LDAP Integration

Plone 4.3.3
LDAP support 1.3.1

I am having some difficulty with the using LDAP Connection for user credentials. First, most attributes are not being extracted from the LDAP database, no display name, no email despite having these set up under LDAP Schema. Then, when a user request a password change, this apparently takes effect, but this does not get back to the database. My LDAP database serves for single-signon for all services here and I want to enalbe user-managed password changes. Plone would work great for this except that only the Plone-based password is changed.

How can I make the above real? Alternatively, here could I find the code behind ldap connection so I can wrench it into a shape that I need?

I've got more or less the same setup running. But it took some careful nudging of the permissions on the LDAP side of things. It does sound suspiciously like a permissions issue.

Without knowing more details of your LDAP it's hard to debug. But if you have some testing machines/instances, do try setting OpenLDAP (or whatever you are using) to 'bordering on criminal' non-secure settings, and if that works crank up security again step by step.

(needless to say, only do this with a copy of your LDAP, behind a firewall...)

Even with setting the LDAP credentials to manager level, I am unable to get more than uid and password into Plone's awareness. Are you at a point where the Personal Information page is populated with LDAP data?
As a sync-repl LDAP instance, the password will not be changeable, but that is another issue. I guess for now I am happy that users can log in at all. I do want to get to a place where people can manage their accounts for all our services through our web site, but until I can use the data from LDAP, I am not confident I can make this happen.

Yes, I'm reading several personal info details from LDAP. (in our case tradeunion affiliation, country, voting/nonvoting, etcetera...)

Double-check that each LDAP property you're reading has a corresponding one set up in ZMI -> portal_memberdata -> properties, including the usual gotchas with spelling and capitalization.

And of course you'll have to adapt the author/profile page to actually show them in a nice or useful way, but at least Plone should be aware of them.

Thanks, Paul, I may be making headway. I have added mail and displayName to the portal_memberdata properties, but still no luck with getting these values into the Personal Information page. I feel like I should not have to go here, but I've resorted to using my root powers to parse the ldap system log on my server. I'm still quite vexed by how plone is put together, pardon my rudimentary questions.

How should I approach adapting the Personal Information page to show ldap properties?

So I'm thinking that the LDAP Connection add-on needs to be more configurable. In looking at my slapd log, I find search filters like the following that will never work with my schema as nowhere is there an objectClass of type group or univentionGroup. Moreover, the question mark (?objectClass) causes any query to fail with "Bad search filter (-7)"

If I could get at the source code, I may be able to fix this add-on for my installation, or at least understand it better.


Oh yeah. Sorry, should have thought about that before... (LDAP is very much a "once it works, don't touch it again" kind of thing, so had forgotten the patch)

  • the ?objectClass is an openLDAP artifact when it encounters an unknown objectClass.

  • real root of the problem is probably that you're using posixGroup as groups and uid as identifier within that. Now, for some rather pedantic reason, the Products.LDAPUserFolder does not allow that possiblity. Technically that is correct, as it is not exactly a guarantee of uniqueness. And it is against some strict interpretation of the RFC rules. However, in practical terms, it's what most setups run, without problems.

So the "all RFC fundamentalists look away in horror now" solution is to simply patch it and allow your objectclass (usually posixGroup). See https://gist.github.com/witsch/7580331 for example (depending on your setup you may have to edit slightly)

You may want to try using pas.plugins.ldap instead. It has some advantages over the old PloneLDAP stack which has some evolutionary introduced problems. Also pas.plugins.ldap is not perfect in all places (show me code that is), but it is perfect enough to be used in production of a bunch of critical sites for some years. Some performance problems if it comes over 10k users+groups will be solved soon (there is a performance branch for testing if youre not afraid of beta quality software).

Sorry, neither solution worked for me. The first could not patch the files in place, so I patched them manually, but got no change in behavior. pas.plugins.ldap rendered my Plone unreachable with a variety of warnings in instance.log:

2015-07-13T13:04:09 WARNING SecurityInfo Conflicting security declarations for     "<AccessControl.SecurityInfo.ClassSecurityInfo object at 0x67b4fd0>"
2015-07-13T13:04:09 WARNING SecurityInfo Conflicting security declarations for "<AccessControl.SecurityInfo.ClassSecurityInfo object at 0x67b4fd0>"
2015-07-13T13:04:09 WARNING SecurityInfo Class "LDAPPlugin" had conflicting security declarations

The warnings are just warnings, nothing serious which stops Plone from working.

Unreachable is indeed strange, i never saw this. If Plone starts in foreground, are there any error messages?

Starting Plone in the foreground, I get no error messages. Plone does start as a process, but raises no network listener on 8080. After fixing permissions on blobstorage, I get nothing but INFO messages in var/log/instance.log, so I should be happy. Still, the 503 is not pleasing.

That said, I am grateful to the Plone community for the help I've gotten so far.

I must be missing something here. If Plone doesn't begin listening on port 8080, your problem isn't with LDAP integration at all... Could you post a pastie.org link to the entirety of your instance.log?