Product
Introducing License Enforcement in Socket
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
.. image:: https://secure.travis-ci.org/collective/pas.plugins.ldap.png :target: http://travis-ci.org/collective/pas.plugins.ldap
.. image:: https://coveralls.io/repos/collective/pas.plugins.ldap/badge.svg?branch=master&service=github :target: https://coveralls.io/github/collective/pas.plugins.ldap?branch=master
This is a LDAP <https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>
_ Plugin for the Zope <http://www.zope.org/en/latest/>
_ Pluggable Authentication Service (PAS) <http://pypi.python.org/pypi/Products.PluggableAuthService>
_.
It provides users and/or groups from an LDAP directory.
It works in a plain Zope even if it depends on PlonePAS <http://pypi.python.org/pypi/Products.PlonePAS>
_.
If Plone <https://plone.org>
_ is installed an integration layer with a setup-profile and a plone-controlpanel page is available.
pas.plugins.ldap
is not releated to the old LDAPUserFolder/ LDAPMultiPlugins and the packages (i.e. PloneLDAP) stacked on top of it in any way.
It is based on node.ext.ldap, an almost framework independent LDAP stack.
For now users and groups can't be added or deleted. Properties on both are read/write.
See section TODO.
This package depends on python-ldap
.
To build it correctly you need to have some development libraries included in your system.
On a Debian-based installation use:
.. code-block:: console
sudo apt install python-dev libldap2-dev libsasl2-dev libssl-dev
Add to the instance section of your buildout:
.. code-block:: ini
eggs =
...
pas.plugins.ldap
zcml =
...
pas.plugins.ldap
Run buildout. Restart Zope.
Browse to your acl_users
folder and add an LDAP-Plugin.
Configure it using the settings form and activate its features with the activate
tab.
Add to the instance section of your buildout:
.. code-block:: ini
eggs =
...
pas.plugins.ldap
Run buildout. Restart Plone.
Then go to the Plone control-panel, select extensions
and install the LDAP Plugin.
A new LDAP Settings icon appear on the left. Click it and configure the plugin there.
To use an own integration-profile, add to the profiles metadata.xml
file:
.. code-block:: xml
...
<dependencies>
...
<dependency>profile-pas.plugins.ldap.plonecontrolpanel:default</dependency>
</dependencies>
...
Additionally ldap settings can be exported and imported with portal_setup
.
You can place the exported ldapsettings.xml
in your integration profile, so it will be imported with your next install again.
Warning:
The LDAP-password is stored in there in plain text!
But anonymous bindings are possible.
To get detailed output of all LDAP-operations and much more set the logging level to debug. Attention, this is lots of output.
LDAP as an external service might be down, non-responsive or slow. This package logs such events to raise awareness. There are two environment variables to control the logging of LDAP-errors:
PAS_PLUGINS_LDAP_ERROR_LOG_TIMEOUT First LDAP-error is logged, further errors ignored until the given number of seconds have passed. This supresses flooding logs if LDAP is down. Default: 300.0 (time in seconds, float).
PAS_PLUGINS_LDAP_LONG_RUNNING_LOG_THRESHOLD Log long running LDAP/PAS operations. If a PAS operation takes longer than he given number of seconds, log it as error. Default: 5 (time in seconds, float).
Without caching this module is slow (as any other module talking to LDAP will be).
By default the LDAP-queries are not cached.
A must have for a production environment is having memcached <http://memcached.org/>
_ server configured as LDAP query cache.
Cache at least for ~6 seconds, so a page load with all its resources is covered also in worst case.
The UGM tree is cached by default on the request, that means its built up every request from (cached) ldap queries.
There is an alternative adapter available which will cache the ugm tree as volatile attribute (_v_...
) on the persistent plugin.
Volatile attributes are not persisted in the ZODB. If the plugin object vanishes from ZODB cache the atrribute is gone.
The volatile plugin cache can be activated by loading its zcml with <include package="pas.plugins.ldap" file="cache_volatile.zcml"
.
The caching time can be influenced by overriding the value in pas.plugins.ldap.cache.VOLATILE_CACHE_MAXAGE
.
It defaults to 10 and its unit is seconds.
Note:
Caching the UGM tree longer than one request means it could contain outdated data.
If you plan a different implementation of UGM tree caching,provide your own adapter implementing pas.plugins.ldap.interfaces.IPluginCacheHandler
.
This package was not tested/developed with Windows.
It may work under Windows if python-ldap
is installed properly and recognized by buildout.
This package works fine for several 10000 users or groups, unless you list users.
This is not that much a problem for small amount of users.
There is room for future optimization in the underlying node.ext.ldap <https://pypi.python.org/pypi/node.ext.ldap>
_.
If you want to help with the development (improvement, update, bug-fixing, ...) of pas.plugins.ldap
this is a great idea!
The code is located in the GitHub Collective <https://github.com/collective/pas.plugins.ldap>
_.
You can clone it or get access to the GitHub Collective <https://collective.github.com/>
_ and work directly on the project.
Maintainers are Robert Niederreiter, Jens Klein and the BlueDynamics Alliance <https://bluedynamics.com/>
_ developer team.
We appreciate any contribution and if a release is needed to be done on pypi, please just contact one of us:
dev@bluedynamics dot com <mailto:dev@bluedynamics.com>
_
See also Issue-Tracker <https://github.com/collective/pas.plugins.ldap/issues>
_
issue #61 <https://github.com/collective/pas.plugins.ldap/issues/61>
_.
[mamico]Features:
Support for nested groups in AD using LDAP_MATCHING_RULE_IN_CHAIN. [pbauer]
Support for plugin-external group DNs when using memberOf attribute. [jensens]
Bug fixes:
issue #97 <https://github.com/collective/pas.plugins.ldap/issues/97>
_
and issue #92 <https://github.com/collective/pas.plugins.ldap/issues/92>
_.
