Plone 2.5.2 and LDAP - revisited

Published: 2007-03-04 18:23 UTC. Tags: software LDAP plone

One or two years ago, I spent some time trying to understand how to connect Plone 2.0 to LDAP. I really had no luck as things were complicated. Reading out existing users from the directory might have been possible, but trying to create users was a thing never heard of.

I decided to check out the current state of Plone and LDAP again with amore modern version of Plone, in my case, Plone 2.5.2. After some heavy experimentation, I've come to the conclusion that the software involved has grown more mature, but it's still hard to get it working.

Sources of Information

Software Requirements

  • python-ldap. Make sure the python that is used to run Zope has this module available, or nothing at all will work.
  • LDAPUserFolder. I used version 2.8beta.
  • LDAPMultiPlugins. I first tried version 1.4, but got some problems. Version 1.5, released yesterday(!), works much better.
  • The LDAPMultiPlugins patch available at For me, it applied cleanly on top of LDAPMultiPlugins 1.5. It adds functionality that is available and needed by PlonePAS. Group memberships seems to work much better with this patch than without.
  • Two patches, one on CMFPlone/ (download here), and one on PasswordResetTool/skins/PasswordReset/ (download here). Without these, registration will fail. Please note that both patches are ugly hacks that are not long-term solutions to the problem.
  • This patch:, or login after password reset will fail with a recursion depth error.


Drop LDAPUserFolder and LDAPMultiPlugins into your Products folder, apply patches listed above, and restart Zope.


Follow In short, you add a LDAP Multi Plugin to your PAS folder (acl_users in ZMI) by using the dropdown in the top right corner and then configure it.

Theory of Operation

Plone 2.5 uses PlonePAS, which is an adaption of Zope's PAS (the Pluggable Authentication System) for its user/group handling. That is a good thing, as PAS is a very flexible system that can do just about anything.

To get LDAP users/groups/authentication, LDAPMultiPlugins need to be installed and configured. After configuration, LDAPMultiPlugins contain an LDAPUserFolder that is used to actually fetch information from LDAP. The different plugins in LDAPMultiPlugins then add functionality such as authentication, user and group enumeration et. al. to PlonePAS.

Configuration of which LDAP server(s) to use, which base to use etc are made by visiting acl_users -> <your LDAPMultiPlugin> -> Contents -> acl_users. A bit awkward to find, if you ask me.


It's very important to pay attention to the LDAP Schema tab under the LDAPUserFolder.
  • The LDAP attribute used to keep the full name of the user must be mapped to fullname. In my case, this means that the LDAP attribute cn should be mapped to fullname. For other directory configurations the attribute may be named differently. Novell eDirectory for example, uses cn as username.
  • The LDAP attributes used to keep the e-mail address of the user must be mapped to email. In most cases this means that the LDAP attribute mail should be mapped to email.
  • Only attributes listed in the LDAP Schema tab are available in the dropdowns used to select which field to use as login name attribute, username etc in the configuration of LDAPUserFolder.
  • All attributes listed as MUST in the LDAP schemas used to create new users (and search for existing) must be listed under the LDAP Schema. If not, user registration will fail due to LDAP schema errors.
It's also very important to pay attention to the list of User Object Classes  in the configure tab. This list is used both to construct the query used when searching for user objects, and to create new user objects at registration. At new user registration, an LDAP object is first created with all attributes (except the RDN attribute) set to [unset] in the LDAP database. As mentioned above, all attributes listed under the LDAP Schemas tab are filled with this value. Later on in the registration codepath, the attributes actually mapped to plone attributes are set (one attribute at a time, in separate LDAP requests).

The order of the PAS Plugins is very important. To get user registration to work, and for other things as well, the LDAP Multi Plugin should be at top of the list of plugins for each type of plugin.

For (much) better performance, add caching by visiting the Caches tab of both ZMI->acl_users and your LDAP Multi Plugin. Adding a cache to source_groups also seems like a good idea (there's no cache tab, so you'll have to find the URL to the cache management yourself - it's something like http://uterus:8080/Plone/acl_users/source_groups/ZCacheable_manage. For me, it seems to work using the RAM Cache Manager that already exist in any Plone 2.5 installation.

That's all the things I can remember as being important from yesterday's late night session :-).

←← previous blog entry next blog entry →→

Comment by Kuiyu Chang

Created Thu, 8 Mar 2007 11:18:33 +0000

You can install multiple LDAP Multi Plugin, each one corresponding to a different sub-tree in your DIT.

Important thing to do to make Plone 2.5.x authenticate with LDAP.

After you have setup everything, go to ZMI: {your_plone_instance}/acl_users/{name of your LDAPMultiplugin object}
and activate at least "Authentication" in order for an LDAP user to authenticate under Plone.

If you miss this step, the LDAP user will not authenticate.

Comment by Kuiyu CHANG

Created Sat, 10 Mar 2007 09:44:33 +0000

Actually, you can only put a single LDAPMultiplugin (i.e. a single DIT) in PlonePAS.

When I put two, each with its DIT, sometimes,
ldap_user = acl.getUserById("username") fails, as it looked up the wrong plugin. I believe a randomly selected LDAPUserFolder is returned.

Comment by Maurits van Rees

Created Mon, 12 Mar 2007 22:49:52 +0000

Nice write-up with good pointers. Thanks!

You might also want to check out the ldapconfig product:

That should make configuring Plone and ldap as easy as changing some settings in a config file and dropping it in the etc/ dir of your instance. You still need to patch LDAPMultiPlugins and basically know what you are doing though.

Comment by hubert

Created Tue, 13 Mar 2007 21:11:22 +0000

Really, thank you for this up-to-date how-to. I hoped the new elements you bring would have solved my problem : I can't search members with this LDAP setup... Did you get it working ? Do you have an idea about what I can be missing ?

