Pas.plugin.ldap for authentication only

Hi everyone.

I've setup Plone 5, and added pas.plugins.ldap.

I wish to use LDAP strictly for authentication on an external LDAP server. So, I'll be creating and managing users locally on Plone (With same user names as in the LDAP server, of course), and will only use LDAP to authenticate these users. I do not wish to create/modify users on the LDAP server in any way, or retrieve from the server any other information about the user or groups...

I have that system working on an old Plone3 instance with LDAPMultiPlugins, using a LDApUserFolder.

But I cannot do it on Plone5. I don't know where I 'tell' Plone to only authenticate...

  • Plone 5.1.5 (5115)
  • CMF 2.2.12
  • Zope 2.13.27
  • Python 2.7.15+ (default, Jul 9 2019, 16:51:35) [GCC 7.4.0]
  • PIL 5.4.1 (Pillow)

So where do you see the option then to create or modify LDAP users in Plone? AFAIK pas.plugins.ldap doesn't support modifying/creating users, as per the README on pypi (, 7th line):

You can still create users in the Plone user/group control panel, but these will be created locally, not in LDAP.

For now users and groups can’t be added or deleted. Properties on both are read/write.

On a lower level (Pluggable Authentication Services) all different operations are separated in different plugins. You can access these as a manager under /manage in the ZMI in the acl_users folder. pas.plugins.ldap is also installing plugins in there and you can turn of the modification plugins.

Also: you have to provide an ldap user in the pas.plugins.ldap settings to connect to the LDAP/AD directory, if that user only has read permissions, nothing can be changed in the LDAP/AD from within Plone. I have been using that set up for years. Both with and pas.plugins.ldap

Attributes from 'through ldap' authenticated users can be modified on for example the personal preferences, but will be stored in a separate object in the Plone site root (portal_memberdata) and these properties are merged with data you configure coming from LDAP.

Thank you Fred.
I found the plugin config on acl_users as you mentionned. Indeed I can now select Auhtentication only, and disable all other fonctionnality...Gonna try how it works...

I just wanted to make sure that the plugin only does the bind, and doesn't try to get any more data from/into the LDAP server because the directory iself is huge (over 8.000 people), although I just use a small subset of those...

Make sure you configure the correct base DN's for users/groups if the hierarchy of the directory support it. And set the objectClass correctly to filter out unwanted users.

And don't forget to add memcached as well to speed up search/results from ldap significantly for larger directories.