[al45tair]Use the plugin ID as the property sheet ID instead of the user ID.
Fixes issue #95 <https://github.com/collective/pas.plugins.ldap/issues/95>
_.
[reinhardt]
Grant the Member role to all LDAP users. [reinhardt]
Fixed error display for /plone_ldapcontrolpanel when a wrong value is provided for the "Groups container DN" field. [alecghica]
Fixed error adding a Plone user group. [iulianpetchesi]
Log LDAP-errors as level error, to get them i.e. into Sentry. [jensens]
Make timeout of LDAP-errors logging configurable with environment variable PAS_PLUGINS_LDAP_ERROR_LOG_TIMEOUT
.
[jensens]
Log long running LDAP/ pas.plugin.ldap operations as error.
Threshold can be controlled with environment variable PAS_PLUGINS_LDAP_LONG_RUNNING_LOG_THRESHOLD
.
[jensens]
Remove broken old import step from base profile.
Fixes issue #74 <https://github.com/collective/pas.plugins.ldap/issues/74>
_.
[maurits]
Remove deprecation warning for removal of time.clock() which will break Python 3.8 support. [fredvd]
Require python-ldap 3.2.0. Fixes "initialize() got an unexpected keyword argument 'bytes_strictness'". [reinhardt]
Pimp ZMI view to look better on Zope 4. [jensens]
Fixes #71, node.ext.ldap version-requirement wrong [jensens]
Fix inspector: In Python 3 JSON dumps does not accept bytes as keys. [jensens, 2silver]
Explicitly set the ID on the property sheet instead of write on read. [jensens, 2silver]
Less verbose plugin logging of pseudo errors. [jensens, 2silver]
Enable partial search for users if no exact match was asked. [jensens]
Add bundle on request for latest YAFOWIL. [jensens]
Drop Plone 4.3 support. [jensens]
Convert plugin.py
doctests to unittests.
[jensens]
Black code style. [jensens]
Fix #51: plone_ldapinspector broken with UnicodeDecodeError [dmunico]
Make bind user and password optional. [thet, jensens]
Python 3 support:
[reinhardt]
Remove manual LDAP search pagination on UGM principal search
calls.
This is done in downstream API as of node.ext.ldap
1.0b7.
[rnix]
Fix testing: register plugin type of PlonePAS. [jensens, fredvd, mauritsvanrees]
Overhaul of test setup (travis). [jensens]
Set the memcached TTW setting in the form definition to unicode, so that you can save the controlpanel form if you change this field. [fredvd]
Improve README [svx]
page_size
resulted in float value.
Now set form datattype to integer.
Thanks @datakurre for reporting!
[jensens]GroupEnumeration paged. [jensens]
UserEnumeration paged. [jensens]
Add page_size server property. [jensens]
Fix LDAP check. [jensens]
Split profiles for Plone 4 and 5. [jensens]
fix tests for Plone 5 [jensens]
Fixed LDAP errors not handled. This prevent leave the site broken just after the installation of the plugin [keul]
Adopt LDAP instector to use DN instead of RDN for node identification. [rnix]
Add dummy defaults
setting to UsersConfig
and GroupsConfig
adapters. These defaults are used to set child creation defaults, thus
concrete implementation is postponed until user and group creation is
supported through plone UI.
[rnix]
Add ignore_cert
setting to LDAPProps
adapter.
[rnix]
Remove check_duplicates
setting which is not available any more in
node.ext.ldap.
[rnix]
Use node.ext.ldap 1.0b1. [rnix]
major speedup expected by using node.ext.ldap >=1.0a1 [jensens]
use implementer decorator for better readability. [jensens]
Fix setuptools to v7.0. [jensens]
Feature: Alternative volatile cache for UGM tree on plugin. [jensens]
overhaul test setup [jensens]
introduce pluggable caching mechanism on ugm-tree level, defaults to
caching on request. Can be overruled by providing an adapter implementing
pas.plugins.ldap.interfaces.IPluginCacheHandler
.
[jensens]
log how long it takes to build up a users or groups tree. [jensens]
RuntimeError
instead of KeyError
when password change method
couldn't locate the user in LDAP tree. Maybe it's a local user and
Products.PlonePAS.pas.userSetPassword
expects a RuntimeError
to be
raised in this case.
[saily]add property check_duplicates
. Adds ability to disable duplicates check
for keys in ldap in order to avoid failure if ldap strcuture is not perfect.
Add new property to disable duplicate primary/secondary key checking in LDAP trees. This allows pas.plugins.ldap to read LDAP tree and ignore duplicated items instead of raising::
Traceback (most recent call last): ... RuntimeError: Key not unique: =''.
ldap errors dont block that much if ldap is not reachable, timeout blocked in past the whole zope. now default timeout for retry is 300s - and some code cleanup [jensens]
use more modern base for testing [jensens]
Add URL example to widget help information how to specify an ldap uri. [saily]
Add new bootstrap v2 [saily]
make it work.
base work done so far in bda.pasldap
and bda.plone.ldap
was merged.
Copyright (c) 2010-2020, BlueDynamics Alliance, Austria, Germany, Switzerland All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
THIS SOFTWARE IS PROVIDED BY BlueDynamics Alliance AS IS
AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL BlueDynamics Alliance BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
FAQs
LDAP/AD Plugin for Plone/Zope PluggableAuthService (users+groups)
We found that pas.plugins.ldap demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
Product
We're launching a new set of license analysis and compliance features for analyzing, managing, and complying with licenses across a range of supported languages and ecosystems.
Product
We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.