
Overview - ADSGroupsFolder

A Zope Product that retrieves Windows 2000/2003 groups from your Active Directory server and makes them available as Zope Roles

Description

This Product uses the win32com.client python methods to retrieve groups from a Microsoft Active Directory server domain and present them in the Zope Management Interface as Zope roles. When used in conjunction with an exUserFolder with an ADS AuthSource, all AD users are imported and are automatically assigned the Zope roles of the AD groups to which they belong. You can also just add a user to a standard user folder with the same name as a user in the Active Directory and the AD groups of which the user is a member will be assigned to that user in Zope. An administrator can then assign Zope permissions to AD groups in the Zope Management Interface, and then members of AD groups will receive those Zope permissions when accessing Zope pages/web applications.

Requirements

Optional Products

Although an exUserFolder is not required for ADSGroupsFolder to work, if you have one installed in your CMF/Plone site, all of your Active Directory users will automatically become members of your site.

This Product has been tested only with the Products and versions listed above. It may also work with other versions of Zope, but has not been tested. Your mileage may vary.

Download

Get the most current version at the ADSGroupsFolder package site

Installation

  • Install Python 2.1.3 (yes, I know Zope comes with Python, but I have figured out how to get the win32client modules to show up correctly with just Zope installed). Any pointers on how to fix this issue are welcome.
  • Install win32all for Python 2.1.3
  • Unzip ADSGroupsFolder into lib\python\Products in the root of your Zope installation
  • Restart Zope
  • Log in to the ZMI, navigate to the Root Folder, and in the Select type to add... drop-down box, choose ADS Groups Folder
  • Fill in the appropriate information for your Active Directory domain:
    • Folder Name - should be ADSGroupsFolder already
    • LDAP Domain - the DNS domain name for your AD domain (e.g. mydomain.com)
    • Base DN - the container from which to start searching for groups (e.g. cn=Users,dc=mydomain,dc=com)
    • Group Search Filter - this is * by default, which will return all groups in the search container (and all subfolders if Subtree is the search scope). If you would like to limit the search to only certain groups, input the proper filter (e.g. A* will only return groups in your Active Directory that begin with the letter A).
    • LDAP Search Scope - Subtree, or One Level. If Subtree is selected, all containers and sub-containers in the Base DN container will be searched for groups. If One Level is selected, only containers at the same level as the Base DN container will be searched.
    • Click the Add ADS Groups Folder button

Once the folder has been added you can click on any object's Security tab to make sure that the folder is working correctly. You should see the standard Zope roles along with any groups that begin with Domain* (Domain Admins, Domain Users, etc) and any groups returned by the options that you specified when adding the ADSGroupsFolder.

If the folder is working properly, you can now add a user to your acl_users folder with the same username as a user in the Active Directory. When you click on the user to modify it, if the user is a member of any of the groups that were returned by the ADSGroupsFolder, those roles will be highlighted and any permissions that you specified for that AD group/Zope role will be enforced upon that user.

If you want the AD user to be a Zope Manager, or Zope Reviewer, (or any other Zope role), add a group in Active Directory of the same name and add that user to that group in the Active Directory Users and Computers tool. For example, if you have a user called djflux in your AD and you want him to be a Zope Manager, create a group called Manager in your Active Directory and add djflux to the Manager group in AD. Now djflux is a Zope Manager.
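Because role assignment follows the group name alone, any AD group named after a Zope role inside the searched containers confers that role. The following is an added example, not code from ADSGroupsFolder: it models the Base DN, filter and scope settings over a constructed group list and reports groups whose names equal a privileged Zope role so they can be reviewed. The sample groups, the `ou=Staff` base, and the scope semantics (One Level meaning directly inside the Base DN, Domain* groups subject to the same scope) are assumptions.

```python
from fnmatch import fnmatchcase

# Zope's built-in privileged roles, plus Reviewer, which the page mentions.
PRIVILEGED_ZOPE_ROLES = {"Manager", "Owner", "Reviewer"}

# Constructed sample data: (group name, distinguished name).
SAMPLE_GROUPS = [
    ("Accounting", "CN=Accounting,OU=Staff,DC=mydomain,DC=com"),
    ("Domain Web Editors", "CN=Domain Web Editors,OU=Staff,DC=mydomain,DC=com"),
    ("Manager", "CN=Manager,OU=Contractors,OU=Staff,DC=mydomain,DC=com"),
    ("Reviewer", "CN=Reviewer,OU=Lab,DC=mydomain,DC=com"),
]
BASE_DN = "ou=Staff,dc=mydomain,dc=com"  # hypothetical Base DN


def in_scope(dn, base_dn, scope):
    """Assumed semantics: 'subtree' = anywhere under base_dn, 'onelevel' = directly in it."""
    base = base_dn.lower()
    parent = dn.split(",", 1)[1].lower()  # naive split: no escaped commas in sample DNs
    if scope == "onelevel":
        return parent == base
    return parent == base or parent.endswith("," + base)


def exposed_groups(groups, base_dn, group_filter="*", scope="subtree"):
    """(name, dn) pairs that the given folder settings would surface as Zope roles."""
    result = []
    for name, dn in groups:
        if not in_scope(dn, base_dn, scope):
            continue
        lowered = name.lower()
        # Per the page, Domain* groups are listed in addition to filter matches.
        if fnmatchcase(lowered, group_filter.lower()) or lowered.startswith("domain"):
            result.append((name, dn))
    return sorted(result)


def privileged_collisions(groups, base_dn, group_filter="*", scope="subtree"):
    """Exposed groups whose name equals a privileged Zope role (role names are case-sensitive)."""
    return [(name, dn)
            for name, dn in exposed_groups(groups, base_dn, group_filter, scope)
            if name in PRIVILEGED_ZOPE_ROLES]


if __name__ == "__main__":
    for name, dn in privileged_collisions(SAMPLE_GROUPS, BASE_DN):
        print("review membership and ownership of:", name, "->", dn)
```

With the default `*` filter and Subtree scope, the `Manager` group in the nested Contractors container is reported; narrowing the scope or the filter removes it from the roles Zope would see.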

Known Issues

  • Currently ADSGF is an all-or-nothing proposition (i.e. you can't just install one in a CMF/Plone site and have it only work there).
  • The ADSGroupsFolder has to be installed at the root of your Zope installation.
  • When used in conjunction with an exUserFolder and ADS4XUF, please specify either a null or ZODB BTree Property Source. I've received maximum recursion depth errors when using exUserFolder with a portal_memberdata Property Source wrapper. This issue seems to be related to cmfPropSource according to a Google search.

Credits

My thanks go out to these gentlemen for their help and inspiration.

Comment

Can you explain something for me?

Posted by: danch at 2004-02-12

I already did everything following your instructions, but when I start my Zope it always has an error. Can you explain it for me?

My error: File: d:\..\ADSGroupsFolder\com.py, line 1, in ? ImportError: No module named pythoncom

I start my Zope service by command in Windows 2000 Advanced Server, Service Pack 4. Thank you.

Comment

Zope and ADS

Posted by: natalieharris at 2004-05-27

I have followed all the instructions listed above (to the best of my knowledge) but cannot seem to add the ADSGroupsFolder to my Zope installation. When I add the folder, I receive a "com_error" stating that the "Table does not exist". I also receive this error every time that I attempt to access the ZMI now.

Have you any idea what I may be doing wrong? This is my first attempt to connect a Zope installation to ADS and I am quite new to Win Server also.

regards

Natalie Harris