-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kelly,

Affiliations in VCL are really just used as a way to know which users and user 
groups belong to an institution.  Affiliations cannot be directly used to 
grant anyone access to anything.  That's what user groups are for.

If you really want to stick with the way you are currently doing things (which 
may lead to further problems down the road), you can do something similar to 
what I mentioned below.  However, instead of having a loop that does a 
regular expression match on each of the user's LDAP groups, you can just 
define a single user group for each affiliation and have the function make 
sure the user is in that group.

For user group management in general, I've just finished writing and 
documenting a python script that interfaces with the XML RPC API to allow for 
user group management from the command line.  More info on it here:

http://cwiki.apache.org/VCL/managegroupspy-remotely-managing-user-groups.html

Josh

On Thursday December 03, 2009, Kelly Robinson wrote:
> We don't currently use group memberships in our LDAP system.  The
> differentiation between whether someone is staff/student/faculty is done
> with the use of affiliations, not group memberships.
>
> >>> Josh Thompson <josh_thomp...@ncsu.edu> 12/03/2009 9:40 AM >>>
>
> Kelly,
>
> Can you explain this a little further?  I don't understand what you mean
> that you are using affiliations instead of group memberships.
>
> Thanks,
> Josh
>
> On Wednesday December 02, 2009, Kelly Robinson wrote:
> > Josh-
> >
> > We are using affiliations versus group memberships in our LDAP.  Is there
> > a way for this to work without having the group memberships in LDAP set
> > up?
> >
> > Kelly
> >
> > >>> Josh Thompson <josh_thomp...@ncsu.edu> 11/24/2009 11:36 AM >>>
> >
> > Kelly,
> >
> > You can set up group memberships in LDAP and have them mirrored in to
> > VCL. You'll need to modify two functions in
> > .ht-inc/authmethods/ldapauth.php in the web code.
> >
> > -find the switch statement toward the bottom of the updateLDAPUser function
> > -change the EXAMPLE1 case to match the name of your affiliation from the
> > affiliation table
> > -you'll probably want to rename updateEXAMPLE1Groups to also match your
> > affiliation
> > -now, you need to modify the updateEXAMPLE1Groups function
> > -where $auth is set, change "EXAMPLE1 LDAP" to match the key in the
> > $authMechs array from conf.php
> > -in the "for" loop at the bottom of the function, you'll need to set the
> > regular expressions to match what LDAP groups you want mirrored in to VCL
> > -the existing examples show three cases:
> >   -all groups directly under the CourseRolls OU are matched
> >   -the Students_Enrolled group under the Students OU is matched
> >   -the Staff group under the IT OU is matched
> >
> > After making these changes, you should start seeing users automatically
> > get added to user groups in VCL as they log in.  If you have a regular
> > expression that matches a group in LDAP that you don't already have in
> > VCL, it will be automatically created.
> >
> > A couple of points about this:
> > -the groups created/managed through this method do not show up on the
> > Manage Groups page because modifying their membership there would take
> > them out of sync with LDAP
> > -since the groups get created when someone logs in, you cannot grant a
> > group access somewhere in VCL until at least one user with that group
> > membership has logged in
> > -there is a timeout to be aware of: every LDAP user's information is
> > cached in the VCL database for 24 hours; so, until that timeout expires,
> > the user's group memberships in LDAP are not pulled again
> >
> > Let me know if you need anything clarified.
> >
> > Josh
> >
> > On Friday November 20, 2009, Kelly Robinson wrote:
> > > Is there a way for a user to be automatically listed as a member of a
> > > user group after logging in through LDAP authentication?  I can
> > > manually add users to a user group through the "Manage Group" section
> > > of the VCL interface, but is there a more efficient way to
> > > automatically give users access to resources?
> > >
> > > Kelly
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLGBwvV/LQcNdtPQMRAmfCAJ9BJ/mcYopnONg7vm8Iev6cwCMHpwCaArcp
q7IJ4sPRjyT2ETRakXr8qHg=
=QyBw
-----END PGP SIGNATURE-----
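An added illustration, not code from the VCL project or from anyone in this thread, of the two approaches discussed above: the regular-expression mirroring of LDAP groups that the EXAMPLE1 case in ldapauth.php performs, with the three cases Josh lists (all groups directly under the CourseRolls OU, Students_Enrolled under the Students OU, Staff under the IT OU), and the one-VCL-group-per-affiliation mapping he suggests for a directory like Kelly's that carries affiliations rather than group memberships. The base DN, the function and variable names, the VCL group name strings and the sample memberOf values are assumptions constructed for the example.

```php
<?php
// Illustrative only: models the logic described in the thread, it is not
// VCL's updateEXAMPLE1Groups. Names and the base DN are assumptions.

// Hypothetical base DN; the OU names are the ones named in the thread.
const BASE_DN = 'dc=example,dc=edu';

// Each pattern is anchored to the whole group DN so that only the intended
// OU under the intended base is mirrored. Because VCL creates any matched
// group that does not yet exist, an unanchored pattern would let a group
// from another OU (or another tree) appear in VCL and inherit whatever
// access that group name is later granted.
function ldapGroupPatterns(): array {
    $b = preg_quote(BASE_DN, '/');
    return [
        // all groups directly under the CourseRolls OU
        '/^cn=([^,]+),ou=CourseRolls,' . $b . '$/i',
        // only the Students_Enrolled group under the Students OU
        '/^cn=(Students_Enrolled),ou=Students,' . $b . '$/i',
        // only the Staff group under the IT OU
        '/^cn=(Staff),ou=IT,' . $b . '$/i',
    ];
}

// Given the DNs of the LDAP groups a user belongs to (e.g. memberOf values),
// return the VCL user-group names that should be mirrored for that user.
function vclGroupsFromLdapGroups(array $memberOfDns): array {
    $groups = [];
    foreach ($memberOfDns as $dn) {
        foreach (ldapGroupPatterns() as $pattern) {
            if (preg_match($pattern, $dn, $m)) {
                $groups[] = $m[1];
                break; // one pattern per DN is enough
            }
        }
    }
    return array_values(array_unique($groups));
}

// Alternative for a directory without group memberships: one VCL user group
// per affiliation value, taken from a fixed allow-list. An affiliation that
// is not listed maps to nothing instead of creating a group on the fly.
function vclGroupsFromAffiliations(array $affiliations): array {
    $map = [
        'staff'   => 'LDAP Staff',    // assumed VCL group names
        'student' => 'LDAP Students',
        'faculty' => 'LDAP Faculty',
    ];
    $groups = [];
    foreach ($affiliations as $aff) {
        $key = strtolower(trim($aff));
        if (isset($map[$key])) {
            $groups[] = $map[$key];
        }
    }
    return array_values(array_unique($groups));
}

// Constructed sample memberOf values for one user.
$memberOf = [
    'cn=CSC116_001,ou=CourseRolls,dc=example,dc=edu',
    'cn=Students_Enrolled,ou=Students,dc=example,dc=edu',
    'cn=Students_Alumni,ou=Students,dc=example,dc=edu',       // not mirrored
    'cn=Staff,ou=IT,dc=example,dc=edu',
    'cn=Staff,ou=Library,dc=example,dc=edu',                  // other OU, not mirrored
    'cn=CSC116_001,ou=CourseRolls,dc=evil,dc=example,dc=edu', // other base, not mirrored
];
print_r(vclGroupsFromLdapGroups($memberOf));

// Constructed sample affiliations for a user in a directory like Kelly's.
print_r(vclGroupsFromAffiliations(['staff', 'Alumni']));
```

The anchoring is the point to check when adapting the regular expressions: since VCL auto-creates any group a pattern matches, every loosely written pattern is effectively a group-creation rule. Also keep in mind the caching Josh mentions: a user's LDAP information is cached in the VCL database for 24 hours, so changes to the patterns or to the directory are not reflected for a given user until that cache entry expires.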
