Jens Klein - Modern LDAP User and Group Authentication

published Oct 20, 2016

Talk by Jens Klein at the Plone Conference 2016 in Boston.

This is an update on pas.plugins.ldap.

LDAP is the Lightweight Directory Access Protocol. This protocol for storing and querying information on users goes back to the eighties. There are various implementations, like OpenLDAP and Active Directory.

There has been LDAP support in Plone for a long time. Products.LDAPUserFolder has been available as the basis, replacing the standard user folder. Products.LDAPMultiPlugins wraps it into the PAS API, but is difficult to install. Products.PloneLDAP integrates it more into Plone, but is also difficult to install. plone.app.ldap is a wrapper around all of this, making it easy to install in Plone. But everything is stacked on top of each other, which is very difficult to maintain or understand.

We created a complete rewrite: pas.plugins.ldap. We use an abstraction of the LDAP features in ``node.ext.ldap``, Python 2.7 only, using python-ldap, pure Python.

You can get groups and users from LDAP. It maps LDAP attributes to PAS property sheets. There is support for caching and for many users, and 98 percent test coverage.

Limitations: you cannot add users or groups, only edit them. The underlying library does implement this, so it is a TODO item, although our sites don't actually need it: users are added or deleted in a different system. Multiple (fallback) servers are not possible. It patches the user portraits, so this may conflict with other patches that you may have.

We have a test layer that uses an OpenLDAP instance.

node.ext.ugm is used, which is a set of interfaces for User and Group Management.

pas.plugins.ldap uses those base packages, configures them using GenericSetup, and provides ZMI and control panel forms to configure LDAP.

Supporting 'many' users is tricky; this was solved using money from a fundraiser campaign. Thank you!