Using LDAP with Plone 5

Hello. I'm in a team of new Plone developers in a federal institution and we're currently learning the ins and outs of Plone 5.
We can't seem to find a way to integrate LDAP. We are not the only ones. See plone.app.ldap issue #24 - Plone 5 compatibility and Plone 5 plone.app.ldap install issue (stackoverflow).
Can someone point us in the right direction?

All the very best,
Gabriel Antunes

My co-worker Veit Schiele (kontakt@veit-schiele.de) claims having Plone 5 + LDAP support working.

-aj


I'm using pas.plugins.ldap on Plone 5 without problems. Because of many users, I use the performance branches:

But you can also use plone.app.ldap. As mentioned in the stackoverflow answer from tisto, you can try to add zope.formlib as a dependency to make it work. Otherwise you have to configure the pas plugin it through the ZMI in Plone site roots acl_users folder.


Today I worked a bit on pas.plugins.ldap in order to get a new release of the underlying node.ext.ldap out. Since we are perfectionists this will be an 1.0alpha1 - but its really stable and already in production for a bunch of large installations with thousands of users.

pas.plugins.ldap itself is already very stable. I just checked for Plone 5. Test had one failure, some import changed from Plone 4.3 to 5.0. I fixed that https://travis-ci.org/collective/pas.plugins.ldap/branches A new release is pending, expect it in the next days.


Continuing the discussion from Using LDAP with Plone 5:

Thank you. I didn't get any responses, though.

EDIT: I finally got an answer. Here's the summary for anyone with the same problem:

For the LDAP connection to Plone 5 you
can either use plone.app.ldap or pas.plugins.ldap.

For plone.app.ldap you need the following dependencies:
Products.CMFDefault 2.2.4
Products.LDAPMultiPlugins 1.14
Products.PloneLDAP 1.2
dataflake.fakeldap 1.1
five.formlib 1.0.4
plone.app.form 2.3.2
python-ldap 2.4.22

Thank Veit for that.

Great! We will study this option.

Those are great news. Thank you for the reply.

Hi all, those plugins are installed by buildout or in another way?

I tried to install pas.plugins.ldap by buildout. The install went correctly, but when I restart the zeoserver and all the clients nothing starts because of this error:

File "/opt/plone/zeocluster/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1728, in _get
    with open(path, 'rb') as stream:
zope.configuration.xmlconfig.ZopeXMLConfigurationError: File "/opt/plone/zeocluster/parts/client1/etc/site.zcml", line 12.2-12.39
    ZopeXMLConfigurationError: File "/opt/plone/buildout-cache/eggs/Products.CMFPlone-5.0-py2.7.egg/Products/CMFPlone/meta.zcml", line 46.4-50.10
    IOError: [Errno 13] Permission denied: '/opt/plone/buildout-cache/eggs/yafowil.widget.dict-1.5-py2.7.egg/EGG-INFO/entry_points.txt

Any idea about this?

Yes, use buildout only to add these add-ons.

Check who owns those files. If you've used the Plone unified installer you should run buildout like this:

sudo -u plone_buildout bin/buildout

otherwise (for example) the plone_daemon user may not be able to read files in an add-on that was installed by (say) root.

Hi @tkimnguyen, I've done the buildout as you said.
Can you confirm that the only package required is "pas.plugins.ldap"?
Here are my packages in the buildout.cfg file.

eggs =
    Plone
    Pillow        
    pas.plugins.ldap
    quintagroup.theme.sunrain

zcml =
    pas.plugins.ldap
    quintagroup.theme.sunrain

This looks fine and works here with Plone 5.

I do not think the problem is related to the add-on package.

According to your log output:

IOError: [Errno 13] Permission denied: '/opt/plone/buildout-cache/eggs/yafowil.widget.dict-1.5-py2.7.egg/EGG-INFO/entry_points.txt

Your Plone daemon user has no read access to the given package (a dependency of pas.plugins.ldap). You need to fix the access permissions on your file system using chmod. This happens if you forget to run buildout prefixed with sudo -u plone_buildout .... Once forgotten, it won't get fixed on subsequent runs, so manual intervention is needed.

I will try to change the permissions on that file manually; however, the command was correct. In fact there is also the sanity check that prevents running buildout as root (see text below).


buildout.sanitycheck:
***********************************************************
Buildout should not be run while superuser. Doing so allows
untrusted code to be run as root.
Instead, you probably wish to do something like:
sudo -u plone_buildout bin/buildout

If you have a good reason to bypass this restriction,
remove the buildout.sanitycheck extension from your buildout.
***********************************************************

While:
Installing.
Loading extensions.
Error: User attempt to give system ownership to Internet

Finally I have run everything successfully; the eggs with wrong permissions are:

  • odict-1.5.1-py2.7.egg
  • yafowil.widget.dict-1.5-py2.7.egg
  • node.ext.ugm-0.9.8-py2.7.egg
  • plumber-1.3.1-py2.7.egg
  • node-0.9.16-py2.7.egg
  • yafowil-2.1.3-py2.7.egg

In particular in the EGG-INFO folder of the eggs above, the files have the correct group/owner (respectively plone_group and plone_buildout), but they are saved with this permissions: -rw-------, while all other eggs have: -rw-r--r--.

Thank you all for the responses :smile:
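The permission problem described in the post above (egg files saved as -rw------- while the rest of the cache is -rw-r--r--, so plone_daemon cannot read them) can be checked and repaired with a small script. This is an added example, not something posted in the thread or shipped with pas.plugins.ldap; it assumes the first argument is the buildout-cache/eggs directory and that the daemon user shares the group but not the uid of the buildout user.

```shell
#!/bin/sh
# Added example: find and fix egg files that the Plone daemon user cannot read.
# Assumption: the buildout-cache/eggs path is passed as the first argument.

# List regular files that lack the group-read bit (0040). plone_daemon is in
# plone_group but is not the owner, so such files raise "Permission denied"
# (the -rw------- case from the thread) when Zope loads entry_points.txt.
find_unreadable_eggs() {
    cache_dir="$1"
    find "$cache_dir" -type f ! -perm -040 -print | sort
}

# Add group/other read (and traverse rights on directories) without touching
# the owner bits, matching the -rw-r--r-- mode of the correctly installed eggs.
fix_egg_permissions() {
    cache_dir="$1"
    find "$cache_dir" -type f ! -perm -044 -exec chmod g+r,o+r {} +
    find "$cache_dir" -type d ! -perm -055 -exec chmod g+rx,o+rx {} +
}

# Usage when run directly (ignored when sourced for testing):
#   sh check_eggs.sh /opt/plone/buildout-cache/eggs
if [ -n "$1" ]; then
    echo "Unreadable files under $1:"
    find_unreadable_eggs "$1"
    fix_egg_permissions "$1"
fi
```

Run it as the buildout user (for example via sudo -u plone_buildout) so chmod is allowed on files that user owns.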

Today I spent hours trying to make pas.plugins.ldap work on Plone 4.3.7.
I tested this one instead of plone.app.ldap because with the latter we found issues with groups on a customer LDAP, and I was trying to see if the new package could help.

I'm a little astonished because I was not able to make it work: just installing it leaves my site in a broken state. After fixing the issue I found (ticket opened) I'm still not able to make it work: groups are found, but not users... remember that this LDAP is working with p.a.ldap, so I have a working configuration.

It's 90% an issue on my side, but the lack of documentation, inline help on forms, or examples sometimes depresses me :smile:

I would like to mention that your solution for Products.PloneLDAP worked well for me on Plone 5. Thanks for providing that answer.

I also made pas.plugins.ldap work, but it attempts to download and cache the entire user tree from LDAP. That didn't work for me because our LDAP server requires pagination for more than 1000 results, which causes an error in the plugin. I don't think I'd like to have to keep a cache of all that data anyway since we only need to authenticate a small subset of users.

Indeed pas.plugins.ldap had this problem. We fixed it already, but the release is waiting until we have field-tested the new code more in our projects. Thanks for the reminder :slight_smile:

FYI: I'm preparing a beta release with the performance improvements. We have it already in production w/o problems. Travis CI is red at the moment, mainly because of download timeouts during buildout. If this goes green I'll release ASAP.


Hi.

My apologies for dredging this up from March 2nd, but I'm a bit stuck :(.

I've got a vanilla Plone 5.0.4 instance that I just installed fresh.

I've tried to add:

plone.app.ldap

Many, many times now, and for some reason (even though the buildout seems to run through to completion) it always seems to break the buildout when I then try to run the instance; the instance never starts up.

What am I missing? I have been reading widely and I see a lot of conflicting information about whether plone.app.ldap vs Products.PloneLDAP are actually compatible with 5.x, which one should be used where and which PAS is older than the other.

I didn't want to start another thread, but a very basic 1-2-3 to make ActiveDirectory work out of the box with a buildout would be really appreciated. I thought it might be as simple as adding plone.app.ldap to the buildout - but that seems to be confounding me.

I found this thread:

And it suggested that I should add zope.formlib and everything should work, but it still seems to break and the instance never starts up. It then went on to say that if I used Products.PloneLDAP, it should work as normal if I plug it into the ZMI. I did that, got a fair distance, but things seem wrong and stuff isn't working as anticipated.

Then I looked at pas.plugins.ldap and it doesn't seem to work at all.

I asked on the IRC channel too, but nobody seems to respond, thus far.

Thanks for your time.

--z

What's the problem with https://pypi.python.org/pypi/pas.plugins.ldap ? Please give details (buildout.cfg, error messages, etc.) because pas.plugins.ldap is the best Plone 5 way to use LDAP.


We use plone.app.ldap on Plone 5 with ploneintranet for Active Directory integration, no problems. An actual traceback may be helpful.

Hi to tkimnguyen and gyst.

Thanks for replying, guys! Really appreciate it.

  1. The problem with plone.app.ldap is that it fails silently. I'm not seeing any traceback. At all. The instance appears to start, but then shortly after stops without any obvious information. No errors thrown, no traceback from python.

Is there a way I can see something more verbose?

  2. The problem with pas.plugins.ldap is that (and please, correct me if I'm wrong, because I am learning!) from what I can see it has no obvious support for Active Directory and only seems to be able to support raw native OpenLDAP transports, and not specifically Microsoft Active Directory.

Again, correct me if I'm wrong there, because I really want something simple that just works neatly with AD!

Here is my buildout.cfg when I try to use plone.app.ldap:

############################################
#
# Buildout Configuration File for Plone
# -------------------------------------
#
# ALWAYS back up all Plone/Zope data and components
# before changing configuration.
#
# Running "bin/buildout" will update your installation,
# installing missing components as necessary.
#
# This will update the add-on products you've added in the eggs= lines.
# This will not, however, upgrade Plone itself (or anything else you've
# pinned with a version specification). To upgrade Plone itself, see the
# comments in "Plone Component Versions".
#
# Tutorial instructions for using zc.buildout for
# configuration management are available at:
# http://plone.org/documentation/tutorial/buildout
# Full details at http://pypi.python.org/pypi/zc.buildout
#
############################################

[buildout]
############################################
# Plone Component Versions
# ------------------------
# This version of the Unified Installer has the components of Plone 5
# preloaded so that it can install without an Internet connection.
# If you want to update, uncomment the "http://..." line below,
# edit it to point to the current version URL, comment out the
# "versions.cfg" line and run "bin/buildout" while attached to the
# Internet. Generally, you only want to do that as part of a planned migration.
# Note that if you are updating components, you should also check the versions
# section at the end of this file, since recipes or components other than
# those of Zope and Plone may need updating at the same time.
#
extends =
    base.cfg
    versions.cfg
#    http://dist.plone.org/release/5.0.4/versions.cfg

# If you change your Plone version, you'll also need to update
# the repository link below.
find-links +=
    http://dist.plone.org/release/5.0.4
# If you try to start Zope as root, it will change user id to run as
# the effective user specified here. This user id must own the var directory
# of your buildout.
effective-user = plone_daemon
# This user will own the rest of the installation, and should be used to
# run buildout.
buildout-user = plone_buildout
# A flag to tell the Unified Installer whether or not to document sudo use.
need-sudo = yes

############################################
# Eggs
# ----
# Add an indented line to the eggs section for any Python
# eggs or packages you wish to include in your Plone instance.
#
# Note that versions may be specified here or in the [versions]
# section below. You should always specify versions that you know
# are compatible with the Plone release and at an acceptable
# development level.
#
# If you update to a later version of Plone, remove the hotfix.
#
eggs =
    Plone
    Pillow
    plone.app.ldap
############################################
# ZCML Slugs
# ----------
# Some eggs need ZCML slugs to tell Zope to
# use them. This is increasingly rare.
zcml =
#    plone.reload

############################################
# Development Eggs
# ----------------
# You can use paster to create "development eggs" to
# develop new products/themes. Put these in the src/
# directory.
# You will also need to add the egg names in the
# eggs section above, and may also need to add them
# to the zcml section.
#
# Provide the *paths* to the eggs you are developing here:
develop =
#    src/my.package

############################################
# var Directory
# -------------
# Sets the target directory for the "var" components of the install such as
# database and log files.
#
var-dir=${buildout:directory}/var

############################################
# Backup Directory
# ----------------
# Sets the target directory for the bin/backup and bin/snapshotbackup
# commands. Default is inside this project's var directory, but ideally
# this should be on a separate volume or backup server.
#
backups-dir=${buildout:var-dir}

############################################
# Initial User
# ------------
# This is the user id and password that will be used to create the initial
# user id that will allow you to log in and create a Plone site. This only
# sets the initial password; it will not allow you to change an already
# existing password. If you change the admin password via the web interface,
# the one below will no longer be valid.
# If you find yourself locked out of your Zope/Python installation, you may
# add an emergency user via "bin/plonectl adduser".
user=admin:**********

############################################
# Debug Options
# -------------
# Start Zope/Plone instances in "fg" mode to turn on debug mode;
# this will dramatically slow Plone.
#
# Add-on developers should turn deprecation warnings on
deprecation-warnings = off
# change verbose-security to "on" for useful security errors while developing
verbose-security = off

############################################
# Parts Specification
#--------------------
# Specifies the components that should be included in the buildout.
# Most are defined in the base.cfg extension; you may add your
# own if you need them at the end of this file.
parts =
    instance
    repozo
    backup
    zopepy
    unifiedinstaller
    precompiler
    setpermissions

############################################
# Major Parts
# ----------------------
# These common parts make use of sane base settings from
# base.cfg. To customize a part, just add whatever options
# you need. Read base.cfg for common settings.

[instance]
<= instance_base
recipe = plone.recipe.zope2instance
http-address = 8080
############################################
# Versions Specification
# ----------------------
# Version information supplied here will "pin" Python packages to a particular
# version number, even when you use the "newest" flag running buildout.
# Specifying versions for all packages is a good idea and can prevent
# accidental changes when you add new packages to your buildout.
# Note that versions specified here will override those specified earlier
# in the configuration, including those from the Plone and Zope version
# config files.
#
[versions]
# Use the setuptools and zc.buildout versions that are
# available in our Python environment.
setuptools =
zc.buildout =
bobtemplates.plone = 1.0.1
buildout.sanitycheck = 1.0.2
collective.checkdocs = 0.2
collective.recipe.backup = 3.0.0
colorama = 0.3.7
MarkupSafe = 0.23
mr.bob = 0.1.2
pkginfo = 1.2.1
plone.recipe.unifiedinstaller = 4.3.2
Products.DocFinderTab = 1.0.5
requests-toolbelt = 0.6.0
twine = 1.6.5
zest.pocompile = 1.4
zest.releaser = 6.6.4

The university where I worked uses plone.app.ldap with ActiveDirectory configured to present an LDAP interface, but I don't know how to set that up in ActiveDirectory.

You may also have a problem in the way you've configured your Plone LDAP plugin. Difficult to say/debug from the outside.

To view what's going on, start your instance or client in the foreground, e.g.

bin/instance fg

or

bin/client1 fg

or view the logs with something like

tail -f event.log

See other debugging tips at http://docs.plone.org/manage/troubleshooting/basic.html and http://training.plone.org/5/api.html#debugging