[Setup] PlonePAS and LDAP

Dan Thomas dthomas at ois-online.com
Wed Nov 7 18:52:40 UTC 2007

I had a similar problem, but not in an LDAP instance. My Zope root user was
'aaaa' and had created Plone content. The byline displayed 'aaaaxxxx' based
on another Plone user. When I removed this user, I saw 'aaaayy,' yet another
Plone user. I concluded that I should not be creating content as a Zope root.

In your case, (Zope) admin is a substring of (Plone) ADTadmin, so this may
be the same issue.


Gregory Hnatiuk wrote:
> Hello,
>   I've run into an issue using PloneLDAP with Plone 2.5.4 that's
> leaving me scratching my head. I was hoping someone might be able to
> direct me to a solution or at least maybe an explanation. It could
> very easily be a problem with our configuration and setup, or a
> limitation of PAS, but I'm really at a loss.
>     It appears that the PloneLDAP ActiveDirectory PAS plugin is
> (rather wildly) squashing zope users from an enumeration standpoint,
> specifically when it comes to the display logic for local roles on the
> Sharing tab of any plone content.
>     We have a zope administrator called 'admin' who happens to own a
> number of objects in our Plone site. We have an Active Directory user
> called 'ADTadmin' (whom we unfortunately don't have any control over).
> In Plone2.5 with PloneLDAP installed we activate the AD PAS plugin
> for User_Enumeration (among others, but this seems to be the problem
> factor). Then, on the sharing tab of an object that has 'admin' as a
> local Owner, the Current Sharing permissions section of the page
> displays 'ADTadmin' rather than the zope admin user.
> I traced this from the template back to the computeRoleMap
> plone_script to the PlonePAS _getLocalRolesForDisplay method. This
> uses the get_local_roles method to correctly get the local roles for
> the object (and in our case, correctly contains 'admin'), but then
> when trying to get a UserName and Id for that user, is returning a
> user from a wildcard LDAP lookup on the string 'admin' rather than
> finding the exact match zope user, resulting in a UserName of
> 'ADTadmin'. This is happening precisely at the self.getUser(username)
> call in the _getLocalRolesDisplay of pas.py.
> Unfortunately, I'm not familiar enough with the inner workings of PAS
> to have figured out how this getUser call ends up calling the
> PloneLDAPActiveDirectoryMultiPlugin enumerateUsers method. It looks
> like if somewhere in there an 'exact_match' could be specified, it
> would take care of the issue. Changing the default of exact_match
> from enumerateUsers fixes that problem, but of course introduces
> others like not being able to search by partial usernames.
> Is this something anyone is aware of? I wasn't able to find any
> documentation on this specific problem. If so, are you aware of any
> fixes short of changing user ids?
> I've thought of one possible solution, but it's based on an assumption
> that I haven't yet confirmed. It appears that when trying to find
> users, Plone first checks through all PlonePAS plugins that provide
> IUserEnumerationPlugin and only checks zope users when no plugins
> return results. This doesn't happen if you have a wildcard match
> found by LDAPMultiPlugins. Might I solve the problem if I created a
> PlonePAS plugin that provided IUserEnumeration which returned zope
> users? If I set that plugin as a higher priority than my ADPlugin for
> user enumeration in PAS, it might return my zope user before Active
> Directory wildcard matched to 'ADTadmin'. Would that be a Very Bad
> Idea?
> Thanks,
> Gregory Hnatiuk
> PCGCampbell
> _______________________________________________
> Setup mailing list
> Setup at lists.plone.org
> http://lists.plone.org/mailman/listinfo/setup
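The lookup path described in the quoted message (PAS asks each active IUserEnumerationPlugin in order, an LDAP-backed plugin answers a wildcard search unless exact_match is set, and the first plugin that returns anything wins) can be modelled in a few dozen lines. The following is an added example, not code from PlonePAS, PloneLDAP or LDAPMultiPlugins; the plugin ids, the sample logins and the substring-vs-exact behaviour of the two plugins are assumptions made only to reproduce the symptom ('admin' resolving to 'ADTadmin') and to compare the three remedies discussed above: forcing exact_match, moving an exact-match plugin ahead of the AD plugin, and looking up with exact_match first and falling back to the wildcard search only when nothing matched.

```python
"""Toy model of Pluggable Auth Service (PAS) user enumeration.

Added illustration, NOT code from PlonePAS, PloneLDAP or LDAPMultiPlugins.
It models only the behaviour described in the thread: each enumeration
plugin answers enumerateUsers(), plugins are consulted in their configured
order, and an LDAP/AD-backed plugin does wildcard (substring) matching
unless exact_match is requested.  Plugin ids and logins are constructed.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class EnumerationPlugin:
    """One IUserEnumerationPlugin-like source of users (assumed model).

    substring=True models an AD plugin whose default search is a wildcard
    filter, so 'admin' also matches 'ADTadmin'.  substring=False models the
    ZODB user folder, which only ever matches an id exactly.
    """
    plugin_id: str
    users: Sequence[str]      # constructed sample logins
    substring: bool

    def enumerateUsers(self, id: Optional[str] = None, login: Optional[str] = None,
                       exact_match: bool = False,
                       max_results: Optional[int] = None) -> List[Dict[str, str]]:
        wanted = id if id is not None else login
        if wanted is None:
            hits = list(self.users)
        elif exact_match or not self.substring:
            hits = [u for u in self.users if u == wanted]
        else:
            # Wildcard search: anything containing the requested string
            # (AD account names compare case-insensitively; assumed here).
            hits = [u for u in self.users if wanted.lower() in u.lower()]
        if max_results is not None:
            hits = hits[:max_results]
        return [{"id": u, "login": u, "pluginid": self.plugin_id} for u in hits]


def get_user(plugins: Sequence[EnumerationPlugin], user_id: str,
             exact_match: bool = False) -> Optional[Tuple[str, str]]:
    """First plugin in the active order that returns any hit wins."""
    for plugin in plugins:
        hits = plugin.enumerateUsers(id=user_id, exact_match=exact_match, max_results=1)
        if hits:
            return hits[0]["pluginid"], hits[0]["id"]
    return None


def get_user_for_display(plugins: Sequence[EnumerationPlugin],
                         user_id: str) -> Optional[Tuple[str, str]]:
    """Exact hit from any plugin first; wildcard search only as a fallback.

    Keeps partial-username search working while never letting a wildcard
    hit shadow a principal that exists verbatim in some plugin.
    """
    return get_user(plugins, user_id, exact_match=True) or get_user(plugins, user_id)


def display_names(plugins: Sequence[EnumerationPlugin],
                  local_roles: Sequence[Tuple[str, Tuple[str, ...]]],
                  resolver=get_user) -> Dict[str, str]:
    """Model of the Sharing tab: map each principal id from the local-role
    list (what get_local_roles() returns) to the login the lookup resolves."""
    names = {}
    for principal, _roles in local_roles:
        hit = resolver(plugins, principal)
        names[principal] = hit[1] if hit else principal
    return names


# Constructed sample data mirroring the thread: a Zope 'admin' and an
# uncontrolled AD account 'ADTadmin'.
AD = EnumerationPlugin("ldap_ad", ["ADTadmin", "jsmith"], substring=True)
ZODB = EnumerationPlugin("source_users", ["admin", "editor"], substring=False)
LOCAL_ROLES = [("admin", ("Owner",)), ("jsmith", ("Editor",))]

if __name__ == "__main__":
    print(display_names([AD, ZODB], LOCAL_ROLES))                  # admin -> ADTadmin (the symptom)
    print(display_names([ZODB, AD], LOCAL_ROLES))                  # AD plugin moved down: admin -> admin
    print(display_names([AD, ZODB], LOCAL_ROLES, get_user_for_display))
    print(get_user([AD, ZODB], "adm", exact_match=True))           # None: partial search is lost
    print(get_user_for_display([AD, ZODB], "adm"))                 # wildcard still works as fallback
```

The model makes the trade-off concrete: forcing exact_match everywhere removes partial-name search, reordering only helps while every shadowed id lives in the plugin moved ahead, and the exact-first lookup is the only variant that keeps both properties. Whichever remedy is chosen, it is worth checking whether the same getUser path is used anywhere that grants rather than merely displays access, since a lookup that returns a different principal than the one named in the role assignment is the kind of mismatch that deserves a test rather than an assumption.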
