ]

          # this code is mostly taken from
          # Products.PluggableAuthService.plugins.BasePlugin.manage_activateInterfaces
          ldap_plugin = portal.acl_users[ldap_plugin_id]
          pas_instance = ldap_plugin._getPAS()
          plugins = pas_instance._getOb('plugins')

          # resolve each interface name to the interface object the plugin registry expects
          active_interfaces = []
          for iface_name in interfaces:
              active_interfaces.append(plugins._getInterfaceFromName(iface_name))

          # deactivatePlugin raises KeyError if the plugin is not active for that interface
          for iface in active_interfaces:
              try:
                  plugins.deactivatePlugin(iface, ldap_plugin_id)
              except KeyError:
                  print "%s plugin already disabled for %s" % (iface, ldap_plugin_id)
    • Debugging Issues
      • Set log-level to ‘debug’
      • User search in ZMI
    • Links
      • plone.app.ldap: http://pypi.python.org/pypi/plone.app.ldap
      • Apache Directory Studio: http://directory.apache.org/studio/
      • disable_ldap.py: http://gist.github.com/648864
    • Check out sixfeetup.com/demos