Posted to user@vcl.apache.org by Jonathon Taylor <jo...@csueastbay.edu> on 2010/02/18 20:04:04 UTC
Default LDAP User Permissions
Hello,
We have LDAP authentication configured. People are able to authenticate and
after authentication I can see an entry in the vcl user table. What options
do we have to configure default permissions? For example, say we wanted all
of our students to be able to check out any image by default. Do groups
defined within VCL for a given affiliation correspond to LDAP groups? Or,
do we have to manually/script adding users to these groups? I noticed that
there is a "global" group for the local affiliation, is this a special
keyword that we can apply to our LDAP affiliation?
On a somewhat related topic, what is the user's email address used for?
Thanks for any help! Sorry for so many questions.
Jonathon Taylor
CSU East Bay
Re: Default LDAP User Permissions
Posted by Jonathon Taylor <jo...@gmail.com>.
Excellent! Thanks for this information. We actually do not have LDAP
groups implemented but have a single-valued field called "affiliation" I can
use to distinguish between students and faculty. I'll give this a shot.
-Jonathon
On Thu, Feb 18, 2010 at 12:52 PM, Josh Thompson <jo...@ncsu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I really need to get this documented...
>
> You need to edit .ht-inc/authmethods/ldapauth.php
>
> The updateLDAPUser function gets called when a user logs in and
> user.lastupdated from the database for that user is > 24 hours old. Toward
> the end of that function, you'll see a switch statement that matches on the
> user's affiliation. There is some example code in place. You just need to
> modify it to meet your needs.
>
> First, change the case for EXAMPLE1 to match your affiliation. Then, change
> the name of the updateEXAMPLE1Groups function to match your affiliation as
> well. Now, you want to modify the newly named function (it's at the bottom
> of the file). Change "EXAMPLE1 LDAP" at the top of the function to match
> what you have for your LDAP entry in conf.php.
>
> Next, you need to figure out what attribute your LDAP server is using to
> present group information for each user. If you are using AD, it is probably
> memberof. If not (I think NDS uses groupmembership), you'll need to change
> all occurrences of 'memberof' in the function to that attribute.
>
> Finally, modify the preg_match statements in the for loop to match whatever
> groups you want automatically mirrored into VCL. In the examples given, all
> groups directly under the "OU=CourseRolls,DC=example1,DC=com" container will
> be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com"
> and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.
>
> A few things to note - the groups won't exist in VCL until someone that is a
> member of the group logs in. After that, you can assign rights to the group
> and everyone else that is a member of the group will automatically have
> whatever rights the group has. This isn't optimal, but I haven't had a
> chance to come up with a good solution yet. What people normally do to deal
> with this is to have a certain user that they add to all groups. Then, to
> get a new group pulled in, they just log in with that user. Another thing to
> note is that these groups don't show up under the Manage Groups portion of
> the site. This is because they are automatically managed and you shouldn't
> be modifying anything about them on that page. The groups will however show
> up anywhere you see a drop-down list for selecting a user group for
> something.
>
> Josh
>
> On Thursday February 18, 2010, Jonathon Taylor wrote:
> > Hello,
> >
> > We have LDAP authentication configured. People are able to authenticate
> > and after authentication I can see an entry in the vcl user table. What
> > options do we have to configure default permissions? For example, say we
> > wanted all of our students to be able to check out any image by default.
> > Do groups defined within VCL for a given affiliation correspond to LDAP
> > groups? Or, do we have to manually/script adding users to these groups? I
> > noticed that there is a "global" group for the local affiliation, is this a
> > special keyword that we can apply to our LDAP affiliation?
> >
> > On a somewhat related topic, what is the user's email address used for?
> >
> > Thanks for any help! Sorry for so many questions.
> >
> > Jonathon Taylor
> > CSU East Bay
> - --
> - -------------------------------
> Josh Thompson
> Systems Programmer
> Advanced Computing | VCL Developer
> North Carolina State University
>
> Josh_Thompson@ncsu.edu
> 919-515-5323
>
> my GPG/PGP key can be found at pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFLfah6V/LQcNdtPQMRAmAdAJ4kMmh86wipCiIhcHsSHREe0pKylQCfcNQq
> Z6/T4ih3kvcNfxHmBCHwUak=
> =bL14
> -----END PGP SIGNATURE-----
>
Re: Default LDAP User Permissions
Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I really need to get this documented...
You need to edit .ht-inc/authmethods/ldapauth.php
The updateLDAPUser function gets called when a user logs in and
user.lastupdated from the database for that user is > 24 hours old. Toward
the end of that function, you'll see a switch statement that matches on the
user's affiliation. There is some example code in place. You just need to
modify it to meet your needs.
First, change the case for EXAMPLE1 to match your affiliation. Then, change
the name of the updateEXAMPLE1Groups function to match your affiliation as
well. Now, you want to modify the newly named function (it's at the bottom
of the file). Change "EXAMPLE1 LDAP" at the top of the function to match
what you have for your LDAP entry in conf.php.
Next, you need to figure out what attribute your LDAP server is using to
present group information for each user. If you are using AD, it is probably
memberof. If not (I think NDS uses groupmembership), you'll need to change
all occurrences of 'memberof' in the function to that attribute.
Finally, modify the preg_match statements in the for loop to match whatever
groups you want automatically mirrored into VCL. In the examples given, all
groups directly under the "OU=CourseRolls,DC=example1,DC=com" container will
be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com"
and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.
A few things to note - the groups won't exist in VCL until someone that is a
member of the group logs in. After that, you can assign rights to the group
and everyone else that is a member of the group will automatically have
whatever rights the group has. This isn't optimal, but I haven't had a
chance to come up with a good solution yet. What people normally do to deal
with this is to have a certain user that they add to all groups. Then, to
get a new group pulled in, they just log in with that user. Another thing to
note is that these groups don't show up under the Manage Groups portion of
the site. This is because they are automatically managed and you shouldn't
be modifying anything about them on that page. The groups will however show
up anywhere you see a drop-down list for selecting a user group for
something.
Josh
On Thursday February 18, 2010, Jonathon Taylor wrote:
> Hello,
>
> We have LDAP authentication configured. People are able to authenticate
> and after authentication I can see an entry in the vcl user table. What
> options do we have to configure default permissions? For example, say we
> wanted all of our students to be able to check out any image by default.
> Do groups defined within VCL for a given affiliation correspond to LDAP
> groups? Or, do we have to manually/script adding users to these groups? I
> noticed that there is a "global" group for the local affiliation, is this a
> special keyword that we can apply to our LDAP affiliation?
>
> On a somewhat related topic, what is the user's email address used for?
>
> Thanks for any help! Sorry for so many questions.
>
> Jonathon Taylor
> CSU East Bay
- --
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
Josh_Thompson@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFLfah6V/LQcNdtPQMRAmAdAJ4kMmh86wipCiIhcHsSHREe0pKylQCfcNQq
Z6/T4ih3kvcNfxHmBCHwUak=
=bL14
-----END PGP SIGNATURE-----
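The group-matching step Josh describes (preg_match over the user's memberof values inside the renamed update...Groups function) and the single-valued "affiliation" attribute Jonathon mentions in his reply, shown as an added, stand-alone PHP example. This is not VCL's own ldapauth.php code: the function names ldapGroupsToVclGroups and affiliationToVclGroup, the $memberOf input and the sample DNs are hypothetical, and only the three example DN patterns from the message are used. It shows one detail worth getting right when you edit the real file: anchoring each pattern with ^ and $ so that a DN from another container or another domain cannot be mirrored into a VCL group by substring match.

```php
<?php
// Added example, not VCL project code. Function and variable names are
// hypothetical; the DN patterns are the three examples from the message.

/**
 * Return the VCL group names a user should be mirrored into, given the
 * DNs from the user's 'memberof' attribute (or 'groupmembership' on NDS).
 * Unmatched DNs are ignored. Accepts the array as returned by
 * ldap_get_entries(), which carries an extra 'count' element.
 */
function ldapGroupsToVclGroups(array $memberOf): array {
    unset($memberOf['count']); // ldap_get_entries() bookkeeping, not a DN

    // Anchored (^ ... $) and case-insensitive: without the anchors,
    // "CN=Staff,OU=IT,DC=example1,DC=com" would also match a DN such as
    // "CN=Staff,OU=IT,DC=example1,DC=com,DC=evil" or any longer DN that
    // merely contains that string.
    $patterns = [
        // any group directly under OU=CourseRolls: exactly one CN component
        '/^CN=([^,]+),OU=CourseRolls,DC=example1,DC=com$/i',
        '/^CN=(Students_Enrolled),OU=Students,DC=example1,DC=com$/i',
        '/^CN=(Staff),OU=IT,DC=example1,DC=com$/i',
    ];

    $groups = [];
    foreach ($memberOf as $dn) {
        foreach ($patterns as $re) {
            if (preg_match($re, $dn, $m)) {
                $groups[] = $m[1];
                break; // first matching pattern wins for this DN
            }
        }
    }
    return array_values(array_unique($groups));
}

/**
 * Variant for a directory with no groups but a single-valued 'affiliation'
 * attribute (Jonathon's case): map the attribute value to a VCL group via
 * an explicit allow-list, so an unexpected value yields no group at all.
 */
function affiliationToVclGroup(string $affiliation): ?string {
    $map = [ // hypothetical values
        'student' => 'Students',
        'faculty' => 'Faculty',
    ];
    return $map[strtolower(trim($affiliation))] ?? null;
}

// Constructed sample in ldap_get_entries() shape (with 'count').
$sample = [
    'count' => 5,
    'CN=CS101_Spring2010,OU=CourseRolls,DC=example1,DC=com',
    'CN=Students_Enrolled,OU=Students,DC=example1,DC=com',
    'CN=Nested,OU=Sub,OU=CourseRolls,DC=example1,DC=com', // not a direct child
    'CN=Staff,OU=IT,DC=example1,DC=com',
    'CN=Staff,OU=IT,DC=other,DC=com',                     // wrong domain
];

print_r(ldapGroupsToVclGroups($sample));
var_dump(affiliationToVclGroup('Student'));
var_dump(affiliationToVclGroup('contractor'));
```

Run it with `php example.php`. Of the five constructed DNs only the first, second and fourth are mirrored; the nested OU and the foreign domain are rejected by the anchors, which is the behaviour you want before these groups start receiving rights through the VCL drop-downs.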