Cannot add or delete LDAP user through Plone 5

I can no longer add or delete LDAP users via Plone. I can do so without any issues through ZMI. Even though I can search and find an LDAP user, I cannot add the LDAP user to Plone or to a User Group.

To delete an LDAP user via Plone:

Traceback (innermost last):
Module ZPublisher.Publish, line 138, in publish
Module ZPublisher.mapply, line 77, in mapply
Module ZPublisher.Publish, line 48, in call_object
Module Products.CMFPlone.controlpanel.browser.usergroups_groupmembership, line 76, in __call__
Module Products.CMFPlone.controlpanel.browser.usergroups_groupmembership, line 46, in update
Module <string>, line 3, in addPrincipalToGroup
Module plone.protect.utils, line 58, in _curried
Module <string>, line 3, in addPrincipalToGroup
Module AccessControl.requestmethod, line 70, in _curried
Module Products.PlonePAS.tools.groups, line 200, in addPrincipalToGroup
Module Products.PloneLDAP.mixins.groupmgmt, line 35, in addPrincipalToGroup
Module Products.LDAPUserFolder.LDAPUserFolder, line 1723, in manage_editUserRoles
Module Products.LDAPUserFolder.LDAPUserFolder, line 1291, in getGroupType
Module Products.LDAPUserFolder.LDAPDelegate, line 363, in search
Module Products.LDAPUserFolder.LDAPDelegate, line 631, in _clean_dn
Module Products.LDAPUserFolder.LDAPDelegate, line 638, in explode_dn
Module ldap.dn, line 79, in explode_dn
Module ldap.dn, line 53, in str2dn
Module ldap.functions, line 66, in _ldap_function_call
DECODING_ERROR

To delete an LDAP user from a group called DSS-Editors:

Traceback (innermost last):

Module ZPublisher.Publish, line 138, in publish
Module ZPublisher.mapply, line 77, in mapply
Module ZPublisher.Publish, line 48, in call_object
Module Products.CMFPlone.controlpanel.browser.usergroups_groupmembership, line 76, in __call__
Module Products.CMFPlone.controlpanel.browser.usergroups_groupmembership, line 53, in update
Module <string>, line 3, in removePrincipalFromGroup
Module plone.protect.utils, line 58, in _curried
Module <string>, line 3, in removePrincipalFromGroup
Module AccessControl.requestmethod, line 70, in _curried
Module Products.PlonePAS.tools.groups, line 211, in removePrincipalFromGroup
Module Products.PloneLDAP.mixins.groupmgmt, line 68, in removePrincipalFromGroup

KeyError: 'DSS-Editors'

I have the following in my buildout:

plone.app.ldap
five.formlib
plone.app.form

Plone version:

Plone 5.0.7 (5017)
CMF 2.2.10
Zope 2.13.26
Python 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
PIL 3.4.2 (Pillow)

There are no issues through the ZMI, just in Plone 5. Any help would be most appreciated. Thanks.

This looks like an error message from the LDAP server. I would look at the code for verification. If this is indeed the case, then upper call levels likely have chosen an encoding incompatible with what the LDAP server expects.

Some time ago, I have seen a report in this forum suggesting that the Plone->LDAP integration might be sensitive regarding special characters in user/group names (in this case, the error was raised on the Python side - a UnicodeDecodeError). Is it possible that in your case, too, user or group names can contain special characters? Have you the possibility to avoid special characters in user/group names?

The report mentioned in the previous paragraph was resolved by setting Python's defaultencoding to utf-8. Likely, this will not work in your case (at least if the error message comes from the LDAP server).

I would approach your problem as follows: install Products.PDBDebugMode. This will enter the Python debugger when an exception occurs (and your Plone/Zope runs in "development mode") and allows you to analyse the complete call chain. Look at the parameter values for non-ASCII characters, starting where the exception has been raised. If there are any, verify that they are encoded in the same way as the LDAP server expects them. If the encoding is wrong, move up the call chain to check for places where you can influence the encoding.
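The traceback above dies inside python-ldap's explode_dn, i.e. while splitting a DN string that was built from a group or user name. The following is an added example (not code from the thread, from Plone or from python-ldap) of the kind of pre-flight check the answer suggests: it escapes a name per RFC 4514 before embedding it in a DN, splits a DN on unescaped commas the way explode_dn does, and verifies that the byte string handed to the LDAP layer really decodes as UTF-8, reporting the offending byte when it does not. The sample names ("DSS-Editors", "Élodie") are constructed; that the server expects UTF-8 is the LDAPv3 assumption (RFC 4511).

```python
# Added example: DN escaping and encoding pre-flight check, not part of the thread.
# Assumption: the LDAP server expects UTF-8 (LDAPv3); an 8-bit name encoded some
# other way is exactly what makes str2dn/explode_dn fail with a decoding error.
from typing import Dict, List, Tuple

# Characters that must be backslash-escaped inside an attribute value (RFC 4514 §2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can safely be embedded in a DN string."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would read as hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN, escaping every value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def explode_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped, mirroring what ldap.dn.explode_dn does."""
    parts: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def check_dn_bytes(dn: bytes, expected: str = "utf-8") -> Dict[str, object]:
    """Report whether the DN bytes decode under the expected codec; on failure, say where."""
    try:
        text = dn.decode(expected)
    except UnicodeDecodeError as exc:
        # The latin-1 rendering is only a diagnostic hint for what the caller probably meant.
        return {
            "ok": False,
            "position": exc.start,
            "byte": dn[exc.start],
            "as_latin1": dn.decode("latin-1"),
        }
    return {"ok": True, "dn": text, "non_ascii": [c for c in text if ord(c) > 127]}


if __name__ == "__main__":
    dn = build_dn([("cn", "DSS-Editors"), ("ou", "groups"), ("dc", "example"), ("dc", "com")])
    print(dn, explode_dn(dn))
    # Constructed sample: the same name encoded correctly and incorrectly.
    print(check_dn_bytes("cn=Élodie,ou=people".encode("utf-8")))
    print(check_dn_bytes("cn=Élodie,ou=people".encode("latin-1")))
```

In the debugger session the answer describes, the equivalent check is to look at the DN string at the frame that calls explode_dn: if it is a byte string that check_dn_bytes would reject, the fix belongs in the layer above that built it, not in the LDAP delegate.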

Thank you so much for your help. So this is what I have discovered:

  1. User groups created by Plone automatically such as Administrators, Authenticated Users, Reviewers and Site Administrators do not allow Plone to add or delete LDAP users to these groups. They have to be added or deleted from ZMI. However, Plone can add local users to them without any problems.

  2. If one creates a user group from ZMI, one cannot add LDAP users to that group from Plone.

  3. If one creates a user group from Plone, one can add and delete LDAP users to that group without any issues.

So I don't know whether this is a bug or a feature in Plone whereby when it comes to LDAP users, if we want users and groups to be managed from Plone, user groups need to be created from the front end at the get-go and not through the ZMI.

Your discoveries suggest that groups automatically created by Plone or via the ZMI might not be managed by LDAP but by another group plugin. For some reason still not fully understood this plugin seems to have limitations with respect to the users it is ready to add/delete through its typical interface (this is likely a bug).

For groups automatically created by Plone, it is quite natural that they are not managed by LDAP -- they are likely created before acl_users could be configured for the LDAP integration. Likely, there are different ways to create user groups "from ZMI" - one of them will be the one to create groups by the same plugin that is responsible for the automatically created groups -- i.e. with the same restrictions. Are you sure that your "user group creation from ZMI" should create an LDAP group?

Modern versions of Products.PlonePAS have some Products.GenericSetup support. Not sure whether the ldap plugins support it. If they do, you can describe the acl_user configuration in a GenericSetup profile and thus get the LDAP integration effective before the typical Plone user groups are automatically created (during portal setup). This should ensure that those groups are managed in your LDAP.

Otherwise, there are ways (though perhaps not trivial ones) to move those groups (at least for LDAP users) to LDAP in a script (you remember the users associated with a group, delete it, create it anew via the Plone interface (this will give you an LDAP managed user group) and add the users).

Thank you so much for your answer. I am learning a lot from you. It does make sense regarding which plugin creates groups and when. I have tried using Products.PlonePAS but the setup seems more complicated than plone.app.ldap. That is why I stuck with plone.app.ldap.

We are not using or creating any LDAP groups stored in LDAP. All our groups are created and stored locally in Plone. So there are no LDAP groups. The only thing we are pulling from LDAP are usernames.

It seems like just so long as we manage our local groups and LDAP users from the frontend and not through ZMI, everything works great. Problems occur when we create groups from the backend and try to use them with LDAP users on the front-end. That's when Plone throws a "hissy-fit" (a very technical term, if I may add, LOL!).

If I come across any more anomalies, I will add to this thread. Thank you again, dieter, for all your help. Cheers.

I am almost sure that you are using Products.PlonePAS -- it contains the generic implementation for acl_users with its plugin based architecture. plone.app.ldap likely provides LDAP plugins for this architecture.

You are absolutely right. I meant pas.plugins.ldap. I just could not get the hang of it.