We are using affiliations versus group memberships in our LDAP.  Is there are 
way for this to work without having the group memberships in LDAP set up?


>>> Josh Thompson <> 11/24/2009 11:36 AM >>>
Hash: SHA1


You can set up group memberships in LDAP and have them mirrored in to VCL.  
You'll need to modify two functions in .ht-inc/authmethods/ldapauth.php in 
the web code.

- -find the switch statement toward the bottom of the updateLDAPUser
- -change the EXAMPLE1 case to match the name of your affiliation from the 
affiliation table
- -you'll probably want to rename updateEXAMPLE1Groups to also match your 
- -now, you need to modify the updateEXAMPLE1Groups function
- -where $auth is set, change "EXAMPLE1 LDAP" to match the key in the 
array from conf.php
- -in the "for" loop at the bottom of the function, you'll need to set the 
regular expressions to match what LDAP groups you want mirrored in to VCL
- -the existing examples show three cases:
  -all groups directly under the CourseRolls OU are matched
  -the Students_Enrolled group under the Students OU is matched
  -the Staff group under the IT OU is matched

After making these changes, you should start seeing users automatically get 
added to user groups in VCL as they log in.  If you have a regular expression 
that matches a group in LDAP that you don't already have in VCL, it will be 
automatically created.

A couple of points about this:
- -the groups created/managed through this method do not show up on the Manage 
Groups page because modifying there membership there would take them out of 
sync with LDAP
- -since the groups get created when someone logs in, you cannot grant a group 
access somewhere in VCL until at least one user with that group membership 
has logged in
- -there is a timeout to be aware of: every LDAP user's information is cached 
the VCL database for 24 hours; so, until that timeout expires, the user's 
group memberships in LDAP are not pulled again

Let me know if you need anything clarified.


On Friday November 20, 2009, Kelly Robinson wrote:
> Is there a way for a user to be automatically listed as a member of a user
> group after logging in through LDAP authentication?  I can manually add
> users to a user group through the "Manage Group" section of the VCL
> interface, but is there a more efficient way to automatically give users
> access to resources?
> Kelly
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University 

my GPG/PGP key can be found at
Version: GnuPG v1.4.6 (GNU/Linux)


Reply via email to