Plone Login with LDAP and Recaptcha

Hi Guys,

I have been using Plone 4 for a number of years, implementing intranets for our customer base. One of our customers now wants to move to Plone 5(.2) and create an Intranet / Extranet, to allow satellite users access to the intranet without having to VPN onto the HQ network.

We have been using LDAP to authenticate users. However, this has security implications unless we secure with Captcha (Recaptcha) or 2FA. Potentially, I could persuade the customer to implement 2FA; however, for the moment I believe that recaptcha will serve my purpose.

I have Plone 5.2 installed on an Ubuntu 18.04 (VM) server, with plone.formwidget.recaptcha, Products.PluggableAuthService, pas.plugins.ldap and collective.easyform in my buildout.

(If I install collective.recaptcha, the client daemons fall over continually, which has been frustrating.)

So my current buildout compiles and the Plone site comes up. I have configured LDAP and the captcha keys (it has been quite painful just getting to this point).

However, I cannot see where to insert the recaptcha widget code, to provide a level of security and reduce the possibility of a robotic hack on the /login form ... or am I navigating myself along a dark, dead-end tunnel?

Thanks in anticipation.

Lee

Instead of a captcha, you might want to use Products.LoginLockout which also protects from brute force attempts. I have tested it in Plone 5.1.4. It may work with 5.2.

I think 5.2 uses plone.login or z3cform-based login forms. You may want to use collective.z3cform.norobots as a captcha solution.

Thanks h2o ... wasn't aware of those addons. I will investigate further.

Hi h2o,

Tried rebuilding with Products.LoginLockout and collective.z3cform.norobots ... 5.2 does not appear to like either add-on. The builds complete, the daemons start, but they either fall over and restart continuously or simply start and fall over. I cannot see any (missing) dependencies in the documentation.

So I guess it's back to the drawing board. :confused:

Thanks for your input.

You can see the work hasn't been done yet to get it working with 5.2 by looking at its tests.

https://travis-ci.org/collective/Products.LoginLockout

Pull requests accepted to get it working.