[Zope-dev] LDAP

Jens Vagelpohl jens@zope.com
Thu, 22 Nov 2001 07:44:23 -0500


magnus,

the LDAPUserFolder has SHA password handling "hardcoded" into it. in order 
for it to produce crypt passwords you'd have to look up the few places 
where it creates a password and change it to use crypt. i chose SHA 
because to the LDAP server itself it does not make any difference whether 
it's SHA or CRYPT and SHA is marginally more secure.

as far as your login problems go, look up a user record on the Users tab 
and see if that record has any roles associated with it.

you must also ensure that the user record you are trying to retrieve has 
permissions inside LDAP to look up itself and permission to look up the 
groups associated with it. the ACLs in slapd.conf govern that piece. you 
could use ldapsearch to "emulate" these searches by binding with the 
respective user's DN and password and looking up its own details as well 
as its own groups.

jens


P.S.: LDAP and trying to use it for zope authentication can be very 
painful to set up if you're not experienced with LDAP first. there are a 
*lot* of factors and pitfalls involved. you must have a good understanding 
about how LDAP works, knowledge about LDAP schemas and LDAP ACLs.
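An added example to go with the two practical points in the reply above: the `{SHA}` versus `{CRYPT}` userPassword formats, and emulating LDAPUserFolder's own-record and group lookups with ldapsearch bound as the user in question. This is not code from LDAPUserFolder or from the original mail. The DNs, search bases, host and the password file passed to `-y` are assumed placeholders; `{CRYPT}` verification uses Python's `crypt` module only where the interpreter still ships it.

```python
"""Added example (not from LDAPUserFolder or the original mail).

1. RFC 2307 userPassword values: LDAPUserFolder writes "{SHA}", the
   RH7.2 migration scripts wrote "{CRYPT}". For a simple bind slapd
   compares against whatever scheme the stored prefix names, so the
   prefix is what matters, not which one Zope happens to produce.
2. The searches LDAPUserFolder performs after the bind, built as
   ldapsearch argv lists with RFC 4515 filter escaping, so slapd ACLs
   can be tested outside Zope with the user's own credentials.
"""
import base64
import hashlib
import hmac
import os
import subprocess

try:
    import crypt  # deprecated in 3.11, removed in 3.13
except ImportError:  # pragma: no cover
    crypt = None


def sha_hash(password):
    """Unsalted {SHA}: base64 of the raw SHA-1 digest, as LDAPUserFolder stores it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password, salt=None):
    """Salted {SSHA}: base64(sha1(password + salt) + salt); the salt rides along."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, candidate):
    """Verify a candidate the way slapd does for a simple bind: dispatch on the prefix."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_hash(candidate), stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(ssha_hash(candidate, salt), stored)
    if stored.startswith("{CRYPT}"):
        if crypt is None:
            raise RuntimeError("crypt(3) is not available on this interpreter")
        want = stored[len("{CRYPT}"):]
        return hmac.compare_digest(crypt.crypt(candidate, want), want)
    # No prefix: slapd treats the value as cleartext and compares directly.
    return hmac.compare_digest(stored, candidate)


def filter_escape(value):
    """RFC 4515 escaping so a uid or DN taken from input cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def ldapsearch_argv(bind_dn, passfile, base, filt, attrs, host):
    # -y reads the bind password from a file so it never appears in `ps` output.
    return ["ldapsearch", "-x", "-LLL", "-H", host, "-D", bind_dn, "-y", passfile,
            "-b", base, filt, *attrs]


def self_lookup_argv(uid, bind_dn, passfile, people_base, host="ldap://localhost"):
    """What LDAPUserFolder does after binding: read the user's own record."""
    filt = "(uid=%s)" % filter_escape(uid)
    return ldapsearch_argv(bind_dn, passfile, people_base, filt, ["uid", "cn", "objectClass"], host)


def group_lookup_argv(uid, bind_dn, passfile, groups_base, host="ldap://localhost"):
    """Groups either as posixGroup (memberUid=uid) or groupOfUniqueNames (uniqueMember=DN)."""
    filt = ("(|(&(objectClass=posixGroup)(memberUid=%s))"
            "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s)))"
            % (filter_escape(uid), filter_escape(bind_dn)))
    return ldapsearch_argv(bind_dn, passfile, groups_base, filt, ["cn"], host)


def classify_result(returncode, stdout, stderr):
    """Tell a bad bind (rc 49) apart from a good bind that the ACLs silently emptied."""
    if returncode == 49:
        return "invalid credentials"
    if returncode != 0:
        return "error: " + stderr.strip()
    return "visible" if "dn:" in stdout else "bound ok but nothing returned: check slapd ACLs"


def run_check(argv):
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify_result(proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    # Assumed placeholders: adjust to the local directory layout.
    uid, dn = "magnus", "uid=magnus,ou=People,dc=example,dc=com"
    passfile = "/tmp/magnus.pw"
    print(run_check(self_lookup_argv(uid, dn, passfile, "ou=People,dc=example,dc=com")))
    print(run_check(group_lookup_argv(uid, dn, passfile, "ou=Group,dc=example,dc=com")))
```

A bind that succeeds but returns no entry is the case Jens describes: the credentials are fine, but the slapd.conf ACLs do not let the user read its own record or the groups it belongs to, and LDAPUserFolder then has no roles to hand to Zope.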


On Thursday, November 22, 2001, at 05:33 , Magnus Heino wrote:

>
> Hi.
>
> I'm struggling with zope, cmf and ldap.
>
> I started off with a fresh RH7.2 installation. I ran the openldap migration
> scripts. Then created users using the posixAccount and posixGroup class.
> These classes seem to be different from what is recommended in the
> LDAPUserFolder product.
>
> Anyway, I have added an LDAPUserFolder, and I am able to add new users,
> browse users, add groups (LDAPUserFolder cannot handle posixGroups).
>
> What I can't do though, is log in using this info. If I from the management
> page in LDAPUserFolder change password, the encryption will change from the
> current Crypt, to SHA. When it is SHA, I cannot log in using pam. But even
> if I have SHA, logging in via LDAPUserFolder still doesn't work.
>
> So, does anyone have a clue of what's going on? :) I haven't used ldap
> before, so it might just be me doing something stupid... all I want is an
> ldap database, using classes that work both in zope and with pam.
>
> /Magnus
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )