[Setup] PlonePAS and LDAP

Gregory Hnatiuk ghnatiuk at gmail.com
Wed Nov 7 20:39:19 UTC 2007

Ha.  That looks like it's doing the trick.

Plone 3.0.2 doesn't suffer the same problems with identical setup of
the same LDAP products, and I'm not sure exactly what has changed in
Zope or Plone PAS stuff.  Plone 2.5 does include source_users for
enumeration by default, and I don't think that's the difference
because deactivating it for user enumeration in Plone 3.0.2 doesn't
introduce the problem.

I'm a little wary of the fact that re-creating the admin user in a
Plone PAS User Manager plugin means we're just faking finding the real
zope user via enumeration, but it doesn't seem to be causing any
problems.  I'll certainly report back if I find any.

Thanks for the suggestion!

On 11/7/07, bryanbrock <bbrock at real.com> wrote:
> It seems like you might be able to create another PlonePAS User Manager
> object to do that.  In 3.0 there is one called source_users by default.
> Maybe you could create one called  source_users_admin with only one user in
> it--admin--and set the priority as you described.
> Gregory Hnatiuk wrote:
> >
> > Hello,
> >
> >   I've run into an issue using PloneLDAP with Plone 2.5.4 that's
> > leaving me scratching my head.  I was hoping someone might be able to
> > direct me to a solution or at least maybe an explanation.  It could
> > very easily be a problem with our configuration and setup, or a
> > limitation of PAS, but I'm really at a loss.
> >
> >     It appears that the PloneLDAP ActiveDirectory PAS plugin is
> > (rather wildly) squashing zope users from an enumeration standpoint,
> > specifically when it comes to the display logic for local roles on the
> > Sharing tab of any plone content.
> >
> >     We have a zope administrator called 'admin' who happens to own a
> > number of objects in our Plone site.  We have an Active Directory user
> > called 'ADTadmin' (whom we unfortunately don't have any control over).
> > In Plone 2.5 with PloneLDAP installed we activate the AD PAS plugin
> > for User_Enumeration (among others, but this seems to be the problem
> > factor).  Then, on the sharing tab of an object that has 'admin' as a
> > local Owner, the Current Sharing permissions section of the page
> > displays 'ADTadmin' rather than the zope admin user.
> >
> > I traced this from the template back to the computeRoleMap
> > plone_script to the PlonePAS _getLocalRolesForDisplay method.  This
> > uses the get_local_roles method to correctly get the local roles for
> > the object (and in our case, correctly contains 'admin'), but then
> > when trying to get a UserName and Id for that user, is returning a
> > user from a wildcard LDAP lookup on the string 'admin' rather than
> > finding the exact match zope user, resulting in a UserName of
> > 'ADTadmin'.  This is happening precisely at the self.getUser(username)
> > call in the _getLocalRolesDisplay of pas.py.
> >
> > Unfortunately, I'm not familiar enough with the inner workings of PAS
> > to have figured out how this getUser call ends up calling the
> > PloneLDAPActiveDirectoryMultiPlugin enumerateUsers method.  It looks
> > like if somewhere in there an 'exact_match' could be specified, it
> > would take care of the issue.  Changing the default of exact_match
> > from enumerateUsers fixes that problem, but of course introduces
> > others like not being able to search by partial usernames.
> >
> > Is this something anyone is aware of?  I wasn't able to find any
> > documentation on this specific problem.  If so, are you aware of any
> > fixes short of changing user ids?
> >
> > I've thought of one possible solution, but it's based on an assumption
> > that I haven't yet confirmed.  It appears that when trying to find
> > users, Plone first checks through all PlonePAS plugins that provide
> > IUserEnumerationPlugin and only checks zope users when no plugins
> > return results.  This doesn't happen if you have a wildcard match
> > found by LDAPMultiPlugins.  Might I solve the problem if I created a
> > PlonePAS plugin that provided IUserEnumeration which returned zope
> > users?  If I set that plugin as a higher priority than my ADPlugin for
> > user enumeration in PAS, it might return my zope user before Active
> > Directory wildcard matched to 'ADTadmin'.  Would that be a Very Bad
> > Idea?
> >
> >
> > Thanks,
> >
> > Gregory Hnatiuk
> > PCGCampbell
> >
> > _______________________________________________
> > Setup mailing list
> > Setup at lists.plone.org
> > http://lists.plone.org/mailman/listinfo/setup
> >
> >
