[Grok-dev] LDAP authentication and groups

Jens Adner j.adner at fh-sm.de
Thu Aug 6 11:37:33 EDT 2009


Good question!

I use the IPrincipalCreated event in this way:

def update_principal_info_from_ldap(event):
    principal = event.principal
    app = grok.getSite()

    prm = IPrincipalRoleManager(app)
    # str.find() returns -1 (truthy) when 'ldap' is absent, so test membership instead
    if 'ldap' in principal.id:
        ## get ldap groups and extend principal groups:
            filter="(&(objectclass=groupOfNames)(member=uid=%s,*))" %
            (principal.id.split('.')[-1]),attrs=['cn','ou'] )
        for x in results:


No idea if this is the best way to do that. But it works for me.

The problem is that the event fires for every view the user accesses, so
an LDAP connection with a search is opened for every view.

On a heavily frequented website this could be a problem.

Hope this helps you a little.

Bye Jens

Jeroen Michiel wrote:
> Hi, 
> I'm trying to authenticate against our Active Directory server using LDAP.
> I got authentication going with ldappas and ldapadapter.
> Now I want to assign roles and permissions based on the Groups the user is a
> member of, as configured in the Active Directory server (so administration
> remains centralized in the AD server). What is the best approach to this?
> Should I 
> * subscribe to the IPrincipalCreated event and then get the auth plugin via
> the authentication attribute of the event and search with the appropriate
> ldap identifiers and add the found groups to the groups attribute (perhaps
> with a prefix)?
> * create my own PrincipalFactory and do the stuff in there?
> * Don't use the AD groups, but implement my own in my server, ending up with
> decentralized administration.
> * ...
> Any help or ideas appreciated!

++++++++ Jens Adner IuK-Zentrum Fachhochschule Schmalkalden +++++++++
++++++++ Fon: +49 3683688 9201  Fax: +49 3683688 989201     +++++++++
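
An added example, not code from this thread or from Grok: the group filter from the reply above with the uid escaped per RFC 4515, so a crafted principal id cannot alter the filter, plus a short-lived cache so the search does not run on every view. The `search` callable, the class and function names and the 300-second TTL are assumptions; the TTL is also how long a removed group membership can stay in effect.

```python
import time

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29',
                   '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a string so it is only ever a literal inside an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(principal_id):
    """Build the filter shown in the post, with the uid part escaped."""
    uid = principal_id.split('.')[-1]
    return ('(&(objectclass=groupOfNames)(member=uid=%s,*))'
            % escape_filter_value(uid))


class CachedGroupLookup(object):
    """Remember each principal's groups for ttl seconds."""

    def __init__(self, search, ttl=300, clock=time.time):
        # search is a hypothetical callable: filter string -> list of group cn
        self._search = search
        self._ttl = ttl
        self._clock = clock
        self._cache = {}  # principal id -> (expiry time, tuple of groups)

    def groups_for(self, principal_id):
        now = self._clock()
        hit = self._cache.get(principal_id)
        if hit is not None and hit[0] > now:
            return hit[1]  # still fresh: no LDAP round trip
        groups = tuple(self._search(group_filter(principal_id)))
        self._cache[principal_id] = (now + self._ttl, groups)
        return groups

    def forget(self, principal_id):
        """Drop one entry when a group change must apply immediately."""
        self._cache.pop(principal_id, None)
```
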
