| Request | LDAPMultiPlugins -- bug report -- by Volker |
| Posted on | Jun 26, 2006 6:15 am |
| Resolve by Jens Vagelpohl on Oct 17, 2006 11:22 pm | |
|
I believe this is resolved after making the proposed changes. If there are any other problems please open separate bug reports. |
|
|
|
| Comment by Volker Wend on Aug 29, 2006 4:44 pm | |
|
Hi, adding the sAMAccountName would be really helpful. Right now it defaults to the objectGUID, so a user has the scrambled GUID as user folder in Plone. I can understand your issues with attributes special for Plone. I changed the groupid_attr='objectGUID' to name because the search for groups in Plone didn't work. Using the name as attribute worked. I think searching for a group with a name would be better than the objectGUID. That way the LDAPMultiplugin and the ActiveDirectory Plugin would behave the same way. |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 12:25 pm | |
|
Thanks for the patches, I'll do the following:

- the only "real" change to dtml/addActiveDirectoryMultiPlugin.dtml, apart from reordering some of the dropdowns, is adding sAMAccountName to the dropdown for the UID attribute. That makes sense.
- As far as ActiveDirectoryPlugin.py is concerned, I will not add the Fullname attribute. As explained in my previous comment, it only makes sense in a Plone/CMF environment. PAS and LDAPMultiPlugins is a generic Zope product and won't have any dependencies on CMF/Plone.
- You also changed the attribute name for the group IDs from objectGUID to name. Is there a specific reason or is that just a convenience issue? I'm afraid to make a change where I don't know why objectGUID was chosen in the first place since I did not write this code. |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 12:12 pm | |
|
> I thought that the Active Directory Plugin would add all required
> attributes. Could you perhaps add the fullname attribute ?

"fullname" has nothing to do with AD at all. It's a Plone/CMF "requirement". Since it makes no sense in any situation out of Plone/CMF I won't add it automatically, sorry. |
|
|
|
| Comment by Volker Wend on Aug 29, 2006 10:10 am | |
|
Hi, what do you think about the following changes? With these changes and the ones you already did, the ActiveDirectoyMultiplugin would work "out-of-the-box". Volker Index: dtml/addActiveDirectoryMultiPlugin.dtml =================================================================== --- dtml/addActiveDirectoryMultiPlugin.dtml (Revision 1364) +++ dtml/addActiveDirectoryMultiPlugin.dtml (Arbeitskopie) @@ -54,11 +54,10 @@ </div></td> <td align="left" valign="top" colspan="3"> <select name="login_attr"> - <option value="sAMAccountName">Windows Login Name (sAMAccountName) - </option> + <option value="sAMAccountName">Windows Login Name (sAMAccountName) </option> <option value="cn">Canonical Name (cn)</option> + <option value="givenName">First Name (givenName)</option> <option value="sn">Last Name (sn)</option> - <option value="givenName">First Name (givenName)</option> <option value="dn">Distinguished Name (dn)</option> <option value="objectGUID">Object GUID (objectGUID)</option> </select> @@ -71,11 +70,12 @@ </div></td> <td align="LEFT" valign="TOP" colspan="3"> <select name="uid_attr"> - <option value="objectGUID">Object GUID (objectGUID)</option> + <option value="sAMAccountName">Windows Login Name (sAMAccountName) </option> <option value="cn">Canonical Name (cn)</option> <option value="givenName">First Name (givenName)</option> <option value="sn">Last Name (sn)</option> <option value="dn">Distinguished Name (dn)</option> + <option value="objectGUID">Object GUID (objectGUID)</option> </select> </td> </tr> Index: ActiveDirectoryMultiPlugin.py =================================================================== --- ActiveDirectoryMultiPlugin.py (Revision 1364) +++ ActiveDirectoryMultiPlugin.py (Arbeitskopie) @@ -122,6 +122,8 @@ public_name='first_name') uf.manage_addLDAPSchemaItem('sn', 'Last Name', public_name='last_name') + uf.manage_addLDAPSchemaItem('name', 'Fullname', + public_name='fullname') uf.manage_addLDAPSchemaItem('memberOf', 'Group DNs', public_name='memberOf', 
@@ -142,12 +144,12 @@ {'id':'group_recurse', 'type':'int', 'mode':'w'}, ) - groupid_attr = 'objectGUID' + groupid_attr = 'name' grouptitle_attr = 'cn' group_class = 'group' group_recurse = 1 - def __init__(self, id, title='', groupid_attr='objectGUID', + def __init__(self, id, title='', groupid_attr='name', grouptitle_attr='cn', group_class='group', group_recurse=1): """ Initialize a new instance """ self.id = id |
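Review bot: the uid_attr hunk in dtml/addActiveDirectoryMultiPlugin.dtml does more than add an option: it moves sAMAccountName into the first (pre-selected) slot and demotes objectGUID to the last, so a plugin created from the form without touching that dropdown now derives user ids from sAMAccountName instead of objectGUID. Sites that already hold ids produced under the old default would get different ids for the same accounts after re-adding the plugin. Suggest inserting `<option value="sAMAccountName">Windows Login Name (sAMAccountName)</option>` below the existing objectGUID entry so the default stays put, and documenting the new choice; if the default is meant to change, state that in the patch description.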
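Review bot: the ActiveDirectoryMultiPlugin.py hunk that adds `uf.manage_addLDAPSchemaItem('name', 'Fullname', public_name='fullname')` hard-codes a Plone/CMF property name into the generic schema setup, which the maintainer's earlier comment in this thread explicitly rules out for a product that must not depend on CMF/Plone. Suggest dropping this hunk and instead noting in the add form or README that Plone sites need a `fullname` entry in the LDAPUserFolder schema.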
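Review bot: the groupid_attr hunk changes both the class attribute and the `__init__` default from objectGUID to name with no migration note, and the reason for the change (group search in Plone failing with objectGUID) appears only in a later comment, not in the patch. Group ids are what role assignments and memberships are stored against, so every existing instance relying on the class default would see its groups come back under new ids. Suggest keeping `groupid_attr = 'objectGUID'`, exposing groupid_attr as a selectable field on the add form the way login_attr and uid_attr already are, and stating in the patch what exactly fails with objectGUID so the maintainer can judge the change.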
|
|
|
| Comment by Volker Wend on Aug 29, 2006 8:49 am | |
|
I needed to tweak the LDAP Directory Schema a little bit within the LDAPUserFolder. Now I got it working. The Property 'fullname' was missing. I mapped that to the LDAP Property 'name' and I had to use the same attribute (sAMAccountName) for Login and User ID. I thought that the Active Directory Plugin would add all required attributes. Could you perhaps add the fullname attribute ? |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 5:47 am | |
|
I think this is a different issue. You need to find out how that folder_localrole_form generates the "authorinfo" variable and dig in there. |
|
|
|
| Comment by Volker Wend on Aug 29, 2006 5:33 am | |
|
Doesn't really help, since I get an error later.

Module TAL.TALInterpreter, line 531, in do_insertText_tal
Module Products.PageTemplates.TALES, line 227, in evaluateText
Module Products.PageTemplates.TALES, line 221, in evaluate
 - URL: file:CMFPlone/skins/plone_forms/folder_localrole_form.pt
 - Line 314, Column 24
 - Expression: standard:'authorinfo/fullname'
 - Names: {'container': <PloneSite at /Sites/TestSite>, 'context': <ATFolder at /Sites/TestSite/Members/Dagmar-20Wend>, 'default': <Products.PageTemplates.TALES.Default instance at 0x40e94fec>, 'here': <ATFolder at /Sites/TestSite/Members/Dagmar-20Wend>, 'loop': <Products.PageTemplates.TALES.SafeMapping object at 0x43b126ac>, 'modules': <Products.PageTemplates.ZRPythonExpr._SecureModuleImporter instance at 0x40e636ec>, 'nothing': None, 'options': {'args': ()}, 'repeat': <Products.PageTemplates.TALES.SafeMapping object at 0x43b126ac>, 'request': <HTTPRequest, URL=http://172.25.16.202:8080/Sites/TestSite/Members/Dagmar-20Wend/folder_localrole_form>, 'root': <Application at >, 'template': <FSPageTemplate at /Sites/TestSite/folder_localrole_form used for /Sites/TestSite/Members/Dagmar-20Wend>, 'traverse_subpath': [], 'user': <PloneUser 'wend1'>}
Module Products.PageTemplates.Expressions, line 185, in __call__
Module Products.PageTemplates.Expressions, line 173, in _eval
Module Products.PageTemplates.Expressions, line 127, in _eval
 - __traceback_info__: authorinfo
Module Products.PageTemplates.Expressions, line 334, in restrictedTraverse
 - __traceback_info__: {'path': ['fullname'], 'TraversalRequestNameStack': []}
AttributeError: 'NoneType' object has no attribute 'fullname' |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 5:10 am | |
|
Ah, interesting... the fact that the "fake" record came back is worth looking into at some point, but to get you going right now, I just checked in one more change into the LDAPMultiPlugin code: Index: ActiveDirectoryMultiPlugin.py =================================================================== --- ActiveDirectoryMultiPlugin.py (revision 1363) +++ ActiveDirectoryMultiPlugin.py (revision 1364) @@ -314,7 +314,7 @@ l_results.extend(acl.findUser(key, val, attrs=attrs)) for l_res in l_results: - if l_res['dn'] not in seen: + if l_res['dn'] not in seen and l_res.has_key(login_attr): l_res['id'] = l_res[uid_attr] l_res['login'] = l_res[login_attr] l_res['pluginid'] = plugin_id (This is probably not going to display nicely on the web, but should be fine in the email you receive) |
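Review bot: the new guard `l_res.has_key(login_attr)` protects only the login attribute, while the very next line `l_res['id'] = l_res[uid_attr]` still indexes uid_attr unguarded. The plugin's defaults are objectGUID for uid_attr and sAMAccountName for login_attr, so the two differ, and the error pseudo-record Volker logged at 5:04 am ({'dn': 'No useful filter criteria given', 'cn': 'n/a', 'sn': 'Error'}) carries neither; with login_attr set to cn, which the add form allows, that record passes the new check and the KeyError simply moves down one line. Suggest `if l_res['dn'] not in seen and l_res.has_key(login_attr) and l_res.has_key(uid_attr):` and, since a record whose dn is an error message should never reach this loop, detecting and logging that error result where findUser produces it instead of silently dropping it here.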
|
|
|
| Comment by Volker Wend on Aug 29, 2006 5:04 am | |
|
2006-08-29 10:59:37 DEBUG event.LDAPUserFolder findUser searched term "Jarke", param "name"
[{'dn': 'CN=xxx xxx,OU=User,OU=KH xxx,OU=xxx,DC=xxx,DC=de', 'sn': '', 'sAMAccountName': 'Jarke', 'cn': 'xxx Jarke'}, {'dn': 'No useful filter criteria given', 'cn': 'n/a', 'sn': 'Error'}] |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 4:55 am | |
|
> Traceback (most recent call last):
>   File "/data/ZopeInstances/Instance1/Products/PluggableAuthService/PluggableAuthService.py", line 306, in searchUsers
>     user_list = enum.enumerateUsers(**kw)
>   File "/data/ZopeInstances/Instance1/Products/LDAPMultiPlugins/ActiveDirectoryMultiPlugin.py", line 319, in enumerateUsers
>     l_res['login'] = l_res[login_attr]
> KeyError: 'sAMAccountName'

This traceback is odd, it seems to indicate that searches for users return records that do not look like what the plugin expects. sAMAccountName, as you probably know, is the equivalent to uid/cn for "normal" schemata, it contains the user's login. It would be interesting to find what those offending records are. Could you either print the full contents of l_results in line 315 of the ActiveDirectoryPlugin module, if the set is not too big, or catch that KeyError and just print that offending record? |
|
|
|
| Comment by Volker Wend on Aug 29, 2006 4:20 am | |
|
I can search for Users within the LDAPUserfolder (ZMI) but I can't search within Plone. This works when I use the generic LDAPMultiPlugin.

2006-08-29 10:19:09 DEBUG Plone searchForMembers: searching PAS with arguments {'name': 'jarke'}.
2006-08-29 10:19:09 DEBUG event.LDAPUserFolder findUser Exception (No useful filter criteria given)
2006-08-29 10:19:09 DEBUG event.LDAPUserFolder findUser searched term "jarke", param "name"
2006-08-29 10:19:09 DEBUG PluggableAuthService UserEnumerationPlugin active_directory_auth error
Traceback (most recent call last):
  File "/data/ZopeInstances/Instance1/Products/PluggableAuthService/PluggableAuthService.py", line 306, in searchUsers
    user_list = enum.enumerateUsers(**kw)
  File "/data/ZopeInstances/Instance1/Products/LDAPMultiPlugins/ActiveDirectoryMultiPlugin.py", line 319, in enumerateUsers
    l_res['login'] = l_res[login_attr]
KeyError: 'sAMAccountName' |
|
|
|
| Comment by Jens Vagelpohl on Aug 29, 2006 4:10 am | |
|
The changes only affect the ActiveDirectoryMultiplugin, so I'd like you to only try that. Can you define "search for users" more specifically? Are you using the ZMI? Or some other application like Plone? Do you have any log output at the highest log level? When it comes to the Active Directory I'm basically in the dark, I have no setup to test things myself. |
|
|
|
| Comment by Volker Wend on Aug 29, 2006 4:06 am | |
|
That seems to work now. But... I can't search for users. The LDAPMultiPlugin works, the ActiveDirectoryMultiPlugin does not. Both using the same LDAPUserFolder. Regards, Volker |
|
|
|
| Comment by Jens Vagelpohl on Aug 28, 2006 3:50 pm | |
|
I just made another change, this time to the ActiveDirectoryMultiplugin code: http://svn.dataflake.org/comp.php?repname=DataflakeSoftware&path=&compare%5B%5D=%2F@1362&compare%5B%5D=%2F@1363 Could you try the SVN version of the LDAPMultiPlugins product and see if it fixes the problem? |
|
|
|
| Comment by Volker Wend on Aug 28, 2006 11:15 am | |
|
Hi, it doesn't work... I added some print statements in ldapdelegate.py line 340. Thanks for your support. Volker Wend

OU=Standorte,DC=blablabla,DC=xxx 2 (&(objectClass=group)(|(CN=\#GRP_Benutzerkonfiguration)(CN=AutoEnroll User)(CN=EFG Kinderteam)(CN=\#GRP_SAP_TEST)(CN=\#GRP_OFFICE_OUTLOOK)(CN=\#GRP_OFFICE_KOMPLETT)(CN=\#GRP_Desktop)(CN=\#GRP_IE)(CN=EFGDaten)(CN=Workstation Powerusers)(CN=GR Intranet Manager)(CN=\#Laufwerk(a))(CN=EFGBSH Manager)(CN=Poliklinik Manager)(CN=Buckow Manager)(CN=Wannsee Manager)))
2006-08-28 17:08:10 ERROR event.LDAPDelegate {'info': '', 'desc': 'Bad search filter'}
Traceback (most recent call last):
  File "/data/ZopeInstances/Instance1/Products/LDAPUserFolder/LDAPDelegate.py", line 343, in search
    res = connection.search_s(base, scope, filter, attrs)
  File "/data/ZopeInstances/Instance1/Products/LDAPUserFolder/SharedResource.py", line 112, in __call__
    return self._callable(*args, **kw)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 481, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 789, in search_ext_s
    return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 746, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 474, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 470, in search_ext
    timeout,sizelimit,
  File "/usr/local/lib/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
FILTER_ERROR: {'info': '', 'desc': 'Bad search filter'} |
|
|
|
| Accept by Jens Vagelpohl on Aug 28, 2006 7:00 am | |
|
I have checked in changes that might solve this problem and would be happy if you could test them. Please get the latest LDAPUserFolder code from Subversion, how to do so is described on the front page at www.dataflake.org: http://www.dataflake.org/ The specific changes can be viewed here: http://svn.dataflake.org/comp.php?repname=DataflakeSoftware&path=&compare%5B%5D=%2FLDAPUserFolder@1360&compare%5B%5D=%2FLDAPUserFolder@1362 |
|
|
|
| Comment by Jens Vagelpohl on Jun 29, 2006 6:48 am | |
|
Volker, since I don't have any working AD setup I can only help you if you do some debugging. Specifically, if you have any way to tell me what the search filters used look like (e.g. by putting print statements in, like...

ActiveDirectoryMultiPlugin.py on line 181: print filt
ActiveDirectoryMultiPlugin.py underneath line 220: print filt |
|
|
|
| Initial Request by Volker on Jun 26, 2006 6:15 am | |
|
Hi, I have a problem using the ActiveDirectoryMultiPlugin. A user with a Groupname containing a '#' cannot login. Message says LDAPDelegate {'info': '', 'desc': 'Bad search filter'} Using the LDAPMultiPlugin the User can Login and everything seems to work. I think the getGroupsForPrincipal Method is somehow broken... Any Ideas ? |
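The filter Volker printed on Aug 28 shows what goes wrong with a group name starting with '#': the group CNs were taken from memberOf DN values and pasted into the search filter still carrying their DN escaping, so the name arrives as `\#`, which is legal in a DN (RFC 4514) but not in a filter (RFC 4515, where a backslash must be followed by exactly two hex digits); the entry `(CN=\#Laufwerk(a))` additionally carries raw parentheses that the filter parser reads as structure. Either is enough for the server to answer "Bad search filter". The following is an added example written for this page, not code from LDAPUserFolder or LDAPMultiPlugins: it takes each DN's first RDN value, decodes the DN escaping, re-escapes the value for a filter, and runs a cheap syntax check that would have caught the broken filter locally. The function names, the `SAMPLE_MEMBER_OF` values and the checker are my own and hypothetical, and the code is Python 3 rather than the Python 2.4 of the reported instance. The same `escape_filter_value` step is what keeps a user-typed search term, such as the `name` argument passed through searchForMembers in the log above, from injecting filter syntax.

```python
"""Build an LDAP group filter from memberOf DNs without producing a
'Bad search filter': DN values use RFC 4514 escaping, filter values use
RFC 4515 escaping, and the two are not interchangeable.
Illustrative code, not taken from LDAPUserFolder or LDAPMultiPlugins."""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# Characters RFC 4514 allows to be escaped with a single backslash in a DN value.
_DN_SPECIAL = set(' "#+,;<=>\\')
# Characters RFC 4515 requires to be escaped in a filter assertion value,
# always as backslash + two hex digits ("\#" is NOT a valid filter escape).
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def first_rdn_value(dn: str) -> str:
    """Value of the leftmost RDN (e.g. a group's CN), still DN-escaped."""
    chars, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape sequences intact
            chars.append(dn[i:i + 2]); i += 2
            continue
        if dn[i] == ",":                        # first unescaped comma ends the RDN
            break
        chars.append(dn[i]); i += 1
    attr, sep, value = "".join(chars).partition("=")
    if not sep:
        raise ValueError("malformed RDN in %r" % dn)
    return value


def unescape_dn_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\#' -> '#', '\\23' -> '#', '\\,' -> ','."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            raw += value[i].encode("utf-8"); i += 1
            continue
        pair = value[i + 1:i + 3]
        if _HEX_PAIR.fullmatch(pair):           # \XX is one UTF-8 byte
            raw.append(int(pair, 16)); i += 3
        elif value[i + 1:i + 2] in _DN_SPECIAL:  # \X for a special character
            raw += value[i + 1].encode("utf-8"); i += 2
        else:
            raise ValueError("bad escape in DN value %r" % value)
    return raw.decode("utf-8")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def filter_is_well_formed(filt: str) -> bool:
    """Cheap syntax check, not a full RFC 4515 parser: every backslash must be
    followed by two hex digits, '(' may only open a filter component (never sit
    inside a value), and parentheses must balance."""
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            if not _HEX_PAIR.fullmatch(filt[i + 1:i + 3]):
                return False
            i += 3
            continue
        if ch == "(":
            if i and filt[i - 1] not in "&|!)":
                return False
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def naive_group_filter(member_of):
    """Paste DN-escaped CNs straight into the filter: the pattern behind the
    '\\#' in the failing filter. Yields invalid escapes and raw parentheses."""
    return "(&(objectClass=group)(|%s))" % "".join(
        "(CN=%s)" % first_rdn_value(dn) for dn in member_of)


def group_filter(member_of):
    """Decode as DN value first, then escape as filter value."""
    return "(&(objectClass=group)(|%s))" % "".join(
        "(CN=%s)" % escape_filter_value(unescape_dn_value(first_rdn_value(dn)))
        for dn in member_of)


# Constructed sample memberOf values (hypothetical groups, not from the report).
SAMPLE_MEMBER_OF = [
    r"CN=\#GRP_Desktop,OU=Groups,DC=example,DC=com",    # leading '#', single-char escape
    r"CN=\23GRP_SAP_TEST,OU=Groups,DC=example,DC=com",  # same '#', hex-pair escape
    r"CN=Laufwerk (a),OU=Groups,DC=example,DC=com",     # parentheses in the name
    r"CN=Smith\, John,OU=Groups,DC=example,DC=com",     # escaped comma in the RDN
]

if __name__ == "__main__":
    for build in (naive_group_filter, group_filter):
        filt = build(SAMPLE_MEMBER_OF)
        print(build.__name__, "well-formed:", filter_is_well_formed(filt))
        print("  ", filt)
```

Running it prints the naive filter, flagged as malformed at the first `\#`, and the corrected one, in which the '#' needs no escaping at all and the parentheses come out as `\28a\29`. The checker is deliberately strict about `(` so that a value containing parentheses is rejected before the server sees it; a real deployment would simply never build the filter the naive way.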