Soren Roug has done all the most recent work on the product.
On the SourceForge site you will find the place to download the current stable and development versions and, most importantly,
a place to submit bug notices and discuss the product.
The material below is all out of date, but is provided for historical purposes.
Notes on LDAPAdapter 0.98.3
- If you want to use your existing LDAP database to authenticate users for access control of
your Zope folders, this may be a product for you to test. Please note that until at least
a v1+ release it should be considered a development product and not used in production work
unless you're convinced that the code looks OK and you know what you're doing.
It is currently in use, but like all security products it should be very widely and
heavily tested before being accepted as reliable.
- LDAPAdapter is entirely dependent on a platform-specific module which is
NOT included in the distribution: ldapmodule. See below for details of
how to achieve ldapmodule enlightenment. Of course, you also need an LDAP server!
- NOTE! If you are upgrading from an earlier version, BE SURE to delete
all existing LDAPAdapters anywhere in your Zope folders before installing this upgrade.
The reason is as follows: this new version includes some new properties which don't
exist in earlier versions. I've put in some code to try to catch this situation, but
I can't test all possible upgrade sequences. If the new version tar is installed and Zope
restarted BEFORE all the old LDAPAdapters are removed from the site, the code may break, with the
rather scary consequence that you could LOSE ALL ACCESS TO THE AFFECTED FOLDERS! acl_users folders are
like that - they can really mess up your day. Trust me, I know!
- This software is still experimental and still in beta testing. You have been warned.
You get what you pay for. Guaranteed only to take up space on your hard disk. Void where prohibited.
Your mileage may vary. Caveat emptor. You get the message.
- LDAPAdapter is a Zope object for authenticating users against an LDAP
database. It was shamelessly hacked out of Michel P's IMAPAdapter!
Blame him if you're looking for someone to point fingers at...
- LDAPAdapter works just like a user folder. When you create an
LDAPAdapter object, its id will always be set to acl_users.
There is one important difference between LDAPAdapters and User
Folders: LDAPAdapters do not contain users (that's why they're not
called LDAPUserFolders); rather, LDAPAdapters authenticate against
an LDAP server. This can confuse some Zope users who think they
must add a Zope user in order to allow someone to access a part of
Zope. All you need to do is ensure that the user has an LDAP
database entry, and Zope will let them see the branch of the object
database that the LDAPAdapter authenticates for. This is not a
weakness in security: if a user can't authenticate against an LDAP account, they
will not be allowed to log into Zope.
- This has a useful consequence: since the base DN is configurable on a per-adapter
basis, you can have separate Zope areas for different sub-trees of your LDAP directory.
The product also lets you choose the search scope used for lookups below the base DN - scope_subtree
and so on.
- Please, if you use this product, let me know what you found. I've had very little
feedback to date. Authentication products need a lot of testing! I'm happy to try to fix
things, since I need this product on my own site!
Installation:
- Place the LDAPAdapter tarball in your Zope directory and extract it.
Restart Zope. Check your control_panel/Products for a healthy LDAPAdapter. Note that the
LDAPAdapter product will show as BROKEN after you install it
if you don't have a working ldapmodule.so somewhere on the Zope python path or in
the product folder. Unfortunately this module is platform dependent, so you absolutely
must build or obtain your own. This may involve deep voodoo with Makefiles - you may need to seek
assistance. See below for details. Once you have a working LDAPAdapter
product, you can create LDAPAdapter instances at will.
When you add an LDAPAdapter object it will ask you for the following:
- title: title for this adapter
- Default Domain: the domain you want tacked onto the end of the Zope user name. It would
probably be a good idea to make this match the domain name that your LDAP server
authenticates for. It's not actually used anywhere at present.
- LDAP Server: defaults to localhost
- LDAP Port: defaults to 389
- LDAP base DN: the DN at which the search for authenticating users starts.
- LDAP bind UID and password: these will often not be needed, but there may be situations
where authentication is needed just to bind to your LDAP server.
- LDAP Search Scope: the depth for all searches from the base DN.
- LDAP Default Roles: all users authenticated from your LDAP tree will be given the
roles you put here - a comma-delimited list.
- List of special userids: these specific userids will ALSO be given any roles listed
in the next field.
- List of roles for special users: this list might contain Manager, for example, if you want
certain users to have the Manager role for this folder and below.
Licensing:
- It's free (as in free speech), as is Zope.
Known Bugs Worthy of Mention:
- There is little error handling: if you enter a wrong server name or
port, LDAPAdapter will not be able to bind. The status will show
"Opened, cache enabled" if the adapter was able to bind to the server you specified.
Important changes
- v0.98.1 has yet more security and other fixes kindly suggested by Art Hampton.
Thank heavens for open source... many hands make security work.
- v0.98 is a cleaned-up version from Søren Roug, who kindly took the time to perform
his own independent review and cleared out some old cobwebs from the development process.
- v0.95 includes a few further minor changes suggested by Søren Roug. A final
code and comment cleanup should take us to 1.0 when Søren gets around to it. He's
planning on using it on the European Environmental Agency's 30+ web servers, so it's
getting a fair testing, I think.
- v0.92 incorporates some minor fixes suggested by Søren Roug, who knows
a lot more about LDAP than I do! Included now are a management interface debug mode toggle, an
option to list all groups which are potentially returned when a user authenticates, and a more
rational filter for checking groups.
- v0.91 adds LDAP bind DN and password, just in case you need those. Caching turned out to be
a nightmare because of the way the ZODB works, so I decided to remove it rather than fight.
- v0.8 incorporates some major architectural changes (again...) and now includes two permanent
LDAP connections, one cached to save time on repeated lookups. The adapter now seems reasonably
stable in terms of memory leaks, which is a big change from some earlier releases. The code was
adapted from elsewhere - see attribution in the source.
- v0.4 has a debug flag which adds a comprehensive event log to the who monitor. It now creates
and destroys LDAP connections on every login, trying to track down a nasty leak.
Ross Lazarus, January 14, 2000
[email protected]
Latest Release: 0.98.3
Last Updated: 2000-04-10 01:13:02
Author: ZopeOrgSite
Categories: User Management
Maturity: Development