Skip to main content

LDAP/AD Plugin for Plone/Zope PluggableAuthService (users+groups)

Project description

https://secure.travis-ci.org/collective/pas.plugins.ldap.png https://coveralls.io/repos/collective/pas.plugins.ldap/badge.svg?branch=master&service=github

This is a LDAP Plugin for the Zope Pluggable Authentication Service (PAS).

It provides users and/or groups from an LDAP directory.

It works in a plain Zope even if it depends on PlonePAS.

If Plone is installed an integration layer with a setup-profile and a plone-controlpanel page is available.

pas.plugins.ldap is not releated to the old LDAPUserFolder/ LDAPMultiPlugins and the packages (i.e. PloneLDAP) stacked on top of it in any way.

It is based on node.ext.ldap, an almost framework independent LDAP stack.

For now users and groups can’t be added or deleted. Properties on both are read/write.

See section TODO.

Installation

Dependencies

This package depends on python-ldap.

To build it correctly you need to have some development libraries included in your system.

On a Debian-based installation use:

sudo apt install python-dev libldap2-dev libsasl2-dev libssl-dev

Zope

Add to the instance section of your buildout:

eggs =
    ...
    pas.plugins.ldap

zcml =
    ...
    pas.plugins.ldap

Run buildout. Restart Zope.

Browse to your acl_users folder and add an LDAP-Plugin.

Configure it using the settings form and activate its features with the activate tab.

Plone

Add to the instance section of your buildout:

eggs =
    ...
    pas.plugins.ldap

Run buildout. Restart Plone.

Then go to the Plone control-panel, select extensions and install the LDAP Plugin.

A new LDAP Settings icon appear on the left. Click it and configure the plugin there.

To use an own integration-profile, add to the profiles metadata.xml file:

...
<dependencies>
    ...
    <dependency>profile-pas.plugins.ldap.plonecontrolpanel:default</dependency>
</dependencies>
...

Additionally ldap settings can be exported and imported with portal_setup. You can place the exported ldapsettings.xml in your integration profile, so it will be imported with your next install again.

Warning:

The LDAP-password is stored in there in plain text!

But anonymous bindings are possible.

Logging

To get detailed output of all LDAP-operations and much more set the logging level to debug. Attention, this is lots of output.

LDAP as an external service might be down, non-responsive or slow. This package logs such events to raise awareness. There are two environment variables to control the logging of LDAP-errors:

PAS_PLUGINS_LDAP_ERROR_LOG_TIMEOUT

First LDAP-error is logged, further errors ignored until the given number of seconds have passed. This supresses flooding logs if LDAP is down. Default: 300.0 (time in seconds, float).

PAS_PLUGINS_LDAP_LONG_RUNNING_LOG_THRESHOLD

Log long running LDAP/PAS operations. If a PAS operation takes longer than he given number of seconds, log it as error. Default: 5 (time in seconds, float).

Caching

Without caching this module is slow (as any other module talking to LDAP will be).

By default the LDAP-queries are not cached.

A must have for a production environment is having memcached server configured as LDAP query cache.

Cache at least for ~6 seconds, so a page load with all its resources is covered also in worst case.

The UGM tree is cached by default on the request, that means its built up every request from (cached) ldap queries.

There is an alternative adapter available which will cache the ugm tree as volatile attribute (_v_...) on the persistent plugin.

Volatile attributes are not persisted in the ZODB. If the plugin object vanishes from ZODB cache the atrribute is gone.

The volatile plugin cache can be activated by loading its zcml with <include package="pas.plugins.ldap" file="cache_volatile.zcml".

The caching time can be influenced by overriding the value in pas.plugins.ldap.cache.VOLATILE_CACHE_MAXAGE.

It defaults to 10 and its unit is seconds.

Note:

Caching the UGM tree longer than one request means it could contain outdated data.

If you plan a different implementation of UGM tree caching,provide your own adapter implementing pas.plugins.ldap.interfaces.IPluginCacheHandler.

Limitations and Future Optimizations

This package was not tested/developed with Windows. It may work under Windows if python-ldap is installed properly and recognized by buildout.

