Agile Tortoise
Greg Pierce’s blog
Plone, Active Directory authentication, Mac OS X
There may be an easier way to do this, but this is what I just went through to set up my Panther-based Plone install to authenticate users against Active Directory over LDAP.
First, the Mac OS X Plone installer (v2.0.3) does not include the python ldap modules, nor does the version of python that ships with Panther. I installed the darwinports version of py-ldap and copied the ldap module files from /opt/local/lib/python2.3/site-packages into the site-packages folder of the Plone installation at /Applications/Plone2/Library/software/zope270/python. After doing this, launch that python interpreter and try “import ldap” to confirm that the module loads.
Next, install the latest versions of LDAPUserFolder (v2.4b3) and LDAPUserFolderExt (v0.41) in the “Products” directory of your Plone site. Restart Zope. Check in the Control Panel in the ZMI that the products installed properly and didn’t produce any errors.
Go to the “acl_users” folder in your Plone instance in the ZMI; on the “Sources” tab, select “LDAPUserFolderExt” as your “User source #1”, check “I’m sure”, and click OK. This takes you to the configuration page for the LDAP connection.
Set up the LDAP configuration appropriate to your Active Directory domain. If you want users to log in with the same NT username they already use, edit the “LDAP Schema” tab, adding the LDAP attribute “sAMAccountName” with the friendly name “UserName”; then on the “Configure” tab select that attribute as the “Login Name Attribute”.
I recommend limiting your User Base DN as much as possible, so that only your user objects are loaded and show up in user searches.
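An added check for the setup above (example code, not from the post and not part of LDAPUserFolder or python-ldap): a Python 3 script that exercises the same Active Directory settings with python-ldap before they are typed into LDAPUserFolderExt. It builds an exact-match filter on sAMAccountName with the login value escaped, searches only under the user Base DN, and translates the result into the post’s “UserName” and “email” properties (the mail mapping from the follow-up comment below). The function names, the example.com DNs, the sample entries and the FakeConnection stand-in are all constructed for this example; only connect() needs python-ldap and a reachable domain controller.

```python
"""Check Active Directory login settings the way LDAPUserFolderExt will use them.

Added example, not code from the original post or from LDAPUserFolder.
All DNs, account names and the FakeConnection below are constructed.
"""

# AD attribute -> Plone property, as mapped on the "LDAP Schema" tab in the post.
SCHEMA_MAP = {
    "sAMAccountName": "UserName",  # becomes the "Login Name Attribute"
    "mail": "email",               # saves setting addresses by hand
}

SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login, login_attr="sAMAccountName"):
    """Exact-match filter for one login; a value like 'jdoe)(objectClass=*' is neutralised."""
    return "(&(objectClass=user)(%s=%s))" % (login_attr, escape_filter_value(login))


def entry_to_plone(attrs):
    """Map one AD entry's attributes to Plone property names.

    python-ldap on Python 3 returns every attribute as a list of bytes, so the
    first value is taken and decoded; the post's Python 2.3 returned str.
    """
    plone = {}
    for ad_attr, plone_prop in SCHEMA_MAP.items():
        values = attrs.get(ad_attr) or []
        if values:
            first = values[0]
            plone[plone_prop] = first.decode("utf-8") if isinstance(first, bytes) else first
    return plone


def lookup_user(conn, base_dn, login):
    """Find exactly one user under base_dn; return (dn, plone_props) or None.

    `conn` is any object with a python-ldap style search_s(base, scope, filter, attrlist).
    Searching only under the user Base DN is the scoping the post recommends.
    """
    results = conn.search_s(base_dn, SCOPE_SUBTREE, build_login_filter(login), list(SCHEMA_MAP))
    # AD returns search-continuation referrals as entries whose dn is None; skip them.
    matches = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(matches) != 1:
        return None  # unknown login, or an ambiguous match that must not log anyone in
    dn, attrs = matches[0]
    return dn, entry_to_plone(attrs)


def connect(uri, bind_dn, password):
    """Open a simple-bind connection with python-ldap (imported lazily so the
    rest of this file runs where the module is not installed)."""
    import ldap
    conn = ldap.initialize(uri)  # use an ldaps:// URI so the bind password is not sent in clear
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD hands out referrals for other naming contexts; do not chase them
    conn.simple_bind_s(bind_dn, password)
    return conn


# Constructed sample of what AD answers for the filter above: one user entry
# plus the referral continuation that a domain controller typically appends.
SAMPLE_RESULTS = [
    ("CN=Jane Doe,OU=Staff,DC=example,DC=com",
     {"sAMAccountName": [b"jdoe"], "mail": [b"jdoe@example.com"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
]


class FakeConnection:
    """Offline stand-in for a python-ldap connection, fed with constructed results."""

    def __init__(self, results):
        self.results = results

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Match on the login value that build_login_filter placed in the filter.
        wanted = filterstr.split("sAMAccountName=")[1].rstrip(")")
        hits = []
        for dn, attrs in self.results:
            if dn is None:
                hits.append((dn, attrs))  # referral, as AD sends it
            elif attrs.get("sAMAccountName", [b""])[0].decode("utf-8") == wanted:
                hits.append((dn, attrs))
        return hits


if __name__ == "__main__":
    # Offline run against the constructed sample. For a real check replace the
    # fake with connect("ldaps://dc.example.com", BIND_DN, BIND_PASSWORD) using
    # a low-privilege bind account of your own (placeholders, not real values).
    print(lookup_user(FakeConnection(SAMPLE_RESULTS), "OU=Staff,DC=example,DC=com", "jdoe"))
```

The check refuses to return a user when the search yields zero or more than one entry, which is the behaviour you want from an authentication lookup; if a real domain controller returns several hits for one sAMAccountName, the User Base DN is too wide.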
August 27th, 2004 at 8:56 am
To add to this, I was unable to store group information in Plone and have it apply properly to the LDAP authenticated users — so I set up dedicated groups in Active Directory, changed my group source in acl_users to LDAP, then configured mapping to the Plone roles… then it all worked great!
August 27th, 2004 at 12:42 pm
One more note: go to the LDAP Schema tab in the LDAPUserFolderExt and map Active Directory’s “mail” attribute to Plone’s “email” attribute so you don’t have to manually set users’ email addresses. That’s assuming, of course, you’ve bothered to enter email addresses in your AD.
October 26th, 2004 at 1:48 pm
Your instructions work great! I only have one question: You said that you mapped the AD groups to your Plone groups. In the LDAP Schema tab, what is the LDAP Attribute Name for the AD Groups? I tried ‘groups’ but it didn’t work.
Thanks!
October 26th, 2004 at 2:06 pm
On Oct 26, 2004, at 2:54 PM, Anthony Valentine wrote:
> Your instructions work great! I only have one question: You said
> that you mapped the AD groups to your Plone groups. In the LDAP
> Schema tab, what is the LDAP Attribute Name for the AD Groups? I
> tried ‘groups’ but it didn’t work.
I was referring to using an LDAPGroupFolder as my groups source, on the
“Sources” page of the acl_users object. Didn’t really have to do any
mappings on it, I don’t think.
g.
October 26th, 2004 at 4:35 pm
Thanks! That worked great!