Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
ldapConnection, userid, password
not in version 3 format, which looks like this:
ldapConnection, uid="userid", password
I have tried to force openLDAP client to perform bind requests using the "ldap_version 2" parameter in the /usr/local/etc/openldap/ldap.conf system-wide ldap configuration file, and also in a .ldaprc file stored in the Zope working directory. Neither seems to work. Can anyone tell me how to successfully configure openLDAP to send a version 2 bind request?
Thanks!
Ken
This would be adjusted in your slapd.conf. See http://linux.die.net/man/5/slapd.conf
You will need an allow statement such as "allow bind_v2".
--AP
On Jun 23, 2008, at 11:28 AM, kenglund wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is “really not LDAP”, but has an “LDAP Like” interface. The interface requires the bind to look like this:
ldapConnection, userid, password
not in version 3 format, which looks like this:
ldapConnection, uid="userid", password
I have tried to force openLDAP client to perform bind requests using the "ldap_version 2" parameter in the /usr/local/etc/openldap/ldap.conf system-wide ldap configuration file, and also in a .ldaprc file stored in the Zope working directory. Neither seems to work. Can anyone tell me how to successfully configure openLDAP to send a version 2 bind request?
Thanks!
Ken
--On Monday, June 23, 2008 11:28 AM -0400 kenglund kenglund@sbc.edu wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
Either your tech guy is on crack, since LDAP v3 is the current LDAP protocol version, and has been for many years, or you have a misunderstanding somewhere along the way of what they were saying.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Tuesday 24 June 2008 18:20:28 Quanah Gibson-Mount wrote:
--On Monday, June 23, 2008 11:28 AM -0400 kenglund kenglund@sbc.edu wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
Either your tech guy is on crack, since LDAP v3 is the current LDAP protocol version, and has been for many years, or you have a misunderstanding somewhere along the way of what they were saying.
Or, the software in question *really* only does do LDAPv2. This is the case with a lot of proprietary software from supposedly reputable vendors.
Either way, it doesn't seem that the library can set the LDAP protocol version (so, you can't put it in an OpenLDAP configuration file). You will have to see whether PloneLDAP supports setting the protocol version. It doesn't appear possible via configuration (from what I have seen), you may have to hack PloneLDAP up a bit, or get a real LDAP server ....
Regards, Buchan
--On Tuesday, June 24, 2008 6:38 PM +0200 Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday 24 June 2008 18:20:28 Quanah Gibson-Mount wrote:
--On Monday, June 23, 2008 11:28 AM -0400 kenglund kenglund@sbc.edu wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
Either your tech guy is on crack, since LDAP v3 is the current LDAP protocol version, and has been for many years, or you have a misunderstanding somewhere along the way of what they were saying.
Or, the software in question *really* only does do LDAPv2. This is the case with a lot of proprietary software from supposedly reputable vendors.
Whether or not the software only does LDAPv2 in no way relates to saying that "ldapv3 is really not ldap". That's why I said either the guy is on crack, or there was a misunderstanding (i.e., the software only does ldapv2, and trying to do ldapv3 would be a hack, etc).
--Quanah
On Tuesday 24 June 2008 18:54:24 Quanah Gibson-Mount wrote:
--On Tuesday, June 24, 2008 6:38 PM +0200 Buchan Milne
bgmilne@staff.telkomsa.net wrote:
On Tuesday 24 June 2008 18:20:28 Quanah Gibson-Mount wrote:
--On Monday, June 23, 2008 11:28 AM -0400 kenglund kenglund@sbc.edu
wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
Either your tech guy is on crack, since LDAP v3 is the current LDAP protocol version, and has been for many years, or you have a misunderstanding somewhere along the way of what they were saying.
Or, the software in question *really* only does do LDAPv2. This is the case with a lot of proprietary software from supposedly reputable vendors.
Whether or not the software only does LDAPv2 in no way relates to saying that "ldapv3 is really not ldap". That's why I said either the guy is on crack, or there was a misunderstanding (i.e., the software only does ldapv2, and trying to do ldapv3 would be a hack, etc).
Well, there is software out there that presents an LDAP-like interface to data primarily intended for other purposes, but that you would typically not consider to be an LDAP server. CommunigatePro is one that comes to mind. As such, it may not support LDAPv3, and also could be considered to qualify as "really not LDAP".
(back-sql, or Oracle OID don't really qualify here, as it is possible to write to them via the LDAP protocol, whereas CommunigatePro does not allow writes at all).
However, CommunigatePro does apparently also allow one to use a real LDAP server instead of its internal per-user-file-based user list ... but I didn't try it, we just migrated a few hundred thousand users off it onto something better.
Regards, Buchan
Quanah Gibson-Mount wrote:
--On Tuesday, June 24, 2008 6:38 PM +0200 Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday 24 June 2008 18:20:28 Quanah Gibson-Mount wrote:
--On Monday, June 23, 2008 11:28 AM -0400 kenglund kenglund@sbc.edu wrote:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this:
Either your tech guy is on crack, since LDAP v3 is the current LDAP protocol version, and has been for many years, or you have a misunderstanding somewhere along the way of what they were saying.
Or, the software in question *really* only does do LDAPv2. This is the case with a lot of proprietary software from supposedly reputable vendors.
Whether or not the software only does LDAPv2 in no way relates to saying that "ldapv3 is really not ldap". That's why I said either the guy is on crack, or there was a misunderstanding (i.e., the software only does ldapv2, and trying to do ldapv3 would be a hack, etc).
Given the description in the original post, it's all a hack no matter how you look at it.
Anyway, the question is moot. There is no ldap.conf option to make the client library use LDAPv2 - the library always uses LDAPv2 by default, so any naive software that doesn't explicitly choose LDAPv3 is getting LDAPv2 anyway.
As for making an LDAP Bind request using a simple username instead of a DN - the OpenLDAP library just passes whatever name was given to it. It's up to the calling application to decide what format that name will use, and of course the remote server has to recognize that name format.
Buchan Milne wrote:
Either way, it doesn't seem that the library can set the LDAP protocol version (so, you can't put it in an OpenLDAP configuration file). You will have to see whether PloneLDAP supports setting the protocol version. It doesn't appear possible via configuration (from what I have seen), you may have to hack PloneLDAP up a bit, or get a real LDAP server ....
I think the issue of the original poster is not with PloneLDAP, rather with his mail server which seems to have a LDAPv2 interface.
FYI: PloneLDAP is implemented in Python and therefore uses python-ldap as an LDAP API (which is, for the protocol part, a wrapper around the OpenLDAP client libs). In contrast to the OpenLDAP client libs, python-ldap sets the default for protocol version to LDAPv3 (since version 2.0.0pre12 as of 2003-05-27). Although strictly speaking this was an incompatible API change, nobody ever complained since then. ;-)
Ciao, Michael.
Michael Ströder wrote:
Buchan Milne wrote:
Either way, it doesn't seem that the library can set the LDAP protocol version (so, you can't put it in an OpenLDAP configuration file). You will have to see whether PloneLDAP supports setting the protocol version. It doesn't appear possible via configuration (from what I have seen), you may have to hack PloneLDAP up a bit, or get a real LDAP server ....
I think the issue of the original poster is not with PloneLDAP, rather with his mail server which seems to have a LDAPv2 interface.
Sorry, Buchan. After re-reading I figured out that you already said this. ;-)
Ciao, Michael.
"kenglund" kenglund@sbc.edu writes:
Hello,
I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is “really not LDAP”, but has an “LDAP Like” interface. The interface requires the bind to look like this:
ldapConnection, userid, password
not in version 3 format, which looks like this:
ldapConnection, uid="userid", password
I have tried to force openLDAP client to perform bind requests using the "ldap_version 2" parameter in the /usr/local/etc/openldap/ldap.conf system-wide ldap configuration file, and also in a .ldaprc file stored in the Zope working directory. Neither seems to work. Can anyone tell me how to successfully configure openLDAP to send a version 2 bind request?
man slapd.conf(5), allow bind_v2; but it seems your examples are not valid anyhow, please give a precise example of your bind request.
-Dieter
kenglund wrote:
openLDAP is authenticating through our mail server, which wants bind requests in version 2 format.
Can you please elaborate on what the architecture really looks like?
Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is “really not LDAP”, but has an “LDAP Like” interface.
Is my understanding correct that the mail server has an LDAP interface and your OpenLDAP installation proxies bind requests to this server? Or does PloneLDAP bind to the mail server directly (via python-ldap/OpenLDAP libs)? In this case you would have to convince the PloneLDAP developers to set the class attribute
LDAPObject.protocol_version=ldap.VERSION2
This would need a configuration option and is therefore rather a PloneLDAP feature request.
Note that depending on the LDAPv2 server implementation you can run into issues with NON-ASCII characters if you naively change the protocol version (since LDAPv3 applications correctly assume Unicode with UTF-8 encoding).
Ciao, Michael.
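Two points made in the replies above are easy to see on the wire: Howard's, that the protocol version is just a field inside the BindRequest and that the client library forwards whatever bind name the application hands it (a bare userid or a DN is the application's choice), and Michael's, that an LDAPv3 client encodes names and passwords as UTF-8, which a v2-era server reading a single-byte charset will mangle for non-ASCII values. The following is an added example, not code from the thread, from PloneLDAP or from python-ldap: a small hand-rolled BER encoder/decoder for a simple-authentication BindRequest following the ASN.1 in RFC 4511 section 4.2. The sample credentials are constructed, and the assumption that the v2 peer decodes octets as ISO-8859-1 is made only for illustration.

```python
# Added example (not from the thread, PloneLDAP or python-ldap): encode and
# decode an LDAP BindRequest with simple authentication by hand, so the
# version INTEGER and the opaque bind name are visible as bytes.

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0] constructed (RFC 4511 4.2)
SIMPLE_AUTH = 0x80       # AuthenticationChoice.simple: [0] primitive


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER encoding (non-negative values only here)."""
    if value < 0:
        raise ValueError("negative integers are not needed in a BindRequest")
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_bind_request(message_id: int, version: int, name: str, password: str,
                        charset: str = "utf-8") -> bytes:
    """Build LDAPMessage { messageID, bindRequest { version, name, simple } }.

    `charset` is how the application turns name and password into octets.
    LDAPv3 mandates UTF-8; the name itself is passed through untouched, so
    "userid" versus "uid=userid" is decided by the caller, not the library.
    """
    if not 1 <= version <= 127:
        raise ValueError("version must be in 1..127")
    bind = (_ber_integer(version)
            + _tlv(OCTET_STRING, name.encode(charset))
            + _tlv(SIMPLE_AUTH, password.encode(charset)))
    return _tlv(SEQUENCE, _ber_integer(message_id) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_bind_request(msg: bytes) -> dict:
    """Parse a simple-auth BindRequest back into its fields (name/password as raw octets)."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = _read_tlv(bind, 0)
    if tag != INTEGER:
        raise ValueError("missing version")
    tag, name, pos = _read_tlv(bind, pos)
    if tag != OCTET_STRING:
        raise ValueError("missing name")
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name,
        "password": cred,
    }


def name_as_seen_by_v2_server(name: str) -> str:
    """What a v2-era server reading single-byte ISO-8859-1 makes of a UTF-8 name.

    Assumption for illustration only: the peer decodes octets as latin-1
    while the LDAPv3 client sent UTF-8. ASCII survives; anything else becomes mojibake.
    """
    return name.encode("utf-8").decode("latin-1")


if __name__ == "__main__":
    # Constructed sample credentials; "jdoe" is the bare userid the mail server wants.
    v2 = encode_bind_request(1, 2, "jdoe", "s3cret")
    v3 = encode_bind_request(1, 3, "uid=jdoe", "s3cret")
    for blob in (v2, v3):
        print(blob.hex(), decode_bind_request(blob))
    print(name_as_seen_by_v2_server("Müller"))
```

Running it shows that the v2 and v3 requests differ in exactly one byte (the version INTEGER) and that the name field carries whatever string was supplied, which is why no ldap.conf setting can change it; the last line shows the mojibake a v3-default client such as python-ldap can produce against a v2-era server for a non-ASCII userid.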
openldap-technical@openldap.org