Plone pas.plugins.ldap user/group search

Presentation given at PloneConf 2017: how to set up pas.plugins.ldap in Plone with your LDAP directory service

  1. LDAP integration with user/group search (in pas.plugins.ldap)
     Fred van Dijk (Zest Software)
  2. Welcome
     • About you
       • Integrator
       • Developer
       • How do I connect Plone to an LDAP user directory?
       • What’s new in pas.plugins.ldap?
     • About me
       • Fred van Dijk
       • Zest Software
       • Rotterdam - NL
       • Using Plone since 2002
       • From user to integrator, dev, consultant, trainer
  3. Agenda
     • Quick: what’s LDAP?
     • LDAP and organisations
     • Users/Groups in Plone
     • LDAP integration in Plone
     • pas.plugins.ldap
       • Install & setup
       • Sharing users/groups
       • Advanced setup
     • Wrap up
     • Questions
  4. Why LDAP
     • Centralised database of users and groups inside organisations
     • Old school: copy the users and groups file to different PCs
     • On UNIX this goes back a long way, to the 80s and 90s: NIS (Network Information Service), X.500
     • PCs: Windows LAN Manager, Novell NetWare 2/3
  5. From flat to hierarchical user databases
     • Organisational units, departments, mirror the org. structure
     • Some implementations
       • UNIX: SLAPD, Netscape Directory Server
       • Windows: NDS: Novell Directory Services
       • Windows: Microsoft Active Directory
     • LDAP: Lightweight Directory Access Protocol
     • Protocol becomes server, becomes protocol
  6. Users in Plone
     • Plone has its own user database
     • Works fine, but with larger organisations and/or many services you don’t want to maintain separate user/group lists for every service.
     • Connect to a central directory service that maintains users and groups
     • Authentication vs Authorisation
       • Who you are - which groups you belong to: ID - LDAP
       • What the ID is allowed to do: in the separate services
  7. What’s the problem for us?
     • Us being Plone users and integrators trying to set up LDAP
     • Multiple moving parts: LDAP is a protocol, the data depends on the directory service (LDAP implementations, AD), Zope, PAS, Plone config
     • You only set this up once for a project, until it works, then you don’t look back …
     • Everything is always (a bit) different
  8. Authentication in Zope
     • Plone is built on top of Zope - Zope is ‘mature’
     • acl_users folder - Zope simple user folder (1996?)
     • Products.LDAPUserFolder, replacement for acl_users (1.0beta2 from 2001)
     • Pluggable Authentication Service - Products.PlonePAS (version 2.3 from 2007)
     • PAS -> Products.LDAPMultiplugins -> (LDAPUserFolder)
  9. On top of Zope in Plone
     • Webmaster-facing configuration and support in Plone & control panel:
       • Products.PloneLDAP
       • plone.app.ldap
     • Wrapping the stuff on the previous page
     • That’s a lot of history and stack…
  10. pas.plugins.ldap
      • “New” implementation without depending on the existing plugins
      • Developed by BlueDynamics Alliance
      • Based on node and node.ext.ldap, a virtual node tree
      • Version 1.1.0 - 2014
      • Upgraded from bda.ldap - 2007 - so not that new
      • Can/should cache results in memcached - speed vs freshness
      • Not totally feature equivalent with plone.app.ldap
      • Underlying node.ext.ldap can also work with Pyramid
  11. And so it goes (with add-ons for Plone)
      • People start using and improving
      • Open source, on branches, sometimes with specifics for their organisation.
      • 2016 - fundraising to implement pagination in pas.plugins.ldap
      • Fixes and improvements by Asko Soukka from & for University of Jyväskylä
        • Speed optimisations for huge (university) directories
        • User search
      • Not yet merged to master, needs more testing
  12. Our ‘quest’ with pas.plugins.ldap
      • Have setups at different customers with the plone.app.ldap stack. Very stable, fire and forget, but old.
      • Pagination and unicode issues
      • Let’s test this pas.plugins.ldap stuff (on Plone 4)
      • Did fixes in the main branch and dependent packages, forked Asko’s branch for search fixes
      • Not yet merged to master either. Is this generic and stable enough?
  13. There’s some work to be done
      • Our versions available at
        • https://github.com/zestsoftware/pas.plugins.ldap & node.ext.ldap
        • http://pypi.zestsoftware.nl/public/
      • Sprint this Saturday / Sunday?
      • More documentation
      • Check changes and prepare merge back
  14. Demonstration
      • To test and demo this stuff: get your own LDAP server
      • Local setup of openldap on my Mac (quick show)
          > slapd -d1 -f slapd.conf -h "ldap://127.0.0.1:8389/"
      • Import users/groups with ldapadd and an ldif file
      • Querying locally on the command line:
          > ldapsearch -D "cn=root,dc=ldapdemo,dc=com" -w secret -p 8389 -h localhost -b "dc=ldapdemo,dc=com" -s sub "(objectclass=inetOrgPerson)"
  15. Browsing your LDAP
      • Apache Directory Studio
      • Cross platform
      • Big Java tool, has an LDAP browser but also a built-in LDAP server, maybe useful on Windows?
      • http://directory.apache.org/studio
      • Demo
  16. Configuring Plone
      • Demo in Plone 5.0.8
      • Buildout
        • pas.plugins.ldap in the eggs section of plone.recipe.zope2instance
        • Some version pinnings - You always pin your versions, right?
      • Show config in editor:
          # pas.plugins.ldap
          pas.plugins.ldap = 1.5.2+zest1
          node.ext.ldap = 1.0b4+zest1
          bda.cache = 1.2.0
          pylibmc = 1.5.1
          node = 0.9.16
          plumber = 1.3.1
          yafowil = 2.2
          yafowil.plone = 2.3.1
          PyYAML = 3.11
          loremipsum = 1.0.5
          node.ext.ugm = 0.9.8
          odict = 1.5.2
          python-memcached = 1.57
          smbpasswd = 1.0.2
          yafowil.widget.array = 1.4
          yafowil.widget.dict = 1.6
          yafowil.yaml = 1.2
          python-ldap = 2.4.45
  17. Configuring the plug-in
      • Activate add-on
      • Configuration panel. A lot of options
        • Server settings
        • User settings
        • Group settings
  18. Server settings
      • Use SSL in production
      • The manager user can/should be read only for safety in production setups
      • Ignore certificate check option for nasty in-company introspecting firewalls
      • Page size: fundraising option to not overquery a large LDAP
  19. User settings
      • Where are your users coming from?
      • Path in the directory
      • Can and sometimes should be recursive, depending on the structure
      • Limit your search, limit the objects returned for consideration
      • Same query language as ldapsearch on the command line
      • Keep objectClass at inetOrgPerson for now, the option is not finished yet
  20. User settings
      • User attribute aliases: which required Plone user attributes map to the attributes found on your objects in LDAP?
      • For my local LDAP it’s uid, but Active Directory often uses sAMAccountName
      • User property sheet: extra attributes coming into the Plone user object, full name, email, etc.
  21. Group support
      • Same drill as with users, inspect your directory first
      • Different options to support different LDAP backends: memberOf support on user objects, activated by default in Active Directory
  22. Mapping LDAP fields to user fields
      • There’s no one size fits all
      • Trial and error is very much that: a lot of trial, please don’t
      • Inspect your directory through an LDAP browser
  23. Actual objects in my local slapd demo server
  24. Demo of adding users on the sharing menu
      • Add users to sharing tab
      • Add groups to sharing tab
      • Search parts of a name with * syntax at the moment.
      • Also searches in other attributes like location or email
      • Should also work in the global sharing tab, but there is a bug in Plone 5.0.8, will investigate
      • Hierarchical searching - One Level - Subtree
  25. Example of LDAP object in Active Directory
  26. Better performance
      • ALWAYS use memcached with pas.plugins.ldap in production; use the system supplied memcached or install it with buildout:
          [memcached]
          recipe = zc.recipe.cmmi
          url = http://www.memcached.org/files/memcached-1.5.2.tar.gz

          [supervisor]
          recipe = collective.recipe.supervisor
          …..
          programs =
              80 memcached (stderr_logfile=NONE stdout_logfile=${buildout:directory}/var/log/memcached-stdout.log) ${memcached:location}/bin/memcached [ -m ${conf:memcached-size} -l localhost -p ${conf:memcached} -U ${conf:memcached} ] true
  27. Automatic configuration
      • Generic Setup:
        • ldap_settings.xml
        • Configure and export with portal_setup
        • Don’t forget registry.xml with the memcached settings
      • Demo of ldapdemo.policy product
        • Show config in editor
        • Demo
  28. Final thoughts
      • This is not plug and play easy stuff
      • Know your directory, don’t trial and error attributes, use Apache Directory Studio to find them
      • Production:
        • SSL communication with LDAP
        • Read only admin user
      • Add-on still needs more polish
      • Plone 5 / Plone 4
  29. Thank You
      • Questions?
      • Sprint on pas.plugins.ldap improvements?
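A worked version of the user search from slides 19, 20 and 24, as an added example (not code from pas.plugins.ldap or from the presentation): it escapes the typed search term per RFC 4515 so a sharing-tab lookup can never inject extra filter clauses, keeps the `*` wildcard the slides mention, maps Plone's attributes to `uid` or `sAMAccountName`, and renders the matching ldapsearch call against the demo slapd from slide 14. The alias map, the scope labels and the helper names are assumptions for illustration, not the plugin's real settings keys.

```python
"""Build the LDAP filter behind a Plone user search and the equivalent
ldapsearch command. Added example; the alias map, scope labels and
function names are assumptions, not pas.plugins.ldap's own settings."""
import shlex

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Plone's required user attributes mapped to the directory's attributes
# (uid on OpenLDAP/inetOrgPerson, sAMAccountName on Active Directory).
ALIASES = {
    "openldap": {"id": "uid", "login": "uid", "fullname": "cn", "email": "mail"},
    "ad": {"id": "sAMAccountName", "login": "sAMAccountName",
           "fullname": "displayName", "email": "mail"},
}

# Scope labels as shown in the user settings, mapped to ldapsearch's -s argument.
SCOPES = {"One Level": "one", "Subtree": "sub"}


def escape_filter_value(value, allow_wildcard=False):
    """Escape a user-typed value for use inside an LDAP filter.

    '(' ')' '\\' and NUL are always encoded, so a search term can never close
    the assertion and append filter clauses of its own; '*' is kept only when
    the caller wants the wildcard syntax the sharing tab supports."""
    return "".join("*" if ch == "*" and allow_wildcard else _ESCAPES.get(ch, ch)
                   for ch in value)


def build_user_filter(term, backend, object_class="inetOrgPerson"):
    """AND the configured objectClass with an OR over the login, full name
    and email attributes, so 'fre*' also matches in those other attributes."""
    attrs = [ALIASES[backend][key] for key in ("login", "fullname", "email")]
    safe = escape_filter_value(term, allow_wildcard=True)
    ors = "".join("(%s=%s)" % (attr, safe) for attr in attrs)
    return "(&(objectClass=%s)(|%s))" % (object_class, ors)


def ldapsearch_command(base_dn, scope, ldap_filter, attrs=()):
    """Equivalent ldapsearch call for checking a filter by hand against the
    demo server; -W prompts for the bind password instead of -w on the command line."""
    args = ["ldapsearch", "-H", "ldap://127.0.0.1:8389/",
            "-D", "cn=root,dc=ldapdemo,dc=com", "-W",
            "-b", base_dn, "-s", SCOPES[scope], ldap_filter, *attrs]
    return " ".join(shlex.quote(a) for a in args)
```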
    Dec. 16, 2018
