plope

Plone + GRUF + LDAPUserFolder documentation

How to plug LDAPUserFolder into GRUF

Here's a useful link for anybody who wants to make Plone work with LDAP.

The GRUF+LDAP documentation

The covered topics, amongst others, are:

  • Which version of Plone/GRUF/LDAPUF?
  • How to make the local_roles_form work?
  • How to store groups in LDAPUF and have GRUF recognize them?
  • Which LDAP schema / structure can you use with LDAPUF?
  • How to map Plone user attributes to what is stored in your LDAP directory?
  • How to have your photo stored on LDAP?
  • ...and much more...

Do not hesitate to review / comment it! ;)

Send your feedback here:

Contact us for more information: www.ingeniweb.com, contact@ingeniweb.com or by phone: +33 1 30 06 01 41.

Created by ingeniweb
Last modified 2005-04-01 12:02 AM

A couple clarifications

There are a few assertions in that text insinuating that writing back to the LDAP directory is a bad thing. That's not true, it's as transparent as reading from the directory and there's nothing bad about it per se. As a matter of fact it can be *very* safe if you know how to either write the Python-based application to have sensible "access controls" or if you write the directory ACLs well. Also, there's nothing "complicated" about it. The complication rests with the application that uses the user folder because it will have to know a few things about the directory structure and the schemata used.

'If you decide to store your groups in LDAP, it won't be possible to give Zope roles to those groups.' - This needs correction/clarification. The document is pretty fast and loose about some terms being used, especially "group" and "role". It is very important to note that "groups" in LDAP are a far more generic concept and don't have much in common with the concept of "groups" as used in GRUF, or with "roles" as used in Zope/Plone/GRUF. Group records in LDAP are simply containerish objects that store pointers to other records, nothing more.

'By default, LDAPUserFolder expects your user class to have the following structure:' - This assertion and the example tree structure shown below it make it sound as if there are strict limits or conventions. But there aren't. The requirements are pretty loose. It would be better to just call the structure shown an "example that works", not "this is how it must be done".

'rdn attribute: (LDAP side) That's the attribute used as the rdn (it's easy !). This is used only with read-write directories, to create new entries in the database.' - That sentence makes no sense I'm afraid.

'member: cn=User1's name, ou=people, o=Organization, c=US' - It is *very bad form* to encourage users to use special characters in LDAP attribute values, or to use whitespace after the comma-separator. This is like teaching a child really bad manners. These things may work in one application but not in others.

Under the heading "LDAP Groups" it says 'First of all, LDAP supports groups and not roles.' and then 'BTW, you cannot assign a role to a user if that role doesn't already exist in LDAP'. Roles don't exist in LDAP; the second statement is confusing.

jens
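The DN-quoting point raised in the comment above, as an added example that is not from the original page or from LDAPUserFolder: a small RFC 4514 escaper that writes the quoted member value with no whitespace after the comma separator and backslash-escapes only the characters that need it, plus a normalizer that lets you compare DNs written in the sloppier "cn=..., ou=..." form with the strict one.

```python
# Added example, not from the page or LDAPUserFolder: build and normalize DNs
# with RFC 4514 escaping and no whitespace after the RDN separator.
# Characters that must be backslash-escaped anywhere in an attribute value.
_SPECIAL = {",", "+", '"', "\\", "<", ">", ";"}

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for an RDN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")                 # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                 # leading '#'
        else:
            out.append(ch)
    return "".join(out).replace("\x00", "\\00")   # NUL is hex-escaped

def build_dn(*pairs):
    """Join (attribute, value) pairs into 'attr=value,attr=value'."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in pairs)

def split_dn(dn: str):
    """Split a DN on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    parts.append("".join(buf))
    return parts

def _rstrip_unescaped(val: str) -> str:
    """Drop trailing spaces, but keep an escaped trailing '\\ '."""
    while val.endswith(" "):
        head = val[:-1]
        if (len(head) - len(head.rstrip("\\"))) % 2 == 1:
            break                             # the space is escaped
        val = head
    return val

def normalize_dn(dn: str) -> str:
    """Canonical form: lowercase attribute types, no space around ','."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={_rstrip_unescaped(val.lstrip())}")
    return ",".join(rdns)
```

build_dn(("cn", "User1's name"), ("ou", "people"), ("o", "Organization"), ("c", "US")) yields the strict form of the member value quoted above, and a value containing a comma (for example "Doe, John") comes out as cn=Doe\, John so the comma is not read as a separator.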