We don't currently use group memberships in our LDAP system. The
differentiation between whether someone is staff/student/faculty is done with
the use of affiliations, not group memberships.
>>> Josh Thompson <josh_thomp...@ncsu.edu> 12/03/2009 9:40 AM >>>
Can you explain this a little further? I don't understand what you mean that
you are using affiliations instead of group memberships.
On Wednesday December 02, 2009, Kelly Robinson wrote:
> We are using affiliations versus group memberships in our LDAP. Is there
> a way for this to work without having the group memberships in LDAP set
> >>> Josh Thompson <josh_thomp...@ncsu.edu> 11/24/2009 11:36 AM >>>
> You can set up group memberships in LDAP and have them mirrored in to VCL.
> You'll need to modify two functions in .ht-inc/authmethods/ldapauth.php in
> the web code.
> -find the switch statement toward the bottom of the updateLDAPUser
> -change the EXAMPLE1 case to match the name of your affiliation from the
> affiliation table
> -you'll probably want to rename updateEXAMPLE1Groups to also match your
> -now, you need to modify the updateEXAMPLE1Groups function
> -where $auth is set, change "EXAMPLE1 LDAP" to match the key in the
> $authMechs array from conf.php
> -in the "for" loop at the bottom of the function, you'll need to set the
> regular expressions to match what LDAP groups you want mirrored in to VCL
> -the existing examples show three cases:
>   -all groups directly under the CourseRolls OU are matched
>   -the Students_Enrolled group under the Students OU is matched
>   -the Staff group under the IT OU is matched
> After making these changes, you should start seeing users automatically get
> added to user groups in VCL as they log in. If you have a regular
> expression that matches a group in LDAP that you don't already have in VCL,
> it will be automatically created.
> A couple of points about this:
> -the groups created/managed through this method do not show up on the
> Manage Groups page because modifying their membership there would take them
> out of sync with LDAP
> -since the groups get created when someone logs in, you cannot grant a
> group access somewhere in VCL until at least one user with that group
> membership has logged in
> -there is a timeout to be aware of: every LDAP user's information is cached
> in the VCL database for 24 hours; so, until that timeout expires, the
> user's group memberships in LDAP are not pulled again
> Let me know if you need anything clarified.
> On Friday November 20, 2009, Kelly Robinson wrote:
> > Is there a way for a user to be automatically listed as a member of a
> > user group after logging in through LDAP authentication? I can manually
> > add users to a user group through the "Manage Group" section of the VCL
> > interface, but is there a more efficient way to automatically give users
> > access to resources?
> > Kelly
Advanced Computing | VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu
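
The three matching cases listed in the quoted instructions, as an added example that is not part of the original thread and is not VCL's own code. The base DN, the sample memberships and the function name mirroredGroups are assumptions made for illustration. Because a matching LDAP group is created in VCL automatically and can then be granted access, each pattern is anchored so it matches only the intended level of the directory tree.

```php
<?php
// Added illustration, not code from VCL's ldapauth.php.
// Assumption: a user's group memberships arrive as full DNs under a
// constructed base DN, dc=example,dc=edu.

// Hypothetical patterns for the three cases named in the thread. Each is
// anchored with ^...$ and uses [^,]+ so a match cannot span several RDNs.
$patterns = array(
    // any group directly under the CourseRolls OU
    '/^CN=([^,]+),OU=CourseRolls,DC=example,DC=edu$/i',
    // only the Students_Enrolled group under the Students OU
    '/^CN=(Students_Enrolled),OU=Students,DC=example,DC=edu$/i',
    // only the Staff group under the IT OU
    '/^CN=(Staff),OU=IT,DC=example,DC=edu$/i',
);

// Return the group names (CN values) whose DN matches one of the patterns.
function mirroredGroups(array $memberOf, array $patterns) {
    $groups = array();
    foreach ($memberOf as $dn) {
        foreach ($patterns as $re) {
            if (preg_match($re, $dn, $m)) {
                $groups[] = $m[1];
                break; // first matching pattern wins
            }
        }
    }
    return $groups;
}

// Constructed sample memberships for one user.
$memberOf = array(
    'CN=CSC101_001,OU=CourseRolls,DC=example,DC=edu',        // direct child of CourseRolls
    'CN=Students_Enrolled,OU=Students,DC=example,DC=edu',     // named group under Students
    'CN=Staff,OU=IT,DC=example,DC=edu',                       // named group under IT
    'CN=Admins,OU=Archive,OU=CourseRolls,DC=example,DC=edu',  // nested below CourseRolls
    'CN=Staff,OU=IT,DC=lab,DC=example,DC=edu',                // same RDNs, different base
    'CN=Staff_Temp,OU=IT,DC=example,DC=edu',                  // similar but different CN
);

print_r(mirroredGroups($memberOf, $patterns));
```

Running the candidate patterns against a list of real group DNs exported from the directory before deploying them shows which groups would be created in VCL on first login.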