In this presentation, we will discuss the benefits of having Plone authenticate
against a directory server. We will explore which tools are available to make
this authentication option successful as well as how to configure them.
Finally, disadvantages and possible problems with such a setup will be
discussed.
12. PLONE CONFERENCE 2010Example LDIF
dn: dc=bluthcompany,dc=com
dc: bluthcompany
description: The best company in the whole world
objectClass: dcObject
objectClass: organization
o: Bluth Company
dn: ou=people, dc=bluthcompany,dc=com
ou: people
description: All the people in the organization
objectClass: organizationalUnit
dn: ou=groups,dc=bluthcompany,dc=com
ou: group
description: Groups of people
objectClass: organizationalUnit
Wednesday, October 27, 2010
15. PLONE CONFERENCE 2010Schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
Wednesday, October 27, 2010
16. PLONE CONFERENCE 2010Add Info
$ ldapadd -H ldap://localhost -D cn=Manager,dc=bluthcompany,dc=com -w secret -f bluth.ldif
Wednesday, October 27, 2010
22. PLONE CONFERENCE 2010Active Directory
• Alternate port that speaks LDAP on 3268
• sAMAccountName
• groupid_attr property to "name"
• Group recursion “may not work”
Wednesday, October 27, 2010
24. PLONE CONFERENCE 2010Plonesite part
[plonesite]
recipe = collective.recipe.plonesite
pre-extras = ${buildout:directory}/bin/disable_ldap.py
Wednesday, October 27, 2010
25. PLONE CONFERENCE 2010
# id of the ldap plugin the PloneSite/acl_users
ldap_plugin_id = "ldap-plugin"
# turn off the ldap plugin for local testing
interfaces = [
"IAuthenticationPlugin",
"ICredentialsResetPlugin",
"IGroupEnumerationPlugin",
"IGroupsPlugin",
"IPropertiesPlugin",
"IRoleEnumerationPlugin",
"IRolesPlugin",
"IUserEnumerationPlugin"
]
# this code is mostly taken from
# Products.PluggableAuthService.plugins.BasePlugin.manage_activateInterfaces
ldap_plugin = portal.acl_users[ldap_plugin_id]
pas_instance = ldap_plugin._getPAS()
plugins = pas_instance._getOb('plugins')
active_interfaces = []
for iface_name in interfaces:
active_interfaces.append(plugins._getInterfaceFromName(iface_name ))
for iface in active_interfaces:
try:
plugins.deactivatePlugin(iface, ldap_plugin_id)
except KeyError:
print "%s plugin already disabled for %s" % (iface, ldap_plugin_id)
Wednesday, October 27, 2010