-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

Can you explain this a little further?  I don't understand what you mean that 
you are using affiliations instead of group memberships.

Thanks,
Josh

On Wednesday December 02, 2009, Kelly Robinson wrote:
> Josh-
>
> We are using affiliations versus group memberships in our LDAP.  Is there
> a way for this to work without having the group memberships in LDAP set
> up?
>
> Kelly
>
> >>> Josh Thompson <josh_thomp...@ncsu.edu> 11/24/2009 11:36 AM >>>
>
> Kelly,
>
> You can set up group memberships in LDAP and have them mirrored in to VCL.
> You'll need to modify two functions in .ht-inc/authmethods/ldapauth.php in
> the web code.
>
> -find the switch statement toward the bottom of the updateLDAPUser
> -change the EXAMPLE1 case to match the name of your affiliation from the
> affiliation table
> -you'll probably want to rename updateEXAMPLE1Groups to also match your
> affiliation
> -now, you need to modify the updateEXAMPLE1Groups function
> -where $auth is set, change "EXAMPLE1 LDAP" to match the key in the
> $authMechs array from conf.php
> -in the "for" loop at the bottom of the function, you'll need to set the
> regular expressions to match what LDAP groups you want mirrored in to VCL
> -the existing examples show three cases:
>   -all groups directly under the CourseRolls OU are matched
>   -the Students_Enrolled group under the Students OU is matched
>   -the Staff group under the IT OU is matched
>
> After making these changes, you should start seeing users automatically get
> added to user groups in VCL as they log in.  If you have a regular
> expression that matches a group in LDAP that you don't already have in VCL,
> it will be automatically created.
>
> A couple of points about this:
> -the groups created/managed through this method do not show up on the
> Manage Groups page because modifying their membership there would take them
> out of sync with LDAP
> -since the groups get created when someone logs in, you cannot grant a
> group access somewhere in VCL until at least one user with that group
> membership has logged in
> -there is a timeout to be aware of: every LDAP user's information is cached
> in the VCL database for 24 hours; so, until that timeout expires, the
> user's group memberships in LDAP are not pulled again
>
> Let me know if you need anything clarified.
>
> Josh
>
> On Friday November 20, 2009, Kelly Robinson wrote:
> > Is there a way for a user to be automatically listed as a member of a
> > user group after logging in through LDAP authentication?  I can manually
> > add users to a user group through the "Manage Group" section of the VCL
> > interface, but is there a more efficient way to automatically give users
> > access to resources?
> >
> > Kelly
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLF83RV/LQcNdtPQMRAli0AJ9yuPBu4b+nqagru+Vn3YSuzaJyTQCffQDM
IgIqkqzAnX89S3nmUmuoMmI=
=7YtQ
-----END PGP SIGNATURE-----
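
The three matching cases listed in the quoted instructions, written out as an added example. This is not the code from ldapauth.php or from anyone in the thread; the function name mirroredGroupName, the base DN and the sample memberOf values are assumptions made up for illustration. Because every match becomes a VCL group membership, each pattern is anchored at both ends so that only the intended groups are mirrored.

```php
<?php
// Added example, not VCL code. BASE_DN and the sample values below are
// constructed; substitute your own directory's base DN.
const BASE_DN = 'DC=example,DC=edu';

// Map one LDAP memberOf value to the group name to mirror, or null.
function mirroredGroupName(string $dn): ?string {
    $base = preg_quote(BASE_DN, '/');
    $patterns = [
        // any group directly under the CourseRolls OU; [^,]+ stops at the
        // first comma, so groups in OUs nested below it do not match
        "/^CN=([^,]+),OU=CourseRolls,$base\$/iD",
        // exactly the Students_Enrolled group under the Students OU
        "/^CN=(Students_Enrolled),OU=Students,$base\$/iD",
        // exactly the Staff group under the IT OU
        "/^CN=(Staff),OU=IT,$base\$/iD",
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $dn, $m)) {
            return $m[1];
        }
    }
    return null;
}

// Constructed memberOf values for one user.
$memberOf = [
    'CN=CSC101-001,OU=CourseRolls,DC=example,DC=edu',
    'CN=Staff,OU=IT,DC=example,DC=edu',
    'CN=Staff,OU=Contractors,OU=IT,DC=example,DC=edu',        // nested OU
    'CN=Old,OU=Archive,OU=CourseRolls,DC=example,DC=edu',     // nested OU
    'CN=Students_Enrolled_Test,OU=Students,DC=example,DC=edu', // similar name
    'CN=Staff,OU=IT,DC=example,DC=edu,DC=other',              // other base DN
];

foreach ($memberOf as $dn) {
    $name = mirroredGroupName($dn);
    printf("%-58s => %s\n", $dn, $name ?? '(not mirrored)');
}
```

Only the first two sample values are mirrored (as CSC101-001 and Staff); the remaining four are rejected because of the anchors and the [^,]+ class.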
