Getting up to speed with Active Directory, LDAP and Plone
So, we're going after a project that involves a lot of user management, and in that, Windows Active Directory and LDAP to authenticate against and update, so that when someone updates their info in Plone, the AD is also updated.I haven't worked with a lot of Windows technology on the server side, it has almost always been Linux and other *nix variants.
So, to show that we are able to get things going with Active Directory, LDAP and Plone I figured I could setup VirtualBox on my Linux laptop, and install a trial version of Windows Server.
I downloaded Windows Server 2012, setup VirtualBox, booted from the ISO but the process stopped because the CPU I'm using is 32 (48) bit, and Windows Server 2012 requires 64 bit.
So OK, I googled again after Windows Server 32 bit and found the Windows Server 2008 trial ISO and downloaded that.
OK, so booting up the VirtualBox system with the ISO, getting to the install screen.. Windows asks for a product key but that shouldn't be necessary because I'm doing a trial..
To speed up the installation process I'm choosing the standard core server install.. which wasn't that smart, as the regular start menu and such were not available, just got a command prompt.. so back to the installer, install full standard version and we're up and running. :)
After some trying and failing I found that I could add all the necessary Active Directory bits through Administration tools -> Server Manager. OK, so got those installed, and setup a local DNS server.
Also installed Plone via the Enfold windows installer, as well as the Java JRE, so I could install Apache Directory Studio (which I opted to install after reading some nice things about it on the net).
OK, so after taking a break from this setup process I fired up VirtualBox again and couldn't get the network going. So, back to the Windows Server installation process, install Java, Plone, Active Directory again. This time, Active Directory was only setup with the LDAP module, so I worked with the simplest setup possible.
I tried some different configurations in buildout.cfg to get the plone.app.ldap package going, first issue was that python-ldap couldn't install properly so after some fiddling around I used the msi installer from PyPi and got python-ldap installed on \plone42\python.
OK, so far so good. But buildout still tried pulling and installing python-ldap.. after googling I found that the python-ldap's python egg.info directory moved to the buildout eggs folder fooled buildout to not download python-ldap. And after running buildout, I removed that folder so that there couldn't be any conflicts between the two info folders.
OK, so far so good.. tried firing up the instance and got the following error message:
ImportError: DLL load failed: The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log for more detail.
Googling I found that it was missing Visual C++ runtime libraries that were missing.. installing runtime libraries for 2005, 2008, 2010 and 2012 (2008 was the right one) that ImportError message disappeared.
So that went fairly well, but starting up with the instance.exe program again raised an ImportError, on win32file. So OK, I looked around and found pywin32 which should contain that module. Downloaded the installer, but didn't get far in the installation process as the Python that comes with the Plone installer doesn't register itself in the windows registry, and it isn't possible to set an installation path manually. So, OK, was about to copy over win32 modules from the new Python 2.6 installation but saw that win32 etc. were already in the site-packages of the Plone installation..
The plot thickens, and again after some Googling it seemed clear that the issue was starting the Plone instance with 'instance.exe fg' didn't work, while starting Plone through the services control panel would.
Well, well. I googled a bit about Enfold plone and finally figured out that there is some LDAP functionality included in the Enfold Plone Server Windows Installer, so I'm going to go for that. Going for server version 4.5 as it looks like the simplest thing to get installed and test how LDAP works with it.
OK, so I tried a bit of this and that, the point of this exercise was to test that it is possible to connect Plone to Active Directory, for retrieval and updating of data..
So, since I'm on a deadline, I decided to go for a simple, verifiable approach to managing AD content. Found pyad, installed Python 2.7, installed pywin32 using the installer, installed easy_install, used easy_install to install pyad. Also setup AD to run Domain Services.
Created the following script:
START
from pyad import pyad
import time
user=pyad.from_cn('Administrator')
for attribute in user.get_allowed_attributes():
if 'pass' in attribute.lower(): print attribute
print 'old password', user.get_attribute('userPassword')[0][:]
user.update_attribute('userPassword', 'newPassword-' + str(time.time()))
user=pyad.from_cn('Administrator')
print 'new password', user.get_attribute('userPassword')[0][:]
END
And that worked well. It is nice to know that there is a rather uncomplicated way to get access to AD, using Python.
I see that what was Enfold Server will be Open Source, and the plan is to get a proper Plone system integrated with Active Directory in the way most people do, but a simple fallback as described above is nice to have. It would be nice if someone wrote a thorough tutorial or manual on how to integrate Plone with AD, as AD seems to be the choice a lot of organizations use to manage users, access, software licenses and other information.
[Permalink] [By morphex] [Python, Zope, Plone - and anything loosely related to that (Atom feed)] [2013 06 Mar 16:02 GMT+2]
Comments
Python LDAP won't compileBy: Jason From what I remember you have to have the correct version of the Visual C++ runtime libraries to compile Python LDAP on windows and that still doesn't usually work. Enfold does have an already compiled egg available for download here: http://dist.enfoldsystems.com/catalog/python-ldap/releases/2.3.12 I don't think that's the most up to date version of Python LDAP but it works. As for the pywin32 problems they are installed with the Enfold Plone installer but windows doesn't recognize them for whatever reason. I have been able to get around that by installing Plone, moving Python out of the Plone directory, installing a new Python into that directory, deleting that Python, moving the original one back, and then installing pywin32 using the installed. Supposedly you can set your system Python using a script which would be the better way to do this but I have had too many problems getting it to work. |