LDAP users as Plone content; can dexterity.membrane help?

I've been looking at ways to index pas.plugins.ldap users so they can be searched like any other Plone content types (from the Plone search box).

It seems that Plone users can't be indexed with the portal_catalog, but members created using dexterity.membrane can be indexed.

My ideal would be to have a dexterity.member object for each LDAP user. Is it possible to have a dexterity.membrane object to complement an LDAP user, so that user information specific to Plone can be added to an LDAP user and searched? Or can a dexterity.membrane be identified (and authenticated) using the pas.plugins.ldap? Or can pas.plugins.ldap be extended to use dexterity.membrane?

So far my impression is that pas.plugins.ldap and dexterity.membrane are mutually exclusive... I wish to be very wrong. Any pointer would be appreciated.

N.B. I asked a similar question: Multilingual members, from LDAP directory, with custom multilingual listings of members and groups

> Is it possible to have a dexterity.membrane object to complement an LDAP user, so that user information specific to Plone can be added to an LDAP user and searched?

It seems you need to sync (periodically) your users to membrane objects.
This is something we do in Ploneintranet, check out:

> Or can a dexterity.membrane be identified (and authenticated) using the pas.plugins.ldap?

Of course, that just depends on the enabled "Authentication plugins"!

> Or can pas.plugins.ldap be extended to use dexterity.membrane?

They can be used together for sure, but it is not really clear to me what your proposition is.

Note, the two plugins were part of my presentation in Ferrara:

Hi Alessandro, and thanks for your reply. I just watched your presentation.

Last week I tried PloneIntranet in a VM. It's impressive, does much more than what I need, and its source code is a bit complex (to say the least); your presentation is about the challenges of PloneIntranet (and similar Plone-based systems), but my use case is a lot simpler: I just want to manage simple Plone objects, one per member defined in an LDAP server (no more than a thousand), with no more than 10 groups (also defined in the same LDAP server). Also, one member does not appear in more than 3 groups. So it's not a complex scenario (that would require patching PAS, use NetworkX, etc).

I think that in your presentation you mentioned the plugins used by PloneIntranet, but not pas.plugins.ldap (the only one I was able to use with some success). I develop using Plone 5.2 and Python 3.7; PloneIntranet does not work with this configuration, at least not its LDAP addons.

My first intent was to use only pas.plugins.ldap, and display member lists and profiles with simple custom templates. I realized how slow pas.plugins.ldap can be, and how caching can help; at some point I hacked a simple memcached query engine, but I was asked for members to be searchable like normal Plone objects, and that many years ago there was a way to index anything for the default Plone search engine; my impression is that with newer versions of Plone, only Plone objects can be indexed and searched... If anyone knows how to index "anything" in the newest Plone versions (like in the good old days of Plone 2), please let me know, that could make my life easier; if it's not possible, then I would conclude that users/members should exist as Plone objects (even if synchronization is required between LDAP and Plone, maybe several times a day). I suspect it can be done with or without dexterity.membrane, and that there are probably advantages to using membrane (but I'm not sure what exactly). Also, because the web site is multilingual, I would certainly need dexterity to create a multilingual member type.

What I'd like is some up-to-date example(s) of how to make dexterity.membrane use pas.plugins.ldap, or how to create a (non-membrane) "member data" dexterity type that could interact with pas.plugins.ldap.

@marclava Do you have the requirement that the membrane users be there before they login?

Then you would need fewer moving parts if you create an independent script to query ldap and create/update membrane users in the Plone site.

I had the requirement to fetch phone numbers from user objects in an ldap/ad directory a few weeks ago. That was much easier than I thought. And it takes 2 seconds to run and extract attributes for 3000 entries.

Authenticating the membrane users could still be done over pas.plugins.ldap as usual.

(I didn't see @alert's presentation yet, maybe I'm stating the obvious)

You are right, in the presentation the old Products.PloneLDAP was still mentioned. Anyway we later switched to pas.plugins.ldap and not much has changed.

Anyway the baseline does not change: replicate ldap objects into dexterity ones and those ones are searchable. I think this is your goal, right?

> How to make dexterity.membrane use pas.plugins.ldap

I believe this is not what you want.
dexterity.membrane uses dexterity objects, pas.plugins.ldap uses ldap calls.
If you want something hybrid you are basically creating a new thing :)

Yes, membrane users (or simple dexterity objects) could be created before first login, or at first login. What I don't get is how to authenticate membrane users using pas.plugins.ldap; I guess some adapter code must be added in the mix. The example provided with dexterity.membrane can be installed as a plugin named dexterity.membrane.content; adapting this example so it can use pas.plugins.ldap is what I'm looking for. Looking at https://docs.ploneintranet.org/development/components/userprofiles.html doesn't help much, so the answer must be hiding somewhere in the multiple layers of the ploneintranet code.

Using dexterity.membrane, I want what was done in PloneIntranet, but with pas.plugins.ldap. How much of a "new thing" this hybrid content type would be is yet to be discovered... You did it, in the context of PloneIntranet.

This is a snapshot from one of our current sites:

As you can see pasldap is the first plugin checked (and it is actually active only for authentication).
I still have membrane_users because I might have users that are in the site but not in ldap.
If a user is authenticated by ldap, a membrane user is automatically created using this code: https://github.com/ploneintranet/ploneintranet/blob/368bd6d8d404bdf3a9bc7d984c0c942993b2c97c/src/ploneintranet/userprofile/subscribers.py#L12-L22

I do know that membrane.users can be authenticated using PAS plugins, but I'd like to learn how.

@alert: Something works. First I ported a section of PloneIntranet to Plone 5.2 with Python 3.7. Then I adapted the LDAP related code to use pas.plugins.ldap, and I provisioned the code for PloneIntranet user profiles. At first login of an LDAP user, its membrane profile got created.

I was not understanding the relation between membrane and PAS... Now I get it, so thanks for your help.

I created an Archetypes product, the FacultyCV product, 10 years ago (and still in use today) that uses the member information (from AD, pas.plugins.ldap or whatever you want to use) to populate a bunch of fields in the Faculty Object. I have a daily script that will update all faculty objects, create new objects if a new AD account is created, as well as making the faculty objects private if the AD account is disabled. (It will also update if the object is modified directly.)

You can search using the portal catalog just like every other object in your site.

Directory (portal catalog search)

Faculty object (contact info is updated from AD, everything else is edited by the faculty)

Faculty Editing

We started rewriting it as dexterity.
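
The periodic directory-to-content sync described in this thread (an independent script that creates and updates profile objects and makes them private when the AD account is disabled), sketched as an added example that is not code from any poster or from Ploneintranet. It only plans the actions on constructed data; `FIELD_MAP`, the `source` marker and the state names are assumptions, and applying the plan through Plone's own APIs is left out.

```python
from dataclasses import dataclass

UAC_ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl "disabled" bit
# Constructed sample directory entries, keyed by login.
LDAP_ENTRIES = {
    "alice": {"cn": "Alice Martin", "mail": "alice@example.org", "userAccountControl": 512},
    "bob": {"cn": "Bob Roy", "mail": "bob@example.org", "userAccountControl": 514},
    "dave": {"cn": "Dave Cote", "mail": "dave@example.org", "userAccountControl": 512},
}
# Constructed sample profile objects; "source" (assumed marker) says who owns the profile.
PROFILES = {
    "alice": {"fullname": "Alice M.", "email": "alice@example.org", "state": "published", "source": "ldap"},
    "bob": {"fullname": "Bob Roy", "email": "bob@example.org", "state": "published", "source": "ldap"},
    "carol": {"fullname": "Carol Roy", "email": "carol@example.org", "state": "published", "source": "ldap"},
    "erin": {"fullname": "Erin Lee", "email": "erin@example.org", "state": "published", "source": "local"},
}
FIELD_MAP = {"cn": "fullname", "mail": "email"}  # hypothetical: directory attribute -> profile field

@dataclass(frozen=True)
class Action:
    kind: str           # "create", "update" or "retract"
    login: str
    fields: tuple = ()  # (field, value) pairs to write

def is_disabled(entry):
    return bool(int(entry.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE)

def plan_sync(ldap_entries, profiles):
    """Return the actions that bring the profiles in line with the directory."""
    actions = []
    for login, entry in sorted(ldap_entries.items()):
        wanted = {field: entry.get(attr, "") for attr, field in FIELD_MAP.items()}
        profile = profiles.get(login)
        if is_disabled(entry):
            # Disabled account: never create a profile, hide an existing public one.
            if profile and profile["state"] != "private":
                actions.append(Action("retract", login))
            continue
        if profile is None:
            actions.append(Action("create", login, tuple(sorted(wanted.items()))))
            continue
        changed = {f: v for f, v in wanted.items() if profile.get(f) != v}
        if changed:  # directory-owned fields win; other fields stay user-edited
            actions.append(Action("update", login, tuple(sorted(changed.items()))))
    # Directory-owned profiles whose entry is gone are retracted; site-only users are untouched.
    for login, profile in sorted(profiles.items()):
        orphan = profile["source"] == "ldap" and login not in ldap_entries
        if orphan and profile["state"] != "private":
            actions.append(Action("retract", login))
    return actions
```

Retracting rather than deleting keeps the user-edited part of a profile if the account comes back, and the `source` check preserves site-only users of the kind mentioned earlier in the thread.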

You are welcome, I am glad you could do something with that code.
Unluckily the Python3.7/pas.plugins.ldap code version of ploneintranet is not yet released to the public.
Also there is this annoying issue https://github.com/collective/pas.plugins.ldap/issues/104 which I plan to fix soon.