[Zope] zope and LDAP for authorisation
Marinussen, M.J. (Ria)
M.J.Marinussen at ewi.utwente.nl
Tue Dec 13 08:11:06 EST 2005
Hi Jens,
> > Hi,
> >
> > I'm looking for a zope product that enables me to use our Active
> > Directory LDAP server for verification of login credentials only.
> > I want users still stored in Zope, and access to directories should be
> > also something I can handle in Zope, and I don't want to use LDAP
> > groups because I don't control the LDAP server and there are no
> > groups on the LDAP server I can use.
> >
> > So really, all I want is that Zope checks the passwords with the LDAP
> > server instead of with its own userfolder.
> > And perhaps, a possibility to check/search for the available
> > loginnames on the LDAP server when adding a user to the userfolder.
> >
> > I've checked out LDAPUserFolder but that's not what I'm looking for (I
> > think...).
>
> I'd say "start coding". There is nothing that fits your (somewhat
> strange) requirements. I would suggest you modify those requirements
> to come up with a saner plan. Could it be you're thinking too much in
> terms of specific implementation and too little in terms of what the
> underlying goals are?
>
> First of all, what do you gain from "storing users in Zope"? Is your
> real goal to make sure only a subset of users from LDAP can access
> your site? That goal is easily fulfilled by configuring the
> LDAPUserFolder to store role information on the user folder and
> disregard the LDAP server. Then you just secure your site by
> requiring a certain role and only give that role to the subset of
> users you want to let in.
>
> jens
Andreas warned me not to step on your toes ... ;-)
I didn't mean to put LDAPUserFolder down but it felt like using a
cannonball to kill a mosquito (famous Dutch saying)
Well I did say I *thought* LDAPUserFolder was not what I was looking
for.
But since you are the expert on LDAPUserFolder I think I should take
that back. What you describe is what I want to do... but I thought it
would be necessary to store the users in zope to be able to form groups
in zope...
Perhaps I would have figured it out myself if I was able to get
LDAPUserFolder to work but I think I'm missing something... (well
actually I'm missing a lot... I don't know much about LDAP so "start
coding" is probably not a good idea...)
Here is my situation at this moment:
I have LDAPUserFolder working in a sense that I can search for users
(and find the ldap entries) when I'm in the LDAPUserFolder - Users tab.
So far so good. But when I limit access to a folder (in the Security tab
on zope) to for example authenticated users and I try to logon to that
folder, after authenticating (using the correct LDAP username and
password) I get an error that doesn't make sense to me.
Googling does not bring a solution.
The error is: "TypeError len() of unsized object". (Using wrong (LDAP)
credentials gets me a "You are not authorized to access this resource.
Username and password are not correct." message.) On the same folder
this problem does not occur when I use a native zope user to logon.
I'm using on Windows XP
Zope 2.7.2-0, python 2.3.5, win32
LDAPUserFolder 2.6
OpenLDAP 2.3.11
And I also tested on Windows XP with
Plone 2.1.1 (is with Zope 2.7.8-final, python 2.3.5, win32)
LDAPUserFolder 2.6
OpenLDAP 2.3.11
Do you have any idea what I'm doing wrong?
Thanks in advance,
Ria