Does anyone have a script or any advice for exporting Zope users and groups to an LDIF file?

Thanks,
Jamie
On Thu, 11 May 2006 20:35:53 +0000, Jamie Bullock wrote:
> Does anyone have a script or any advice for exporting Zope users and groups to an LDIF file?
I have built such a script for a client, though the 'users' and 'groups' that the script works on are workflowable content objects in Plone (similar to the approach used by CMFMember). It is then fairly easy to find users and groups in the portal catalog and map them to appropriate LDAP attributes.

Writing LDIF to update an existing LDAP repository (rather than just rebuilding it completely) took me quite a while to get right. The script is about 700 LOC (including blank lines & comments) - it is not trivial, unless you are just going to rebuild your LDAP each time.

If not using Plone, CMFMember, etc. then I imagine you could extract users and groups directly out of Zope and use member properties etc. to find the LDAP attributes that you need.

Let me know if you want me to ask my client to open source a version of the script. They are generally agreeable with that sort of thing. At some stage we may open source the whole project.

PS: The aim of my client's project is to have a central staff directory with all staff usernames and passwords, and group/role based authorization info controlled through a single Plone Web interface. For example, I have set up to be qmailGroup objects in LDAP so that mailing lists can be controlled through the web UI when using mail servers that understand the qmail schema. I am also using PAM LDAP to control access to apache 2 and subversion, and using LDAP to control authentication and authorization on other remote Zope servers.
> PS: The aim of my client's project is to have a central staff directory with all staff usernames and passwords, and group/role based authorization info controlled through a single Plone Web interface. For example, I have set up to be qmailGroup objects in LDAP so that mailing lists can be controlled through the web UI when using mail servers that understand the qmail schema. I am also using PAM LDAP to control access to apache 2 and subversion, and using LDAP to control authentication and authorization on other remote Zope servers.
Just out of curiosity, why do you use PAM-LDAP with Apache as opposed to mod_auth_ldap?

jens
On Fri, 12 May 2006 09:41:53 +0100, Jens Vagelpohl wrote:
> Just out of curiosity, why do you use PAM-LDAP with Apache as opposed to mod_auth_ldap?
Good question. No major reason, but we expect to use PAM LDAP for other services on our servers, since LDAP centrally controls our authentication, so I took the more general solution.
On 12 May 2006, at 10:42, Sam Stainsby wrote:
> On Fri, 12 May 2006 09:41:53 +0100, Jens Vagelpohl wrote:
>> Just out of curiosity, why do you use PAM-LDAP with Apache as opposed to mod_auth_ldap?
> Good question. No major reason, but we expect to use PAM LDAP for other services on our servers, since LDAP centrally controls our authentication, so I took the more general solution.
Ah, I'd be worried whether adding the additional layer (PAM) isn't going to slow you down.

jens
On Fri, 12 May 2006 10:55:29 +0100, Jens Vagelpohl wrote:
> On 12 May 2006, at 10:42, Sam Stainsby wrote:
>> On Fri, 12 May 2006 09:41:53 +0100, Jens Vagelpohl wrote:
>>> Just out of curiosity, why do you use PAM-LDAP with Apache as opposed to mod_auth_ldap?
>> Good question. No major reason, but we expect to use PAM LDAP for other services on our servers, since LDAP centrally controls our authentication, so I took the more general solution.
> Ah, I'd be worried whether adding the additional layer (PAM) isn't going to slow you down.
> jens
It's only an intranet web server, not a public one, so the traffic isn't huge. I expect that the true bottleneck will lie in communicating with the LDAP server over the WAN rather than the local authentication method.
On 13 May 2006, at 05:39, Sam Stainsby wrote:
> Ah, I'd be worried whether adding the additional layer (PAM) isn't going to slow you down.
> jens
> It's only an intranet web server, not a public one, so the traffic isn't huge. I expect that the true bottleneck will lie in communicating with the LDAP server over the WAN rather than the local authentication method.
I wouldn't expect that to be a problem, unless you have a really bad connection out to the WAN or braindead firewalls that cut open connections arbitrarily. However, if the LDAP client side is stupid and wants to do the whole connecting/binding/asking/unbinding dance for each and every request it might be a bit slow.

jens
Hi Sam,

Thanks for the detailed and quick reply.

On Fri, 12 May 2006 10:19:31 +1000 Sam Stainsby <sam@stainsby.id.au> wrote:
> On Thu, 11 May 2006 20:35:53 +0000, Jamie Bullock wrote:
>> Does anyone have a script or any advice for exporting Zope users and groups to an LDIF file?
> I have built such a script for a client, though the 'users' and 'groups' that the script works on are workflowable content objects in Plone (similar to the approach used by CMFMember). It is then fairly easy to find users and groups in the portal catalog and map them to appropriate LDAP attributes.
It is a Plone site, and we are using GRUF 3.4. We're not using CMFMember or anything like that.
> Writing LDIF to update an existing LDAP repository (rather than just rebuilding it completely) took me quite a while to get right. The script is about 700 LOC (including blank lines & comments) - it is not trivial, unless you are just going to rebuild your LDAP each time.
All of our users' details are currently stored in the ZODB; we don't have an existing LDAP service, so this is from scratch. I'd expect to just need to use the script once, and then just use LDAP as a backend, managing it with a Plone/Zope binding through LDAPUF.
> If not using Plone, CMFMember, etc. then I imagine you could extract users and groups directly out of Zope and use member properties etc. to find the LDAP attributes that you need.
> Let me know if you want me to ask my client to open source a version of the script. They are generally agreeable with that sort of thing. At some stage we may open source the whole project.
That would be extremely good of you. Of course when I changed the script, I would make that available to others also, so even more people could benefit.
> PS: The aim of my client's project is to have a central staff directory with all staff usernames and passwords, and group/role based authorization info controlled through a single Plone Web interface. For example, I have set up to be qmailGroup objects in LDAP so that mailing lists can be controlled through the web UI when using mail servers that understand the qmail schema. I am also using PAM LDAP to control access to apache 2 and subversion, and using LDAP to control authentication and authorization on other remote Zope servers.
That's almost identical to what I need to do. I want Zope/Plone management with an LDAP backend for Plone, ezmlm/qmail lists, and svn/trac!

Regards,
Jamie
On Fri, 12 May 2006 09:11:26 +0000, Jamie Bullock wrote:
> All of our users' details are currently stored in the ZODB; we don't have an existing LDAP service, so this is from scratch. I'd expect to just need to use the script once, and then just use LDAP as a backend, managing it with a Plone/Zope binding through LDAPUF.
The type of information we need to send to LDAP is too varied to rely on LDAPUF, so we settled for a periodic update to LDAP using the export script (there is also a "manual override" to update or rewrite LDAP immediately). This allows us to create all manner of interesting structures in LDAP if we choose to. The update happens every 10 minutes, which is not an unreasonable delay for this application. Since there are less than 200 staff, the update is not a big strain on the LDAP server.
> That's almost identical to what I need to do. I want Zope/Plone management with an LDAP backend for Plone, ezmlm/qmail lists, and svn/trac!
OK, I'll talk to my client about some kind of sharing or collaboration. I believe we are using ezmlm too, though we haven't done the LDAP integration for our mail server yet, but we are getting there.
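The two hard parts Sam describes, mapping exported users and groups to LDAP attributes and writing LDIF that updates an existing directory rather than rebuilding it (his first post), and then running that export periodically against a directory that already holds entries (his last post), are illustrated by the following added example. It is not Sam's 700-line script nor any Zope or Plone code: the user/group dictionaries are constructed stand-ins for what an export from Zope would yield, the base DN, object classes and attribute choices are assumptions, and the "existing directory" is a constructed snapshot. It emits RFC 2849 changetype records (add, modify with replace/delete, delete) from a diff of desired versus existing entries, and stores only {SSHA} password hashes so the LDIF file never carries plaintext passwords.

```python
import base64
import hashlib
import os

# Assumed for the example; not from the thread.
BASE_DN = "dc=example,dc=org"


def ssha(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style {SSHA} (salted SHA-1) so the LDIF never carries plaintext.
    Hash once and keep the result in the source system: a fresh random salt on
    every export would make every userPassword look changed on every run."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849 attrval-spec: a value that is not a SAFE-STRING (non-ASCII,
    leading space/colon/'<', or NUL/CR/LF) is base64-encoded after '::'."""
    raw = value.encode("utf-8")
    safe = (raw.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def user_entry(user: dict) -> tuple:
    """Map one exported user record to an inetOrgPerson entry (mapping assumed)."""
    dn = f"uid={user['id']},ou=People,{BASE_DN}"
    return dn, {
        "objectClass": ["inetOrgPerson"],
        "uid": [user["id"]],
        "cn": [user["fullname"]],
        "sn": [user["fullname"].split()[-1]],
        "mail": [user["email"]],
        "userPassword": [user["password_hash"]],
    }


def group_entry(group: dict) -> tuple:
    """Map one exported group to groupOfNames, referencing members by DN."""
    dn = f"cn={group['id']},ou=Groups,{BASE_DN}"
    return dn, {
        "objectClass": ["groupOfNames"],
        "cn": [group["id"]],
        "member": [f"uid={m},ou=People,{BASE_DN}" for m in group["members"]],
    }


def ldif_changes(existing: dict, desired: dict) -> str:
    """Diff two {dn: {attr: [values]}} snapshots and emit add/modify/delete
    records, so an existing directory is updated in place, not rebuilt."""
    records = []
    for dn in sorted(desired):
        attrs = desired[dn]
        if dn not in existing:
            lines = [f"dn: {dn}", "changetype: add"]
            for attr, values in attrs.items():
                lines += [ldif_line(attr, v) for v in values]
            records.append("\n".join(lines))
            continue
        mods = []
        for attr, values in attrs.items():
            if sorted(existing[dn].get(attr, [])) != sorted(values):
                mods += [f"replace: {attr}"] + [ldif_line(attr, v) for v in values] + ["-"]
        for attr in existing[dn]:
            if attr not in attrs:
                mods += [f"delete: {attr}", "-"]
        if mods:
            records.append("\n".join([f"dn: {dn}", "changetype: modify"] + mods))
    for dn in sorted(existing):
        if dn not in desired:
            records.append(f"dn: {dn}\nchangetype: delete")
    return "\n\n".join(records) + "\n"


# Constructed sample data standing in for what a Zope/Plone export would yield.
USERS = [
    {"id": "jbullock", "fullname": "Jamie Bullock", "email": "jamie@example.org",
     "password_hash": ssha("not-a-real-password", salt=b"\x01\x02\x03\x04")},
    {"id": "sstainsby", "fullname": "Sam Stainsby", "email": "sam@example.org",
     "password_hash": ssha("also-not-real", salt=b"\x05\x06\x07\x08")},
]
GROUPS = [{"id": "staff", "members": ["jbullock", "sstainsby"]}]

# Constructed snapshot of what the directory already holds: sstainsby exists
# with an outdated mail value, plus a stale account no longer present in Zope.
EXISTING = {
    f"uid=sstainsby,ou=People,{BASE_DN}": {
        "objectClass": ["inetOrgPerson"], "uid": ["sstainsby"], "cn": ["Sam Stainsby"],
        "sn": ["Stainsby"], "mail": ["old@example.org"],
        "userPassword": [USERS[1]["password_hash"]],
    },
    f"uid=departed,ou=People,{BASE_DN}": {"objectClass": ["inetOrgPerson"], "uid": ["departed"]},
}


def export() -> str:
    """One periodic run: build the desired state and emit only the changes."""
    desired = dict(user_entry(u) for u in USERS)
    desired.update(group_entry(g) for g in GROUPS)
    return ldif_changes(EXISTING, desired)


if __name__ == "__main__":
    print(export())
```

In a real run the `EXISTING` snapshot would come from an LDAP search of the target subtree, and the output would be fed to `ldapmodify` (the `-` separators and blank lines between records are what it expects). Because the diff emits nothing for unchanged entries, a ten-minute cycle like the one Sam describes stays cheap; the deliberate choice to compare stored password hashes rather than re-hash on every run is what keeps `userPassword` out of the diff when nothing changed.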
Participants (3): Jamie Bullock, Jens Vagelpohl, Sam Stainsby