Thanks again !

Comment by Erik Forsberg

Created Wed, 14 Mar 2007 18:39:08 +0000

Depends on what you mean by "can't search" - using which interface? Plone's, or the ZMI?

Make sure the list of objectclasses (in the LDAPUserFolder) correspond to the list of object classes that your user objects actually have, as the list of objectclasses is used to construct the query when finding users.

It can be very educational to listen on the network traffic using for example wireshark, to see what's being sent and what comes back from the LDAP server. That only works if you're using an unencrypted connection, though.

Comment by hubert

Created Fri, 16 Mar 2007 12:11:49 +0000

You are right : using ZMI, no problem : binding Manager DN, searching users, groups, mapping groups on roles... That works just fine.

But users, using the Plone Members tab, only get a "no result" page, no matter what criteria they may supply. Listening the network traffic shows a lot of bindings concerning the Manager DN, a lot of searches concerning attrs and groups about current user but absolutely nothing for searching other users based on supplied criteria.

That is the same with a portal administrator profile : in Plone Setup, it can't see any users in Users and Groups Admin section. To be precise, in this section, searching all users, or one known user give a "no result" answer. Searching groupA lead to an error page : "NameError: global name 'NotSupported' is not defined". Searching groupB makes appear an empty two-columns array (column1=Name, column2=Type). The only difference between groupA and groupB is that only members of groupB have already opened a session on this Plone instance.

I hope I make it clearer this time ;)

Comment by Anjanette

Created Fri, 23 Mar 2007 21:30:43 +0000

The downloaded patch for CMFPlone did not work for me. I am running Plone2.5.2-1. I receive this error message:
patch: **** malformed patch at line 10: from Products.CMFDefault.RegistrationTool import _checkEmail

It goes away if I change the patch by getting rid of the first 2 chunks and changing the third chunk from 189 to 192.

Comment by c. emery

Created Mon, 2 Apr 2007 22:47:40 +0000

I was wondering if you had found a solution to your problem hubert, as I am experiencing the same issue.

All mapping, searching, and listing of ldap objects from the zmi ldapmultiplugin acluser object work fine, but searching users from the sharing tab, manage users feature of the portal management, and the /Members search functions in plone do not return any results.

Any solutions you could share would be greatly appreciated.

Comment by c. emery

Created Wed, 4 Apr 2007 14:01:03 +0000

For anyone else that has had this problem (i.e. zmi based search works correctly but no results in plone), verify your versions of all necessary components. It turned out our problem was due to wrong version (2.6) of LDAPUserfolder. Once version 2.7 was installed, everything works beautifully. We are running win2003 AD server, plone 2.5.2, LDAPMultiplugins 1.5 (with patch from, LDAPUserfolder2.7, Zope 2.9.6.

Comment by toannd

Created Fri, 15 Jun 2007 10:30:26 +0000

I also got the same fault and When I search user by fullname (or cn in LDAP) criterion(Plone) It worked fine. But when I click to "Show All" button. Nothing to happen
Which solutions fof this problem?

Comment by Deepwalker

Created Fri, 22 Jun 2007 19:42:27 +0000

I'm try plone today, and have some problem. And i'm think this happend from unimplemented Products.PlonePAS.interfaces.plugins.IUserIntrospection
I'm right?
I think so because <<User_Introspection (getUserNames)>>

Comment by Laurence Pawling

Created Wed, 27 Jun 2007 13:49:57 +0000

Thanks for an up-to date how-to! I think I went through about 3 different ones before I learned about LDAPMultiPlugin and then another few before I found the patch!

What I'm trying to do is something I'm sure a lot of people do, but I haven't found any documentation on it. I'm trying to use Active Directory groups in combination with Plone/Zope roles and folder sharing to only allow members of say AD group GG-Marketing to edit the Marketing folder of my new Plone based Intranet.

The problem I'm having is that I can't seem to get my LDAPUserFolder to pick up any new roles added to the Zope \acl_users\roles, or anywhere else for that matter!

I've tried adding an LDAPGroupFolder, but just get an AttributeError:listUserSourceFolders. I don't even know if that's going to help me, because I can't find any documentation on it! :-P

Does anyone have any pointers? I've been using Zope and Plone for about 4 days now so might be missing something obvious!

FYI I'm using a pristine install of Zope 2.9.7 (w/ Python 2.4.4) and Plone 2.5.3, with LDAPUserFolder 2.6 (couldn't make 2.8 work) and LDAPMultiPlugins 1.5 (patched).

Comment by Nikhil

Created Wed, 16 Apr 2008 06:58:22 +0000

My ldap authentication is working fine even i can search user's.I have added issue tracker and i want my ldap user to be listed in that issue tracke to assign issue,but its not listing out LDAP user's.
do anyone is facing similar problem.
help me out if you have sol'n

Comment by Wichert Akkerman

Created Wed, 16 Apr 2008 07:32:34 +0000

For some reason this article popped up on planet plone again, but unfortunately it is a year out of date - people should no longer be using these instructions.

LDAP integration is very simple and well documented these days. Just install the PloneLDAP ( bundle and you're done.

If you are using Plone 3.0 you can also use simplon.plone.ldap ( which gives you a simple Plone control panel to configure LDAP in your site.

Comment by Bertrand Mathieu

Created Tue, 22 Apr 2008 12:06:17 +0000

LDAPUserFolder 2.9beta is out for a few months now. It has a very interesting fix:
"Added negative caching for users to avoid querying the LDAP server again and again for invalid logins."

Post a comment

Posting of comments have been disabled for now. Too much spam.