I am currently trying to authenticate a Plone instance against Univention Corporate Server (Samba 4). The plugin pas.plugins.ldap is in buildout and added to the site. If I try to set the UCS Master as LDAP-Server I get:

ERROR: Server Down

Plone is started with bin/instance fg and is set to debug output. In that output is the following:

DEBUG pas.plugins.ldap authenticateCredentials: retry wait 77.72301 of 300s -> {'info': '00002020: Operation unavailable without authentication', 'desc': 'Operations error'}

If I use a bogus user I get:

ERROR: LDAP users; {'info': 'Simple Bind Failed: NT_STATUS_LOGON_FAILURE', 'desc': 'Invalid credentials'}

So apparently the Server is answering and the user is correct. What did I do wrong here?

1 Answer

My name is Marcel and I am an IT Systems Integrator Apprentice at Univention. First of all, nice to hear that you use UCS.

Let me analyze your problem:

DEBUG pas.plugins.ldap authenticateCredentials: retry wait 77.72301 of 300s -> {'info': '00002020: Operation unavailable without authentication', 'desc': 'Operations error'}

UCS does not allow anonymous access to the LDAP. An authentication of an LDAP user is necessary. Check our manuals for further information.

ERROR: LDAP users; {'info': 'Simple Bind Failed: NT_STATUS_LOGON_FAILURE', 'desc': 'Invalid credentials'}

This error says that your LDAP user or bind user has no credentials to grant access to the LDAP.

In our external Wiki we have an article that describes how to create an LDAP bind user: http://wiki.univention.com/index.php?title=Cool_Solution_-_LDAP_search_user

Furthermore, check if your Plone instance can ping your UCS system.

Last but not least, check your LDAP config, especially the syntax, on your Plone instance. (Further information: http://wiki.univention.com/index.php?title=Cool_Solution_-_LDAP_search_user#LDAP_attributes_and_values)

I hope I could help you; if not, please let me know.

Best regards, Marcel
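
A small triage helper for the error dictionaries quoted in this thread, as an added example that is not part of the original question or answer. It pulls the `info`/`desc` dictionary out of each log line and separates "the directory refused an unauthenticated operation" from "the bind DN or password was rejected"; the function names, category labels and hint texts are assumptions chosen for illustration.

```python
import ast
import re

# Log lines exactly as quoted in the question above.
SAMPLE_LOG = [
    "DEBUG pas.plugins.ldap authenticateCredentials: retry wait 77.72301 of 300s -> "
    "{'info': '00002020: Operation unavailable without authentication', "
    "'desc': 'Operations error'}",
    "ERROR: LDAP users; {'info': 'Simple Bind Failed: NT_STATUS_LOGON_FAILURE', "
    "'desc': 'Invalid credentials'}",
    "ERROR: Server Down",
]

# Hypothetical category labels mapped to a hint for the administrator.
HINTS = {
    "bind-required": "Directory rejects unauthenticated operations: "
                     "configure a bind DN and password for the plugin.",
    "bad-credentials": "The bind itself failed: verify the bind DN and its password.",
    "no-detail": "No LDAP error dictionary in this line: look at the debug log.",
    "other": "LDAP error not covered by this helper.",
}

DICT_RE = re.compile(r"\{.*\}")


def parse_ldap_error(line):
    """Return the {'info': ..., 'desc': ...} dict embedded in a log line, or None."""
    match = DICT_RE.search(line)
    if not match:
        return None
    try:
        value = ast.literal_eval(match.group(0))  # literals only, never eval()
    except (ValueError, SyntaxError):
        return None
    return value if isinstance(value, dict) else None


def classify(line):
    """Map one log line to a category key of HINTS."""
    err = parse_ldap_error(line)
    if err is None:
        return "no-detail"
    info, desc = str(err.get("info", "")), str(err.get("desc", ""))
    if info.startswith("00002020") or "without authentication" in info:
        return "bind-required"
    if "NT_STATUS_LOGON_FAILURE" in info or desc == "Invalid credentials":
        return "bad-credentials"
    return "other"


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        category = classify(entry)
        print(f"{category:16} {HINTS[category]}")
```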