[Setup] PlonePAS and LDAP

Gregory Hnatiuk ghnatiuk at gmail.com
Mon Nov 5 16:25:48 UTC 2007


I've run into an issue using PloneLDAP with Plone 2.5.4 that's
leaving me scratching my head. I was hoping someone might be able to
direct me to a solution or at least maybe an explanation. It could
very easily be a problem with our configuration and setup, or a
limitation of PAS, but I'm really at a loss.

It appears that the PloneLDAP ActiveDirectory PAS plugin is
(rather wildly) squashing Zope users from an enumeration standpoint,
specifically when it comes to the display logic for local roles on the
Sharing tab of any Plone content.

We have a Zope administrator called 'admin' who happens to own a
number of objects in our Plone site. We have an Active Directory user
called 'ADTadmin' (whom we unfortunately don't have any control over).
In Plone 2.5 with PloneLDAP installed we activate the AD PAS plugin
for User_Enumeration (among others, but this seems to be the problem
factor). Then, on the Sharing tab of an object that has 'admin' as a
local Owner, the Current Sharing permissions section of the page
displays 'ADTadmin' rather than the Zope admin user.

I traced this from the template back to the computeRoleMap
plone_script to the PlonePAS _getLocalRolesForDisplay method. This
uses the get_local_roles method to correctly get the local roles for
the object (and in our case, correctly contains 'admin'), but then
when trying to get a UserName and Id for that user, is returning a
user from a wildcard LDAP lookup on the string 'admin' rather than
finding the exact match Zope user, resulting in a UserName of
'ADTadmin'. This is happening precisely at the self.getUser(username)
call in the _getLocalRolesDisplay of pas.py.

Unfortunately, I'm not familiar enough with the inner workings of PAS
to have figured out how this getUser call ends up calling the
PloneLDAPActiveDirectoryMultiPlugin enumerateUsers method. It looks
like if somewhere in there an 'exact_match' could be specified, it
would take care of the issue. Changing the default of exact_match
from enumerateUsers fixes that problem, but of course introduces
others like not being able to search by partial usernames.

Is this something anyone is aware of? I wasn't able to find any
documentation on this specific problem. If so, are you aware of any
fixes short of changing user ids?

I've thought of one possible solution, but it's based on an assumption
that I haven't yet confirmed. It appears that when trying to find
users, Plone first checks through all PlonePAS plugins that provide
IUserEnumerationPlugin and only checks Zope users when no plugins
return results. This doesn't happen if you have a wildcard match
found by LDAPMultiPlugins. Might I solve the problem if I created a
PlonePAS plugin that provided IUserEnumeration which returned Zope
users? If I set that plugin as a higher priority than my ADPlugin for
user enumeration in PAS, it might return my Zope user before Active
Directory wildcard matched to 'ADTadmin'. Would that be a Very Bad


 Gregory Hnatiuk
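The lookup-order problem described in the post, as an added stand-alone simulation that is not PlonePAS or PAS code: enumerator plugins are tried in order and the first non-empty `enumerateUsers()` result wins, so a substring match from a wildcard (AD/LDAP-style) enumerator shadows an exact local user. The class and function names (`WildcardEnumerator`, `LocalEnumerator`, `find_user`) and the user directories are constructed for the example; the `exact_match` keyword mirrors the real PAS enumerateUsers parameter the post mentions.

```python
"""Simulate the PAS enumerate-then-pick-first behaviour from the post.

Constructed sample directories (not real data): one local Zope user and
two Active Directory accounts, one of which contains 'admin' as a substring.
"""

ZOPE_USERS = {"admin": "admin"}                     # id -> login
AD_USERS = {"ADTadmin": "ADTadmin", "jsmith": "jsmith"}


class WildcardEnumerator:
    """Behaves like the AD plugin in the post: substring match unless exact_match."""

    def __init__(self, plugin_id, users):
        self.plugin_id = plugin_id
        self.users = users

    def enumerateUsers(self, id=None, exact_match=False):
        if exact_match:
            hits = [u for u in self.users if u == id]
        else:
            hits = [u for u in self.users if id.lower() in u.lower()]
        return [{"id": u, "login": self.users[u], "pluginid": self.plugin_id}
                for u in hits]


class LocalEnumerator(WildcardEnumerator):
    """The plugin the post proposes: only ever answers with exact local matches."""

    def enumerateUsers(self, id=None, exact_match=False):
        return super().enumerateUsers(id=id, exact_match=True)


def find_user(plugins, user_id, exact_match=False):
    """Mimic getUser(): first plugin with any hit wins. Returns (id, pluginid) or None."""
    for plugin in plugins:
        hits = plugin.enumerateUsers(id=user_id, exact_match=exact_match)
        if hits:
            return hits[0]["id"], hits[0]["pluginid"]
    return None


AD_PLUGIN = WildcardEnumerator("ad", AD_USERS)
ZOPE_PLUGIN = LocalEnumerator("zope", ZOPE_USERS)

if __name__ == "__main__":
    # AD first, wildcard search: the local 'admin' is shadowed by 'ADTadmin'.
    print(find_user([AD_PLUGIN, ZOPE_PLUGIN], "admin"))
    # Local exact-match plugin first: 'admin' resolves correctly,
    # and partial searches such as 'ADT' still reach the AD plugin.
    print(find_user([ZOPE_PLUGIN, AD_PLUGIN], "admin"))
    print(find_user([ZOPE_PLUGIN, AD_PLUGIN], "ADT"))
```

Forcing `exact_match=True` globally also fixes the 'admin' case but makes partial searches return nothing, which is the trade-off the post describes.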

More information about the Setup mailing list