Hi.

I'm struggling with zope, cmf and ldap.

I started off with a fresh RH7.2 installation. I ran the openldap migration scripts. Then I created users using the posixAccount and posixGroup class. These classes seem to be different from what is recommended in the LDAPUserFolder product.

Anyway, I have added an LDAPUserFolder, and I am able to add new users, browse users, add groups (LDAPUserFolder cannot handle posixGroups).

What I can't do though, is log in using this info. If I change the password from the management page in LDAPUserFolder, the encryption will change from the current Crypt to SHA. When it is SHA, I cannot log in using pam. But even if I have sha, logging in via LDAPUserFolder still doesn't work.

So, does anyone have a clue what's going on? :) I haven't used ldap before, so it might just be me doing something stupid... all I want is an ldap database, using classes that work both in zope and with pam.

/Magnus
magnus,

the LDAPUserFolder has SHA password handling "hardcoded" into it. in order for it to produce crypt passwords you'd have to look up the few places where it creates a password and change it to use crypt. i chose SHA because to the LDAP server itself it does not make any difference whether it's SHA or CRYPT and SHA is marginally more secure.

as far as your login problems go, look up a user record on the Users tab and see if that record has any roles associated with it.

you must also ensure that the user record you are trying to retrieve has permissions inside LDAP to look up itself and permission to look up the groups associated with it. the ACLs in slapd.conf govern that piece. you could use ldapsearch to "emulate" these searches by binding with the respective user's DN and password and looking up its own details as well as its own groups.

jens

P.S.: LDAP and trying to use it for zope authentication can be very painful to set up if you're not experienced with LDAP first. there are a *lot* of factors and pitfalls involved. you must have a good understanding about how LDAP works, knowledge about LDAP schemas and LDAP ACLs.

On Thursday, November 22, 2001, at 05:33, Magnus Heino wrote:
> Hi.
>
> I'm struggling with zope, cmf and ldap.
>
> I started off with a fresh RH7.2 installation. I ran the openldap migration scripts. Then I created users using the posixAccount and posixGroup class. These classes seem to be different from what is recommended in the LDAPUserFolder product.
>
> Anyway, I have added an LDAPUserFolder, and I am able to add new users, browse users, add groups (LDAPUserFolder cannot handle posixGroups).
>
> What I can't do though, is log in using this info. If I change the password from the management page in LDAPUserFolder, the encryption will change from the current Crypt to SHA. When it is SHA, I cannot log in using pam. But even if I have sha, logging in via LDAPUserFolder still doesn't work.
>
> So, does anyone have a clue what's going on? :) I haven't used ldap before, so it might just be me doing something stupid... all I want is an ldap database, using classes that work both in zope and with pam.
>
> /Magnus
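Because the thread turns on LDAPUserFolder writing {SHA} values while the migration scripts leave {CRYPT} ones in userPassword, here is an added example (not code from LDAPUserFolder or from anyone in this thread) that builds and verifies both RFC 2307 forms, so you can confirm which scheme an entry actually holds and that a given password matches it. The sample passwords are constructed; the {CRYPT} branch assumes a Unix Python build that still ships the crypt module.

```python
import base64
import hashlib
import hmac

try:
    import crypt  # Unix-only stdlib module, removed in Python 3.13
except ImportError:
    crypt = None


def crypt_available():
    """True when the {CRYPT} scheme can be produced/verified on this build."""
    return crypt is not None


def parse_userpassword(stored):
    """Split an RFC 2307 userPassword value into (SCHEME, payload).

    A value without a {scheme} prefix is treated as cleartext.
    """
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEAR", stored


def make_sha_userpassword(password):
    """The {SHA} form LDAPUserFolder writes: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_crypt_userpassword(password, salt=None):
    """The {CRYPT} form a migrated /etc/shadow entry carries (a crypt(3) hash)."""
    if crypt is None:
        raise RuntimeError("crypt(3) is not available in this Python build")
    return "{CRYPT}" + crypt.crypt(password, salt or crypt.mksalt())


def check_userpassword(password, stored):
    """Verify password against stored using whichever scheme it is tagged with."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "SHA":
        candidate = make_sha_userpassword(password)[len("{SHA}"):]
    elif scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        # crypt(3) reads the salt (and algorithm id) back out of the stored hash
        candidate = crypt.crypt(password, payload) or ""
    elif scheme == "CLEAR":
        candidate = password
    else:
        raise ValueError("unsupported userPassword scheme: " + scheme)
    # constant-time comparison so the mismatch position is not observable
    return hmac.compare_digest(candidate.encode("utf-8"), payload.encode("utf-8"))
```

Run `make_sha_userpassword()` on a known password and compare it with what `ldapsearch` returns for the entry's userPassword to see which side (Zope or the migration scripts) last wrote it.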
> as far as your login problems go, look up a user record on the Users tab and see if that record has any roles associated with it.

What roles need to be associated?

> you must also ensure that the user record you are trying to retrieve has permissions inside LDAP to look up itself and permission to look up the groups associated with it. the ACLs in slapd.conf govern that piece. you could use ldapsearch to "emulate" these searches by binding with the respective user's DN and password and looking up its own details as well as its own groups.

I thought that this was ok since I can log in to my linux account...

(A while later) Ok. I just locked myself out :-) Great.

> P.S.: LDAP and trying to use it for zope authentication can be very painful to set up if you're not experienced with LDAP first. there are a *lot* of factors and pitfalls involved. you must have a good understanding about how LDAP works, knowledge about LDAP schemas and LDAP ACLs.

Any suggestions of how to gain this knowledge? I know a lot more now than I did a week ago, but I certainly need to learn more :-/

Thanks for taking the time to explain things! :)

/Magnus
>> as far as your login problems go, look up a user record on the Users tab and see if that record has any roles associated with it.
>
> What roles need to be associated?

whatever roles are needed for the page you were trying to access, like "Manager" for pages in the zope management interface.

>> you must also ensure that the user record you are trying to retrieve has permissions inside LDAP to look up itself and permission to look up the groups associated with it. the ACLs in slapd.conf govern that piece. you could use ldapsearch to "emulate" these searches by binding with the respective user's DN and password and looking up its own details as well as its own groups.
>
> I thought that this was ok since I can log in to my linux account...
>
> (A while later) Ok. I just locked myself out :-) Great.

the fact that you can log into your linux account is not related to the LDAPUserFolder. the only thing you can deduce from that is that your username and password are correct, but that's just one piece you need. the second piece, as far as zope is concerned, are the permissions you have, which are attached to roles. so if you see roles in the "Groups" tab but when you are looking up your record none of the checkboxes for roles are checked you have no role (except maybe anonymous) for zope, and therefore very limited.

start by creating some groups on the groups tab (if they are not already there) with names that are "meaningful" to zope, such as "Manager" for manager accounts. then look up your own record again and check "Manager" in the list of roles and submit. that should give your account "Manager" role.

>> P.S.: LDAP and trying to use it for zope authentication can be very painful to set up if you're not experienced with LDAP first. there are a *lot* of factors and pitfalls involved. you must have a good understanding about how LDAP works, knowledge about LDAP schemas and LDAP ACLs.
>
> Any suggestions of how to gain this knowledge? I know a lot more now than I did a week ago, but I certainly need to learn more :-/

well, i learned "by doing", i'm subscribed to the openldap-software and the python-ldap mailing lists and i downloaded a couple of white papers off the internet... i think the openldap website (www.openldap.org) is a good place to start. there's the slapd admin guide, the FAQ-o-Matic and the searchable mailing list archives. if i had bought books i might be able to recommend some, but i never did.

jens