Toolbar does not display for LDAP users

Hi,

I'm trying to setup a few plone 5.0.8 sites, all of which need to have LDAP authentication.

I've always used plone.app.ldap to connect to our university LDAP servers with plone 3/4. The current plone 5 LDAP advice seems to point towards using pas.plugins.ldap, but I can't get that to work with my ldap servers.

I have managed to get plone.app.ldap working. I can authenticate users, I can search for LDAP users and assign them permissions in folders. However when I login as an LDAP user I do not see any user toolbar, even when I have assigned edit permissions to that user. For all LDAP users the UI shifts over to the right and there is a blank column on the left where the toolbar should be.

All my experiments seem to result in the toollbar only appearing for local plone accounts.

I have tried updating to plone 5.1 and this doesn't change this behaviour.

Any ideas on what the issue is here?

Any help would be appreciated!

Check the permission role mapping for the Show Toolbar permission...likely LDAP users belong to a group or whatever that is not assigned to this permission.

I remember to have seen several threads in this forum concerning integration with LDAP. When I remember right, all have finally reported success (even though it might have been a long process). I think, there are related threads for Plone 5, too. Maybe, searching for those threads can give you some hints (though, I do not remember your concrete problem).

Thanks for the response.

Is the Show Toolbar permission a new 5.1 feature?

I don't see this permission available on any of my 5.0.8 sites or on my test 5.1 site. Am I looking in the wrong place (Security Tab in ZMI)?

It is at least in Plone 5.1..no idea about 5.0.

I can see the permission on plone-demo.info in the ZMI under security.

-aj

from PKG-INFO it seems a Plone 5.1 only permission

Name: plone.app.layout
Compatibility
-------------

    - the 2.2.x series is for use in Plone 4.2
    - the 2.3.x series is for use in Plone 4.3 (versions below 2.3.2 may also work with Plone 4.2)
    - the 2.5.x series is for use in Plone 5.0
    - the 2.6.x series (currently master branch) is for use in Plone 5.1

    Using other combinations *might* work, but you may find getting support for that harder.

    If you are using Plone < 4.3.5 and you are using dexterity items and plone.app.contenttypes, you might want to pin the latest 2.3.x version of this package.

(...)
2.7.3 (2017-08-27)
------------------
New features:

    - Added ``Show Toolbar`` permission.

seems difficult to explain your problems on Plone 5.0 by a non existing permission

I've managed to find the problem, not sure if it's a plone issue, I suspect its probably a plone.app.ldap issue.

The configuration form for plone.app.ldap allows you to set the the "Default Roles" assigned to users. This is a multi value field separated by comma's. When I had a few roles defined in this field, with "Authenticated" as the last role, I did not see the toolbar. Changing this field to have the single role "Authenticated" causes the toolbar to appear as expected.

Thanks for all your help.

and if you add roles after 'Authenticated, does it still work ?

I am pretty sure this is a CSS issue, my guess is that a diazo rule or CSS hides or does not include the toolbar 'if not role is for example 'Authenticated' (so maybe if you have TWO or more roles things are different.

The blank left column probably comes from some CSS (coming from plone-logged-in-compiled.css):

.plone-toolbar-left-expanded: padding-left: 120px;