AD/LDAP authentication on Plone 5.0.4 on CentOS7

I've been running a small corporate intranet site for our local office for some time using Plone 3, recently upgraded to Plone 5. However, all of our content was "public", so we simply created logins for editors. Now, head office wants to develop an intranet (on a very tight schedule) and roll ours in. However, a requirement for them is that all content be secured, with users logging in using their Active Directory credentials. They're considering various platforms, of which Plone is one. They've set up a development server to test it on and installed Plone by using the unified installer and selecting a dev configuration. It has the following versions:

  • Plone 5.0.4 (5015)
  • CMF 2.2.10
  • Zope 2.13.24
  • Python 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
  • PIL 3.1.1 (Pillow)

This server is running CentOS 7.

I've attempted to install pas.plugins.ldap by simply adding pas.plugins.ldap to the eggs list in buildout.cfg, but when I run the buildout, I receive the following error:

Couldn't find index page for 'pas.plugins.ldap' (maybe misspelled?)
Getting distribution for 'pas.plugins.ldap'.
Couldn't find index page for 'pas.plugins.ldap' (maybe misspelled?)
While:
Installing instance.
Getting distribution for 'pas.plugins.ldap'.
Error: Couldn't find a distribution for 'pas.plugins.ldap'.

I've also installed pip, and attempted to install pas.plugins.ldap there, but without success. I'm not sure how relevant that is.

Even though I've been running Plone here for some time, I'm very new at this aspect, so any help would be very welcome.

Is pas.plugin.ldap the correct egg that I should be using? Do I have to do more than simply add it to the eggs list and run buildout?

If you get the error "Error: Couldn't find a distribution for 'pas.plugins.ldap'." then the package cannot be downloaded and installed in your Plone setup, so that is quite relevant. Could it be that your server on which Plone runs doesn't have access to the outside Internet? Can you log in to the server where the site is running and download the package manually to the server with for example wget or curl command line downloaders? (https://pypi.org/project/pas.plugins.ldap/#files has direct URLs to the package file)

Testing this doesn't install the package in Plone but would help you debug the cause and rule out network problems.

You describe that you are using a Plone site as intranet which was upgraded from Plone 3 to Plone 5, but 5.0.4 is already quite old. If you want to test add-on packages like pas.plugins.ldap you could try to use the latest 5.1.6 Plone version (5.0 and 5.1 are quite similar).

There have been some upgrades and changes to the central Python packaging infrastructure (pypi.org) in the last 1-2 years; you might need a recent Plone distribution to get add-on downloads from pypi.org working again.

Maybe too early (the plugins should download, install and be activated first in Plone): if you want some more information on setting up and configuring pas.plugins.ldap, there's a recording of a talk I gave in Barcelona in 2017 on using pas.plugins.ldap. Ignore the part on using custom releases to get wildcard search working: the latest official pas.plugins.ldap release supports wildcard search.

Thank you for the reply! The information about upgrading from 3 to 5 was for a different site -- I should have been clearer. This is a new site set up by our head office, so I didn't choose the installation version. I can look into upgrading it, though.

Downloading the pas.plugins.ldap-1.6.2.tar.gz from the site that you linked to the server in question using curl worked fine.

Okay, updated versioning information:

  • Plone 5.1.6 (5116)
  • CMF 2.2.13
  • Zope 2.13.29
  • Python 2.7.14 (default, Nov 11 2019, 09:55:37) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
  • PIL 6.1.0 (Pillow)

Can confirm that I continue to experience the same buildout results:

Uninstalling precompiler.
Uninstalling zopepy.
Uninstalling instance.
Installing instance.
Couldn't find index page for 'pas.plone.ldap' (maybe misspelled?)
Getting distribution for 'pas.plone.ldap'.
Couldn't find index page for 'pas.plone.ldap' (maybe misspelled?)
While:
Installing instance.
Getting distribution for 'pas.plone.ldap'.
Error: Couldn't find a distribution for 'pas.plone.ldap'.

Note from message above that getting the software manually via curl works properly.

Ah, now the problem could be different but more clear: the package name is pas.plugins.ldap, not pas.plone.ldap.
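The failure in this thread is a misspelled egg name, which buildout only reports as "Couldn't find index page". The following is an added example, not code from the thread or from buildout itself, of a small offline pre-check one can run against a buildout.cfg before a full buildout: it reads the eggs list, applies the same PEP 503 name normalisation the PyPI simple index uses, and reports any egg that does not resolve together with the closest known name. The buildout.cfg fragment and the list of known distributions are constructed for the example; a real check would query the index or a local mirror instead of a hard-coded list.

```python
import configparser
import difflib
import re

# Constructed buildout.cfg fragment (not the poster's real file). It uses the
# simple "key = value" form that configparser can read; buildout extensions
# such as "eggs +=" or ${section:option} substitutions are not handled here.
SAMPLE_BUILDOUT_CFG = """
[buildout]
extends = base.cfg
parts = instance

[instance]
recipe = plone.recipe.zope2instance
eggs =
    Plone
    pas.plone.ldap
"""

# Constructed stand-in for the package index so the check runs offline.
KNOWN_DISTRIBUTIONS = [
    "Plone",
    "pas.plugins.ldap",
    "pas.plugins.authomatic",
    "plone.recipe.zope2instance",
    "collective.saml2",
]


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lower-cased.

    This is the form the /simple/<name>/ index page is looked up under, so
    'Pas.Plugins_LDAP' and 'pas-plugins-ldap' are the same project.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Strip extras and version specifiers: 'Plone[archetypes]==5.1.6' -> 'Plone'."""
    return re.split(r"[\s\[=<>!~;]", spec.strip(), maxsplit=1)[0]


def eggs_from_buildout(cfg_text, section="instance"):
    """Return the egg specs listed under ``eggs`` in the given section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    raw = parser.get(section, "eggs", fallback="")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def check_eggs(egg_specs, known=KNOWN_DISTRIBUTIONS):
    """Map each unresolvable egg to the closest known name (or None).

    Eggs that resolve are omitted, so an empty dict means "all names found".
    """
    index = {normalize(k): k for k in known}
    problems = {}
    for spec in egg_specs:
        wanted = normalize(requirement_name(spec))
        if wanted in index:
            continue
        matches = difflib.get_close_matches(wanted, list(index), n=1, cutoff=0.6)
        problems[spec] = index[matches[0]] if matches else None
    return problems


if __name__ == "__main__":
    for egg, suggestion in check_eggs(eggs_from_buildout(SAMPLE_BUILDOUT_CFG)).items():
        hint = "did you mean %r?" % suggestion if suggestion else "no similar name known"
        print("egg %r not found in index: %s" % (egg, hint))
```

Run against the sample it flags `pas.plone.ldap` and suggests `pas.plugins.ldap`; a version-pinned entry such as `pas.plugins.ldap==1.6.2` passes because only the project name is compared.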

I feel like this is a Captain-Picard-With-His-Head-in-his-Hands moment. :)

Thank you! There were a couple of other hiccups but it seems to now be installed. At least this gave me time to review your video!

If you have ADFS installed I'd look at using SAML2 to integrate with your AD instead of LDAP, as your users won't have to sign in twice.

@djay do you know of any tutorial/manual/talk which showcases integrating ADFS with Plone? I've got an upcoming project for this and have seen quite a few 'low level' questions and answers here, but not a setup tutorial and recommended packages.

And a related question: integrating with ADFS means you don't need an LDAP/AD plugin anymore in Plone to query users/groups for managing, for example, the user lists for the @@sharing tab in Plone?

We have not explicitly set up ADFS. SSO would be a wonderful plus, but I don't know anything about this space, so I'd likely need very explicit instructions on setting it up, especially with Plone as nobody in our organization is exactly a Plone "expert". The LDAP setup is currently working, but I'm interested in this as an alternative option if there are such instructions available.

I haven't yet done an ADFS integration with collective.saml2, but I believe someone did it with Office365. @lewy company I think.

The readme for collective/collective.saml2 on GitHub ("Installation of SAML2 web single-sign-on for Plone (dm.zope.saml2)") is the closest tutorial, and it would be good to have that updated for the extra steps required for ADFS.

You don't get groups. I think you can have an option to get it to add users on auth, but I'd have to look at it again. Without adding users you can't look them up in sharing.

I've thought about how to get groups as well and you have two possibilities.

a) Use both LDAP and SAML2 together. PAS lets you mix and match like this; however, currently collective.saml2/dm.saml2 is done in such a way that the userids won't match LDAP userids, so they can't be used together. If that was fixed then in theory this could work. SAML2 does auth and LDAP would handle user properties, user searches and group lookups. The downside is then you have to set up both integrations and you lose the nice feature of SAML2 of not requiring a direct connection from your web server to your AD.

b) Update groups on login. In SAML2 everything you know about a user is transferred only once, during authentication. dm.saml2 can be set up to bring over custom properties if available. In theory you could bring over data about all the groups the user is a member of and have a special plugin that creates and updates local groups in Plone. Listing members of a group would become less meaningful, but sharing based on group membership for the current user should still be useful. collective.saml2 would be a good place to put this code.

I'd love to get this stuff to work, but I'm still waiting on a client with ADFS and these requirements to be able to test it.

I'd also love to fund a Plone control panel to make configuring dm.saml2 easier in Plone (currently it's done in the ZMI) and to ease the process for use cases like ADFS. For example, dm.saml2 requires a web-available source for the key exchange, but not all SAML2 systems use this. Some require you to cut and paste them into your own system. It would be nice to have collective.saml2 support this.
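Option (b) above, "update groups on login", is the kind of logic such a plugin would need at its core. The block below is an added illustration written for this thread, not code from collective.saml2, dm.saml2 or the poster; it does not use the Plone PAS API at all but works on a plain in-memory group store so the reconciliation logic can be read and run on its own. Everything in it is an assumption: the shape of the assertion dict (a `groups` attribute carrying either plain names or AD-style DNs), the `ad:` prefix used to namespace IdP-managed groups, and the sample data. The one design point worth taking from it is that the sync only ever adds to or removes from groups inside that namespace, so groups a site administrator created locally (here `Reviewers`) are never touched by whatever the IdP asserts.

```python
# Prefix (assumed) marking groups that mirror IdP-asserted membership. Groups
# outside this namespace are owned locally and are never modified by the sync.
MANAGED_PREFIX = "ad:"

# Constructed SAML attribute statement; attribute names are assumptions, not
# dm.saml2's real property names. AD often delivers group claims as DNs.
SAMPLE_ASSERTION = {
    "uid": "jdoe",
    "groups": [
        "CN=Intranet Editors,OU=Groups,DC=example,DC=org",
        "Finance",
    ],
}

# Constructed local group store: group name -> set of member user ids.
# "Reviewers" is a local-only group; the "ad:" groups came from earlier logins.
SAMPLE_STORE = {
    "Reviewers": {"jdoe"},
    "ad:Finance": {"jdoe", "asmith"},
    "ad:Old Team": {"jdoe"},
}


def group_name_from_claim(value):
    """Reduce an AD-style DN such as 'CN=Name,OU=...' to its CN; pass plain names through."""
    value = value.strip()
    if value.upper().startswith("CN="):
        return value.split(",", 1)[0][3:].strip()
    return value


def sync_groups_on_login(store, user_id, assertion, prefix=MANAGED_PREFIX):
    """Reconcile the user's managed-group membership with the assertion.

    Creates missing managed groups, adds the user to asserted ones and removes
    the user from managed groups the IdP no longer asserts. Membership is only
    as fresh as the user's last login, which is why listing a group's members
    is less meaningful than checking the current user's membership.
    Returns (added, removed) as sorted lists of group names.
    """
    wanted = {prefix + group_name_from_claim(v) for v in assertion.get("groups", [])}
    current = {
        name for name, members in store.items()
        if user_id in members and name.startswith(prefix)
    }
    to_add = wanted - current
    to_remove = current - wanted
    for name in to_add:
        store.setdefault(name, set()).add(user_id)
    for name in to_remove:
        store[name].discard(user_id)
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    store = {name: set(members) for name, members in SAMPLE_STORE.items()}
    added, removed = sync_groups_on_login(store, SAMPLE_ASSERTION["uid"], SAMPLE_ASSERTION)
    print("added:", added)
    print("removed:", removed)
    print("store:", {name: sorted(members) for name, members in store.items()})
```

On the sample data the login adds `jdoe` to `ad:Intranet Editors` (creating it), removes `jdoe` from `ad:Old Team`, leaves `asmith` in `ad:Finance` and leaves the local `Reviewers` group alone.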