I really need to get this documented...

You need to edit .ht-inc/authmethods/ldapauth.php

The updateLDAPUser function gets called when a user logs in and 
user.lastupdated from the database for that user is > 24 hours old.  Toward 
the end of that function, you'll see a switch statement that matches on the 
user's affiliation.  There is some example code in place.  You just need to 
modify it to meet your needs.

First, change the case for EXAMPLE1 to match your affiliation.  Then, change 
the name of the updateEXAMPLE1Groups function to match your affiliation as 
well.  Now, you want to modify the newly named function (it's at the bottom 
of the file).  Change "EXAMPLE1 LDAP" at the top of the function to match 
what you have for your LDAP entry in conf.php.

Next, you need to figure out what attribute your LDAP server is using to 
present group information for each user.  If you are using AD, it is probably 
memberof.  If not (I think NDS uses groupmembership), you'll need to change 
all occurrences of 'memberof' in the function to that attribute.

Finally, modify the preg_match statements in the for loop to match whatever 
groups you want automatically mirrored into VCL.  In the examples given, all 
groups directly under the "OU=CourseRolls,DC=example1,DC=com" container will 
be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com" 
and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.

A few things to note - the groups won't exist in VCL until someone that is a 
member of the group logs in.  After that, you can assign rights to the group 
and everyone else that is a member of the group will automatically have 
whatever rights the group has.  This isn't optimal, but I haven't had a 
chance to come up with a good solution yet.  What people normally do to deal 
with this is to have a certain user that they add to all groups.  Then, to 
get a new group pulled in, they just log in with that user.  Another thing to 
note is that these groups don't show up under the Manage Groups portion of 
the site.  This is because they are automatically managed and you shouldn't 
be modifying anything about them on that page.  The groups will however show 
up anywhere you see a drop-down list for selecting a user group for 


On Thursday February 18, 2010, Jonathon Taylor wrote:
> Hello,
> We have LDAP authentication configured.  People are able to authenticate
> and after authentication I can see an entry in the vcl user table.  What
> options do we have to configure default permissions?  For example, say we
> wanted all of our students to be able to check out any image by default. 
> Do groups defined within VCL for a given affiliation correspond to LDAP
> groups?  Or, do we have to manually/script adding users to these groups?  I
> noticed that there is a "global" group for the local affiliation, is this a
> special keyword that we can apply to our LDAP affiliation?
> On a somewhat related topic, what is the user's email address used for?
> Thanks for any help!  Sorry for so many questions.
> Jonathon Taylor
> CSU East Bay
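The group-mirroring loop the reply above describes, as an added PHP example that is not VCL's own ldapauth.php code; it assumes the 'memberof' attribute (AD) and the example1.com group layout from the reply, and the function name selectMirroredGroups is made up here.

```php
<?php
// Added example (not VCL's own code): pick the LDAP groups to mirror into VCL
// from a user's 'memberof' values, following the two rules in the reply:
//   1. every group that is a direct child of OU=CourseRolls,DC=example1,DC=com
//   2. the explicitly listed Students_Enrolled and Staff groups
// Assumption: $memberOfValues is the plain list of DN strings for 'memberof'.
function selectMirroredGroups(array $memberOfValues): array {
    $container = 'OU=CourseRolls,DC=example1,DC=com';
    // Direct children only: exactly one RDN (the CN) in front of the container.
    // preg_quote escapes the container, 'i' because DNs are case-insensitive,
    // and the ^...$ anchors stop a deeper or merely similar DN from matching.
    $containerRe = '/^CN=([^,]+),' . preg_quote($container, '/') . '$/i';

    // VCL group name => full DN that must match exactly.
    $explicit = [
        'Students_Enrolled' => 'CN=Students_Enrolled,OU=Students,DC=example1,DC=com',
        'Staff'             => 'CN=Staff,OU=IT,DC=example1,DC=com',
    ];

    $groups = [];
    foreach ($memberOfValues as $dn) {
        if (preg_match($containerRe, $dn, $m)) {
            $groups[] = $m[1];          // the CN becomes the VCL group name
            continue;
        }
        foreach ($explicit as $name => $wanted) {
            // Compare whole DNs case-insensitively, never substrings.
            if (strcasecmp($dn, $wanted) === 0) {
                $groups[] = $name;
                break;
            }
        }
    }
    return array_values(array_unique($groups));
}

// Constructed sample input, shaped like the 'memberof' values an AD user has.
$sample = [
    'CN=CS101_Spring2010,OU=CourseRolls,DC=example1,DC=com',
    'CN=Old,OU=Archive,OU=CourseRolls,DC=example1,DC=com',  // not a direct child
    'cn=staff,ou=it,dc=example1,dc=com',                    // different case
    'CN=Domain Users,CN=Users,DC=example1,DC=com',          // not mirrored
];
print_r(selectMirroredGroups($sample)); // CS101_Spring2010, Staff
```

Anchoring the pattern and comparing whole DNs rather than substrings keeps a group that only contains the container string, or sits deeper in the tree, from being mirrored by accident.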
