LDAP integration with
user/group search
(in pas.plugins.ldap)
Fred van Dijk (Zest Software)
Welcome
• About you

• Integrator

• Developer

• How do I connect Plone
to an LDAP user
directory?

• What’s new in
pas.plugins.ldap?
• About me

• Fred van Dijk

• Zest Software

• Rotterdam - NL

• Using Plone since 2002

• From user to integrator,
dev, consultant, trainer
Agenda
• Quick: what’s LDAP?

• LDAP and organisations

• Users/Groups in Plone

• LDAP integration in Plone

• pas.plugins.ldap

• Install & setup 

• sharing users/groups

• Advanced setup

• Wrap up

• Questions
Why LDAP
• Centralised database of users and groups inside
organisations

• old school: copy the users and groups file to different pc’s

• On UNIX this goes back a long way, to the 80's and 90's:
NIS (Network Information Service), X.500

• PC’s: Windows: Lan manager, Novell Netware 2/3
From flat to hierarchical
user databases
• Organisational units, departments, mirror org. structure

• Some Implementations

• UNIX: SLAPD - Netscape Directory server 

• Windows: NDS: Novell Directory Services

• Windows: Microsoft Active Directory

• LDAP: Lightweight Directory Access Protocol

• Protocol becomes server, becomes protocol
Users in Plone
• Plone has its own user database

• Works fine, but with larger organisations and/or many
services you don’t want to maintain many user/group lists for
every service. 

• Connect to central directory service maintaining user, groups

• Authentication vs Authorisation

• who you are and which groups you belong to: the ID, from LDAP

• what the ID is allowed to do: decided in the separate services
What’s the problem for us?
• Us being Plone users and
integrators trying to set up
LDAP

• Multiple moving parts: LDAP is the protocol, the data
depends on the directory service (LDAP
implementations, AD), and on top of that
Zope, PAS and Plone config

• You only set this up once for
a project, until it works, then
you don’t look back … 

• Everything is always (a bit)
different
Authentication in Zope
• Plone is built on top of Zope. - Zope is ‘mature’

• acl_users folder - Zope Simple user folder (1996?)

• Products.LDAPUserFolder, replacement for acl_users
(1.0beta2 from 2001)

• Pluggable Authentication Service - Products.PlonePAS
(version 2.3 from 2007)

• PAS -> Products.LDAPMultiplugins -> (LDAPUserFolder)
On top of Zope in Plone
• Webmaster facing configuration and support in Plone &
controlpanel:

• Products.PloneLDAP

• plone.app.ldap

• wrapping the stuff on the previous page

• That's a lot of history and stack…
pas.plugins.ldap
• “New” implementation without depending on the existing plugins 

• developed by BlueDynamics Alliance

• based on node and node.ext.ldap, virtual node tree

• Version 1.1.0 - 2014

• upgraded from bda.ldap - 2007 - so not that new

• Can/should cache results in memcached - speed vs freshness

• Not totally feature equivalent with plone.app.ldap

• underlying node.ext.ldap can also work with Pyramid
And so it goes
(with add’ons for Plone)
• People start using and improving

• Open source, on branches, sometimes specifics for their organisation.

• 2016 - fundraising to implement pagination in pas.plugins.ldap

• Fixes and improvements by Asko Soukka from & for University of
Jyväskylä

• Speed optimisations for huge (university) directories

• User search

• Not yet merged to master, needs more testing
Our ‘quest’ with
pas.plugins.ldap
• Have setups at different customers with plone.app.ldap
stack. Very stable, fire and forget, but old.

• pagination and unicode issues

• Let’s test this pas.plugins.ldap stuff (on Plone 4)

• Did fixes in main branch and dependent packages, fork
Asko’s branch for search fixes

• Not yet merged to master either. Is this generic and
stable enough?
There’s some work to be
done
• Our versions available at

• https://github.com/zestsoftware/pas.plugins.ldap &
node.ext.ldap

• http://pypi.zestsoftware.nl/public/

• Sprint this saturday / sunday? 

• More documentation

• check changes and prepare merge back
Demonstration
• To test and demo this stuff: get your own ldap-server

• Local setup of openldap on my Mac (quick show)

> slapd -d1 -f slapd.conf -h "ldap://127.0.0.1:8389/"
• Import users/groups with ldapadd and an ldif file

• querying locally on the command line:

> ldapsearch -D "cn=root,dc=ldapdemo,dc=com" -w secret -p 8389 -h localhost -b "dc=ldapdemo,dc=com" -s sub "(objectclass=inetOrgPerson)"
Browsing your LDAP
• Apache Directory Studio

• cross platform

• Big Java Tool, has LDAP browser
but also built in LDAP server,
maybe useful on Windows?

• http://directory.apache.org/studio

• Demo
Configuring Plone
• Demo in plone 5.0.8

• Buildout

• pas.plugins.ldap in the eggs
section of
plone.recipe.zope2instance

• Some version pinnings -
You always pin your
versions, right? 

• Show config in editor
# pas.plugins.ldap
pas.plugins.ldap = 1.5.2+zest1
node.ext.ldap = 1.0b4+zest1
bda.cache = 1.2.0
pylibmc = 1.5.1
node = 0.9.16
plumber = 1.3.1
yafowil = 2.2
yafowil.plone = 2.3.1
PyYAML = 3.11
loremipsum = 1.0.5
node.ext.ugm = 0.9.8
odict = 1.5.2
python-memcached = 1.57
smbpasswd = 1.0.2
yafowil.widget.array = 1.4
yafowil.widget.dict = 1.6
yafowil.yaml = 1.2
python-ldap = 2.4.45
configuring the Plug-in
• Activate Add’on

• Configuration panel. A lot of options

• Server Settings

• User Settings

• Group Settings
Server settings
• Use SSL in production

• The manager user can/should be read only for safety in
production setups

• ignore certificate check option for nasty in-company
firewalls that inspect TLS traffic

• Page size: the option from the fundraising, to avoid
over-querying a large LDAP
User settings
• Where are your users coming from?

• Path in the directory

• Can and sometimes should be recursive depending on the
structure

• Limit your search, Limit objects returned for consideration

• Same query language as ldapsearch on the command line

• keep objectClass on inetOrgPerson for now, this option
is not finished yet
User settings
• User attribute Aliases: which required Plone user
attributes map to the attributes found on your objects in
LDAP?

• for my local LDAP it’s uid, but Active Directory often
uses sAMAccountName

• User Property Sheet: extra attributes coming into the
Plone user object, full name, email, etc.
Group support
• Same drill as with users, inspect your directory first

• Different options to support different LDAP backends, e.g.
memberOf support on user objects (activated by default in
Active Directory)
mapping ldap fields to user
fields
• There’s no one size fits all

• Trial and error is very much that: a lot of trial, please don’t

• Inspect your directory through an ldap browser
actual objects in my local
slapd demo server
Demo of adding users on
the sharing menu
• Add users to sharing tab

• Add groups to sharing tab

• search parts of name with * syntax at the moment. 

• Also searches in other attributes like location or email

• Should also work in the global sharing tab, but there is a bug in Plone
5.0.8, will investigate

• hierarchical searching - One Level - Subtree
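An added example (not code from pas.plugins.ldap) of what the sharing-tab search above amounts to: the user's partial query with its * syntax becomes an LDAP filter over name, mail and location, and the One Level / Subtree choice decides which part of the tree is searched. The attribute names (cn, sn, mail, l), the helper names and the demo entries are my assumptions, shaped like the slides' local slapd server; the only extra it shows is that characters which would change the filter's structure are escaped before they reach the directory.

```python
import re

USER_BASE = "ou=people,dc=ldapdemo,dc=com"

# Constructed demo entries in the shape of the slides' slapd demo server
# (base dc=ldapdemo,dc=com, users are inetOrgPerson). Not real data.
ENTRIES = [
    {"dn": "uid=fred,ou=people,dc=ldapdemo,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["fred"],
     "cn": ["Fred van Dijk"], "sn": ["van Dijk"],
     "mail": ["fred@ldapdemo.example"], "l": ["Rotterdam"]},
    {"dn": "uid=asko,ou=staff,ou=people,dc=ldapdemo,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["asko"],
     "cn": ["Asko Soukka"], "sn": ["Soukka"],
     "mail": ["asko@ldapdemo.example"], "l": ["Jyväskylä"]},
    {"dn": "cn=editors,ou=groups,dc=ldapdemo,dc=com",
     "objectClass": ["groupOfNames"], "cn": ["editors"],
     "member": ["uid=fred,ou=people,dc=ldapdemo,dc=com"]},
]

# RFC 4515 escaping for the characters that change a filter's structure.
# '*' is intentionally NOT escaped: the sharing tab lets users type it.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def normalize_term(query):
    """Strip the query; a plain word gets wildcards so parts of a name match."""
    term = query.strip() or "*"
    return term if "*" in term else "*%s*" % term

def user_search_filter(query, attrs=("cn", "sn", "mail", "l"),
                       object_class="inetOrgPerson"):
    """The filter sent to the directory, with the user's input escaped (assumed attrs)."""
    term = "".join(_ESCAPES.get(c, c) for c in normalize_term(query))
    ors = "".join("(%s=%s)" % (a, term) for a in attrs)
    return "(&(objectClass=%s)(|%s))" % (object_class, ors)

def in_scope(dn, base_dn, scope):
    """'one' = direct children of base_dn only, 'sub' = any depth below it."""
    suffix = "," + base_dn.lower()
    if not dn.lower().endswith(suffix):
        return False
    rdns = dn[: -len(suffix)].count(",") + 1  # assumes no escaped commas in RDNs
    return rdns == 1 if scope == "one" else True

def search_users(query, base_dn=USER_BASE, scope="sub",
                 attrs=("cn", "sn", "mail", "l"), entries=ENTRIES):
    """Evaluate the same search locally over ENTRIES; returns matching uids."""
    parts = normalize_term(query).split("*")
    pattern = re.compile("^" + ".*".join(map(re.escape, parts)) + "$", re.I)
    hits = []
    for e in entries:
        if "inetOrgPerson" not in e["objectClass"]:
            continue  # groups are never returned by the user search
        if not in_scope(e["dn"], base_dn, scope):
            continue
        if any(pattern.match(v) for a in attrs for v in e.get(a, [])):
            hits.append(e["uid"][0])
    return sorted(hits)

if __name__ == "__main__":
    print(user_search_filter("fred"))
    print(search_users("jyv*"))               # matches on location, subtree
    print(search_users("asko", scope="one"))  # nested OU: not found with One Level
    print(user_search_filter("fred)(uid=*"))  # parentheses are neutralised
```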
Example of LDAP object in
Active Directory
Better performance
• ALWAYS use memcached with pas.plugins.ldap in
production, use system supplied memcached or install
with buildout
[memcached]
recipe = zc.recipe.cmmi
url = http://www.memcached.org/files/memcached-1.5.2.tar.gz

[supervisor]
recipe = collective.recipe.supervisor
…..
programs =
    80 memcached (stderr_logfile=NONE stdout_logfile=${buildout:directory}/var/log/memcached-stdout.log) ${memcached:location}/bin/memcached [ -m ${conf:memcached-size} -l localhost -p ${conf:memcached} -U ${conf:memcached} ] true
Automatic configuration
• Generic Setup:
• ldap_settings.xml 

• Configure and export with portal_setup

• Don’t forget registry.xml with the memcached settings

• Demo of ldapdemo.policy product

• show config in editor

• demo
Final thoughts
• This is not plug and play easy stuff

• Know your directory, don’t trial and error attributes, use Apache
Directory Studio to find them

• Production:

• SSL communication with LDAP

• Read only admin user

• Add’on still needs more polish

• Plone 5 / Plone 4
Thank You
• Questions ? 

• Sprint on pas.plugins.ldap improvements?
