-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.txt
112 lines (90 loc) · 4.65 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
=========================
Products.LDAPUserFolder
=========================
.. contents::
This product is a replacement for a Zope user folder. It does not store its
own user objects but builds them on the fly after authenticating a user against
the LDAP database.
Bug tracker
===========
Please post questions, bug reports or feature requests to the bug tracker
at https://bugs.launchpad.net/ldapuserfolder
Debugging problems
==================
All log messages are sent to the standard Zope event log 'event.log'. In
order to see more verbose logging output you need to increase the log level
in your Zope instance's zope.conf. See the 'eventlog' directive. Setting
the 'level' key to 'debug' will maximize log output and may help pinpoint
problems during setup and testing.
Why does the LDAPUserFolder not show all my LDAP groups?
========================================================
According to feedback received from people who use Netscape directory
products the way a new group is instantiated allows empty groups to exist
in the system. However, according to the canonical definition for group
records groups must always have a group member attribute.
The LDAPUserFolder looks up group records by looking for group member
entries. If a group record has no members then it will be skipped. As said
above, this only seems to affect Netscape directory servers.
To work around this (Netscape) phenomenon add one or more members to the
group in question using the tools that came with the directory server. It
should appear in the LDAPUserFolder after that.
Why use LDAP to store user records?
===================================
LDAP as a source of Zope user records is an excellent choice in many cases,
like...
- You already have an existing LDAP setup that might store company employee
data and you do not want to duplicate any data into a Zope user folder
- You want to make the same user database available to other applications
like mail, address book clients, operating system authenticators
(PAM-LDAP) or other network services that allow authentication against
LDAP
- You have several Zope installations that need to share user records or a
ZEO setup
- You want to be able to store more than just user name and password in your
Zope user folder
- You want to manipulate user data outside of Zope
... the list continues.
The LDAP Schema
===============
Your LDAP server should contain records that can be used as user
records. Any object types like person, organizationalPerson,
or inetOrgPerson and any derivatives thereof should work. Records
of type posixAccount should work correctly as well.
The LDAPUserFolder expects your user records to have at least the
following attributes, most of which are required for the
abovementioned object classes, anyway:
- an attribute to hold the user ID (like cn, uid, etc)
- userPassword (the password field)
- objectClass
- whatever attribute you choose as the username attribute
- typcial person-related attributes like sn (last name),
givenName (first name), uid or mail (email address) will make
working with the LDAPUserFolder nicer
Zope users have certain roles associated with them, these roles
determine what permissions the user have. For the LDAPUserFolder,
role information can be expressed through membership in group
records in LDAP.
Group records can be of any object type that accepts multiple
attributes of type "uniqueMember" or "member" and that has a
"cn" attribute. One such type is "groupOfUniqueNames". The cn
describes the group / role name while the member attributes point
back to all those user records that are part of this group. Only
those group-style records that use full DNs for its members
are supported, which excludes classes like posixGroup.
For examples of valid group- and user-records for LDAP please
see the file SAMPLE_RECORDS.txt in this distribution. It has
samples for a user- and a group record in LDIF format.
It is outside of the scope of this documentation to describe the
different object classes and attributes in detail, please see
LDAP documentation for a better treatment.
Things to watch out for
=======================
Since a user folder is one of these items that can lock users out
of your site if they break I suggest testing the settings in some
inconspicuous location before replacing a site's main acl_users folder
with a LDAPUserFolder.
As a last resort you will always be able to log in and make changes
as the superuser (or in newer Zope releases called "emergency user")
who, as an added bonus, can delete and create user folders. This is
a breach of the standard "the superuser cannot create / own anything"
policy, but can save your skin in so many ways.