[Grok-dev] grok and ldap auth
Jens Adner
j.adner at fh-sm.de
Wed Sep 17 05:49:11 EDT 2008
Excellent, the first step is done, in a different way, but it's working.
Yesterday, I could install python-ldap, ldapadapter and ldappas
successfully. I know what you mean with "finicky" in building the
ldap-python, Kevin ;-) I had to build the ldap-python manually, after
commenting out 4 lines in the source code. ldapadapter and ldappas could
be built fine with easy-install.
In addition, I put 2 lines into my configure.zcml:
<include package="ldapadapter" />
<include package="ldappas" />
Now I could add an ldapadapter in the manage GUI from my grok project.
I registered this adapter in the GUI with the name "fhsLdapAdapter",
and my simple code to get auth against our global ldap is as follows:
---------------------------------
import grok
import ldappas.authentication


class Auth2(grok.Application, grok.Container):
    # LDAPAuthentication plugin configured against the adapter registered
    # in the manage GUI under the name 'fhsLdapAdapter'
    auth = ldappas.authentication.LDAPAuthentication()
    auth.adapterName = 'fhsLdapAdapter'
    auth.searchBase = 'dc=fh-sm,dc=de'
    auth.searchScope = 'sub'
    auth.groupsSearchBase = ''
    auth.groupsSearchScope = ''
    auth.loginAttribute = 'uid'
    auth.principalIdPrefix = 'ldap.'
    auth.idAttribute = 'uid'
    auth.titleAttribute = 'sn'
    auth.groupsAttribute = 'ou'
    auth.groupIdAttribute = 'cn'


class Index(grok.View):
    def foobar(self):
        # look the login up in LDAP and bind with the given password
        principal = Auth2.auth.authenticateCredentials(
            {'login': 'adner', 'password': 'securepassword'})
        return principal, principal.title, principal.description
------------------------------------------------------------------------
The corresponding template prints out the principal:
(PrincipalInfo(u'ldap.adner'), u'Adnerson', u'Adnerson')
The first step is done, thanks for your help. Now I have to study the rest
of your code, Kevin, to make my views restricted to an ldap principal.
Jens
Am 17.09.2008 um 06:50 schrieb Kevin Teague:
>
> On Sep 16, 2008, at 7:41 PM, Reed O'Brien wrote:
>
>> On Sep 16, 2008, at 4:39 AM, Jens Adner wrote:
>>
>>> Hello,
>>>
>>> I'm new here. I have some experience with zope2 and plone and ldap
>>> auth. I'm looking for a framework to create a small webapp for
>>> authenticating our students against the global ldap database.
>>>
>>> We changed from perl and php to python in our system programming and
>>> I'm happy with python, so grok seems to be a good choice for this
>>> task.
>>>
>>> Maybe anyone can help me in programming a ldap interface for grok
>>> auth. I tried some of the example codes for grok, but now I need
>>> some
>>> help for the first steps.
>>>
>>> I read about ldappas and ldapadapter, but I don't know how to use
>>> them
>>> in zope3 (grok) to make a view restricted for ldap users.
>>>
>>> In the near future, i18n and mysql data models are in the point of
>>> interest.
>>>
>>> Sorry for my english
>>
>> Sorry for my only english:(
>>
>> You might look at GUM
>>
>> http://www.bcgsc.ca/scm/hg.repo/gum/
>>
>> It uses ldappas and ldapadapter. I have not used it but maybe you can
>> get some ideas there.
>>
>
> Some of the interesting knowledge I learned while making GUM you
> might find relevant:
>
> - Usage of z3c.recipe.ldap to configure an ldap instance to use for
> testing and development.
>
> I use Mac OS X for dev, it has OpenLDAP already on the system, so
> z3c.recipe.ldap just needs to
> configure an instance of it. However, my buildout.cfg is a bit Mac-
> specific.
>
> I spent a fair bit of time with the rootpw setting, since it
> seemed to ignore this attribute unless it
> was encrypted (although the OpenLDAP docs I read seemed to
> indicate otherwise).
>
> - Getting python-ldap to install as part of the buildout process was
> finicky. I ended up making binary eggs,
> tossing them into an Apache index directory and informing buildout
> about this location using the find-links option.
> You'll need to adjust the bcgsc.ca URL to prefix it with www.
> because it seems our DNS config is broken ATM for the non-www
> domain :(
> Or make your own python-ldap eggs.
>
> - Determining if a user is allowed to access a view is done with an
> event subscriber, the code is in src/gum/ldapapp.py.
> My subscriber is fairly specific to the needs of GUM (and it could
> use a little more clean-up), but it serves as an OK example.
> Note that the IPrincipalCreated is fired every time a user logs in,
> and Principal == User terminology-wise. The zope.securitypolicy
> package has documentation for the role and permission APIs.
>
> @grok.subscribe(IPrincipalCreated)
> def update_principal_info_from_ldap(event):
>     "Update the principal with information from LDAP"
>     principal = event.principal
>     app = grok.getSite()
>     uid = principal.id.split('.')[-1]
>     user = app['users'][uid]
>     principal.title = user.cn
>     principal.uid = uid
>     principal.groups.extend([u'gum.Admin'])
>
>     # grant roles to permissions
>     rpm = IRolePermissionManager(app)
>     rpm.grantPermissionToRole(u'gum.Add', u'gum.Admin')
>     rpm.grantPermissionToRole(u'gum.Edit', u'gum.Admin')
>
>     # grant the Admin role to members of the ldap_admin_group
>     admin_group = app['groups'][app.ldap_admin_group]
>     if uid in admin_group.uids:
>         prm = IPrincipalRoleManager(app)
>         prm.assignRoleToPrincipal(u'gum.Admin', u'gum.ldap.%s' % uid)
>
> You'll also need to make Permissions to grant Roles to:
>
> class Add(grok.Permission):
>     grok.name(u'gum.Add')
>
> And then a View can be protected with the require directive:
>
> class AddUser(grok.AddForm):
>     grok.require(u'gum.Add')
>
>
> Maybe there are better ways to do this? But hopefully it'll get you
> started, if you get stuck somewhere specific, feel free to ask more
> questions.
>
>
++++++++ Jens Adner IuK-Zentrum Fachhochschule Schmalkalden +++++++++
++++++++ Fon: +49 3683 6889201 Fax: +49 3683 6889499 +++++++++++++++
++++++++ Jabber: adnus at jabber.ccc.de +++++++++++++++++++++++++++
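As an added example (not code from this thread, ldappas or GUM), the following models what the settings above drive: the search filter built from loginAttribute, the principal id built from principalIdPrefix and idAttribute, and the uid extraction the quoted subscriber does with split('.')[-1]. The in-memory directory, the plaintext password comparison (a real deployment lets the LDAP server verify it via a bind) and all function names are assumptions.

```python
import re

# Constructed model of the lookup the ldappas settings in the post describe;
# it is not ldappas's own code.
CONFIG = {
    "loginAttribute": "uid",
    "idAttribute": "uid",
    "titleAttribute": "sn",
    "principalIdPrefix": "ldap.",
}

# Constructed sample entries standing in for the dc=fh-sm,dc=de tree.
DIRECTORY = [
    {"uid": "adner", "sn": "Adnerson", "userPassword": "securepassword"},
    {"uid": "j.doe", "sn": "Doe", "userPassword": "othersecret"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: a login such as 'adner)(uid=*' must not be able
    to change the shape of the filter sent to the server."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def login_filter(login, config=CONFIG):
    """The equality filter the loginAttribute setting produces."""
    return "(%s=%s)" % (config["loginAttribute"], escape_filter_value(login))


def authenticate_credentials(credentials, config=CONFIG, directory=DIRECTORY):
    """Return (principal_id, title) like the tuple in the post, or None."""
    login = credentials["login"]
    matches = [e for e in directory if e.get(config["loginAttribute"]) == login]
    if len(matches) != 1:          # zero or ambiguous hits: refuse to authenticate
        return None
    entry = matches[0]
    # assumption: compared in memory here; a real deployment binds as the entry
    if entry["userPassword"] != credentials["password"]:
        return None
    principal_id = config["principalIdPrefix"] + entry[config["idAttribute"]]
    return principal_id, entry[config["titleAttribute"]]


def uid_from_principal_id(principal_id, config=CONFIG):
    """Strip the configured prefix. split('.')[-1], as in the quoted
    subscriber, turns 'ldap.j.doe' into 'doe' once a uid contains a dot."""
    prefix = config["principalIdPrefix"]
    if not principal_id.startswith(prefix):
        raise ValueError("not an LDAP principal: %r" % principal_id)
    return principal_id[len(prefix):]
```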