Wiki Page Active Directory Integration


Get to ZMI Screen for your site. 

Login with admin user (password: Whatever you changed it to, from the default of "secret") at http://<siteURL OR IP address>:8080/manage to get ZMI screen


Open up your site (cynin link) and click portal_quickinstaller


Install LDAP Support

Check the product shown and hit the Install button



Go to /cynin/acl_users and add ACL plugin

For Microsoft Active Directory, this must be the Plone Active Directory plugin; for other directory services, the Plone LDAP plugin is the first choice.


Fill in the details for the AD connection...

This is the crucial step and must be done right: without a successful connection the plugin will not install, and all you'll get is an error screen. If you do get an error screen, hit Back in your browser, change whatever needs fixing, and try again.

More details follow in further screenshots.


Get details from your AD

For doing this with MSAD specifically, I recommend the SysInternals tool AD Explorer. You only need a tool to determine the values of the DNs for the AD hookup; if you're well versed with your configuration, just follow along and fill in the appropriate values.

So install AD Explorer, open it, connect to your Active Directory, go to the DC and navigate to the place where you store user data. In an out-of-the-box setup this is typically the container highlighted in the screenshot.


Pick up the base DN and paste

The default AD setup has users and groups in the same container, Users, so right-click the folder, copy the value of Distinguished Name, and paste it into both the Users Base DN and the Groups Base DN fields. Adjust as required if your own setup is different.


Pick up the DN of the Administrator user and paste

The Plone AD plugin will use this user to connect to your AD, so if you're not particular about it, the Administrator user will do (right-click -> Properties on the Administrator user); otherwise substitute any user's DN as appropriate, just make sure that user has at least Read access to the Base DN you selected.

Paste the DN into... you guessed it, the Manager DN field. :)



Fill in the remaining fields

  • Fill in the password for the Manager DN user.
  • Fill in the hostname and port of the AD server in the LDAP Server:port field. The format must be either IPAddress:port (as shown) or hostname:port, as per your needs.
  • Check Read Only unless you want users to be able to modify their AD profile through their profile page.
  • Change the default user roles from Anonymous, Member to just Member.
  • Fill in an ID and a Title. Whatever you put here doesn't really matter, as long as you remember it.


... And hit Save

Depending on whether the information you filled in validates, you'll either get the screen shown below, with your newly added item showing in the list, or an error if the connection to your AD failed. If so, diagnose and adjust accordingly by hitting Back in your browser and changing what's necessary. Passing this step is crucial for the integration to work.
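Before hitting Save, it helps to sanity-check the values offline. The script below is an added example (not code from the original page or from the Plone plugin): it validates the server and DN syntax, flags the settings the tutorial tells you to change, and shows the LDAP filter a user lookup effectively runs once the object classes and any additional search filter are combined. The host, domain and service-account names in SAMPLE_CONFIG are constructed placeholders.

```python
import re
# Constructed sample of the values the tutorial has you type into the
# LDAPUserFolder add form (hypothetical 192.0.2.10 / example.local).
SAMPLE_CONFIG = {
    "server": "192.0.2.10:389",
    "users_base": "CN=Users,DC=example,DC=local",
    "groups_base": "CN=Users,DC=example,DC=local",
    # any account with Read access to the base DNs; a read-only service account is least privilege
    "manager_dn": "CN=svc-cynin-ldap,CN=Users,DC=example,DC=local",
    "default_roles": ["Member"],
    "groupid_attr": "sAMAccountName",
    "user_object_classes": ["organizationalPerson"],
}

# One RDN: a known attribute type, '=', a value (escaped commas not handled).
RDN_RE = re.compile(r"^(CN|OU|DC|O|L|ST|C)=[^,=]+$", re.IGNORECASE)

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs; raise ValueError on a malformed part."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not RDN_RE.match(part):
            raise ValueError("bad RDN %r in %r" % (part, dn))
        attr, value = part.split("=", 1)
        rdns.append((attr.upper(), value))
    return rdns

def user_search_filter(object_classes, extra_filter=""):
    """objectClass OR-ed over the configured classes, AND-ed with the extra filter."""
    clauses = ["(objectClass=%s)" % oc for oc in object_classes]
    oc_part = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    return "(&%s%s)" % (oc_part, extra_filter) if extra_filter else oc_part

def preflight(cfg):
    """Return the problems found in the form values; empty means worth submitting."""
    problems = []
    if not re.match(r"^[\w.-]+:\d{1,5}$", cfg["server"]):
        problems.append("server must be host:port or ip:port")
    for key in ("users_base", "groups_base", "manager_dn"):
        try:
            parse_dn(cfg[key])
        except ValueError as exc:
            problems.append("%s: %s" % (key, exc))
    if "Anonymous" in cfg["default_roles"]:
        problems.append("default roles still contain Anonymous")
    if cfg["groupid_attr"] != "sAMAccountName":
        problems.append("groupid_attr must be exactly sAMAccountName")
    if "organizationalPerson" not in cfg["user_object_classes"]:
        problems.append("user object classes should include organizationalPerson")
    return problems
```

A typo in an attribute type (DN= where DC= was meant) or a leftover Anonymous role is reported before the form is submitted, rather than after the error screen.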


Turn on all the plugin's methods, hit Update


Click the Properties plugin and move it higher in priority

Select the AD plugin


and click the Up arrow to move it up.


Fix the incorrect Group ID Attribute in Properties Tab

Change from groupid_attr = ObjectGUID...


... to groupid_attr = sAMAccountName and hit Save.

Yes, the case of the value is important; you have to type it exactly as shown.


Open the Contents tab

...and then open up the nested acl_users object.


Fix the User Object Classes

Change from pilotPerson, uidObject...


... to organizationalPerson, as shown. Again, case is important.


Check the Groups tab

You should now see all the groups in your AD showing up here. Verify that everything looks OK; don't change anything.


Verify User lookup

Click the Users tab, fill in a known value and choose the appropriate field, and hit Search.


Verify the Search Results


Click a result and ensure correct Group assignment

The user should have appropriate Groups checked as per "belongs to" relationship.


Login should now be working with AD :)


But you still have to do Schema mapping...

The user's full name and email address are not mapped to the user yet. You need to map these properly so that things like notification emails work. Read on...


Go to LDAP Schema tab...

Add displayName as FullName


Add mail as email


Refer to /cynin/portal_metadata and map other fields

Navigate out to /cynin and then to the portal_metadata object. Here you'll see the fields that are currently stored against all users.

Note: Some fields are not wired up yet, use this screen for reference only.

The idea is that you can map things like phone numbers, job titles (designation), etc., by matching these fields against the ones stored and in use in your AD. To add a new mapping, take the field name here, compare it with your AD attribute's name and add a new mapping in the LDAP Schema screen, as shown for displayName and mail. The rest of the fields are left up to you as per your requirements and usage.

  • If you don't map a field, it won't get filled automatically, but your users will be able to use it normally from their edit profile page.
  • If you do map a field, and your AD connection is set to Read Only, then users will not be able to edit it.
  • If you do map a field, and your AD connection is not set to Read Only, then changes users make will be written back to your AD, provided the account you put in the Manager DN field has write permissions.


Clear Cache and revisit

If you, like me, wanted to log in first to see if it works, then you get to visit the Caches tab to purge all caches after you do the schema mapping.

Logins are cached as per the setting in the Caches tab, so that your AD is not looked up constantly. Tweak here only if necessary.

Once you map the schema as above, your People Directory will come pre-populated with the users from your AD, as shown. If you're setting up a complex Space structure, do note that you can map groups from AD to local roles on the Sharing tab of a Space, and it should work fine.


So set yours up; let's see if you can get it to work properly. :)

Let us know if you have any ideas, suggestions about this or if you get stuck in a problem with the AD integration, just post up a new discussion with the details.

A stepwise walkthrough for setting up integrated authentication with MSAD for authentication, group assignment and user schema field synchronization.
Comments (34)
gump103 Nov 09, 2009 05:39 PM
Just wondering if it's possible to configure cynin for SSO as well.
dhiraj Nov 10, 2009 08:08 AM
SSO. Hmm... as you can see with the sites it's definitely possible. It does require quite a bit of varied expertise and know-how, though. SSO setup is a no-no for the easily intimidated. :)

Please start a new discussion topic for this and tell us what you want to accomplish, in as much detail as possible.

For we currently have an SSO between Drupal 6.x, Redmine and
mgarner Dec 15, 2009 10:21 PM
Using MSAD I can only get a handful of users to show up and a portion of my groups.
mgarner Dec 15, 2009 11:34 PM
Problem fixed. My OUs are structured differently from the instructions. I had a sub-OU that all my users are in. I was using this bind (CN=Users,DC=mydomain,DC=us); I switched to this one and it worked: OU=Standard Users,OU=Dept Groups,DC=mydomain,DC=us. Great tutorial BTW.
dhiraj Dec 30, 2009 08:17 AM
Thanks! :)

So you had pointed the Users and Group OUs to the top-level and it was not working fully?

Weird. The normal behavior mode is "SUBTREE" where any matches from any descending structure should be returned, for all queries.

Or was it some other top-level branch of the AD tree altogether?
andrebrown Feb 04, 2010 04:29 AM
I noticed that if I delete an LDAP user account from Cynin, it deletes the account in the LDAP directory. However, if I create an account in Cynin, it doesn't create an account in the LDAP directory. Why does this only work one way?
dhiraj Feb 04, 2010 08:44 AM
Hmmm.... that's easily explained: There is no LDAP user account *create* facility, yet. I do believe I'd seen a plone product that would allow user management - but since we're recommending read-only MSAD ATM, this hasn't been looked into.

The reason that delete works is because knows that it's an AD user and when you administratively ask to delete the user, the choice is either to say not-can-do, or to go ahead and delete it.

In the case of create user, will create a "normal" user, one that it can manage fully, in the internal source_users implementation.
tomasz May 26, 2010 11:06 AM
I use this guide to add OpenLDAP support (our OpenLDAP also acts as domain controller with Samba). I successfully added the Plone OpenLDAP plugin. But when I get to this step, "Fix the incorrect Group ID Attribute in Properties Tab from groupid_attr = ObjectGUID to sAMAccountName", the view from the guide is different from the one I have. So, what file do I edit by hand to change this manually?
tomasz May 26, 2010 11:23 AM
I'm adding the (v313) OpenLDAP plugin. Seems like this guide is for an older version, because the picture for the "Fix the incorrect Group ID Attribute in Properties Tab" step is completely different for v313. What is the other way to change groupid_attr?
amandahla May 31, 2010 07:06 PM
Is "User Object Classes" right? The organizationalPerson doesn't work for me... Any help?
ymhing Jun 08, 2010 04:06 AM
For those that wanted to exclude other objects within the AD, i.e just User profile only, you can put the following at the "Additional user search filter" field : (&(objectCategory=person)(objectClass=user))
pac22 Jun 17, 2010 09:10 PM
Hi, i am running a Test Pilot in our University (UTN) in Campana, Argentina.
I have everything working properly with AD, I wanted to see if he could give access (login) only to a group of AD, such that only group members of GG_CynFRD group can log into Cyn.In

Thanks in advance, Cristian.
ybizeul Jul 29, 2010 09:40 AM
I just noticed a BIG issue, I'd like to know if people using accents have the same issue :
For a user having an accent in his CN, If I look at his properties and the list of groups he belongs to, that's ok.
But if I go to the group properties, I only see users NOT having accents in their name. The effect is that the effective privileges of the user when he logs in ignore this group membership.

That is a very big issue if I'm not alone !
physikal Aug 27, 2010 06:53 PM
My AD structure is as follows:
 > Location1.OU
    > Computers
    > Users
> Location2.OU
    > Computers
    > Users

And so on. So in order to grab all users, I have to enter the root dn. so dc=domain, dc=com. So it is grabbing ALL users. But my problem is it is grabbing all objects, computers, servers, etc. So when browsing the "People" section of it is showing a bunch of computer names and server names. Any way around this?
deadlines Nov 23, 2010 07:49 PM
You would need to either restructure your AD OU's, or use a search filter as ymhing suggests above. Search filters were the one thing I was hoping to see more documentation on. Otherwise, these instructions work great for MSAD.
simeonhiq Mar 09, 2011 04:23 AM
Hi, Just working through this How-To, and I'm at the part 'Fix the incorrect Group ID Attribute in Properties Tab'. My freshly installed copy doesn't show these attributes.

I have only [Optional Prefix] and [title]. I tried adding the attributes in but get an 'Invalid or duplicate property id' error. This suggests that the property does exist, but I just can't see it? I am (admin) so??

Any ideas? Pushing on down the how-to, I can evaluate the list of groups okay, but can't bring back any users.

ldavim May 31, 2011 01:01 PM
I have the same problem as simeonhiq :(
tango Sep 06, 2011 11:48 PM
Thank you very much for the guide.

I have setup as mentioned, under the cynin page (special care not to do it under the root page). I am pretty sure that everything is done as described (tried 5 times), I can query both users and groups successfully without any problems. But when I try to login, cynin says that username or password is incorrect. Somehow it does not get activated on the logon page.

Can you help me on how to diagnose? Cannot find where to look.

fjgsols Sep 29, 2011 10:33 AM
Great write up of the AD install, the "Additional user search filter" field : (&(objectCategory=person)(objectClass=user)) filtered out all the unwanted computer accounts just leaving the users.
huy0007 Oct 21, 2011 08:55 PM
Does anyone know why a user fat finger their password only once and his/her account would be locked out on the first failed attempt when we integrate with AD? Is there a setting to avoid this? Our AD is setup to lock out the account after 3 failed attempts.
dhandler Jan 17, 2012 03:13 PM
I am having an issue with my MS AD groups. After following the directions I am able to query and display the AD users, but get an error when trying to show the groups (I think I have too many?). In my AD, the groups and users are in the same container (CN=USERS,DN=CORP,DN=MyCompany,DN=NET)
Has anybody had a similar problem? Unfortunately, after messing around with it, I completely borked my install and couldn't even log in anymore to get the error details to share, so I did a reinstall. Before I go and start mucking around again, I was looking to see if anybody had a similar experience and how they might have gotten past it. Maybe using the generic LDAP connection instead of the specific AD one.

Thanks in advance.
patmis Apr 12, 2012 12:12 PM
When I want to change something in LDAPUserFolder at /ipo/acl_users/ I get this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Products.LDAPUserFolder.LDAPUserFolder, line 464, in manage_edit
  Module Products.LDAPUserFolder.LDAPDelegate, line 262, in connect
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece', 'desc': 'Invalid credentials'}

Need help!!!!!
bakchy Jul 05, 2012 04:03 PM
Hi there.
I am testing the product, but when I go to address:8080/manage it asks for a password. I tried "siteadmin"/"secret" and tried to create a new user inside cynin to give "admin rights" to him.
No user can auth in this screen. What do I have to do? Any suggestion?

Thanks for help.
amitgupta Aug 25, 2012 08:57 AM
Interesting post. I have been wondering about this issue,so thanks for posting.
tgelhardt Oct 02, 2012 10:31 PM
I followed each step to the point. I have reached the end of the guide and my "People Directory" is still blank. I'm able to log in using AD credentials. I have go back through step by step and everything appears to be set correctly. Please help!
doverton Nov 15, 2012 10:55 PM
tgelhardt, how did you fix the problem? I am having the same issue.
lurch Nov 29, 2012 07:43 AM
Is it possible at all to filter groups?
Our AD has all our security groups in one OU, but I only need a few of them for this and the rest just cause mess.
asankolli Dec 24, 2012 09:57 AM
Our AD structure is defined as follows
 > Location1.OU
    > Computers
    > Users
> Location2.OU
    > Computers
    > Users
> LocationN.OU
    > Computers
    > Users

I can not use the root dn as it has sensitive information. Is there a way to define multiple Location OUs to grab all users?
gr3go1r3 Apr 15, 2013 05:13 PM
Following this tutorial, I'm still facing some trouble with users' email address import from the AD. Basically, it imports the CN and groups but no email address :(
It's a bit strange because under Zope, when I search for a user's info, I do have his email address, displayName, etc.
I put everything I could under /cynin/portal_metadata/properties (CN, mail, etc.)
What could be wrong?
juliom Jan 16, 2014 03:32 AM
I have AD working great, but the problem is now how the heck do I delete a user from Cynin? I remove the user from AD, but they remain on the site in the "people directory" even though they no longer exist. Help? The whole "delete" button is greyed out, and I think that only works when it's a local user, not an AD user.
benny32 Dec 29, 2016 08:28 PM
I get all the way to the part about Change from pilotPerson, uidObject to organizationalPerson and then I get Site Error

An error was encountered while publishing this resource.

Error Value: {'info': '000020D6: SvcErr: DSID-031007DF, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'}. Where am I going wrong here?