Posted to user@vcl.apache.org by Jonathon Taylor <jo...@csueastbay.edu> on 2010/02/18 20:04:04 UTC

Default LDAP User Permissions

Hello,

We have LDAP authentication configured.  People are able to authenticate and
after authentication I can see an entry in the vcl user table.  What options
do we have to configure default permissions?  For example, say we wanted all
of our students to be able to check out any image by default.  Do groups
defined within VCL for a given affiliation correspond to LDAP groups?  Or,
do we have to manually/script adding users to these groups?  I noticed that
there is a "global" group for the local affiliation, is this a special
keyword that we can apply to our LDAP affiliation?

On a somewhat related topic, what is the user's email address used for?

Thanks for any help!  Sorry for so many questions.

Jonathon Taylor
CSU East Bay

Re: Default LDAP User Permissions

Posted by Jonathon Taylor <jo...@gmail.com>.
Excellent!  Thanks for this information.  We actually do not have LDAP
groups implemented but have a single-valued field called "affiliation" I can
use to distinguish between students and faculty.  I'll give this a shot.

-Jonathon

On Thu, Feb 18, 2010 at 12:52 PM, Josh Thompson <jo...@ncsu.edu>wrote:

Re: Default LDAP User Permissions

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I really need to get this documented...

You need to edit .ht-inc/authmethods/ldapauth.php

The updateLDAPUser function gets called when a user logs in and 
user.lastupdated from the database for that user is > 24 hours old.  Toward 
the end of that function, you'll see a switch statement that matches on the 
user's affiliation.  There is some example code in place.  You just need to 
modify it to meet your needs.

First, change the case for EXAMPLE1 to match your affiliation.  Then, change 
the name of the updateEXAMPLE1Groups function to match your affiliation as 
well.  Now, you want to modify the newly named function (it's at the bottom 
of the file).  Change "EXAMPLE1 LDAP" at the top of the function to match 
what you have for your LDAP entry in conf.php.

Next, you need to figure out what attribute your LDAP server is using to 
present group information for each user.  If you are using AD, it is probably 
memberof.  If not (I think NDS uses groupmembership), you'll need to change 
all occurrences of 'memberof' in the function to that attribute.

Finally, modify the preg_match statements in the for loop to match whatever 
groups you want automatically mirrored into VCL.  In the examples given, all 
groups directly under the "OU=CourseRolls,DC=example1,DC=com" container will 
be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com" 
and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.

A few things to note - the groups won't exist in VCL until someone that is a 
member of the group logs in.  After that, you can assign rights to the group 
and everyone else that is a member of the group will automatically have 
whatever rights the group has.  This isn't optimal, but I haven't had a 
chance to come up with a good solution yet.  What people normally do to deal 
with this is to have a certain user that they add to all groups.  Then, to 
get a new group pulled in, they just log in with that user.  Another thing to 
note is that these groups don't show up under the Manage Groups portion of 
the site.  This is because they are automatically managed and you shouldn't 
be modifying anything about them on that page.  The groups will however show 
up anywhere you see a drop-down list for selecting a user group for 
something.

Josh

On Thursday February 18, 2010, Jonathon Taylor wrote:
> Hello,
>
> We have LDAP authentication configured.  People are able to authenticate
> and after authentication I can see an entry in the vcl user table.  What
> options do we have to configure default permissions?  For example, say we
> wanted all of our students to be able to check out any image by default. 
> Do groups defined within VCL for a given affiliation correspond to LDAP
> groups?  Or, do we have to manually/script adding users to these groups?  I
> noticed that there is a "global" group for the local affiliation, is this a
> special keyword that we can apply to our LDAP affiliation?
>
> On a somewhat related topic, what is the user's email address used for?
>
> Thanks for any help!  Sorry for so many questions.
>
> Jonathon Taylor
> CSU East Bay
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLfah6V/LQcNdtPQMRAmAdAJ4kMmh86wipCiIhcHsSHREe0pKylQCfcNQq
Z6/T4ih3kvcNfxHmBCHwUak=
=bL14
-----END PGP SIGNATURE-----
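The matching step Josh describes, as an added example that is not part of the thread and not VCL's own code: it takes one LDAP entry in the shape ldap_get_entries() returns and applies the three example patterns to each value of the group attribute, returning the group names that should be mirrored into VCL. The function name mirroredGroupNames, the GROUP_ATTR constant, the /i flag (assumed because Active Directory compares DNs case-insensitively) and the sample entry are all mine; the hand-off of the returned names to VCL's group tables, which the real updateXXXGroups function does next, is left out. The point worth checking in your own patterns is that they are anchored at both ends: an unanchored pattern for OU=CourseRolls would also match groups nested one OU deeper, and "CN=Staff" without the trailing comma would also match "CN=Staff2", silently granting the wrong VCL group.

```php
<?php
// Added example (not VCL code): mirror LDAP group DNs into VCL group names.
// Run stand-alone: php mirror_groups.php

// Attribute carrying group membership: 'memberof' on AD; Josh's message notes
// that NDS uses 'groupmembership'. Change this to match your directory.
define('GROUP_ATTR', 'memberof');

// Patterns for the groups to mirror. Each one is anchored with ^ and $ so it
// must match the whole DN: only groups directly under OU=CourseRolls match,
// and a CN that merely starts with "Staff" (e.g. "Staff2") does not.
// The first capture group becomes the VCL group name.
$GROUP_PATTERNS = array(
    '/^CN=([^,]+),OU=CourseRolls,DC=example1,DC=com$/i',
    '/^CN=(Students_Enrolled),OU=Students,DC=example1,DC=com$/i',
    '/^CN=(Staff),OU=IT,DC=example1,DC=com$/i',
);

/**
 * Return the VCL group names implied by one user's LDAP entry.
 *
 * $entry is one element of the array returned by ldap_get_entries(): attribute
 * names are lowercased and a multi-valued attribute has a 'count' key plus
 * numeric indexes 0..count-1.  $patterns is a list of anchored preg_match
 * patterns whose first capture group is the group name.
 */
function mirroredGroupNames(array $entry, array $patterns) {
    $names = array();
    if (!isset($entry[GROUP_ATTR]['count'])) {
        return $names;                        // user belongs to no groups
    }
    for ($i = 0; $i < $entry[GROUP_ATTR]['count']; $i++) {
        $dn = $entry[GROUP_ATTR][$i];
        foreach ($patterns as $re) {
            if (preg_match($re, $dn, $m)) {
                $names[] = $m[1];
                break;                        // first matching pattern wins
            }
        }
    }
    // A user can be in several groups that map to one name; de-duplicate.
    return array_values(array_unique($names));
}

// Constructed sample entry (not real directory data), in the shape that
// ldap_get_entries() produces for a single user.  The comments give the
// expected outcome for each value.
$sampleEntry = array(
    'memberof' => array(
        'count' => 6,
        0 => 'CN=CS101-Spring2010,OU=CourseRolls,DC=example1,DC=com',            // mirrored
        1 => 'CN=CS101-Old,OU=Archive,OU=CourseRolls,DC=example1,DC=com',        // nested OU: not mirrored
        2 => 'CN=Students_Enrolled,OU=Students,DC=example1,DC=com',              // mirrored
        3 => 'cn=Staff,ou=IT,dc=example1,dc=com',                                // mirrored (case-insensitive)
        4 => 'CN=Staff2,OU=IT,DC=example1,DC=com',                               // CN prefix only: not mirrored
        5 => 'CN=Domain Users,CN=Users,DC=example1,DC=com',                      // not in any pattern
    ),
);

print_r(mirroredGroupNames($sampleEntry, $GROUP_PATTERNS));
// Expected: CS101-Spring2010, Students_Enrolled, Staff
```

In the real ldapauth.php function the values come from an ldap_search() for the logging-in user rather than from an inline array, and the returned names are then looked up or created under the user's affiliation and written to the user's group memberships; that part depends on VCL's own helpers and is deliberately not reproduced here. The case-insensitive flag is a choice for Active Directory; on a directory that treats DN components case-sensitively, drop it so that the VCL group name keeps exactly the case the directory uses.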