LDAP and Active Directory Authentication in Plone

In this presentation, we will discuss the benefits of having Plone authenticate
against a directory server. We will explore which tools are available to make
this authentication option successful as well as how to configure them.
Finally, disadvantages and possible problems with such a setup will be
discussed.

Transcript of "LDAP and Active Directory Authentication in Plone"

  1. LDAP and Active Directory Authentication in Plone
     Clayton Parker, Senior Developer
     PLONE CONFERENCE 2010, Wednesday, October 27, 2010

  2. Who Am I?
     • claytron
     • Python dev since 2003
     • Plone Core Committer
     • Foundation Member

  3. What Will We Learn?
     • What is LDAP
     • Why we use it
     • Integration with Plone

  4. What is LDAP?
     • Lightweight Directory Access Protocol
     • Telephone Book: a hierarchical, read-mostly directory of people, groups and their attributes
     • X.500: LDAP is the lightweight (TCP/IP) successor to the X.500 directory access protocol

  5. Why LDAP?
     • Existing tool: the organisation already runs a directory, so reuse it instead of keeping a second user database in Plone
     • Consistency: one account and one password everywhere, and one place to disable an account when someone leaves

  6. Plone + LDAP
     • Excellent integration
     • Plone layer: plone.app.ldap puts a Plone control panel on top of the Zope LDAP user folder stack

  7. Installing LDAP
     • OpenLDAP
     • Dev headers: the OpenLDAP client (and SASL) headers are needed to compile python-ldap
     • python-ldap
  8. Plone Pieces

       [instance]
       recipe = plone.recipe.zope2instance
       eggs =
           ...
           plone.app.ldap
       zcml =
           ...
           plone.app.ldap

       [plonesite]
       recipe = collective.recipe.plonesite
       profiles = plone.app.ldap:ldap
  9. That's It!

  10. What is Installed?
     • plone.app.ldap: the control panel and the GenericSetup profile
     • PloneLDAP: Plone-specific variants of the LDAP PAS plugins
     • LDAPMultiPlugins: wraps LDAPUserFolder as PAS plugins
     • LDAPUserFolder: the Zope user folder that does the actual searches and binds
     • python-ldap: the client library underneath all of it

  11. PAS Adapters (the plugin interfaces the LDAP plugin implements, with the method PAS calls)
     • Authentication (authenticateCredentials): looks up the login in the directory and binds as the user's DN with the supplied password
     • Group_Enumeration (enumerateGroups)
     • Group_Introspection (getGroupById)
     • Groups (getGroupsForPrincipal): the groups a user belongs to, which "Map Groups to Roles" builds on
     • Properties (getPropertiesForUser): LDAP attributes mapped into Plone member data
     • User_Enumeration (enumerateUsers): user search
  12. Example LDIF

       dn: dc=bluthcompany,dc=com
       dc: bluthcompany
       description: The best company in the whole world
       objectClass: dcObject
       objectClass: organization
       o: Bluth Company

       dn: ou=people,dc=bluthcompany,dc=com
       ou: people
       description: All the people in the organization
       objectClass: organizationalUnit

       dn: ou=groups,dc=bluthcompany,dc=com
       # the naming attribute must carry the RDN value ("groups", not "group"),
       # otherwise slapd refuses the entry and ldapadd stops here
       ou: groups
       description: Groups of people
       objectClass: organizationalUnit

  13. Users

       # demo data only: the passwords are cleartext and equal to the uid.
       # Outside a throwaway directory store hashed values ({SSHA}...) and
       # never derive a password from the login.
       dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
       objectclass: inetOrgPerson
       objectclass: person
       cn: Kitty Sanchez
       givenName: Kitty
       sn: Sanchez
       uid: ksanchez
       mail: ksanchez@example.com
       userPassword: ksanchez

       dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
       objectclass: inetOrgPerson
       objectclass: person
       cn: Byron Bluth
       givenName: Byron
       sn: Bluth
       uid: bbluth
       mail: bbluth@example.com
       userPassword: bbluth

  14. Groups

       dn: cn=bluthcompany,ou=groups,dc=bluthcompany,dc=com
       objectclass: groupOfUniqueNames
       objectclass: top
       cn: bluthcompany
       uniqueMember: uid=mbluth,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=gbluth,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=lbluth,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=ksanchez,ou=people,dc=bluthcompany,dc=com

       dn: cn=family,ou=groups,dc=bluthcompany,dc=com
       objectclass: groupOfUniqueNames
       objectclass: top
       cn: family
       uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=tfunke,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=lfunke,ou=people,dc=bluthcompany,dc=com
       uniqueMember: uid=sholt,ou=people,dc=bluthcompany,dc=com

       # the slide ends with the start of one more entry; its attributes were cut off
       # dn: uid=lbluth,ou=people,dc=bluthcompany,dc=com
  15. Schema (slapd.conf)

       include /usr/local/etc/openldap/schema/core.schema
       include /usr/local/etc/openldap/schema/cosine.schema
       include /usr/local/etc/openldap/schema/inetorgperson.schema

     core.schema provides organizationalUnit and groupOfUniqueNames; the inetOrgPerson class used for the users needs cosine.schema and inetorgperson.schema, in that order.

  16. Add Info

       $ ldapadd -H ldap://localhost -D cn=Manager,dc=bluthcompany,dc=com -w secret -f bluth.ldif

     -w puts the manager password on the command line, where it shows up in the process list and the shell history; -W prompts for it instead.
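Before the ldapadd above it pays to check the LDIF for the mistakes that later surface as "no users" or "no group members" in Plone: an entry whose RDN value is missing from its own attributes (slapd rejects it and ldapadd stops half-way through the file, which is exactly what the "ou: group" typo on slide 12 would do), a uniqueMember DN that names no entry (slapd accepts it silently, and the user never appears in the group), and cleartext userPassword values. The following is an added example and not code from the talk, plone.app.ldap or OpenLDAP; the embedded LDIF is constructed to mirror the bluthcompany data with the typo kept on purpose, and {SSHA}demo-hash is a placeholder rather than a real hash.

```python
"""Pre-flight checks for an LDIF file before it goes into ldapadd.
Added example, not code from the talk, plone.app.ldap or OpenLDAP."""

# Constructed sample mirroring the talk's bluthcompany data, with the
# 'ou: group' typo kept on purpose. {SSHA}demo-hash is a placeholder.
SAMPLE_LDIF = """\
dn: dc=bluthcompany,dc=com
dc: bluthcompany
objectClass: dcObject
objectClass: organization
o: Bluth Company

dn: ou=people,dc=bluthcompany,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=bluthcompany,dc=com
ou: group
objectClass: organizationalUnit

dn: uid=ksanchez,ou=people,dc=bluthcompany,dc=com
objectClass: inetOrgPerson
cn: Kitty Sanchez
sn: Sanchez
uid: ksanchez
userPassword: ksanchez

dn: uid=bbluth,ou=people,dc=bluthcompany,dc=com
objectClass: inetOrgPerson
cn: Byron Bluth
sn: Bluth
uid: bbluth
userPassword: {SSHA}demo-hash

dn: cn=family,ou=groups,dc=bluthcompany,dc=com
objectClass: groupOfUniqueNames
cn: family
uniqueMember: uid=bbluth,ou=people,dc=bluthcompany,dc=com
uniqueMember: uid=tfunke,ou=people,dc=bluthcompany,dc=com
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]}), ...] in file order.
    Handles '#' comments and RFC 2849 folded lines (a leading space
    continues the previous line); '::' and ':<' values stay undecoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:              # the "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(":<").strip()
        if name == "dn":
            if current is not None:          # entries not blank-separated
                entries.append(current)
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def norm_dn(dn):
    """Case-fold and drop whitespace around commas (escaped commas in
    values are not handled; enough for comparing DNs within one file)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_ldif(text):
    """Return [(problem, subject), ...]; an empty list means clean."""
    entries = parse_ldif(text)
    known = {norm_dn(dn) for dn, _ in entries}
    findings = []
    for dn, attrs in entries:
        # slapd rejects an entry whose RDN value is absent from the attribute
        # it names ("naming attribute ... is not present in entry")
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        have = [v.lower() for v in attrs.get(rdn_attr.strip().lower(), [])]
        if rdn_value.strip().lower() not in have:
            findings.append(("missing-naming-attr", dn))
        # a member DN with no entry is accepted silently; the user simply
        # never shows up in that group on the Plone side
        for member in attrs.get("uniquemember", []) + attrs.get("member", []):
            if norm_dn(member) not in known:
                findings.append(("dangling-member", member))
        # hashed values carry a {SCHEME} prefix; anything else (including a
        # base64 '::' value, which deserves a look by hand) is reported
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):
                findings.append(("cleartext-password", dn))
    return findings


if __name__ == "__main__":
    for problem, subject in check_ldif(SAMPLE_LDIF) or [("ok", "no findings")]:
        print("%-22s %s" % (problem, subject))
```

Run against the sample it reports the ou=groups naming mismatch, the cleartext password on ksanchez and the dangling tfunke member; point it at your own file by replacing SAMPLE_LDIF with the file's contents. The member check only covers static groups (uniqueMember/member); memberOf-style back links are not part of an LDIF you would load yourself.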
  17. Plone Setup (slide title only; the content was shown live and is not in the transcript)

  18. Users (slide title only)

  19. Groups (slide title only)

  20. Map Groups to Roles (slide title only)

  21. Map LDAP Attributes into Plone (slide title only)
  22. Active Directory
     • AD also speaks LDAP on the Global Catalog port 3268 (3269 over TLS) next to the usual 389/636; the GC searches the whole forest but returns only the partial attribute set replicated to it
     • The login attribute is sAMAccountName, not uid
     • Set the plugin's groupid_attr property to "name"
     • Group recursion (nested groups) "may not work": test membership through a nested group before relying on it for role mapping
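The authentication step from slide 11 is two directory operations: search for the login id to find the user's DN, then bind as that DN with the supplied password. Both have a classic failure mode. The search filter is built from user input, so the login must be escaped per RFC 4515 or a login such as *)(uid=* turns "(uid=<login>)" into a filter that matches every user. And a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that Active Directory accepts by default as an anonymous session, which a plugin would take for a successful login. The following is an added example, not code from the talk, LDAPUserFolder or plone.app.ldap; it assumes the uid/inetOrgPerson pair from the talk's OpenLDAP data and sAMAccountName/user for AD, and implements the escaping itself (python-ldap's ldap.filter.escape_filter_chars does the same job) so it runs without a directory or extra packages.

```python
# Login lookup for an LDAP/AD directory: the two directory operations an
# LDAP authentication plugin performs, with their two classic pitfalls
# handled. Added example, not code from the talk or from LDAPUserFolder.

# login attribute and object class per directory flavour: uid/inetOrgPerson
# for the talk's OpenLDAP data, sAMAccountName/user for Active Directory
FLAVOURS = {
    "openldap": ("uid", "inetOrgPerson"),
    "ad": ("sAMAccountName", "user"),
}


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3. Backslash, '*',
    '(', ')' and NUL become \\XX hex escapes; every other character is
    passed through. Same job as python-ldap's escape_filter_chars."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_search_filter(login, flavour="openldap"):
    """Filter matching exactly the entry whose login attribute equals login."""
    if not login:
        raise ValueError("empty login id")
    attr, oc = FLAVOURS[flavour]
    return "(&(objectClass=%s)(%s=%s))" % (oc, attr, escape_filter_value(login))


def naive_user_search_filter(login, flavour="openldap"):
    """The same filter by plain interpolation. Kept only to make the
    injection visible: login '*)(uid=*' yields a filter matching everyone."""
    attr, oc = FLAVOURS[flavour]
    return "(&(objectClass=%s)(%s=%s))" % (oc, attr, login)


def select_user_dn(search_results):
    """Pick the DN to bind as from python-ldap style [(dn, attrs), ...].
    Zero hits is an unknown user; more than one means the filter was too
    loose or the directory holds duplicates, and the password must not be
    tried against a guessed account."""
    if len(search_results) != 1:
        raise LookupError("expected one entry, got %d" % len(search_results))
    return search_results[0][0]


def bind_credentials(dn, password):
    """Return (dn, password) for simple_bind_s. A simple bind with a DN and
    an empty password is an 'unauthenticated' bind (RFC 4513 5.1.2) that
    Active Directory accepts by default as an anonymous session, which a
    plugin would mistake for a successful login; refuse it here."""
    if not dn:
        raise ValueError("no DN to bind as")
    if not password:
        raise ValueError("empty password would become an anonymous bind")
    return dn, password


def directory_uri(host, flavour="openldap", tls=True, global_catalog=False):
    """Connection URI. For AD the Global Catalog (3268, 3269 over TLS) also
    speaks LDAP and spans the whole forest, but returns only the partial
    attribute set replicated to the GC; plain LDAP stays on 389/636."""
    if flavour == "ad" and global_catalog:
        port = 3269 if tls else 3268
    else:
        port = 636 if tls else 389
    return "%s://%s:%d" % ("ldaps" if tls else "ldap", host, port)


if __name__ == "__main__":
    # constructed inputs: a normal login and an injection attempt
    for login in ("ksanchez", "*)(uid=*"):
        print("naive :", naive_user_search_filter(login))
        print("safe  :", user_search_filter(login))
    print(directory_uri("dc01.bluthcompany.com", "ad", global_catalog=True))
```

The escaped filter for the injection attempt is "(&(objectClass=inetOrgPerson)(uid=\2a\29\28uid=\2a))", which can only match an entry whose uid is literally that string, while the naive one becomes "(&(objectClass=inetOrgPerson)(uid=*)(uid=*))". Whatever plugin you use, check that it escapes the login (LDAPUserFolder does) and that it never binds with an empty password; with AD, test both by hand against a non-production domain controller.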
  23. Running Without LDAP
     • Local instance: a developer's copy of the site usually cannot reach the directory, so the LDAP plugin has to be switched off for it to be usable
     • Protected LDAP: the production directory sits behind a firewall or VPN, and a dev box should not be holding the bind credentials for it anyway

  24. Plonesite part

       [plonesite]
       recipe = collective.recipe.plonesite
       pre-extras = ${buildout:directory}/bin/disable_ldap.py
  25. disable_ldap.py

       # Run by collective.recipe.plonesite as a pre-extras script, which
       # binds `portal` (the Plone site) in the script's namespace. It
       # deactivates the LDAP plugin for every PAS interface it is registered
       # under, so a local copy of the site works without reaching the directory.

       # id of the ldap plugin in the PloneSite/acl_users
       ldap_plugin_id = "ldap-plugin"

       # turn off the ldap plugin for local testing
       interfaces = [
           "IAuthenticationPlugin",
           "ICredentialsResetPlugin",
           "IGroupEnumerationPlugin",
           "IGroupsPlugin",
           "IPropertiesPlugin",
           "IRoleEnumerationPlugin",
           "IRolesPlugin",
           "IUserEnumerationPlugin",
       ]

       # this code is mostly taken from
       # Products.PluggableAuthService.plugins.BasePlugin.manage_activateInterfaces
       ldap_plugin = portal.acl_users[ldap_plugin_id]
       pas_instance = ldap_plugin._getPAS()
       plugins = pas_instance._getOb('plugins')

       active_interfaces = [plugins._getInterfaceFromName(name) for name in interfaces]
       for iface in active_interfaces:
           try:
               plugins.deactivatePlugin(iface, ldap_plugin_id)
           except KeyError:
               # the registry raises KeyError when the plugin is not active
               # for that interface, e.g. on a second run of the script
               print("%s plugin already disabled for %s" % (iface, ldap_plugin_id))
  26. Debugging Issues
     • Set log-level to 'debug' in the zope2instance part, so the LDAP plugin's queries and errors show up in the event log
     • User search in the ZMI: the plugin's search form shows whether the configured search base, scope and filter actually return the entry you expect

  27. Links
     • plone.app.ldap: http://pypi.python.org/pypi/plone.app.ldap
     • Apache Directory Studio: http://directory.apache.org/studio/
     • disable_ldap.py: http://gist.github.com/648864

  28. Check out sixfeetup.com/demos