Posted to dev@vcl.apache.org by Kelly Robinson <is...@langate.gsu.edu> on 2009/12/02 15:52:45 UTC

Re: Granting User Group Privileges

Josh-

We are using affiliations versus group memberships in our LDAP.  Is there a way for this to work without having the group memberships in LDAP set up?

Kelly


>>> Josh Thompson <jo...@ncsu.edu> 11/24/2009 11:36 AM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

You can set up group memberships in LDAP and have them mirrored into VCL.
You'll need to modify two functions in .ht-inc/authmethods/ldapauth.php in
the web code.

-find the switch statement toward the bottom of the updateLDAPUser function
-change the EXAMPLE1 case to match the name of your affiliation from the
affiliation table
-you'll probably want to rename updateEXAMPLE1Groups to also match your
affiliation
-now, you need to modify the updateEXAMPLE1Groups function
-where $auth is set, change "EXAMPLE1 LDAP" to match the key in the $authMechs
array from conf.php
-in the "for" loop at the bottom of the function, you'll need to set the
regular expressions to match what LDAP groups you want mirrored into VCL
-the existing examples show three cases:
  -all groups directly under the CourseRolls OU are matched
  -the Students_Enrolled group under the Students OU is matched
  -the Staff group under the IT OU is matched

After making these changes, you should start seeing users automatically get 
added to user groups in VCL as they log in.  If you have a regular expression 
that matches a group in LDAP that you don't already have in VCL, it will be 
automatically created.

A couple of points about this:
-the groups created/managed through this method do not show up on the Manage
Groups page because modifying their membership there would take them out of
sync with LDAP
-since the groups get created when someone logs in, you cannot grant a group
access somewhere in VCL until at least one user with that group membership
has logged in
-there is a timeout to be aware of: every LDAP user's information is cached in
the VCL database for 24 hours; so, until that timeout expires, the user's
group memberships in LDAP are not pulled again

Let me know if you need anything clarified.

Josh

On Friday November 20, 2009, Kelly Robinson wrote:
> Is there a way for a user to be automatically listed as a member of a user
> group after logging in through LDAP authentication?  I can manually add
> users to a user group through the "Manage Group" section of the VCL
> interface, but is there a more efficient way to automatically give users
> access to resources?
>
> Kelly
-- 
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu 
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLDAuqV/LQcNdtPQMRAnLSAJ9owreyusP4GzKpnAnCBLrFdr/5WQCdGgrJ
sUcCvqH9qhkZOZVc6RVxkFw=
=rrkM
-----END PGP SIGNATURE-----


Re: Granting User Group Privileges

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

Affiliations in VCL are really just used as a way to know which users and user 
groups belong to an institution.  Affiliations cannot be directly used to 
grant anyone access to anything.  That's what user groups are for.

If you really want to stick with the way you are currently doing things (which 
may lead to further problems down the road), you can do something similar to 
what I mentioned below.  However, instead of having a loop that does a 
regular expression match on each of the user's LDAP groups, you can just 
define a single user group for each affiliation and have the function make 
sure the user is in that group.

For user group management in general, I've just finished writing and 
documenting a python script that interfaces with the XML RPC API to allow for 
user group management from the command line.  More info on it here:

http://cwiki.apache.org/VCL/managegroupspy-remotely-managing-user-groups.html

Josh

On Thursday December 03, 2009, Kelly Robinson wrote:
> We don't currently use group memberships in our LDAP system.  The
> differentiation between whether someone is staff/student/faculty is done
> with the use of affiliations, not group memberships.
-- 
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLGBwvV/LQcNdtPQMRAmfCAJ9BJ/mcYopnONg7vm8Iev6cwCMHpwCaArcp
q7IJ4sPRjyT2ETRakXr8qHg=
=QyBw
-----END PGP SIGNATURE-----
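
The following is an added PHP example and not code from VCL's ldapauth.php or from either poster. It shows the logic the two messages describe: the loop from the November 24 message that tests each of a user's LDAP group DNs against regular expressions for the three cases (everything directly under CourseRolls, Students_Enrolled under Students, Staff under IT) and mirrors the matches into VCL user groups, creating missing ones; and the affiliation-only variant from the reply above, one fixed group per affiliation fed through the same sync step. The base DN, the OU layout, the use of a memberOf-style list of DNs, the "<affiliation> users" naming, and the in-memory array standing in for VCL's user group tables are all assumptions made for illustration.

```php
<?php
// Added example, not VCL's own code. Assumed: base DN, OU layout, a
// memberOf-style list of group DNs, the group-naming convention, and an
// in-memory array standing in for VCL's user group tables.
declare(strict_types=1);

/**
 * Map LDAP group DNs to the VCL group names they should be mirrored as.
 * Each pattern is anchored to the full DN and escapes the base DN, so a
 * group that merely contains "ou=IT" deeper in the tree
 * (e.g. cn=Staff,ou=IT,ou=Sandbox,...) is not mistaken for the IT Staff
 * group. The capture group supplies the VCL group name.
 */
function ldapGroupsToVclGroups(array $memberOf, string $baseDN): array
{
    $base = preg_quote($baseDN, '/');
    $patterns = [
        // every group directly under the CourseRolls OU
        '/^cn=([^,]+),ou=CourseRolls,' . $base . '$/i',
        // only the Students_Enrolled group under the Students OU
        '/^cn=(Students_Enrolled),ou=Students,' . $base . '$/i',
        // only the Staff group under the IT OU
        '/^cn=(Staff),ou=IT,' . $base . '$/i',
    ];

    $groups = [];
    foreach ($memberOf as $dn) {
        foreach ($patterns as $re) {
            if (preg_match($re, trim($dn), $m) === 1) {
                $groups[] = $m[1];
                break; // first matching pattern wins
            }
        }
    }
    return array_values(array_unique($groups));
}

/**
 * Affiliation-only variant: a site without LDAP groups gives every user
 * one group derived from the affiliation VCL already records for them.
 * The "<affiliation> users" naming is an assumption.
 */
function affiliationToVclGroup(string $affiliation): string
{
    return $affiliation . ' users';
}

/**
 * Mirror the computed groups into the store, creating any group that does
 * not exist yet (as the message says VCL does at login). Returns the names
 * that were newly created, which is what an admin needs to know before
 * trying to grant that group access to anything.
 */
function syncUserGroups(array &$store, string $user, array $groups): array
{
    $created = [];
    foreach ($groups as $g) {
        if (!isset($store[$g])) {
            $store[$g] = [];
            $created[] = $g;
        }
        if (!in_array($user, $store[$g], true)) {
            $store[$g][] = $user;
        }
    }
    return $created;
}

// Constructed sample input standing in for one user's memberOf values.
$baseDN = 'dc=example,dc=edu';
$memberOf = [
    'cn=CSC226-001,ou=CourseRolls,dc=example,dc=edu',      // matched
    'cn=Students_Enrolled,ou=Students,dc=example,dc=edu',  // matched
    'cn=Alumni,ou=Students,dc=example,dc=edu',             // not matched
    'cn=Staff,ou=IT,dc=example,dc=edu',                    // matched
    'cn=Staff,ou=IT,ou=Sandbox,dc=example,dc=edu',         // not matched: anchored
    'cn=Staff,ou=Library,dc=example,dc=edu',               // not matched: wrong OU
];

$store = [];
$groups = ldapGroupsToVclGroups($memberOf, $baseDN);
$created = syncUserGroups($store, 'jdoe', $groups);
echo "groups:  " . implode(', ', $groups) . "\n";
echo "created: " . implode(', ', $created) . "\n";

// Affiliation-only site: the same sync step with a single fixed group.
$created = syncUserGroups($store, 'asmith', [affiliationToVclGroup('EXAMPLE1')]);
echo "created: " . implode(', ', $created) . "\n";
```

The detail worth carrying into the real updateEXAMPLE1Groups loop is the anchoring: a pattern like /ou=IT/ without ^ and $ and without escaping the base DN would also match groups living in any other part of the directory that happens to contain that RDN, including places where ordinary users may be able to create objects. Because of the 24-hour cache described in the message, a changed pattern only takes effect for a given user once their cached record expires and their LDAP groups are pulled again.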

Re: Granting User Group Privileges

Posted by Kelly Robinson <is...@langate.gsu.edu>.
We don't currently use group memberships in our LDAP system.  The differentiation between whether someone is staff/student/faculty is done with the use of affiliations, not group memberships.

>>> Josh Thompson <jo...@ncsu.edu> 12/03/2009 9:40 AM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

Can you explain this a little further?  I don't understand what you mean that 
you are using affiliations instead of group memberships.

Thanks,
Josh



Re: Granting User Group Privileges

Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

Can you explain this a little further?  I don't understand what you mean that 
you are using affiliations instead of group memberships.

Thanks,
Josh

On Wednesday December 02, 2009, Kelly Robinson wrote:
> Josh-
>
> We are using affiliations versus group memberships in our LDAP.  Is there
> a way for this to work without having the group memberships in LDAP set
> up?
>
> Kelly
-- 
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLF83RV/LQcNdtPQMRAli0AJ9yuPBu4b+nqagru+Vn3YSuzaJyTQCffQDM
IgIqkqzAnX89S3nmUmuoMmI=
=7YtQ
-----END PGP SIGNATURE-----