root/CPS3/products/CPSLDAPSetup/tags/1.0.0/README.txt

Revision 35237, 5.0 kB (checked in by ogrisel, 3 years ago)

added missing confirm password field and widget + various doc update

  • Property svn:keywords set to Id
============
CPSLDAPSetup
============

:Revision: $Id$

This package provides a sample LDAP configuration in the form of an extension
profile for CPS 3.4.1.

The main goal of this product is to provide an example of such a configuration
and to ease the setup.

This configuration defines an LDAP server as the main user source. Groups and
roles are stored within the ZODB. All users registered in the members directory
automatically get the 'Member' role (thanks to a read_process_expr in the
members schema).

You may start from this to set up your own configuration.
19
/!\ WARNING /!\
---------------

By importing the profile on an existing CPS Site running with
the (default) ZODB members directory, **you will lose all existing user
data**. This is because the whole members directory has to be
replaced by a different one.
27
28
Configuration
-------------

 - Edit the members_ldap.xml file from profiles/default/directories/
   and adjust the parameters according to your own LDAP server
   configuration.

 - Please consult the other XML files in profiles/default to get the
   details on how the directories will be set up.
38
39
Installation
------------

 - Install the `python-ldap`_ module in the PYTHONPATH of your Zope instance.
   You can check that it is correctly installed by typing ``import ldap`` in a
   Python shell.
 - Extract this product within your Products directory.
 - Restart Zope.
 - Create a CPS Site. *Do not check* the CPS LDAP Setup profile at this point.
 - If you're trying this on an existing CPS Site, make a backup copy
   of the members directory.
 - Go to the portal_setup tool, select the CPS LDAP Setup profile and
   import it.
 - If your LDAP server is read-only, you may also want to additionally import
   the CPS LDAP Setup Readonly profile (see below for more details on the
   read-only setup).

The ldap_utils/ subfolder provides sample configuration files to set up a test
OpenLDAP server. The default setup works out of the box with these. If you use
them, don't forget to change the passwords.
60
61
Structure
---------

The default profile included in this setup replaces the default ``members`` ZODB
directory installed by the CPSDefault base profile with the following compound
structure of directories::

                                members
                                - type:   MetaDirectory
                                - schema: members

                                   |
                 ------------------------------------------
                 |                                        |

         members_stack                            members_cps_fields
         - type:   StackingDirectory              - type:   ZODBDirectory
         - schema: members_ldap                   - schema: members_cps_fields

                 |
       ----------------------------------------------------
       |                                                  |
  members_ldap                                    members_zodb
  - type:   LDAPBackingDirectory                  - type:   ZODBDirectory
  - schema: members_ldap                          - schema: members_ldap

The toplevel meta directory aggregates the attributes defined in the
inetOrgPerson schema, which are handled by the left-hand branch, with those of
the right-hand branch (a single ZODB directory), which stores CPS specific
attributes such as ``homeless``, ``last_login_time`` and any user-defined fields
that do not fit in the inetOrgPerson branch.

The stacking directory is necessary to plug in the LDAPBackingDirectory, since
the toplevel directory is not able to perform primary key (uid <-> dn)
translation. The stacking is also useful to define members in the ZODB that are
not defined in the LDAP server.

The groups and roles are not affected by this setup. They remain stored in the
``groups`` and ``roles`` ZODB directories as defined in the CPSDefault base
profile.

Cross references between the members / groups and members / roles directories
are implemented as computed fields in the members schema.
105
106
Read-only LDAP mode
-------------------

If you want to plug CPS into a read-only LDAP server you should furthermore
import the CPSLDAPSetup "readonly_ldap" extension profile (after having first
applied the CPSLDAPSetup "default" extension profile).

This extension adds a dynamic read-only protection to the fields that are stored
in the LDAP server, to make it explicit to users that they cannot change those
values. CPS specific fields (groups, roles and homeless) can still be changed
(by a Manager) since they do not require LDAP write access.

Furthermore, new members created from CPS are stored in the "members_zodb"
backing instead of "members_ldap".
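The directory stack drawn in the Structure section, together with the write routing of the read-only profile described just above, as an added Python illustration. This is not CPS code: the class names, the ``locate``/``create``/``edit`` methods, ``build_site``, ``try_edit``, the ``uid_filter`` helper and the sample entries (the user ``alice`` under an ``example.org`` base DN) are assumptions chosen to mirror the README's diagram, not the CPSDirectory API.

```python
# Toy model of the README's directory stack (added illustration, not CPS code).

LDAP_FIELDS = ("uid", "cn", "sn", "mail")       # inetOrgPerson branch
CPS_FIELDS = ("homeless", "last_login_time")    # CPS-specific branch
# RFC 4515 escapes for a value placed in a search filter such as (uid=...)
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def uid_filter(uid):
    """Filter a backing would search with to translate a uid into a DN."""
    return "(uid=%s)" % "".join(_FILTER_ESC.get(c, c) for c in uid)

def _part(attrs, fields):
    return {k: v for k, v in attrs.items() if k in fields}

class LDAPBackingDirectory:
    """Simulated LDAP backend keyed by DN; owns the uid <-> dn translation."""
    def __init__(self, base_dn, entries, readonly=False):
        self.base_dn, self.entries, self.readonly = base_dn, dict(entries), readonly
    def uid_to_dn(self, uid):
        # Stands in for a search with uid_filter(uid) under base_dn.
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn
        return None
    def get(self, uid):
        dn = self.uid_to_dn(uid)
        return None if dn is None else dict(self.entries[dn])
    def create(self, uid, attrs):
        if self.readonly:
            raise PermissionError("members_ldap is read-only")
        # A real backing escapes the RDN value (RFC 4514) before building the DN.
        self.entries["uid=%s,%s" % (uid, self.base_dn)] = dict(attrs, uid=uid)
    def edit(self, uid, attrs):
        if self.readonly:
            raise PermissionError("members_ldap is read-only")
        self.entries[self.uid_to_dn(uid)].update(attrs)

class ZODBDirectory(dict):
    """Simulated ZODB directory: a plain id -> attrs mapping, always writable."""
    def create(self, uid, attrs):
        self[uid] = dict(attrs)
    def edit(self, uid, attrs):
        self[uid].update(attrs)

class StackingDirectory:
    """members_stack: first backing that knows the id wins; new ids go to create_in."""
    def __init__(self, backings, create_in):
        self.backings, self.create_in = backings, create_in
    def locate(self, uid):
        for backing in self.backings:
            entry = backing.get(uid)
            if entry is not None:
                return backing, entry
        return None, None
    def create(self, uid, attrs):
        self.create_in.create(uid, attrs)
    def edit(self, uid, attrs):
        backing, _ = self.locate(uid)
        if backing is None:
            raise KeyError(uid)
        backing.edit(uid, attrs)     # PermissionError if the id lives in read-only LDAP

class MetaDirectory:
    """members: merges the inetOrgPerson branch with the CPS-fields branch."""
    def __init__(self, stack, cps_fields, roles):
        self.stack, self.cps_fields, self.roles = stack, cps_fields, roles
    def get(self, uid):
        _, base = self.stack.locate(uid)
        if base is None:
            return None
        entry = dict(base, **self.cps_fields.get(uid, {}))
        # read_process_expr equivalent: every member gets 'Member' plus stored roles
        entry["roles"] = ["Member"] + sorted(self.roles.get(uid, ()))
        return entry
    def create(self, uid, attrs):
        self.stack.create(uid, _part(attrs, LDAP_FIELDS))
        self.cps_fields.create(uid, _part(attrs, CPS_FIELDS))
    def edit(self, uid, attrs):
        ldap_part, cps_part = _part(attrs, LDAP_FIELDS), _part(attrs, CPS_FIELDS)
        if ldap_part:
            self.stack.edit(uid, ldap_part)
        if cps_part:
            self.cps_fields.edit(uid, cps_part)

def build_site(readonly_ldap=False):
    """Wire the stack like the default profile; readonly_ldap mirrors the readonly one."""
    base = "ou=people,dc=example,dc=org"         # constructed sample data
    alice = {"uid": "alice", "cn": "Alice", "sn": "A", "mail": "alice@example.org"}
    ldap = LDAPBackingDirectory(base, {"uid=alice,%s" % base: alice}, readonly_ldap)
    zodb = ZODBDirectory()
    stack = StackingDirectory([ldap, zodb], create_in=zodb if readonly_ldap else ldap)
    return MetaDirectory(stack, ZODBDirectory(alice=dict(homeless=False)), {"alice": ["Manager"]})

def try_edit(meta, uid, attrs):
    # True if the write went through, False if a read-only backing refused it.
    try:
        meta.edit(uid, attrs)
        return True
    except PermissionError:
        return False
```

``build_site()`` wires the default profile, where a member created through the meta directory lands in members_ldap; ``build_site(readonly_ldap=True)`` wires the readonly profile, where the same creation lands in members_zodb, an edit of an LDAP-backed field such as ``mail`` is refused, and a CPS field such as ``homeless`` stays editable. ``uid_filter`` shows the escaping a backing should apply to the id before placing it in the search filter that performs the uid -> dn lookup.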
121
Tuning
------

 - The members_ldap and the ZODB directories are associated with the
   standard RAM Cache Manager sitting at the top of portal_directories.
 - CPSUserFolder comes with its own built-in cache, set to 1s by the
   CPSDefault base profile.
129
Dependencies
------------

 - CPS >= 3.4.1
   http://www.cps-project.org/
 - python-ldap: http://python-ldap.sf.net

.. _python-ldap: http://python-ldap.sf.net