LDAP and Active Directory Authentication in Plone

LDAP and Active Directory Authentication in Plone Clayton Parker, Senior Developer PLONE CONFERENCE 2010 Wednesday, October 27, 2010

Who Am I? PLONE CONFERENCE 2010 • claytron • Python dev since 2003 • Plone Core Committer • Foundation Member Wednesday, October 27, 2010

What Will We PLONE CONFERENCE 2010 Learn? • What is LDAP • Why we use it • Integration with Plone Wednesday, October 27, 2010

What is LDAP? PLONE CONFERENCE 2010 • Lightweight Directory Access Protocol • Telephone Book • X.500 Wednesday, October 27, 2010

Why LDAP? PLONE CONFERENCE 2010 • Existing tool • Consistency Wednesday, October 27, 2010

Plone + LDAP PLONE CONFERENCE 2010 • Excellent integration • Plone layer Wednesday, October 27, 2010

Installing LDAP PLONE CONFERENCE 2010 • OpenLDAP • Dev headers • python-ldap Wednesday, October 27, 2010

Plone Pieces PLONE CONFERENCE 2010 [instance] recipe = plone.recipe.zope2instance eggs = ... plone.app.ldap zcml = ... plone.app.ldap [plonesite] recipe = collective.recipe.plonesite profiles = plone.app.ldap:ldap Wednesday, October 27, 2010

PLONE CONFERENCE 2010 That’s It! Wednesday, October 27, 2010

What is Installed? PLONE CONFERENCE 2010 • plone.app.ldap • PloneLDAP • LDAPMultiPlugins • LDAPUserFolder • python-ldap Wednesday, October 27, 2010

PAS Adapters PLONE CONFERENCE 2010 • Authentication (authenticateCredentials) • Group_Enumeration (enumerateGroups) • Group_Introspection (getGroupById) • Groups (getGroupsForPrincipal) • Properties (getPropertiesForUser) • User_Enumeration (enumerateUsers) Wednesday, October 27, 2010

Example LDIF PLONE CONFERENCE 2010 dn: dc=bluthcompany,dc=com dc: bluthcompany description: The best company in the whole world objectClass: dcObject objectClass: organization o: Bluth Company dn: ou=people, dc=bluthcompany,dc=com ou: people description: All the people in the organization objectClass: organizationalUnit dn: ou=groups,dc=bluthcompany,dc=com ou: group description: Groups of people objectClass: organizationalUnit Wednesday, October 27, 2010

Users PLONE CONFERENCE 2010 dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com objectclass: inetOrgPerson objectclass: person cn: Kitty Sanchez givenName: Kitty sn: Sanchez uid: ksanchez mail: ksanchez@example.com userPassword: ksanchez dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com objectclass: inetOrgPerson objectclass: person cn: Byron Bluth givenName: Byron sn: Bluth uid: bbluth mail: bbluth@example.com userPassword: bbluth Wednesday, October 27, 2010

Groups PLONE CONFERENCE 2010 dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com objectclass: groupOfUniqueNames objectclass: top cn: bluthcompany uniqueMember: uid=mbluth,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=gbluth,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=lbluth,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com dn: cn=family,ou=groups,dc=bluthcompany,dc=com objectclass: groupOfUniqueNames objectclass: top cn: family uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=tfunke,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=lfunke,ou=people,dc=bluthcompany,dc=com uniqueMember: uid=sholt,ou=people,dc=bluthcompany,dc=com dn: uid=lbluth,ou=people,dc=bluthcompany,dc=com Wednesday, October 27, 2010

Schema PLONE CONFERENCE 2010 include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema Wednesday, October 27, 2010

Add Info PLONE CONFERENCE 2010 $ ldapadd -H ldap://localhost -D cn=Manager,dc=bluthcompany,dc=com -w secret -f bluth.ldif Wednesday, October 27, 2010

Plone Setup PLONE CONFERENCE 2010 Wednesday, October 27, 2010

Users PLONE CONFERENCE 2010 Wednesday, October 27, 2010

Groups PLONE CONFERENCE 2010 Wednesday, October 27, 2010

Map Groups to PLONE CONFERENCE 2010 Roles Wednesday, October 27, 2010

Map LDAP PLONE CONFERENCE 2010 Attributes into Plone Wednesday, October 27, 2010

Active Directory PLONE CONFERENCE 2010 • Alternate port that speaks LDAP on 3268 • sAMAccountName • groupid_attr property to "name" • Group recursion “may not work” Wednesday, October 27, 2010

Running Without PLONE CONFERENCE 2010 LDAP • Local instance • Protected LDAP Wednesday, October 27, 2010

Plonesite part PLONE CONFERENCE 2010 [plonesite] recipe = collective.recipe.plonesite pre-extras = ${buildout:directory}/bin/disable_ldap.py Wednesday, October 27, 2010

# id of the ldap plugin the PloneSite/acl_users PLONE CONFERENCE 2010 ldap_plugin_id = "ldap-plugin" # turn off the ldap plugin for local testing interfaces = [ "IAuthenticationPlugin", "ICredentialsResetPlugin", "IGroupEnumerationPlugin", "IGroupsPlugin", "IPropertiesPlugin", "IRoleEnumerationPlugin", "IRolesPlugin", "IUserEnumerationPlugin" ] # this code is mostly taken from # Products.PluggableAuthService.plugins.BasePlugin.manage_activateInterfaces ldap_plugin = portal.acl_users[ldap_plugin_id] pas_instance = ldap_plugin._getPAS() plugins = pas_instance._getOb('plugins') active_interfaces = [] for iface_name in interfaces: active_interfaces.append(plugins._getInterfaceFromName(iface_name )) for iface in active_interfaces: try: plugins.deactivatePlugin(iface, ldap_plugin_id) except KeyError: print "%s plugin already disabled for %s" % (iface, ldap_plugin_id) Wednesday, October 27, 2010

Debugging Issues PLONE CONFERENCE 2010 • Set log-level to ‘debug’ • User search in ZMI Wednesday, October 27, 2010

Links PLONE CONFERENCE 2010 • plone.app.ldap http://pypi.python.org/pypi/plone.app.ldap • Apache Directory Studio http://directory.apache.org/studio/ • disable_ldap.py http://gist.github.com/648864 Wednesday, October 27, 2010

Check out .co m/d emos s ixfeetup Wednesday, October 27, 2010

LDAP and Active Directory Authentication in Plone

by Clayton Parker on Oct 27, 2010

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 3

Statistics

LDAP and Active Directory Authentication in Plone Presentation Transcript

http://coderwall.com	2
http://www.superiorjv.edu.ec	1