This is the story of a guy who needed to get a Plone intranet site set up for Single Sign On in a Microsoft Windows Active Directory environment.

New Server

We start our story with a new server, with Ubuntu Server installed. I'll assume that the reader has some idea of how to move around in Linux and install packages.

Install some required software before installing Plone.

Here are some packages I had to install before installing Plone:

gcc, make, build-essential

I used apt-get to install these packages.

Install Plone

Next, we install Plone-3.2.2 using the Unified Installer, which I got from here:

http://launchpad.net/plone/3.2/3.2.2/+download/Plone-3.2.2-UnifiedInstaller.tgz

There are good instructions for installing Plone here:

http://plone.org/documentation/tutorial/installing-plone-3-with-the-unified-installer

After running the Unified Installer, start your Zope instance. Your Plone site should then be accessible at http://localhost:8080/Plone if you are browsing on the same machine as you installed Plone on. If not, point your browser at the name or IP address of the machine where you installed Plone like this: http://myploneserver:8080/Plone.

Get ready for LDAP

Before Plone can talk to Active Directory's LDAP interface, our Plone server needs to have OpenLDAP and Python-LDAP installed. We'll use buildout (you've heard of buildout, right?) to install these two pieces.

Requirements (again)

Before I could get OpenLDAP to install properly, I had to install some other packages. Surprise, surprise ;-)

Browsing around the web, I found that the following packages were recommended, so I installed them on the server using apt-get:

libssl-dev, libreadline5-dev, libldap2-dev, libsasl2-dev, libdb4.4-dev

That solved my dependency issues and the buildout was able to run successfully :-)

Plone products for LDAP

We also needed to install some Plone products to enable Plone to access LDAP servers. We need LDAPMultiPlugins, PloneLDAP, and plone.app.ldap. Since the plone.app.ldap egg specifies the other two products as dependencies, we will just add that one to our buildout and it will call the other two for us.

Editing buildout.cfg

To get our LDAP installation working we needed to add some lines to our buildout.cfg file. I found some good info, and links to other good info, here: http://panyasan.wordpress.com/2009/03/25/plone-ldap-and-buildout/

Here's what I added to the Unified Installer's buildout.cfg:

I added two new "parts" to the main [buildout] section:

parts =
    openldap
    python-ldap
    ...

Also in the main [buildout] section I added these lines:

eggs =
    plone.app.ldap
zcml =
    plone.app.ldap

In the [instance] section I added these lines

eggs = 
    ${python-ldap:egg}
environment-vars = 
    LD_LIBRARY_PATH ${openldap:location}/lib

Here is the contents of the new [openldap] "part":

[openldap]
recipe = zc.recipe.cmmi
url = http://www.openldap.org/software/download/OpenLDAP/openldap-stable/openldap-stable-20090411.tgz
extra_options = 
    --with-sasl
    --with-tls
    --enable-slapd=no
    CPPFLAGS=-D_GNU_SOURCE

Here is the [python-ldap] "part":

[python-ldap]
recipe = zc.recipe.egg:custom
egg = python-ldap
include-dirs  = 
    ${openldap:location}/include
    /usr/include
    /usr/lib/sas
library-dirs  = 
    ${openldap:location}/lib
    /usr/lib
rpath = 
    ${openldap:location}/lib

Install LDAP Support in Plone

Now that we've gotten all of our software dependencies taken care of and we've rerun our buildout, let's get into our Plone site and enable LDAP Support. Go to Site Setup > Add-on Products, tick the box next to "LDAP Support", then click the "Install" button.

<Warning>

Do _not_ click next to "LDAPUserFolder CMF Tools". This product is used in CMF sites, NOT Plone sites. If you install this product, it will break your site and you will need to get into the ZMI and "Undo" installing it.

</Warning>

Configuring LDAP access in Plone

Now that we have LDAP Support installed everything should "just work" right? NOT. Plone needs a bunch of information about the Active Directory server and how it's set up in order to access the Users and Groups that are stored in AD. I asked the sysadmin who manages the AD server for info, and he gave me some good facts, but the Microsoft AD management tool that he uses didn't give me enough data to completely configure Plone to use the AD server. So what next?

Inspecting Active Directory

I needed more details about the objects that are stored in AD, and the way in which they are organized. I used a cool tool from the Apache foundation called Apache Directory Studio. This tool let me browse the AD directory and get all of the details that I needed (the ones the MS AD management tool left out).

Configuring the LDAP connection

Now we need to get into the LDAP configuration control panel in Plone. So click on: Site Setup > LDAP Connection to get there.

Global Settings

The first thing to do here is make sure that all of the required fields on the "Global Settings" tab are filled out (they're the ones with the red square next to them). Otherwise you won't be able to work in the other tabs and you may become confused ;-)

The data that you enter will be specific to the Active Directory server that you are accessing, but I'll show you what I entered just as an example. Please note that I use quotation marks to show you the text that I entered, but you should not use quotation marks when you enter your own data.

LDAP server type: Select "Active Directory"

rDN attribute, user id attribute, login name attribute: leave these alone for now.

LDAP object classes: Using the info I gathered with Apache Directory Studio, I found the classes that are applied to users in this AD server. Your server may be the same, or not. The classes are: "organizationalPerson,person,top,user".

Bind DN: This is the Distinguished Name of the account Plone binds with to search AD. Something like: "CN=myUser,CN=Users,DC=example,DC=com". I used a Domain Admin, but the account only needs read access to the user and group containers, so a dedicated read-only service account is the better choice: Plone keeps this password in its own configuration (in the ZODB), and anyone who can read it gets whatever rights that account has.

Bind password: This is the password for the aforementioned bind account. You may have to pay in blood to get this.

Base DN for users: This specifies the location where Plone should start searching for users in Active Directory. It will be something like: "OU=All our users,DC=example,DC=com"

Search scope for users: Leave "subtree" selected here.

Base DN for groups: This tells Plone where to look in Active Directory for the list of groups. It should be something like: "OU=Groups,DC=example,DC=com"

Search scope for groups: Leave "subtree" selected here.

Now click the "Save" button.

LDAP Schema

Next, click on the "LDAP Schema" tab.

Here we need to add the sAMAccountName LDAP property, so click on the "Add property" button.

Property Description: Type a description, like "Active Directory login name".

LDAP Property Name: Type "sAMAccountName".

Plone Property Name: Leave blank.

Multi-valued Property: Leave unchecked.

Click the "Save" button.

Global Settings (again)

Now go back to the Global Settings tab if you're not there already.

Select "sAMAccountName" for the attributes: rDN attribute, user id attribute, login name attribute.

Click the "Save" button.

LDAP Servers

Next, click on the "LDAP Servers" tab.

Click on the "Add LDAP Server" button.

Enabled: Select this checkbox.

LDAP server: enter the IP address or name of your Active Directory server.

LDAP connection type: I left "LDAP" selected. Note that plain LDAP sends the bind password, and every user's password at login time, across the network in clear text; if your domain controller offers LDAP over SSL (port 636), choose that instead (the OpenLDAP built by our buildout was configured --with-tls, so the client side supports it).

Connection timeout: Leave this at "5" unless you have a reason to change it.

Operation timeout: Leave this at "-1" unless you have a reason to change it.

Click the "Save" button.

This concludes our tour of the LDAP Configuration control panel.

(If your AD server has a configuration that is "complicated" or is on a non-standard port, use the configuration tool in the ZMI at http://localhost:8080/Plone/acl_users/ldap/acl_users/manage_main.)
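The control panel fields above translate directly into LDAP searches. The following is an added example (not code from the original post, nor from plone.app.ldap or LDAPUserFolder) that takes the same Global Settings values, builds the filters those settings imply, sanity-checks the DN fields and the connection type without touching the network, and, when python-ldap is available, runs the searches against the domain controller so you can confirm the base DNs and object classes before trusting the control panel. The server name, bind account, password and DNs in SETTINGS are placeholder assumptions, not values from the post.

```python
"""Dry-run of the searches Plone's LDAP plugin will issue against Active Directory.

Added example, not code from the original post or from plone.app.ldap / LDAPUserFolder.
All server names, credentials and DNs below are placeholder assumptions.
"""
import re

# Values as entered in Site Setup > LDAP Connection > Global Settings (assumed).
SETTINGS = {
    "server": "ldaps://dc1.example.com",  # assumption: LDAP over SSL on port 636
    "bind_dn": "CN=plone-ldap,CN=Users,DC=example,DC=com",
    "bind_password": "change-me",
    "user_base": "OU=All our users,DC=example,DC=com",
    "group_base": "OU=Groups,DC=example,DC=com",
    "object_classes": ["organizationalPerson", "person", "top", "user"],
    "login_attr": "sAMAccountName",
}

# RFC 4515 escaping for values interpolated into a filter. The login name typed
# on Plone's login form ends up inside a filter like the one below, so the value
# must never be spliced in raw: a bare "*" would match every account.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login, settings=SETTINGS):
    """Filter matching one account: every configured object class AND the login attribute."""
    classes = "".join("(objectClass=%s)" % c for c in settings["object_classes"])
    return "(&%s(%s=%s))" % (classes, settings["login_attr"], escape_filter_value(login))


def group_filter():
    """AD groups carry objectClass=group; Plone lists them under the group base DN."""
    return "(objectClass=group)"


def member_filter(user_dn):
    """Groups a user belongs to: AD stores each member's full DN in the 'member' attribute."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


_DN_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*=[^,]+)(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def looks_like_dn(value):
    """Cheap sanity check for the DN fields; catches 'example.com' typed where a DN belongs."""
    return bool(_DN_RE.match(value))


def check_settings(settings=SETTINGS):
    """Return a list of configuration problems found without talking to the server."""
    problems = []
    for key in ("bind_dn", "user_base", "group_base"):
        if not looks_like_dn(settings[key]):
            problems.append("%s is not a DN: %r" % (key, settings[key]))
    if settings["server"].startswith("ldap://"):
        problems.append("plain ldap:// sends the bind password and every login password in clear text")
    if "user" not in settings["object_classes"]:
        problems.append("AD accounts carry objectClass=user; without it no account will match")
    return problems


def live_check(login, settings=SETTINGS):
    """Run the same searches against the real DC (needs python-ldap; the offline checks above do not)."""
    import ldap  # python-ldap, as built by the [python-ldap] buildout part

    conn = ldap.initialize(settings["server"])
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD returns referrals that python-ldap cannot chase
    conn.simple_bind_s(settings["bind_dn"], settings["bind_password"])
    users = conn.search_s(settings["user_base"], ldap.SCOPE_SUBTREE,
                          user_filter(login, settings),
                          ["objectClass", "sAMAccountName", "mail", "cn"])
    for dn, attrs in users:
        if dn is None:  # referral entries come back as (None, [url]) with OPT_REFERRALS=0
            continue
        print("%s %r" % (dn, attrs))
        groups = conn.search_s(settings["group_base"], ldap.SCOPE_SUBTREE, member_filter(dn), ["cn"])
        print("member of: %r" % [g[0] for g in groups if g[0]])
    conn.unbind_s()
    return users


if __name__ == "__main__":
    for problem in check_settings():
        print("WARNING: " + problem)
    print(user_filter("jdoe"))
```

Run check_settings() first; if it reports nothing, live_check("someuser") with a real login name should return exactly one entry whose objectClass list matches what you typed into "LDAP object classes", and the group search shows what Plone will display on that user's page. If the user search returns only (None, [...]) referral tuples, the user base DN points at the wrong part of the tree.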

Fine Tuning

We're almost there now. If things went well we should be able to log into the Plone site using the login form using an Active Directory user's login name and password. However, I noticed that after I logged in and went to the user's personal preferences page, the user's Full Name and Email Address were missing. :-(

I got a tip from Stephen Altmueller (mond21) in the #plone chat room. He said that I needed to enable the ldap Properties Plugin in the ZMI. The place to find the list of Property Plugins is here: http://localhost:8080/Plone/acl_users/plugins/PropertiesPlugins. I found that it was enabled, but it was not the first Properties Plugin in the list of enabled plugins. I moved it to the top of the list and all was well. Thanks Stephen!

Wrap up

Now we can use our Windows username and password to login to our Plone site. :-)

Next we want to get logged in automatically, using Apache to help with authenticating users against Active Directory, but that's another story.
