Dear Samuele,
Thank you again for the thorough explanation. We were hoping to use
an existing apache groups file (which is already in use by other
systems and services) with normal Invenio users, but I certainly
understand the benefits of controlling everything through the web
interface. One option might be to create a system for automatically
updating Invenio groups based on our apache group file, or
alternatively, updating our apache groups file based on our Invenio
CLEO group. Hopefully I'll be able to work this out myself, but I
would welcome any suggestions you might have.
Thanks again,
Devin
On Jun 26, 2008, at 12:56 PM, Samuele Kaplun wrote:
On Thursday 26 June 2008, Devin Bougie wrote:
While (at the moment) everything with WebAccess seems to be working
properly, I just have one more (probably foolish) question about how
the apache groups work. For example, user "csj6" (using our
W4restrict external authentication) is a member of the "cleo" group
in the CFG_APACHE_GROUP_FILE. Should this make him a part of the
"cleo" role (which contains "allow apache_group "cleo"") or does he
still have to be added to the Invenio CLEO group?
About your question, things with Apache are a bit complex.

You should consider Apache users as a whole different way of
authentication in CDS Invenio.

I'll go into detail even if maybe you already know everything I'm
going to say.

Apache users are explicitly listed in the file pointed to by
CFG_APACHE_PASSWORD_FILE (in invenio.conf), managed with the htpasswd
Apache tool. In practice each row contains a username and a hashed
password.

These users can be connected to Apache groups by means of the file
pointed to by CFG_APACHE_GROUP_FILE (in invenio.conf), which I
understand you're already working on.

Apache users are totally disconnected from normal users (in your case,
W4restrict or CLASSE EDMS (internal)).

In fact you can log in at the same time with an Apache user (by
following some link to a restricted collection that uses a role
implying an Apache group) and with your W4restrict authentication.

That means that if you want to have a user called "csj6" that belongs
to an Apache Group you should add it to the CFG_APACHE_PASSWORD_FILE.
The fact that it is also registered in W4restrict, from the point of
view of the system, is a pure coincidence.

In fact we are supporting apache groups just for historical reasons,
but we would like to move away from this since they can't be
integrated very well in the system. If you're building your system
from scratch you can happily not use apache groups and use instead the
local CDS Invenio groups, which are completely controllable from the
web interface.

In fact your "cleo" role could have just had "allow group "cleo""
without any reference to Apache and this should have been enough. (And
the user "csj6" with W4restrict authentication should have been a
member of the "cleo" Invenio group.)

I'm sorry if I have not been clear. Let me know in case of any other
doubts. For the mailing list I've noticed that today there were some
technical troubles, but for further emails we can use the mailing list
again.
Best regards,
Samuele
--
.O.
..O
OOO
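
The one-way sync Devin proposes (Apache group file to Invenio group), sketched as an added example that is not part of the thread or of Invenio's code. It assumes the standard `group: user1 user2` AuthGroupFile layout; `plan_sync`, `known_accounts` and the sample data are hypothetical, and matching the two identity stores by identical username is an assumption the site must decide to trust, since the systems themselves do not link them.

```python
def parse_apache_groups(text):
    """Parse AuthGroupFile text into {group: set(usernames)}.

    Blank lines and '#' comment lines are skipped; a group that
    appears on several lines accumulates its members.
    """
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            continue  # malformed line: no "group:" prefix
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def plan_sync(apache_members, invenio_members, known_accounts):
    """Plan changes to one Invenio group from one Apache group.

    known_accounts (assumption): usernames that exist as normal
    Invenio accounts, e.g. via external authentication. Apache names
    with no such account are reported, never silently added.
    """
    eligible = apache_members & known_accounts
    return {
        "add": sorted(eligible - invenio_members),
        "remove": sorted(invenio_members - apache_members),
        "unmatched": sorted(apache_members - known_accounts),
    }


# Constructed sample data, not taken from any real system.
SAMPLE_GROUP_FILE = """\
# constructed example group file
cleo: csj6 abc1
cleo: xyz9
other: foo
"""
SAMPLE_INVENIO_CLEO = {"csj6", "old1"}
SAMPLE_KNOWN_ACCOUNTS = {"csj6", "abc1", "old1"}

if __name__ == "__main__":
    cleo = parse_apache_groups(SAMPLE_GROUP_FILE).get("cleo", set())
    print(plan_sync(cleo, SAMPLE_INVENIO_CLEO, SAMPLE_KNOWN_ACCOUNTS))
```

The "remove" list is the part worth reviewing before applying, because it revokes access for anyone who was added to the Invenio group through the web interface but never appeared in the Apache file.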