This package works fine for several 10000 users or groups, unless you list users.

This is not that much a problem for small amount of users. There is room for future optimization in the underlying node.ext.ldap.

Source Code

If you want to help with the development (improvement, update, bug-fixing, …) of pas.plugins.ldap this is a great idea!

The code is located in the GitHub Collective.

You can clone it or get access to the GitHub Collective and work directly on the project.

Maintainers are Robert Niederreiter, Jens Klein and the BlueDynamics Alliance developer team.

We appreciate any contribution and if a release is needed to be done on pypi, please just contact one of us: dev@bluedynamics dot com

Contributors

  • Jens W. Klein

  • Robert Niederrreiter

  • Florian Friesdorf

  • Daniel Widerin

  • Johannes Raggam

  • Luca Fabbri

TODO

See also Issue-Tracker

Milestone 2.0

  • remove portrait monkey patch

  • add/delete users

  • add/delete groups

  • add flags for readonly groups and users

  • modes for only groups or only users from ldap

  • SSL/TLS configuration TTW

  • creation defaults TTW

  • group in group (depends on: node.ext.ldap: group.groups support) (Done for AD in 1.8.0)

  • roles from ldap

  • Option on LDAP inspector whether to use query filters from users and groups config

History

1.8.0 (2020-06-11)

Features:

  • Support for nested groups in AD using LDAP_MATCHING_RULE_IN_CHAIN. [pbauer]

  • Support for plugin-external group DNs when using memberOf attribute. [jensens]

1.7.2 (2020-02-21)

Bug fixes:

1.7.1 (2020-02-14)

  • Use the plugin ID as the property sheet ID instead of the user ID. Fixes issue #95. [reinhardt]

  • Grant the Member role to all LDAP users. [reinhardt]

1.7.0 (2020-01-22)

  • Fixed error display for /plone_ldapcontrolpanel when a wrong value is provided for the “Groups container DN” field. [alecghica]

  • Fixed error adding a Plone user group. [iulianpetchesi]

  • Log LDAP-errors as level error, to get them i.e. into Sentry. [jensens]

  • Make timeout of LDAP-errors logging configurable with environment variable PAS_PLUGINS_LDAP_ERROR_LOG_TIMEOUT. [jensens]

  • Log long running LDAP/ pas.plugin.ldap operations as error. Threshold can be controlled with environment variable PAS_PLUGINS_LDAP_LONG_RUNNING_LOG_THRESHOLD. [jensens]

1.6.2 (2019-09-12)

  • Remove broken old import step from base profile. Fixes issue #74. [maurits]

  • Remove deprecation warning for removal of time.clock() which will break Python 3.8 support. [fredvd]

  • Require python-ldap 3.2.0. Fixes “initialize() got an unexpected keyword argument ‘bytes_strictness’”. [reinhardt]

1.6.1 (2019-05-07)

  • Pimp ZMI view to look better on Zope 4. [jensens]

  • Fixes #71, node.ext.ldap version-requirement wrong [jensens]

1.6.0 (2019-05-07)

  • Fix inspector: In Python 3 JSON dumps does not accept bytes as keys. [jensens, 2silver]

  • Explicitly set the ID on the property sheet instead of write on read. [jensens, 2silver]

  • Less verbose plugin logging of pseudo errors. [jensens, 2silver]

  • Enable partial search for users if no exact match was asked. [jensens]

  • Add bundle on request for latest YAFOWIL. [jensens]

  • Drop Plone 4.3 support. [jensens]

  • Convert plugin.py doctests to unittests. [jensens]

  • Black code style. [jensens]

  • Fix #51: plone_ldapinspector broken with UnicodeDecodeError [dmunico]

  • Make bind user and password optional. [thet, jensens]

  • Python 3 support:

    • fixed imports

    • text/encoding fixes

    • fixed exception handling

    • mangled doctests using Py23DocChecker from node.ext.ldap

    • simplified object_classes expressions in yaml config

    [reinhardt]

1.5.3 (2017-12-15)

  • Remove manual LDAP search pagination on UGM principal search calls. This is done in downstream API as of node.ext.ldap 1.0b7. [rnix]

