Pas.plugins.ldap and Plone 6?

Has anyone run through the installation and setup of pas.plugins.ldap with Plone 6.1 yet? The docs are a bit out of date as they don't reflect current installation methods for Plone.

Yes I did.

These are my pinnings:

node.ext.ldap==1.2
node==1.2.2
odict==1.9.0
pas.plugins.ldap==1.8.4
yafowil==3.1.1
yafowil.plone==5.0.0a2
yafowil.bootstrap==2.0.0a2
yafowil.widget.array==2.0a1
yafowil.widget.dict==2.0a1
yafowil.yaml==2.0
node.ext.ugm==1.1
passlib==1.7.4
plumber==1.7
pyasn1==0.6.1
pyasn1_modules==0.4.2
PyYAML==6.0.2
python-memcached==1.62
bda.cache==1.3.0

BUT: I ended up not using it. Because it was very slow and, as the readme mentions, you have to implement/configure a caching service.

I ended up using Keycloak with an LDAP source and then using OIDC as an authentication method.

2 Likes

Did you use buildout?

Here's what I did:

  • set up a new cookieplone project with uvx cookieplone project
  • edit pyproject.toml to add pas.plugins.ldap to the dependencies
dependencies = [
    "Products.CMFPlone==6.1.3",
    "plone.api",
    "plone.restapi",
    "plone.volto",
    "pas.plugins.ldap==1.8.4",
]
  • edit instance.yaml to add it to zcml_package_includes:
default_context:
    initial_user_password: 'admin'
    zcml_package_includes: 'pas.plugins.ldap.test', 'pas.plugins.ldap'
  • Ran make install
==> Generate constraints file
###############################################################################
# Load configuration
###############################################################################
# Read infiles
Read [r]: requirements.txt
Read [c]: https://dist.plone.org/release/6.1.3/constraints.txt
###############################################################################
# No sources configured!
###############################################################################
# Write outfiles
Write [c]: constraints-mxdev.txt
Write [r]: requirements-mxdev.txt
🎂 You are now ready for: pip install -r requirements-mxdev.txt
   (path to pip may vary dependent on your installation method)
==> Install environment
Using CPython 3.12.6 interpreter at: /opt/homebrew/opt/python@3.12/bin/python3.12
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
  × No solution found when resolving dependencies:
  ╰─▶ Because only yafowil-bootstrap<2.0.0a1 is available and
      pas-plugins-ldap==1.8.4 depends on yafowil-bootstrap>=2.0.0a1, we can
      conclude that pas-plugins-ldap==1.8.4 cannot be used.
      And because pas-plugins-ldap-test==1.0.0a0 depends
      on pas-plugins-ldap==1.8.4, we can conclude that
      pas-plugins-ldap-test==1.0.0a0 cannot be used.
      And because only pas-plugins-ldap-test[test]==1.0.0a0 is available
      and you require pas-plugins-ldap-test[test], we can conclude that your
      requirements are unsatisfiable.

      hint: `yafowil-bootstrap` was requested with a pre-release marker (e.g.,
      yafowil-bootstrap>=2.0.0a1), but pre-releases weren't enabled (try:
      `--prerelease=allow`)

...which makes sense.

To be continued...

Yes, we have several setups with LDAP and Plone 6. The installations use version specification via mx.ini.

my mx.ini:

[settings]
version-overrides =
    yafowil == 3.1.1
    yafowil.bootstrap==2.0.0a1
    yafowil.widget.array==2.0a1
    yafowil.widget.dict==2.0a1

That's all, it works.

Update: I checked my installation today, but I ran into an error with the latest version of yafowil == 3.1.2.

I downgraded to yafowil == 3.1.1 and the rendering error is gone. I updated the mx.ini above.

1 Like
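Both the pinnings posted earlier in the thread and the mx.ini version-overrides above hinge on the same two things the resolver complained about: every entry must be an exact pin, and pre-release pins (2.0.0a1, 2.0a1) only resolve when pre-releases are enabled. The following is an added example, not code from the thread or from pas.plugins.ldap: it reads a requirements-style pin list and an mx.ini version-overrides block, normalises project names the way the uv error message does (pas.plugins.ldap becomes pas-plugins-ldap), and reports entries that are not exactly pinned or that pin a pre-release. The sample inputs are constructed from the pins quoted in this thread, including the line that lost its '=='.

```python
"""Audit dependency pins before handing them to a resolver (added example)."""
import configparser
import re
from dataclasses import dataclass

# Loose PEP 440 shape: release segment, optional pre/post/dev segments.
VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>[._-]?(?:a|b|c|rc|alpha|beta|pre|preview)[._-]?\d*)?"
    r"(?P<post>[._-]?(?:post|rev|r)[._-]?\d*)?"
    r"(?P<dev>[._-]?dev[._-]?\d*)?$",
    re.IGNORECASE,
)

# Project name, optional comparison operator, optional version. Whitespace
# is tolerated so "yafowil == 3.1.1" (mx.ini style) and "yafowil==3.1.1"
# both parse. A line with no operator at all ends up with op=None.
PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*(?P<version>\S*)\s*$"
)


@dataclass(frozen=True)
class Finding:
    name: str     # normalised project name, as a resolver reports it
    spec: str     # the offending line, stripped
    problem: str  # why a resolver or a reviewer would reject it


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of . _ - become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_prerelease(version: str) -> bool:
    """True for alpha/beta/rc/dev versions such as 2.0.0a1 or 3.0.dev4."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"version {version!r} is not PEP 440")
    return bool(m.group("pre") or m.group("dev"))


def audit_pins(lines):
    """Return a Finding for every line that is not an exact final-release pin."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            findings.append(Finding(line, line, "unparseable requirement"))
            continue
        name = normalize_name(m.group("name"))
        op, version = m.group("op"), m.group("version")
        if op is None or not version:
            findings.append(Finding(name, line, "no '==' pin (missing operator or version)"))
        elif op != "==":
            findings.append(Finding(name, line, f"operator {op!r} is not an exact pin"))
        else:
            try:
                if is_prerelease(version):
                    findings.append(Finding(
                        name, line, f"pre-release {version} needs pre-releases enabled"))
            except ValueError as exc:
                findings.append(Finding(name, line, str(exc)))
    return findings


def mx_ini_overrides(text: str):
    """Extract the lines of [settings] version-overrides from an mx.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    value = cfg.get("settings", "version-overrides", fallback="")
    return [ln for ln in value.splitlines() if ln.strip()]


# Constructed sample input: pins quoted in this thread, including the line
# that lacks its '==' and one ranged requirement as the resolver reported it.
SAMPLE_PINS = """\
node.ext.ldap==1.2
pas.plugins.ldap==1.8.4
yafowil==3.1.1
yafowil.bootstrap==2.0.0a2
node.ext.ugm1.1
yafowil-bootstrap>=2.0.0a1
""".splitlines()

# Constructed sample mx.ini, shaped like the version-overrides block above.
SAMPLE_MX_INI = """\
[settings]
version-overrides =
    yafowil == 3.1.1
    yafowil.bootstrap==2.0.0a1
    yafowil.widget.array==2.0a1
"""

if __name__ == "__main__":
    for source, lines in (("pins", SAMPLE_PINS), ("mx.ini", mx_ini_overrides(SAMPLE_MX_INI))):
        for f in audit_pins(lines):
            print(f"{source}: {f.name}: {f.problem}  [{f.spec}]")
```

Running it lists the two pre-release pins from the mx.ini block and, from the pin list, the pre-release yafowil.bootstrap pin, the line with no operator, and the >= range. Anything a pre-release finding names is exactly what needs `--prerelease=allow` (or an mx.ini override) before the resolver will accept it.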

Do you really need this: pas.plugins.ldap.test?
What happens if you remove that?

No buildout.

I really would recommend Keycloak with LDAP source. It's as easy or as complicated to configure as the LDAP plugin. Plus, you do not install 15 new dependencies. Obviously you introduce a new service, but that's IMHO still the better solution.

When

What do you mean ‘with ldap source’, that keycloak syncs with an external ldap service and imports users into the keycloak database?

To my understanding, you can use SSO / OIDC for authentication, and you can pass in the OIDC login extra attributes for authorisation purposes.

But if you want to configure authorisation in Plone itself (add users/groups to roles) you will need the ‘central’ users and groups also available on the Plone site. If you restrict yourself to users, and users are created when they first login, those users will be available in Plone.

But for general permission assignment you would need access to a directory in Plone to show all available users/groups to assign, not only those who were imported/created on SSO/OIDC login. Groups don't login, so you need to create them manually on the Plone side.

Sorry, I was not specific enough: I mean under “user federation” you can add an LDAP service provider, which syncs users/groups.

Ah, pas.plugins.ldap.test is the name of the project I created with cookieplone... false alarm (or alert, heh)

Continuing the saga, I did take that out of zcml_package_includes and reran pip install -r requirements-mxdev.txt and eventually got the error

ERROR: Package 'pas-plugins-ldap-test' requires a different Python: 3.11.4 not in '>=3.12'

so I switched to using Python 3.12:

% pyenv local
3.11.4
% pyenv local 3.12
% pyenv local
3.12
% pip install -r requirements-mxdev.txt

and, miraculously, it finished the build successfully. Now to test it...

1 Like

make at the top level complained about zconsole missing... I tried a couple of ways to create it but no luck.

Started fresh, with uvx cookieplone project, and make completed successfully.

When I edited backend/pyproject.toml and backend/instance.yaml to add pas.plugins.ldap to dependencies and to zcml_package_includes, then ran make again, I was prompted to replace the .venv virtual environment:

% make
Install Backend & Frontend
==> Generate constraints file
###############################################################################
# Load configuration
###############################################################################
# Read infiles
Read [r]: requirements.txt
Read [c]: https://dist.plone.org/release/6.1.3/constraints.txt
###############################################################################
# No sources configured!
###############################################################################
# Write outfiles
Write [c]: constraints-mxdev.txt
Write [r]: requirements-mxdev.txt
🎂 You are now ready for: pip install -r requirements-mxdev.txt
   (path to pip may vary dependent on your installation method)
==> Install environment
Using CPython 3.12.2 interpreter at: /Users/bubba/.pyenv/versions/3.12.2/bin/python3.12
Creating virtual environment at: .venv
✔ A virtual environment already exists at `.venv`. Do you want to replace it?

If I answer n, everything stops with

error: Failed to create virtual environment
  Caused by: A virtual environment already exists at: .venv

hint: Use the `--clear` flag or set `UV_VENV_CLEAR=1` to replace the existing virtual environment

If I answer y or press Enter, I am back to

  × No solution found when resolving dependencies:
  ╰─▶ Because only yafowil-bootstrap<2.0.0a1 is available and pas-plugins-ldap==1.8.4 depends on yafowil-bootstrap>=2.0.0a1, we can
      conclude that pas-plugins-ldap==1.8.4 cannot be used.
      And because triangle-ldap==1.0.0a0 depends on pas-plugins-ldap==1.8.4, we can conclude that triangle-ldap==1.0.0a0 cannot be used.
      And because only triangle-ldap[test]==1.0.0a0 is available and you require triangle-ldap[test], we can conclude that your
      requirements are unsatisfiable.

      hint: `yafowil-bootstrap` was requested with a pre-release marker (e.g., yafowil-bootstrap>=2.0.0a1), but pre-releases weren't
      enabled (try: `--prerelease=allow`)

So this time I will rerun uvx cookieplone project and when it asks if it should use pre-release packages, I will answer "yes"...