Josh - We are using affiliations versus group memberships in our LDAP. Is there a way for this to work without having the group memberships in LDAP set up?
Kelly

>>> Josh Thompson <josh_thomp...@ncsu.edu> 11/24/2009 11:36 AM >>>

Kelly,

You can set up group memberships in LDAP and have them mirrored into VCL. You'll need to modify two functions in .ht-inc/authmethods/ldapauth.php in the web code.

- find the switch statement toward the bottom of updateLDAPUser
- change the EXAMPLE1 case to match the name of your affiliation from the affiliation table
- you'll probably want to rename updateEXAMPLE1Groups to also match your affiliation
- now, you need to modify the updateEXAMPLE1Groups function
- where $auth is set, change "EXAMPLE1 LDAP" to match the key in the $authMechs array from conf.php
- in the "for" loop at the bottom of the function, you'll need to set the regular expressions to match what LDAP groups you want mirrored into VCL
- the existing examples show three cases:
  - all groups directly under the CourseRolls OU are matched
  - the Students_Enrolled group under the Students OU is matched
  - the Staff group under the IT OU is matched

After making these changes, you should start seeing users automatically get added to user groups in VCL as they log in. If you have a regular expression that matches a group in LDAP that you don't already have in VCL, it will be automatically created.

A couple of points about this:

- the groups created/managed through this method do not show up on the Manage Groups page because modifying their membership there would take them out of sync with LDAP
- since the groups get created when someone logs in, you cannot grant a group access somewhere in VCL until at least one user with that group membership has logged in
- there is a timeout to be aware of: every LDAP user's information is cached in the VCL database for 24 hours; so, until that timeout expires, the user's group memberships in LDAP are not pulled again

Let me know if you need anything clarified.
Josh

On Friday November 20, 2009, Kelly Robinson wrote:
> Is there a way for a user to be automatically listed as a member of a user
> group after logging in through LDAP authentication? I can manually add
> users to a user group through the "Manage Group" section of the VCL
> interface, but is there a more efficient way to automatically give users
> access to resources?
>
> Kelly

--
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
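As an added example (not VCL's own code and not part of Josh's message): a stand-alone PHP helper that expresses the three matching cases from the reply as anchored regular expressions over a user's group DNs and returns the VCL group names to mirror. The base DN, the OU names, the use of the memberOf attribute and the helper names are assumptions; VCL's real updateEXAMPLE1Groups loop is not reproduced here.

```php
<?php
// Hypothetical base DN that your group DNs end with; adjust to your directory.
define('EXAMPLE_BASE_DN', 'dc=example,dc=edu');

/**
 * Patterns in the spirit of the "for" loop in updateEXAMPLE1Groups.
 * Every regex is anchored with ^ and $, and the base DN goes through
 * preg_quote() so the dots in the domain are literal. Keeping the patterns
 * this tight matters because any LDAP group a regex matches is auto-created
 * in VCL and can then be granted access; an unanchored pattern would pull in
 * far more groups than intended. The capture group becomes the VCL group name.
 */
function ldapGroupPatterns($baseDn) {
    $b = preg_quote($baseDn, '/');
    return array(
        // case 1: every group directly under the CourseRolls OU
        '/^cn=([^,]+),ou=CourseRolls,' . $b . '$/i',
        // case 2: only the Students_Enrolled group under the Students OU
        '/^cn=(Students_Enrolled),ou=Students,' . $b . '$/i',
        // case 3: only the Staff group under the IT OU
        '/^cn=(Staff),ou=IT,' . $b . '$/i',
    );
}

/**
 * Given the group DNs returned for a user (assumed here to come from the
 * memberOf attribute), return the VCL group names that should be mirrored.
 * DNs matching no pattern are ignored, so they are never created in VCL.
 */
function groupsToMirror(array $memberOf, $baseDn = EXAMPLE_BASE_DN) {
    $mirror = array();
    foreach ($memberOf as $dn) {
        foreach (ldapGroupPatterns($baseDn) as $re) {
            if (preg_match($re, trim($dn), $m)) {
                $mirror[] = $m[1];
                break;
            }
        }
    }
    return array_values(array_unique($mirror));
}

// Constructed sample memberOf values for one user.
$sample = array(
    'cn=CSC116-001,ou=CourseRolls,dc=example,dc=edu',
    'cn=Students_Enrolled,ou=Students,dc=example,dc=edu',
    'cn=Alumni,ou=Students,dc=example,dc=edu',               // not in the allowed set
    'cn=Staff,ou=IT,dc=example,dc=edu',
    'cn=CSC116-001,ou=Old,ou=CourseRolls,dc=example,dc=edu', // nested, not "directly under"
);
print_r(groupsToMirror($sample));
```

Because the 24-hour cache described above means a bad pattern keeps its effect until the user's cached record expires, it is worth running a helper like this against a few real DNs before putting the patterns into ldapauth.php.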