LDAPUserFolder - Configure: Set the basic configuration for the LDAPUserFolder

Description

This view is used to change the basic settings of a LDAPUserFolder.

Controls

Title

The (optional) title for this adapter

Login Name Attribute

The LDAP record attribute used as the username. The list of default choices can be changed by adding attributes on the LDAP Schema tab.

User ID Attribute

The LDAP record attribute used as the user ID. The list of default choices can be changed by adding attributes on the LDAP Schema tab. IMPORTANT: You should only set this attribute to a LDAP record attribute that contains a single value and that does not get changed, otherwise you will run into problems with the Zope object ownership mechanism.

RDN Attribute

The RDN attribute (Relative Distinguished Name) is the name of the LDAP attribute used as the first component of the full DN (Distinguished Name). In most cases the default value of cn is correct, you can select uid if your schema defines it. Please see RFC 2377 for more information.

Users Base DN

The DN for the branch of your LDAP database that contains user records.

Scope

Choose the depth for all searches from the user search base dn

Group storage

Choose where to store the group (a.k.a. Role) information for users. You can either store roles inside LDAP itself or you can store it inside the LDAP User Folder, which is simpler and does not require that LDAP deals with user roles at all.

Group mapping

If your group information is stored in LDAP and you do not want to set up individual LDAP group to Zope role mappings, then you can simply map all LDAP groups to Zope roles. Each group a user is member of will show up as a role with the same name on the user object.

Groups Base DN

The DN for the branch of your LDAP database that contains group records. These group records are of the LDAP class "groupOfUniqueNames" and the entry CN attribute constitutes the group name. Groups embody Zope roles. A user which is part of a "Manager" group will have the "Manager" role after authenticating through the LDAPUserFolder. If you have chosen to store groups inside the user folder itself this setting will be disregarded.

Scope

Choose the depth for all searches from the group search base dn. If you have chosen to store groups inside the user folder itself this setting will be disregarded.

Manager DN and password

All LDAP operations require some form of authentication with the LDAP server. Under normal operation if no separate Manager DN is provided, the LDAPUserFolder will use the current user's DN and password to try and authenticate to the LDAP server. If a Manager DN and password are given, those will be used instead.

Manager DN usage

Specify how the Manager DN (if it has been provided) will be used.

• Never will never apply this DN. If no Manager DN is specified this is the default value. Bind operations use the current user's DN and password if the user is known and an anonymous bind if not. Under normal operation only initial logins are performed without a known current user.
• Always means the Manager DN is used to bind for every single operation on the LDAP server.
• For login data lookup only uses the Manager DN upon user login when the user itself has not been instantiated yet and thus the user's DN is not yet known. Once the user has been instantiated its DN and password are used for binding.

Read-only

Check this box if you want to prevent the LDAPUserFolder from writing to the LDAP directory. This will disable record insertion or modification.

User object classes

Comma-separated list of object classes for user records. Any new user record created through the LDAPUserFolder will carry this list of object classes as its objectClass attribute.

Additional user search filter

Only set this value if you really know what you are doing! You can lock out your users with a faulty value here! The additional user search filter allows the administrator to specify a free-form LDAP filter expression which will be added to the default user search filter. The default user search filter and this additional search filter are combined as an AND expression. Records must satisfy both filters to be found using the various user searches. Any value specified in this field must follow correct LDAP search filter syntax.

User password encryption

This dropdown specifies the encryption scheme used to encrypt a user record userPassword attribute. This scheme is applied to the plaintext password when a user edits the password or when a new user is created. Check your LDAP server to see which encryption schemes it supports, pretty much every server can at least do "crypt" and "SHA".

Default User Roles

All users authenticated from your ldap tree will be given the roles you put into this comma-delimited list. Zope expects all users - anonymous as well as authenticated - to have the role Anonymous.

Apply Changes

Save your configuration changes.