  • Fix testing: register plugin type of PlonePAS. [jensens, fredvd, mauritsvanrees]

  • Overhaul of test setup (travis). [jensens]

1.5.2 (2017-10-20)

  • Set the memcached TTW setting in the form definition to unicode, so that you can save the controlpanel form if you change this field. [fredvd]

  • Improve README [svx]

1.5.1 (2016-10-18)

  • Fix: TTW setting of page_size resulted in float value. Now set form datattype to integer. Thanks @datakurre for reporting! [jensens]

1.5 (2016-10-06)

  • No changes.

1.5b1 (2016-09-09)

  • GroupEnumeration paged. [jensens]

  • UserEnumeration paged. [jensens]

  • Add page_size server property. [jensens]

  • Fix LDAP check. [jensens]

  • Split profiles for Plone 4 and 5. [jensens]

  • fix tests for Plone 5 [jensens]

  • Fixed LDAP errors not handled. This prevent leave the site broken just after the installation of the plugin [keul]

  • Adopt LDAP instector to use DN instead of RDN for node identification. [rnix]

  • Add dummy defaults setting to UsersConfig and GroupsConfig adapters. These defaults are used to set child creation defaults, thus concrete implementation is postponed until user and group creation is supported through plone UI. [rnix]

  • Add ignore_cert setting to LDAPProps adapter. [rnix]

  • Remove check_duplicates setting which is not available any more in node.ext.ldap. [rnix]

  • Use node.ext.ldap 1.0b1. [rnix]

  • major speedup expected by using node.ext.ldap >=1.0a1 [jensens]

  • use implementer decorator for better readability. [jensens]

  • Fix setuptools to v7.0. [jensens]

1.4.0 (2014-10-24)

  • Feature: Alternative volatile cache for UGM tree on plugin. [jensens]

  • overhaul test setup [jensens]

  • introduce pluggable caching mechanism on ugm-tree level, defaults to caching on request. Can be overruled by providing an adapter implementing pas.plugins.ldap.interfaces.IPluginCacheHandler. [jensens]

  • log how long it takes to build up a users or groups tree. [jensens]

1.3.2 (2014-09-10)

  • Small fixes in inspector. [rnix]

1.3.1 (2014-08-05)

  • Fix dependency versions. [rnix]

1.3.0 (2014-05-12)

  • Raise RuntimeError instead of KeyError when password change method couldn’t locate the user in LDAP tree. Maybe it’s a local user and Products.PlonePAS.pas.userSetPassword expects a RuntimeError to be raised in this case. [saily]

1.2.0 (2014-03-13)

  • add property check_duplicates. Adds ability to disable duplicates check for keys in ldap in order to avoid failure if ldap strcuture is not perfect.

  • Add new property to disable duplicate primary/secondary key checking in LDAP trees. This allows pas.plugins.ldap to read LDAP tree and ignore duplicated items instead of raising:

    Traceback (most recent call last):
    ...
    RuntimeError: Key not unique: <key>='<value>'.

1.1.0 (2014-03-03)

  • ldap errors dont block that much if ldap is not reachable, timeout blocked in past the whole zope. now default timeout for retry is 300s - and some code cleanup [jensens]

  • use more modern base for testing [jensens]

  • Add URL example to widget help information how to specify an ldap uri. [saily]

  • Add new bootstrap v2 [saily]

1.0.2

  • sometimes ldap returns an empty string as portrait. take this as no portrait. [jensens, 2013-09-11]

1.0.1

  • because of passwordreset problem we figured out that pas searchUsers calls plugins search with both login and name, which was passed to ugm and returned always an empty result [benniboy]

1.0

  • make it work.

  • base work done so far in bda.pasldap and bda.plone.ldap was merged.

License

Copyright (c) 2010-2020, BlueDynamics Alliance, Austria, Germany, Switzerland All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • Neither the name of the BlueDynamics Alliance nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY BlueDynamics Alliance AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BlueDynamics Alliance BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pas.plugins.ldap-1.8.0.tar.gz (47.2 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page