1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
LDAPUserFolder - Add: Create a new link to an LDAP Directory
Description
LDAPUserFolder works just like a user folder. When you create an
LDAPUserFolder object, its id will always be set to 'acl_users'.
There is one important difference between LDAPUserFolders and User
Folders: LDAPUserFolders *do not* contain users (That's why they're
not called LDAPUserFolders), rather, LDAPUserFolders authenticate
*against* an LDAP server. This can confuse some Zope users who
think they must add a Zope user in order to allow someone to
access a part of Zope. All you need to do is ensure that the user
has an LDAP database entry, and Zope will let them see the branch
of the object database that the LDAPUserFolder authenticates for.
This is not a weakness in security, if a user can't authenticate
against LDAP, they will not be allowed to log into Zope.
When you add a LDAPUserFolder object it will ask you for the following:
Controls
'Title' -- The (optional) title for this adapter
'LDAP Server' -- Specify the server name or IP address, optionally followed by
a colon and a port number. If no port number is given a default of 389, which
is the standard port LDAP servers listen on, will be assumed. The server name
must not contain any prefixes like "ldap://".
'Use SSL' -- If the LDAP server supports connections via the ldaps protocol
(LDAP over SSL) then you may communicate over SSL by checking this box.
Note that LDAP over SSL is not StartTLS, which uses the same port as
normal LDAP traffic.
'Read-only' -- Check this box if you want to prevent the LDAPUserFolder
from writing to the LDAP directory. This will disable record insertion
or modification.
'Login Name Attribute' -- The LDAP record attribute used as the username. The list
of default choices can be changed in the Advanced settings after instantiating
the LDAPUserFolder.
'RDN Attribute' -- The RDN attribute (Relative Distinguished Name) is the
name of the LDAP attribute used as the first component of the full DN
(Distinguished Name). In most cases the default value of *cn* is correct, you
can select *uid* if your schema defines it. Please see RFC 2377 for more
information.
'Search base DN for users' -- The DN for the branch of your LDAP database that
contains user records.
'User Search Scope' -- Choose the depth for all searches from the user search base dn
'Group storage' -- Choose where to store the group (a.k.a. Role) information
for users. You can either store roles inside LDAP itself or you can store it
inside the LDAP User Folder, which is simpler and does not require that LDAP
deals with user roles at all.
'Search base DN for groups' -- The DN for the branch of your LDAP database that
contains group records. These group records are of the LDAP class
"groupOfUniqueNames" and the entry CN attribute constitutes the group name.
Groups embody Zope roles. A user which is part of a "Manager" group will
have the "Manager" role after authenticating through the LDAPUserFolder.
If you have chosen to store groups inside the user folder itself this setting
will be disregarded.
'Group Search Scope' -- Choose the depth for all searches from the group search base
dn. If you have chosen to store groups inside the user folder itself this setting
will be disregarded.
'Manager DN and password' -- All LDAP operations require some form of
authentication with the LDAP server. Under normal operation if no
separate Manager DN is provided, the LDAPUserFolder will use the current
user's DN and password to try and authenticate to the LDAP server. If a
Manager DN and password are given, those will be used instead.
'Default User Roles' -- All users authenticated from your ldap tree
will be given the roles you put in this comma-delimited list.
Zope expects all users - anonymous as well as authenticated - to
have the role Anonymous.
'Add' -- Instantiate the LDAPUserFolder.
|
