cone.ldap 0.2

Features

• LDAP access via node.ext.ldap

• Application integration into cone.app

• Integration into cone.ugm

• POSIX support

• Samba support

Prerequirements

lxml, python-ldap and openldap gets compiled, the required dev headers must be installed on the system.

On debian based systems install:

$ apt-get install -y libxml2-dev libxslt1-dev
$ apt-get install -y libsasl2-dev libssl-dev libdb-dev

Installation

cone.ldap contains a buildout configuration. Download or checkout package and run:

cone.ldap$ ./bootstrap.sh python3

Start Test LDAP server with appropriate LDIF layer:

cone.ldap$ ./bin/testldap start groupOfNames_10_10

Start the application:

cone.ldap$ ./bin/pserve cfg/gon_10_10/ldap_gon_10_10.ini

and browse http://localhost:8081/. Default admin user password is admin.

The “roles” behavior in the principal form is only displayed if roles configuration is sane. The LDIF imported for test layer does not provide the roles container by default. Browse “Settings -> LDAP Roles” and perform “create roles container” action if you want to enable roles in the demo.

Note: If python_ldap fails, don’t use buildout offline mode!

General

For customizing the plugin, make an integration package and include it in your setup.

Application configuration

To define the LDAP related configuration locations, provide the following settings in your application ini file.

# LDAP UGM backend activation
ugm.backend = ldap

# Basic LDAP server configuration
ldap.server_config = /path/to/ldap_server.xml

# LDAP UGM backend related configuration
ldap.users_config = /path/to/ldap_users.xml
ldap.groups_config = /path/to/ldap_groups.xml
ldap.roles_config = /path/to/ldap_roles.xml

Examples of these configuration file can be found at cfg folder of the source package.

UGM Default values and default value callbacks

Depending on the LDAP object classes used for users and groups, more or less attributes are required for the entries. Maybe not all of these attributes should be visible to the user. Some might even require to be computed. Therefor the plugin supports default values and default value callbacks.

Default values and callbacks are registered via factory_defaults.users, factory_defaults.groups and factory_defaults.roles.

from cone.ldap.settings import factory_defaults

The factory defaults can be static values.

factory_defaults.user['someField'] = '12345'

Default value callbacks get the principal node and id as attributes.

def some_field_callback(node, id):
    return 'some computed value'

factory_defaults.user['someField'] = some_field_callback

Samba support

Example configuration to enable samba support.

from cone.ldap.settings import factory_defaults
from node.ext.ldap.ugm import posix
from node.ext.ldap.ugm import shadow
from node.ext.ldap.ugm import samba

samba.SAMBA_LOCAL_SID = 'S-1-5-21-1234567890-1234567890-1234567890'
samba.SAMBA_DEFAULT_DOMAIN = 'yourdomain'
samba.SAMBA_PRIMARY_GROUP_SID = 'S-1-5-21-1234567890-1234567890-1234567890-123'

user = factory_defaults.user
user['gidNumber'] = posix.memberGid
user['loginShell'] = posix.loginShell
user['shadowFlag'] = shadow.shadowFlag
user['shadowMin'] = shadow.shadowMin
user['shadowMax'] = shadow.shadowMax
user['shadowWarning'] = shadow.shadowWarning
user['shadowInactive'] = shadow.shadowInactive
user['shadowLastChange'] = shadow.shadowLastChange
user['shadowExpire'] = shadow.shadowExpire
user['sambaSID'] = samba.sambaUserSID
user['sambaDomainName'] = samba.sambaDomainName
user['sambaPrimaryGroupSID'] = samba.sambaPrimaryGroupSID
user['sambaAcctFlags'] = samba.sambaAcctFlags
user['sambaPwdLastSet'] = samba.sambaPwdLastSet

group = factory_defaults.group
factory_defaults.group['memberUid'] = posix.memberUid

0.2 (2022-12-05)

• Move users_expires_attr and users_expires_unit settings from cone.ugm, since they always have been used only for LDAP UGM backend.

0.1 (2020-07-09)

• Initial release.