Re: [Zope] zope and LDAP for authorisation
Hi Jens, you were right, there was a problem with the way I configured the added attribute in the LDAP Schema tab.. a stupid problem actually.

When you add an attribute that does not exist in LDAP and want to use that as a login name attribute, it obviously does not work and zope simply returns "unauthorized".

When you add "samAccountName" for the login ID user in Windows Active directory (and LDAP), and you try to log in with the wrong password (or non-existing username), zope returns "unauthorized". So far so good.

But when you add "samAccountName" for the login ID user in Windows Active directory (and LDAP), and you try to log in with a correct username/password combination, zope returns "TypeError len() of unsized object".

And when you use the right case in "sAMAccountName" you can log in without errors.

So my login problem is solved. I was only confused because it "seemed" that the attribute was working when it was not...

Thanks for your support.

Ria

> Message: 9
> Date: Mon, 19 Dec 2005 14:12:03 +
> From: Jens Vagelpohl <[EMAIL PROTECTED]>
> Subject: Re: [Zope] zope and LDAP for authorisation
> To: Zope Zope list
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> On 19 Dec 2005, at 13:59, Marinussen, M.J. (Ria) wrote:
>
> > Hi Jens,
> >
> >> I need the full error traceback to help.
> >
> > The full traceback on:
> > Zope 2.7.2-0, python 2.3.5, win32
> > LDAPUserFolder 2.6
> > OpenLDAP 2.3.11
> >
> > When I type the correct LDAP password I get this error and traceback
> > (otherwise I get an "Unauthorized" error).
>
> Looking at the code this looks like it is a misconfiguration on your
> part. It looks like the attribute you use as the login attribute has
> not been added to the attributes shown on the LDAP Schema tab in the
> ZMI.
>
> jens

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding!
** (Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
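An added example, not code from LDAPUserFolder or from anyone in this thread, showing the check the failing lookup above was missing: LDAP attribute type names are case-insensitive on the wire, but a Python dict key is not, so the configured login attribute should be resolved against the schema list case-insensitively and a missing attribute should fail closed as a configuration error instead of surfacing as "len() of unsized object". The function names, the schema list and the entry dict are constructed for this example.

```python
"""Resolve a configured login attribute against the LDAP Schema list.

Added example for the thread above; the names here are this example's own.
"""


class LoginAttributeError(Exception):
    """Raised on a misconfiguration; the caller should refuse the login."""


def resolve_login_attribute(configured, schema_attrs):
    """Map the attribute typed in the ZMI onto its exact schema spelling.

    configured:   login attribute as entered, e.g. "samAccountName".
    schema_attrs: attribute names listed on the LDAP Schema tab (constructed).
    Returns the canonical name, or raises LoginAttributeError if absent.
    """
    by_lower = {}
    for name in schema_attrs:
        # First spelling wins if the list somehow carries duplicates.
        by_lower.setdefault(name.lower(), name)
    canonical = by_lower.get(configured.strip().lower())
    if canonical is None:
        raise LoginAttributeError(
            "login attribute %r is not on the LDAP Schema tab; add it "
            "before using it as the login ID" % configured)
    return canonical


def login_values(entry, configured, schema_attrs):
    """Return the login attribute's values from one search-result entry.

    entry: dict of attribute name -> list of values, as a directory search
    returns it. Always returns a list, so len() is safe for the caller;
    an entry without the attribute yields [] rather than None.
    """
    canonical = resolve_login_attribute(configured, schema_attrs)
    for key, values in entry.items():
        # The server's spelling may differ in case from the schema tab too.
        if key.lower() == canonical.lower():
            return list(values or [])
    return []


def login_matches(entry, configured, schema_attrs, login):
    """Fail closed: exactly one value, and it must equal the typed login."""
    values = login_values(entry, configured, schema_attrs)
    if len(values) != 1:
        return False  # missing or multi-valued login attribute: refuse
    return values[0] == login


if __name__ == "__main__":
    schema = ["cn", "sAMAccountName", "mail"]  # constructed schema list
    entry = {"cn": ["Ria"], "sAMAccountName": ["ria"]}  # constructed entry
    print(resolve_login_attribute("samAccountName", schema))
    print(login_matches(entry, "samAccountName", schema, "ria"))
```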
Re: [Zope] zope and LDAP for authorisation
Oh, on the tab "LDAP Schema" you might try to add the schema item sAMAccountName and use that for your loginID, on the main tab of LDAPUserFolder.

--
Einar Næss Jensen
http://einar.nidelven-it.no/einarblog
http://www.homemade.no
tlf: +47 90990249
Re: [Zope] zope and LDAP for authorisation
On 12/12/05, Marinussen, M.J. (Ria) <[EMAIL PROTECTED]> wrote:
> I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).

Yes it is. It works very well with ldap/AD.

The size/len error you get is probably because you have given wrong settings (wrong id to check against?), but could also be due to the fact that the AD server will only pass on 1000(?) entries per default. If you change the settings in your AD to allow for sending the full list of users, your error might go away (as I recall from my own problems with AD).

Stuff to read: http://support.microsoft.com/?kbid=271088

More specific: you have to change the setting
MaxPageSize 1000
to
MaxPageSize [at least as many entries as you have in your AD, plus some extras in case you get many more new users]

I do not know how much this will stress your webserver (or your AD-servers), but we are running a five year old pentium III with 2GB ram and 4GB Data.fs and quite a load without seeing any problems.

You have probably sorted things out by now, in the time it took me to write this.

Best Regards,
Einar Næss Jensen

--
Einar Næss Jensen
http://einar.nidelven-it.no/einarblog
http://www.homemade.no
tlf: +47 90990249
Re: [Zope] zope and LDAP for authorisation
On 19 Dec 2005, at 13:59, Marinussen, M.J. (Ria) wrote:
> Hi Jens,
>
>> I need the full error traceback to help.
>
> The full traceback on:
> Zope 2.7.2-0, python 2.3.5, win32
> LDAPUserFolder 2.6
> OpenLDAP 2.3.11
>
> When I type the correct LDAP password I get this error and traceback
> (otherwise I get an "Unauthorized" error).

Looking at the code this looks like it is a misconfiguration on your part. It looks like the attribute you use as the login attribute has not been added to the attributes shown on the LDAP Schema tab in the ZMI.

jens
Re: [Zope] zope and LDAP for authorisation
Hi Jens,

> I need the full error traceback to help.

The full traceback on:
Zope 2.7.2-0, python 2.3.5, win32
LDAPUserFolder 2.6
OpenLDAP 2.3.11

When I type the correct LDAP password I get this error and traceback (otherwise I get an "Unauthorized" error).

=
Time                 2005/12/19 14:50:33.144 GMT+1
User Name (User Id)  Anonymous User (None)
Request URL          http://localhost:8080/ldaptest/protected_folder/index_html
Exception Type       TypeError
Exception Value      len() of unsized object

Traceback (innermost last):
  Module ZPublisher.Publish, line 92, in publish
  Module ZPublisher.BaseRequest, line 423, in traverse
  Module AccessControl.User, line 641, in validate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 769, in authenticate
  Module Products.LDAPUserFolder.LDAPUserFolder, line 723, in getUser
  Module Products.LDAPUserFolder.LDAPUserFolder, line 678, in getUserByAttr
TypeError: len() of unsized object
=

Ria
Re: [Zope] zope and LDAP for authorisation
+---[ J Cameron Cooper ]--
| Marinussen, M.J. (Ria) wrote:
|
| >>Hi,
| >>
| >>I'm looking for a zope product that enables me to use our Active
| >>Directory LDAP server for verification of login credentials only.
| >>I want users still stored in Zope, and access to directories should be
| >>also something I can handle in Zope, and I don't want to use LDAP groups
| >>because I don't control the LDAP server and there are no groups on the
| >>LDAP server I can use.
| >>
| >>So really, all I want is that Zope checks the passwords with the LDAP
| >>server instead of with its own userfolder.
| >>And perhaps, a possibility to check/search for the available loginnames
| >>on the LDAP server when adding a user to the userfolder.

You can do this with exUserFolder without too much drama. The Require User item for the LDAP Auth Source allows you to specify an attribute and a list of values. You can use uid (e.g.) and supply a list of user ids.

--
Andrew Milton
[EMAIL PROTECTED]
Re: [Zope] zope and LDAP for authorisation
Marinussen, M.J. (Ria) wrote:
> Hi,
>
> I'm looking for a zope product that enables me to use our Active
> Directory LDAP server for verification of login credentials only.
> I want users still stored in Zope, and access to directories should be
> also something I can handle in Zope, and I don't want to use LDAP groups
> because I don't control the LDAP server and there are no groups on the
> LDAP server I can use.
>
> So really, all I want is that Zope checks the passwords with the LDAP
> server instead of with its own userfolder.
> And perhaps, a possibility to check/search for the available loginnames
> on the LDAP server when adding a user to the userfolder.
>
> I've checked out LDAPUserFolder but that's not what I'm looking for (I
> think...).
>
> Does anyone know whether there is such a product, or give me some
> pointers to adapt an existing product to my needs?

There is an LDAPMultiplugin for PluggableAuthService, which might make this easier. It could be as easy as installing LDAPUF in PAS and turning off all its interfaces except for the auth one.

However, I don't quite see how you would store users in Zope and then ask for the password in LDAP on a one-to-one basis. Seems like you're relying on an "accidental" correspondence between ZODB-stored user names and LDAP user names.

--jcc

--
"Building Websites with Plone"
http://plonebook.packtpub.com/
Enfold Systems, LLC
http://www.enfoldsystems.com
Re: [Zope] zope and LDAP for authorisation
On 13 Dec 2005, at 13:11, Marinussen, M.J. (Ria) wrote:
> I have LDAPUserFolder working in a sense that I can search for users
> (and find the ldap entries) when I'm in the LDAPUserFolder - Users tab.
> So far so good.
>
> But when I limit access to a folder (in the Security tab on zope) to
> for example authenticated users and I try to log on to that folder,
> after authenticating (using the correct LDAP username and password) I
> get an error that doesn't make sense to me. Googling does not bring a
> solution.
>
> The error is: "TypeError len() of unsized object".
>
> (Using wrong (LDAP) credentials gets me a "You are not authorized to
> access this resource. Username and password are not correct." message.)
>
> On the same folder this problem does not occur when I use a native zope
> user to log on.

I need the full error traceback to help.

jens
Re: [Zope] zope and LDAP for authorisation
Hi Jens,

> > Hi,
> >
> > I'm looking for a zope product that enables me to use our Active
> > Directory LDAP server for verification of login credentials only.
> > I want users still stored in Zope, and access to directories should be
> > also something I can handle in Zope, and I don't want to use LDAP
> > groups because I don't control the LDAP server and there are no
> > groups on the LDAP server I can use.
> >
> > So really, all I want is that Zope checks the passwords with the LDAP
> > server instead of with its own userfolder.
> > And perhaps, a possibility to check/search for the available
> > loginnames on the LDAP server when adding a user to the userfolder.
> >
> > I've checked out LDAPUserFolder but that's not what I'm looking for (I
> > think...).
>
> I'd say "start coding". There is nothing that fits your (somewhat
> strange) requirements. I would suggest you modify those requirements
> to come up with a saner plan. Could it be you're thinking too much in
> terms of specific implementation and too little in terms of what the
> underlying goals are?
>
> First of all, what do you gain from "storing users in Zope"? Is your
> real goal to make sure only a subset of users from LDAP can access
> your site? That goal is easily fulfilled by configuring the
> LDAPUserFolder to store role information on the user folder and
> disregard the LDAP server. Then you just secure your site by
> requiring a certain role and only give that role to the subset of
> users you want to let in.
>
> jens

Andreas warned me not to step on your toes ... ;-)

I didn't mean to put LDAPUserFolder down but it felt like using a cannonball to kill a mosquito (famous Dutch saying). Well, I did say I *thought* LDAPUserFolder was not what I was looking for. But since you are the expert on LDAPUserFolder I think I should take that back.

What you describe is what I want to do .. but I thought it would be necessary to store the users in zope to be able to form groups in zope...

Perhaps I would have figured it out myself if I was able to get LDAPUserFolder to work, but I think I'm missing something... (well actually I'm missing a lot... I don't know much about LDAP so "start coding" is probably not a good idea...)

Here is my situation at this moment:

I have LDAPUserFolder working in a sense that I can search for users (and find the ldap entries) when I'm in the LDAPUserFolder - Users tab. So far so good.

But when I limit access to a folder (in the Security tab on zope) to for example authenticated users and I try to log on to that folder, after authenticating (using the correct LDAP username and password) I get an error that doesn't make sense to me. Googling does not bring a solution.

The error is: "TypeError len() of unsized object".

(Using wrong (LDAP) credentials gets me a "You are not authorized to access this resource. Username and password are not correct." message.)

On the same folder this problem does not occur when I use a native zope user to log on.

I'm using on Windows XP
Zope 2.7.2-0, python 2.3.5, win32
LDAPUserFolder 2.6
OpenLDAP 2.3.11

And I also tested on Windows XP with Plone 2.1.1 (is with Zope 2.7.8-final, python 2.3.5, win32)
LDAPUserFolder 2.6
OpenLDAP 2.3.11

Do you have any idea what I'm doing wrong?

Thanks in advance,

Ria
Re: [Zope] zope and LDAP for authorisation
On 12 Dec 2005, at 11:04, Marinussen, M.J. (Ria) wrote:
> Hi,
>
> I'm looking for a zope product that enables me to use our Active
> Directory LDAP server for verification of login credentials only.
> I want users still stored in Zope, and access to directories should be
> also something I can handle in Zope, and I don't want to use LDAP groups
> because I don't control the LDAP server and there are no groups on the
> LDAP server I can use.
>
> So really, all I want is that Zope checks the passwords with the LDAP
> server instead of with its own userfolder.
> And perhaps, a possibility to check/search for the available loginnames
> on the LDAP server when adding a user to the userfolder.
>
> I've checked out LDAPUserFolder but that's not what I'm looking for (I
> think...).

I'd say "start coding". There is nothing that fits your (somewhat strange) requirements. I would suggest you modify those requirements to come up with a saner plan. Could it be you're thinking too much in terms of specific implementation and too little in terms of what the underlying goals are?

First of all, what do you gain from "storing users in Zope"? Is your real goal to make sure only a subset of users from LDAP can access your site? That goal is easily fulfilled by configuring the LDAPUserFolder to store role information on the user folder and disregard the LDAP server. Then you just secure your site by requiring a certain role and only give that role to the subset of users you want to let in.

jens
Re: [Zope] zope and LDAP for authorisation
--On 12 December 2005 12:04:59 +0100 "Marinussen, M.J. (Ria)" <[EMAIL PROTECTED]> wrote:
> I've checked out LDAPUserFolder but that's not what I'm looking for (I
> think...).

That's exactly what you are looking for. What is wrong with LDAPUF? (Come with some reasonable arguments, otherwise Jens (author of LDAPUF) might beat you :-)

-aj
[Zope] zope and LDAP for authorisation
Hi,

I'm looking for a zope product that enables me to use our Active Directory LDAP server for verification of login credentials only. I want users still stored in Zope, and access to directories should be also something I can handle in Zope, and I don't want to use LDAP groups because I don't control the LDAP server and there are no groups on the LDAP server I can use.

So really, all I want is that Zope checks the passwords with the LDAP server instead of with its own userfolder. And perhaps, a possibility to check/search for the available loginnames on the LDAP server when adding a user to the userfolder.

I've checked out LDAPUserFolder but that's not what I'm looking for (I think...).

Does anyone know whether there is such a product, or give me some pointers to adapt an existing product to my needs?

Thanks in advance,

Ria Marinussen
Webmaster Faculty EEMCS, Department of Computer Science, University of Twente
Email: ria.marinussen[at]cs.utwente.nl