zope and LDAP for authorisation
Hi,

I'm looking for a Zope product that enables me to use our Active Directory LDAP server for verification of login credentials only. I want users still stored in Zope, and access to directories should also be something I can handle in Zope, and I don't want to use LDAP groups because I don't control the LDAP server and there are no groups on the LDAP server I can use. So really, all I want is that Zope checks the passwords with the LDAP server instead of with its own userfolder. And perhaps a possibility to check/search for the available login names on the LDAP server when adding a user to the userfolder.

I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).

Does anyone know whether there is such a product, or can anyone give me some pointers to adapt an existing product to my needs?

Thanks in advance,
Ria Marinussen
Webmaster
--------------------------------------------
Faculty EEMCS, Department of Computer Science, University of Twente
Email: ria.marinussen[at]cs.utwente.nl
--------------------------------------------
--On 12 December 2005 12:04:59 +0100 "Marinussen, M.J. (Ria)" <M.J.Marinussen@ewi.utwente.nl> wrote:
I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).
That's exactly what you are looking for. What is wrong with LDAPUF? (Come up with some reasonable arguments, otherwise Jens (author of LDAPUF) might beat you :-)

-aj
On 12 Dec 2005, at 11:04, Marinussen, M.J. (Ria) wrote:
Hi,
I'm looking for a Zope product that enables me to use our Active Directory LDAP server for verification of login credentials only. I want users still stored in Zope, and access to directories should also be something I can handle in Zope, and I don't want to use LDAP groups because I don't control the LDAP server and there are no groups on the LDAP server I can use.
So really, all I want is that Zope checks the passwords with the LDAP server instead of with its own userfolder. And perhaps a possibility to check/search for the available login names on the LDAP server when adding a user to the userfolder.
I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).
I'd say "start coding". There is nothing that fits your (somewhat strange) requirements. I would suggest you modify those requirements to come up with a saner plan. Could it be you're thinking too much in terms of specific implementation and too little in terms of what the underlying goals are? First of all, what do you gain from "storing users in Zope"? Is your real goal to make sure only a subset of users from LDAP can access your site? That goal is easily fulfilled by configuring the LDAPUserFolder to store role information on the user folder and disregard the LDAP server. Then you just secure your site by requiring a certain role and only give that role to the subset of users you want to let in. jens
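The split Jens describes, AD answering only "is this password right?" while the user list and roles stay in Zope, comes down to an LDAP bind per login plus a local role store. The block below is an added illustration, not code from the thread or from LDAPUserFolder. It runs offline against a constructed stand-in for the AD server (`FAKE_AD`, `fake_search`, `fake_bind` are assumptions; with python-ldap they would be `search_s()` and `simple_bind_s()` calls). Two checks a practitioner wants are shown: an empty password is rejected before the bind, because AD treats a DN with an empty password as an unauthenticated bind that succeeds (RFC 4513 §5.1.2), and the login name is escaped per RFC 4515 before it goes into the `sAMAccountName` filter so it cannot rewrite the query.

```python
# Added example (not from the thread or from LDAPUserFolder): verify a login
# against AD by LDAP bind, keep users and roles locally.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# --- constructed stand-in for the AD server (assumption, replace with python-ldap)
FAKE_AD: Dict[str, Tuple[str, str]] = {
    # DN -> (sAMAccountName, password)
    "CN=Ria,OU=Staff,DC=example,DC=test": ("rmarinussen", "correct horse"),
    "CN=Bob,OU=Students,DC=example,DC=test": ("bob", "hunter2"),
}

def fake_search(base: str, filt: str) -> List[str]:
    """Return DNs under `base` matching an equality filter (sAMAccountName=VALUE)."""
    assert filt.startswith("(sAMAccountName=") and filt.endswith(")")
    wanted = filt[len("(sAMAccountName="):-1]
    return [dn for dn, (sam, _) in FAKE_AD.items() if sam == wanted and dn.endswith(base)]

def fake_bind(dn: str, password: str) -> bool:
    """Mimic AD simple bind: DN + empty password is an *unauthenticated* bind
    that succeeds (RFC 4513 s5.1.2). The caller must close that hole."""
    if password == "":
        return True
    return dn in FAKE_AD and FAKE_AD[dn][1] == password

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied login cannot alter the filter.
    python-ldap ships the same as ldap.filter.escape_filter_chars()."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

@dataclass
class LocalUserFolder:
    """Users and roles live here (the Zope side); AD only confirms passwords."""
    base_dn: str
    roles: Dict[str, Set[str]] = field(default_factory=dict)   # login -> roles
    search: Callable[[str, str], List[str]] = fake_search
    bind: Callable[[str, str], bool] = fake_bind

    def _lookup(self, login: str) -> List[str]:
        return self.search(self.base_dn, "(sAMAccountName=%s)" % escape_filter_value(login))

    def add_user(self, login: str, roles) -> None:
        """Only accept logins that actually exist in AD (the OP's 'check before adding')."""
        if not self._lookup(login):
            raise LookupError("no such account in AD: %r" % login)
        self.roles[login] = set(roles)

    def authenticate(self, login: str, password: str):
        """Return the bound DN on success, else None."""
        if not password:
            return None              # would otherwise pass as an unauthenticated bind
        if login not in self.roles:
            return None              # known to AD perhaps, but not to this site
        dns = self._lookup(login)
        if len(dns) != 1:
            return None              # ambiguous or missing account: refuse
        return dns[0] if self.bind(dns[0], password) else None

    def allowed(self, login: str, password: str, role: str) -> bool:
        return self.authenticate(login, password) is not None and role in self.roles[login]

if __name__ == "__main__":
    uf = LocalUserFolder("DC=example,DC=test")
    uf.add_user("rmarinussen", ["Manager"])
    print(uf.allowed("rmarinussen", "correct horse", "Manager"))   # True
    print(uf.allowed("bob", "hunter2", "Manager"))                 # False: not a local user
```

Only logins that were added to the local folder can get in, which is the "subset of LDAP users" goal Jens points at; AD is consulted solely for the password check and the existence check at add time.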
On 12/12/05, Marinussen, M.J. (Ria) <M.J.Marinussen@ewi.utwente.nl> wrote:
I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).
Yes it is. It works very well with LDAP/AD. The size/len error you get is probably because you have given wrong settings (wrong id to check against?), but could also be due to the fact that the AD server will only pass on 1000(?) entries by default. If you change the settings in your AD to allow for sending the full list of users, your error might go away (as I recall from my own problems with AD).

Stuff to read: http://support.microsoft.com/?kbid=271088

More specifically: you have to change the setting MaxPageSize 1000 to MaxPageSize [at least as many entries as you have in your AD, plus some extra in case you get many more new users].

I do not know how much this will stress your webserver (or your AD servers), but we are running a five-year-old Pentium III with 2GB RAM and a 4GB Data.fs and quite a load without seeing any problems.

You probably sorted things out by the time it took me to write this.

Best Regards,
Einar Næss Jensen
--
Einar Næss Jensen
http://einar.nidelven-it.no/einarblog
http://www.homemade.no
tlf: +47 90990249
Oh.... on the tab "LDAP Schema", you might try to add the schema item sAMAccountName and use that for your login ID, on the main tab of LDAPUserFolder.
--
Einar Næss Jensen
http://einar.nidelven-it.no/einarblog
http://www.homemade.no
tlf: +47 90990249
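MaxPageSize is a domain-wide LDAP policy on the domain controller; raising it, as the previous message suggests, removes a limit that bounds how much work any single unpaged query can demand of the DC, and it affects every LDAP client of that domain. The client-side alternative that does not touch the DC is the simple paged results control (RFC 2696, OID 1.2.840.113556.1.4.319), which AD honours: the client asks for pages and follows the server's cookie until it comes back empty. The block below is an added illustration, not code from the thread; `FakeDirectory` is a constructed stand-in that enforces a 1000-entry MaxPageSize the way a DC does, and `fetch_all` is the client loop, which with python-ldap would drive `ldap.controls.SimplePagedResultsControl` around `search_ext()`/`result3()`.

```python
# Added example (not from the thread): paging past MaxPageSize instead of raising it.
from typing import List, Optional, Tuple

MAX_PAGE_SIZE = 1000   # AD's default value for the MaxPageSize LDAP policy

class SizeLimitExceeded(Exception):
    """What the DC returns (LDAP result 4) for an unpaged search over the limit."""

class FakeDirectory:
    """Constructed stand-in for a DC holding `n` user entries."""
    def __init__(self, n: int):
        self.entries = ["CN=user%04d,OU=People,DC=example,DC=test" % i for i in range(n)]

    def search(self, page_size: Optional[int] = None, cookie: bytes = b"") -> Tuple[List[str], bytes]:
        """Return (entries, cookie). No page_size means no paging control was sent."""
        if page_size is None:
            if len(self.entries) > MAX_PAGE_SIZE:
                raise SizeLimitExceeded("result set exceeds MaxPageSize=%d" % MAX_PAGE_SIZE)
            return list(self.entries), b""
        # A DC caps the requested page at MaxPageSize rather than refusing it.
        page_size = min(page_size, MAX_PAGE_SIZE)
        start = int(cookie) if cookie else 0
        page = self.entries[start:start + page_size]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return page, next_cookie

def fetch_all(directory: FakeDirectory, page_size: int = 500) -> List[str]:
    """Client loop from RFC 2696: resend the search with the server's cookie
    until the server returns an empty cookie, meaning no more pages."""
    results: List[str] = []
    cookie = b""
    while True:
        page, cookie = directory.search(page_size=page_size, cookie=cookie)
        results.extend(page)
        if not cookie:
            return results

def unpaged_fails(directory: FakeDirectory) -> bool:
    """True if the plain (unpaged) search is refused, i.e. the user list is over the limit."""
    try:
        directory.search()
        return False
    except SizeLimitExceeded:
        return True

if __name__ == "__main__":
    dc = FakeDirectory(2500)
    print(unpaged_fails(dc))        # True: 2500 > 1000 without paging
    print(len(fetch_all(dc)))       # 2500: all entries, five pages of 500
```

Asking for a page larger than MaxPageSize is harmless: the DC silently trims each page to the policy value and the loop simply runs more iterations, so the client never needs to know the DC's exact limit.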
participants (4)
- Andreas Jung
- Einar Næss Jensen
- Jens Vagelpohl
- Marinussen, M.J. (Ria)