Skip to main content


Project description


Plugin for providing user and group management with LDAP as backend.


  • Create, edit and delete users and groups
  • Manage membership of users in groups
  • Roles support
  • Local Manager Support
  • User and group form configuration
  • POSIX support
  • Samba support


lxml, python-ldap and openldap get compiled, the required dev headers must be installed on the system.

On debian based systems install:

$ apt-get install libxml2-dev libxslt1-dev
$ apt-get install libsasl2-dev libssl-dev libdb-dev

On ubuntu oneiric, you might need Berkeley v4.7 Database Libraries to make it work:

$  apt-get install libdb4.7-dev


cone.ugm contains a buildout configuration. Download and extract package ZIP file, enter extraction location and run:

cone.ugm$ python2.7
cone.ugm$ ./bin/buildout

Start Test LDAP server with appropriate LDIF layer:

cone.ugm$ ./bin/testldap start groupOfNames_10_10

Start the application:

cone.ugm$ ./bin/paster serve ugm_groupOfNames_10_10.ini

and browse http://localhost:8081/. Default admin user password is admin.

The “roles” behavior in the principal form is only displayed if roles configuration is sane. The LDIF imported for test layer does not provide the roles container by default. Browse “Settings -> LDAP Roles” and perform “create roles container” action if you want to enable roles in the demo.

Note: If python_ldap fails, don’t use buildout offline mode!


For customizing the plugin, make an integration package and include it in buildout.

LDAP configuration

To define the LDAP configuration location add cone.ugm.ldap_config property to application ini file, i.e.:

cone.ugm.ldap_config = %(here)s/etc/ldap.xml


cone.ugm internally uses 3 roles in order to permit user actions.

editor is permitted to manage membership, admin additionally is permitted to add, edit and delete users and groups, and manager is a superuser. If UGM is the only plugin used, you can reduce the available roles to this three:

>>> = [
...     ('editor', 'Editor'),
...     ('admin', 'Admin'),
...     ('manager', 'Manager'),
... ]

Default value callbacks

Depending on the LDAP object classes used for users and groups, more or less attributes are required for the entries. Maybe not all of these attributes should be visible to the user of cone.ugm. Some might even require to be computed. Therefore the plugin supports default value callbacks. These callbacks get the principal node and id as attributes:

>>> from cone.ugm import model

>>> def some_field_callback(node, id):
...     return 'some computed value'

and are set to factory defaults for users and groups respectively:

>>> model.factory_defaults.user['someField'] = some_field_callback

The factory defaults can also be static values:

>>> model.factory_defaults.user['someField'] = '12345'

Form widgets

The widgets used for attributes can also be customized. It expects a yafowil factory chain, props and custom dicts which are passed to yafowil factory. required flags field as required, and protected defines whether this field is not editable (like user id and group id):

>>> from cone.ugm.browser import form_field_definitions
>>> user = form_field_definitions.user
>>> user['someField'] = dict()
>>> user['someField']['chain'] = 'field:label:error:text'
>>> user['someField']['props'] = dict()
>>> user['someField']['required'] = True
>>> user['someField']['protected'] = False

Samba support

Example configuration:

>>> from node.ext.ldap.ugm import (
...     posix,
...     shadow,
...     samba,
... )

>>> samba.SAMBA_LOCAL_SID = 'S-1-5-21-1234567890-1234567890-1234567890'
>>> samba.SAMBA_DEFAULT_DOMAIN = 'yourdomain'
>>> samba.SAMBA_PRIMARY_GROUP_SID = 'S-1-5-21-1234567890-1234567890-1234567890-123'

>>> from cone.ugm import model

>>> user = model.factory_defaults.user
>>> user['gidNumber'] = posix.memberGid
>>> user['loginShell'] = posix.loginShell
>>> user['shadowFlag'] = shadow.shadowFlag
>>> user['shadowMin'] = shadow.shadowMin
>>> user['shadowMax'] = shadow.shadowMax
>>> user['shadowWarning'] = shadow.shadowWarning
>>> user['shadowInactive'] = shadow.shadowInactive
>>> user['shadowLastChange'] = shadow.shadowLastChange
>>> user['shadowExpire'] = shadow.shadowExpire
>>> user['sambaSID'] = samba.sambaUserSID
>>> user['sambaDomainName'] = samba.sambaDomainName
>>> user['sambaPrimaryGroupSID'] = samba.sambaPrimaryGroupSID
>>> user['sambaAcctFlags'] = samba.sambaAcctFlags
>>> user['sambaPwdLastSet'] = samba.sambaPwdLastSet

>>> group =
>>>['memberUid'] = posix.memberUid


  • Robert Niederreiter <rnix [at] squarewave [dot] at>
  • Florian Friesdorf <flo [at] chaoflow [dot] net>
  • Jens Klein <jens [at] bluedynamics [dot] com>



  • Directly depend on lxml in [rnix, 2014-05-13]


  • Adopt dependencies. [rnix, 2013-01-10]


  • Portrait CSS fix. [rnix, 2012-10-30]
  • Python 2.7 Support. [rnix, 2012-10-16]
  • adopt to 0.9.4 [rnix, 2012-07-29]
  • adopt to node 0.9.8 [rnix, 2012-07-29]
  • adopt to plumber 1.2 [rnix, 2012-07-29]
  • Simplify cone.ugm.browser.actions. [rnix, 2012-07-26]
  • Add local manager functionality. [rnix, 2012-07-25]


  • Get rid of BBB classes usage from [rnix, 2012-05-18]
  • Fix invalidation after settings form save. [rnix, 2012-04-23]
  • Portrait Image support. [rnix, 2012-04-21]
  • Configuration for attributes exposed to attribute map. [rnix, 2012-04-19]
  • Invalidate after creating principal or roles container. [rnix, 2012-04-19]
  • Adopt expires blueprint to yafowil.widget.datetime 1.3. [rnix, 2012-04-19]


  • Add Autoincrement Feature for user ids. [rnix, 2012-03-30]


  • Account expiration widget improvements. [rnix, 2012-03-20]


  • Add account expiration functionality. [rnix, 2011-03-06]
  • Make display field of In-Out widget configurable. [rnix, 2011-01-31]
  • Dynamic width CSS. [rnix, 2011-12-18]
  • Get rid of global cone.ugm.backend. is returend by cone.ugm.model.utils.ugm_backend. [rnix, 2011-11-22]
  • Explicit names for settings forms. [rnix, 2011-11-18]
  • Add node properties for users and groups to get displayed in navtree if displayed. [rnix, 2011-11-16]


  • Initial release.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
cone.ugm-0.9.7.tar.gz (99.6 kB) Copy SHA256 hash SHA256 Source None May 13, 2014

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page