LDAP integration with user/group search
Formal metadata
Title |
Subtitle |
Series title |
Number of parts | 61
Author |
License | CC Attribution 3.0 Germany: You may use and modify the work or its content for any legal purpose and reproduce, distribute and make it publicly available in unchanged or changed form, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/54942 (DOI)
Publisher |
Year of publication |
Language |
Content metadata
Subject area |
Genre |
Abstract |
Plone Conference 2017, 47 / 61
Transcript: English (automatically generated)
00:10
So, good afternoon. This is a short talk; I hope to be able to do a real demonstration about how to set up a new,
00:23
or at least relatively new, add-on for Plone to integrate with LDAP. So who is this talk for: integrators, developers, with the main question how do I connect Plone to an LDAP user directory, and maybe you might
00:42
be interested to know what's new in pas.plugins.ldap compared to the old plone.app.ldap or Products.PloneLDAP stack that we've been using in the community for a very long time. I'm Fred van Dijk, I'm working for Zest Software, we're based in Rotterdam. I've been using Plone for a very long time as a
01:03
user, then I moved a bit to an integrator, developer, consultant, trainer, and doing a lot with it. So what we're going to do: a short introduction for those who don't know it, what's LDAP, why do people use LDAP, how do we have users and groups
01:21
in Plone, how do we integrate LDAP and Plone, and then we'll quickly go on to watching the plug-in, installing it, setting it up, the sharing tab, some users and groups, advanced setup, and hopefully I'll get in time to the wrap-up and have time for questions.
01:41
So why do we use LDAP? LDAP is a centralized database of users and groups, and if you know, when we started with computers we had to copy user and group files from one computer to another, or a system administrator had to move from his Windows 3 PC to another Windows
02:01
3 PC and set up users, and that really sucked. The UNIX guys got there a bit earlier of course, so they got into an NIS system, Network Information System, X.500, and when we started with the PC revolution around the 1990s we
02:21
had, for Windows, we had LAN Manager and something I really loved because I used that in secondary school, Novell NetWare. All that stuff had one user list and had one group list, and what happened is that we wanted to mimic all the organizational structures a bit more, so we made hierarchical user databases
02:42
where you'd have an organizational structure. UNIX was the first again with slapd, then some old favourite, that's the first time I realized that something was going on: Netscape with the browser also started to build server products and made Netscape Directory Server, and of course Windows followed with Novell, Novell Directory Services,
03:02
which Windows copied and became Active Directory, and out of all of that stuff came in the end LDAP. What is LDAP? LDAP is actually just a protocol to query a database with users and groups inside, and there can be many LDAP back ends, so
03:21
you can query Active Directory, you can query a UNIX server which has some user or group structure in there, but LDAP is the protocol that makes it kind of, yeah, a platform independent connector to all of them. So when we go
03:43
to Plone: Plone has its own user database, you can just store users and groups in it, but like we said, with larger organizations you might want to connect to a central directory. The central directory is mostly used for authentication, so you have authentication and you have authorization.
04:00
Authentication is who are you; normally you have to verify a user with a password and then the system knows who you are. Then we can also store, as a part of authentication, in which groups you belong, and then when you go to the service, for example the Plone group, we will say for this, on this folder,
04:21
this group has these permissions, and the permissions part is the authorization part. So mostly with setups, authentication is done in the directory and the authorization is mostly done on the services themselves. What's the problem in the Plone community? If you have
04:40
a client or you have an organization and you want to set up LDAP, you only do it occasionally. There are a number of moving parts; you set this up once, you fiddle a while until it works, you don't look back, and then maybe next year you have another client, or you have two or three clients, you forgot exactly what was what and you
05:00
have to start all over again. I looked it up on community.plone.org, we have a new system now for two, two and a half years, and there are at least 50 threads on LDAP, top down, bottom up, with questions. What we already had is rather old: this is the authentication in Zope,
05:21
we started with a user folder, we started with Products.LDAPUserFolder around 2001, then we extended that with a pluggable authentication service in Zope, which was, their version two was 2007, and that's not even Plone, this is just what we built for Zope in the last 15 years. On top of that in Plone we have some
05:44
known ones if you try to set up some LDAP, which is plone.app.ldap and Products.PloneLDAP, which is only wrapping all the stuff that is in Zope. So that's a lot of history and a lot of stack and a lot of add-on products you have to learn. So one of the Plone
06:05
providers here in Europe, BlueDynamics, created a new plugin called pas.plugins.ldap with a new underlying system where all the other stuff I showed on the last pages is not really there. They base it on another system, it's called node, it's some kind of virtual tree of
06:21
objects, and that's how they copy and are able to very quickly not only query an LDAP server but also do some caching, and it's a lot easier, especially if you not only have Plone but you also have
06:40
other products like Pyramid, which we here have on a conference. pas.plugins.ldap builds on node.ext.ldap, which is a Python package you can also use in Pyramid or you might use in other custom projects, and it all under the hood works the same. So what do we get when we have a new add-on in Plone? We
07:01
start using it, we improve it. There was a fundraising last year to improve pas.plugins.ldap to add some pagination, which is the support to query large amounts of users and groups in an LDAP system. If you have a larger organization like a university or a medium-sized company you can get
07:20
5,000 to 50,000 objects, and if you query an LDAP server and say look, I'm searching for all users, then you get back 50,000 users, or you won't get an answer at all. So that was added last year. Some other people made some more improvements, Oscar made
07:42
improvements for his university, and we also have made some improvements, and especially what we did was improve on Oscar's fixes for user searching, because that was something that's not in there. I'll show you: if you go to the sharing tab and you type part of a user name then nothing would show, and that's one of the things we fixed
08:02
and that's what I'd like to show you. So we added some fixes, we did it for ourselves in Plone 4, but it also works in Plone 5. Still some work to be done: this nice GitHub thingy allows you
08:21
to fork packages and then fork them again and then do some more fixes on another fork, and we kind of have to wrap this back up into the original pas.plugins.ldap thing, but that's a bit tricky. So, to demonstrate stuff, the cool part: did I manage this? Yes. I'm going to do about
08:41
a ten minute demonstration. I've got a small LDAP server set up on my laptop here. I'm going to quickly show you; if anybody wants to do this also on a UNIX or a Mac system I can give them my configuration later so you can test and play with this yourself, because that's really the intention of
09:00
this talk: don't do a lot of guessing, you really have to experiment a bit with LDAP to get into it. So I've got my terminal over here, not sharing, let's set it up better, that's wrong,
09:20
speaking synchronous, yeah, yeah, that's better. So I've got a small LDAP server running here, which is called slapd, with a configuration, and it serves it on localhost:8389, so that
09:40
the running configuration is not that difficult. Let's get this one over here. Actually it's one large configuration file for the LDAP directory server, and this is the most important part, where you say we are serving
10:01
ldap-demo.com, which is the kind of data structure, and this is the root user, and the root user you need to load the directory, in this case with a lot of users and groups. So you can do that with ldapadd. Then you have to test
10:23
if everything is working, so what you can do is use on the command line, for example, ldapsearch, and this one here will query my LDAP for, pom pom pom, almost everything that is an inetOrgPerson in the main directory, and if you
10:42
see, it returns some stuff. Do this first, don't start messing around in Plone yourself, first test that your LDAP server is running. So then you might want to have something more convenient to browse, and what you can use is Apache Directory Studio. It's an open source
11:01
project from Apache, it's a big Java tool, it has an LDAP browser, it has a built-in LDAP server, and here we are. I've got a connection here for which you can set some properties, but the properties are just a query to localhost, and now I can browse through my ldap-demo.com,
11:23
list the main organizational units. I have a subfolder with groups and I have a subfolder with users, added a few bogus and real users, so this is me, I hope it'll be legible, and here you have a
11:41
user with a number of attributes. It almost looks a bit like Zope or Plone: it's just an object tree with folders and with objects in them, and those objects have a number of fields, but in LDAP it's optimized to only be user objects or group objects or your organizational structure. So use this, you can add fields, you can edit fields.
12:02
I can't go into it with much detail, but use this to check your directory, a local demo, but also if you're in your organization or you go to another company as a consultant, use this to figure out what's going on. Then we have to configure Plone.
12:23
I'll share these sheets later so I'll not go over this a lot. Only important thing: always pin your packages right in your buildout, don't just include pas.plugins.ldap and hope for the best. So let's go to our Plone site, go to the
12:52
site setup. In the site setup with the add-ons you will see that there's LDAP directory support, I've already activated it. For now it will also
13:02
activate the extra support library, and if you go up then you will now have here in the configuration LDAP/AD support. So the most important thing is of course finding your server, on the server tab. I already said it's running on 8389, and this is the main user
13:21
with which Plone first logs into LDAP to be able to make all the other queries. For now I've used the same root user I've set in the LDAP configuration file. Don't do this in production; in production make sure you use a read-only user, so that if for some reason your Plone server gets breached and somebody
13:41
finds this password, they can only connect to LDAP as a normal user and only have read-only rights. Then we go down, and now we have on the second part, we are going to say where all the users are in LDAP, and this is the organizational unit users, ldap-demo.com, and in this part we only want to find all the inetOrg
14:02
persons, and this exactly matches what we find here. Here is our LDAP and we are looking for all users under this tree to figure out the users, and we want an inetOrgPerson back. And now comes the tricky part, where I spend a lot of time, I think most of you spend a lot of time, and that's the user attribute
14:21
aliases. So you will have to map the fields which are on all the user objects in LDAP on to a few required ones: Plone, for every user, wants an ID and a login, and the real distinguished name is, I think, for pas.plugins.ldap itself,
14:40
and you have to map them to a unique item. There I've now used uid, which is the main identifier in my own directory, which is the uid field over here, which is like fredvandijk for example here. But if you go to a company which has Active Directory, then in Active Directory the user object might by default
15:03
have some account name as the unique identifying object, and below there you have a number of extra fields which will get copied from LDAP into Plone attributes, for example the mail object, the full name, the location, which
15:23
is also in a normal user profile object in Plone. And in the end you can set up caching, which is very important if you want to go to
15:40
production, because otherwise all the queries you will do to the LDAP server all the time will get repeated for the same requests, and then you can really bog down the LDAP server, and maybe people start complaining or you will get performance problems. I'll jump quickly over the group settings here, because actually the groups are similar to the user
16:01
settings: you have to provide again where the groups are in the directory, search for them, say what you want to get back, groupOfNames, it's also exactly here, the object class is also here, groupOfNames in the directory, so that's the same thing again, some required attributes and
16:21
some extra sheets. So you've seen the actual objects, I've shown them in Apache Directory Studio, let's try this out. So I'm going to the news folder and I'm going
16:44
to the sharing tab and I'm going to search for Fred van Dijk. Well, this already worked, so here I have Fred van Dijk popping up with his full name, and the full name is coming up because I match the full name in the extended attributes,
17:02
but I can also search for Rotterdam, and this is now popping up because I have a location field, and this is the extension that Oscar and also we at Zest made for pas.plugins.ldap. It's now searching in the location as well and it's finding all users with the location
17:20
set to Rotterdam. So now I can add those users; I won't go into that because that's the Plone sharing stuff. But I can also search for something that's called comm, and there's a communications group. So this is the thing we had to, it's kind of a tricky thing, you have to use an asterisk if you
17:42
want to search for partial things. So I can do this, and with the asterisk I can also do *zest* and then it will come up with me and Maurits again, because I filled out our email addresses with zestsoftware.nl. So the searching is really, really
18:00
flexible and very convenient if you have a large user directory, and that's something we really needed for some customers. This is about the local sharing tab; it should also work on the global sharing tab, but I found out this morning there's a bug in there. So if you go to
18:21
site setup and you say in the users and groups here, you can also of course do global, it should work the same, but for some reason there's a bug in 5.0.8 with this, so I'm not going to do this because then the whole server stops searching for any users. Now the last thing is: I've now set
18:44
up my organizational units here. If you can see, there's a sneaky sub group over here with another user, you might know him, and Paul at the moment is not found at all. So if I go to the news here and I go into the sharing tab and I
19:04
search for Paul, he's not showing up. This is something, it's not showing up because in the site setup, in the settings for Active Directory, I've set up the user searching to be only good for one level, so it will only find the
19:21
objects that are directly below the users, ldap-demo.com. If I switch this to subtree then it will do a kind of recursive search, and if I do this, then when we go to news and go to the sharing tab we should be able to search for
19:41
something, and it doesn't show up. Of course, demo effect, no. Then we have to do it with some question, probably just restarting my instance. For
20:01
now, a short later, I'll first finish up the talk, we don't have that much time on it anymore. So I've showed this very simple one. This is what happens when you look into a real Active Directory LDAP server, then
20:24
you see a lot, lot, lot more objects, because Active Directory actually has a lot more support, and if you look into that you will also for example see some account name here, or other fields which are in there. Oh, I talked a bit about performance: if you really want to have a very large directory, then
20:43
use memcached. I talked with the developer of pas.plugins.ldap this morning, Jens, and he said always use memcache, never leave home without it, always activate memcache, because otherwise performance will be horrible. Very easy to set up, most UNIX systems already have it. This
21:01
is a small snippet you could use if you're using buildouts and you want to set up a local memcached server. I've now skipped over the configuration; this is of course quite a bit to set up in the site setup if you have to go to the Active Directory panel and set all these settings. What you can do is make a
21:22
policy package, and I'd quickly like to demonstrate that. Manage: I'll create a new Plone site.
21:42
Let's see if Paul is available right now: sharing, yes, and there he shows up now, so that's the one level or subtree recursive search. So back to my new site,
22:01
go to the site setup, go to the add-ons, and I've created a minimal policy product, and when I install it you'll notice nothing installed here: now LDAP is installed and my policy add-on is also installed. When you
22:21
go now to the configuration for Active Directory and LDAP support, all my settings are there, all mappings are there, I can also configure the memcached server for Plone. And now if I go to news and try the sharing in the second
22:42
Plone site, then let's hope this works, demo effect, yeah, and there's my Fred van Dijk as well. So one last thing: of course I can log into a site, so I can go and use my very secret
23:02
password, and if you go into preferences and look at the personal information there, you will see that it also copied this stuff from the LDAP directory: it copied my full name and it copied my location as
23:21
well, and if you extend your Plone user objects you can grab more information from it. So that's what you can do with some general setup settings for a much easier deployment. Final thoughts: as you can see, this is running through it in 15, 20 minutes, it's not plug-and-play easy stuff, and that's also
23:42
where I think the questions from community.plone.org come from: I tried this product, I filled in some fields, I guessed some attributes and it doesn't work. No, it doesn't: you should really know your directory, use Apache Directory Studio, look into the LDAP, see what's there. For production use SSL communication,
24:00
nowadays you never know what's happening in the server farm or in your company system when your Plone server is talking to the LDAP server. As I said, make a read-only admin user. And what we figured out: it still needs some polishing, it still needs some refinement, but it's a very, very mature
24:22
and stable product already. Thank you, any questions? Thank you Fred, a big applause for him.
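The two search behaviours the demo turns on, the one-level versus subtree scope that hides a user in a sub-OU and the asterisk needed for partial matches, as an added example that is not part of the talk or of pas.plugins.ldap. It models a constructed directory in plain Python instead of talking to a real server; the DNs, users and the shape of the LDAP filter in build_user_filter are assumptions for illustration, and the attribute mapping mirrors the aliases described in the talk.

```python
import re

# Constructed sample directory (not the speaker's real data), keyed by DN.
# "paul" sits in a sub-OU, which is the case a one-level search misses.
DIRECTORY = {
    "uid=fred,ou=users,dc=ldap-demo,dc=com": {
        "objectClass": "inetOrgPerson", "uid": "fred", "cn": "Fred van Dijk",
        "mail": "fred@zestsoftware.nl", "l": "Rotterdam"},
    "uid=maurits,ou=users,dc=ldap-demo,dc=com": {
        "objectClass": "inetOrgPerson", "uid": "maurits", "cn": "Maurits van Rees",
        "mail": "maurits@zestsoftware.nl", "l": "Rotterdam"},
    "uid=paul,ou=sub,ou=users,dc=ldap-demo,dc=com": {
        "objectClass": "inetOrgPerson", "uid": "paul", "cn": "Paul Example",
        "mail": "paul@example.org", "l": "Barcelona"},
    "cn=communications,ou=groups,dc=ldap-demo,dc=com": {
        "objectClass": "groupOfNames", "cn": "communications",
        "member": "uid=fred,ou=users,dc=ldap-demo,dc=com"},
}

USERS_BASE = "ou=users,dc=ldap-demo,dc=com"
# Plone user property -> LDAP attribute, like the plugin's attribute aliases.
USER_ATTR_MAP = {"id": "uid", "login": "uid", "fullname": "cn",
                 "email": "mail", "location": "l"}
SEARCH_PROPS = ("id", "fullname", "email", "location")


def in_scope(dn, base, scope):
    """ONELEVEL matches direct children of base only; SUBTREE any descendant."""
    dn, base = dn.lower(), base.lower()
    if scope == "ONELEVEL":
        parts = dn.split(",", 1)
        return len(parts) == 2 and parts[1] == base
    if scope == "SUBTREE":
        return dn.endswith("," + base)
    raise ValueError("scope must be ONELEVEL or SUBTREE")


def escape_filter_value(value):
    """RFC 4515 escaping for user input, keeping '*' as the intended wildcard."""
    return (value.replace("\\", "\\5c").replace("(", "\\28")
            .replace(")", "\\29").replace("\0", "\\00"))


def build_user_filter(query):
    """Assumed shape of the filter a sharing-tab style search sends for one term."""
    term = escape_filter_value(query)
    ors = "".join("(%s=%s)" % (USER_ATTR_MAP[p], term) for p in SEARCH_PROPS)
    return "(&(objectClass=inetOrgPerson)(|%s))" % ors


def search_users(query, scope="ONELEVEL"):
    """Evaluate the query against DIRECTORY with LDAP substring semantics."""
    # '*' is the only wildcard; a term without it must equal the whole value,
    # which is why "comm" alone does not find "communications" in the demo.
    pattern = ".*".join(re.escape(p) for p in query.lower().split("*"))
    found = []
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, USERS_BASE, scope):
            continue
        if attrs["objectClass"] != "inetOrgPerson":
            continue
        values = (attrs.get(USER_ATTR_MAP[p], "").lower() for p in SEARCH_PROPS)
        if any(re.fullmatch(pattern, v) for v in values):
            found.append(attrs["uid"])
    return sorted(found)


if __name__ == "__main__":
    print(build_user_filter("*zest*"))
    print(search_users("rotterdam"), search_users("*zest*"), search_users("rott"))
    print(search_users("paul"), search_users("paul", scope="SUBTREE"))
```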