LDAP for Plone with pas.plugins.ldap

Jens W. Klein <jk@kleinundpartner.at>

Klein & Partner KG http://kleinundpartner.at

Innsbruck, Austria, Europe, Earth

What is LDAP?

Lightweight Directory Access Protocol

LDAP is a Protocol

to query data in the database

(directory data)

but is NOT a database itself

History

• based on IT directory requirements of telecommunication companies' in the early 80ies
• resulted in X.500 specification which included DAP (Directory Access Protocol).
• X.500/DAP is a massive/ complex protocol.
• DAP was not TCP/IP compliant,

easier to use lightweight variant was developed around 1993

LDAP in the Wild

• Broadly used in enterprises and organisations
• with need of user management
• at large scale.

• mature free software solutions like
  • OpenLDAP
  • 389 Directory Server
  • Apache Directory Server

• commercial solutions like
  • ActiveDirectory (Microsoft)
  • OpenDirectory (Apple)
  • eDirectory (Novell)
  • Tivoli (IBM)
  • Oracle Internet Directory

• Documented
• Industry standard base schemas available
• Extensible by own schemas.

a history lesson about LDAP in ZOPE and Plone

or what we had before pas.plugins.ldap

or the reason we rewrote the LDAP stack

Products.LDAPUserFolder

• replaces the original Zope UserFolder
• old school mature code (dates back to 2001)
• difficult to extend (monkey patches needed)
• very limited group management

Products.LDAPMultiPlugins

• plugin for Products.PluggableAuthService (PAS)
• instance of Products.LDAPUserFolder is contained in plugin
• wraps UserFolder API to PAS API
• difficult to install

Products.PloneLDAP

• set of plugins for Products.PluggableAuthService (PAS)
• derives from Products.LDAPMultiPlugins
• integrates LDAP fully into a Plone site
• better group management
• difficult to install

plone.app.ldap

• UI to install and manage PloneLDAP and the stack below
• easier to install

so the existing code

• worked and was mature for the use case it was build for,
• was all but flexible,
• was difficult to understand.
• It was nearly impossible to extend in a sane way (monkey patching!)
• It was stacked all on top of the other.

Now: pas.plugins.ldap

no code of the old stack was harmed

we did a complete rewrite

developed on prior experience with

• Products.GroupsFromLDAP
• bda.ldap

both discontinued (Plone 2.5 times!)

Features

• Users and/or Groups from LDAP
• abstraction from LDAP structure

• different group models
  • posix
  • samba
  • groupOfNames
  • memberOf

• mapping of LDAP attributes to PAS property sheets.
• account expiration
• ldap caching
• support for many users
• tested

Limitations

• not support for multiple (fallback) LDAP servers -> future
• brings a Plone Portrait patch, may conflict with other PAS plugins

node.ext.ldap

• LDAP convinience library
• based on python-ldap
• pure Python

• idea of tree representation (nodes)
• no Plone dependencies
• uses zope.interface/ zope.component
• configuration must be provided by code using it

• 98% test coverage
• provides own test layer (against running OpenLDAP)

• used by BlueDynamics Alliance and others in Pyramid projects
• cone.ugm is a
  • Pyramid based
  • multitenant
  • standalone
  • user and group management tool.

• dates back to 2007
• 8 contributors
• BSD 3-clause licence

node.ext.ugm

• user and group management convinience library and interfaces
• provides also role management (not used in Plone)
• node.ext.ldap provides an UGM object
• no Plone dependencies

pas.plugins.ldap

• pure PAS plugin
• uses node.ext.ldap's UGM features
• configures node.ext.ldap (GenericSetup)
• provides ZMI and control panel forms to configure LDAP

• works with many users and groups (several 10000)
• support different kinds of groups

• works with different LDAP servers, tested so far
  • OpenLDAP
  • OpenDirectory
  • ActiveDirectory
  • 389 Directory Server

• 10 contributors
• dates back to 2007

Fundraising Campaign

In March 2016 pas.plugins.ldap did not support "many" users well.

Goal: Refactor parts of the new stack to support LDAP paging.

There was the need to have a modern scalable LDAP stack in Plone.

The following companies funded together 2000 Dollar.

• Zopyx
• Six Feet Up
• Syslab
• PretaGov
• Enfold Systems
• Wildcard Corp

BlueDynamics Alliance members Robert Niederreiter and Jens Klein refactored node.ext.ldap and pas.plugins.ldap.

In August the new release of pas.plugins.ldap was out.

Now Plone support several 10- or even 100-thousands of LDAP users and groups.

pas.plugins.ldap is supported

• 100% OpenSource!
• read code, get into it, file issues,
• help to make it better!
• BlueDynamics Alliance provides professional support for those who need it!