Excellent! Thanks for this information. We actually do not have LDAP groups implemented but have a single-valued field called "affiliation" I can use to distinguish between students and faculty. I'll give this a shot.

-Jonathon

On Thu, Feb 18, 2010 at 12:52 PM, Josh Thompson <josh_thomp...@ncsu.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I really need to get this documented...
>
> You need to edit .ht-inc/authmethods/ldapauth.php
>
> The updateLDAPUser function gets called when a user logs in and
> user.lastupdated from the database for that user is > 24 hours old. Toward
> the end of that function, you'll see a switch statement that matches on the
> user's affiliation. There is some example code in place. You just need to
> modify it to meet your needs.
>
> First, change the case for EXAMPLE1 to match your affiliation. Then, change
> the name of the updateEXAMPLE1Groups function to match your affiliation as
> well. Now, you want to modify the newly named function (it's at the bottom
> of the file). Change "EXAMPLE1 LDAP" at the top of the function to match
> what you have for your LDAP entry in conf.php.
>
> Next, you need to figure out what attribute your LDAP server is using to
> present group information for each user. If you are using AD, it is probably
> memberof. If not (I think NDS uses groupmembership), you'll need to change
> all occurrences of 'memberof' in the function to that attribute.
>
> Finally, modify the preg_match statements in the for loop to match whatever
> groups you want automatically mirrored into VCL. In the examples given, all
> groups directly under the "OU=CourseRolls,DC=example1,DC=com" container will
> be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com"
> and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.
>
> A few things to note - the groups won't exist in VCL until someone that is a
> member of the group logs in. After that, you can assign rights to the group
> and everyone else that is a member of the group will automatically have
> whatever rights the group has. This isn't optimal, but I haven't had a
> chance to come up with a good solution yet. What people normally do to deal
> with this is to have a certain user that they add to all groups. Then, to
> get a new group pulled in, they just log in with that user. Another thing to
> note is that these groups don't show up under the Manage Groups portion of
> the site. This is because they are automatically managed and you shouldn't
> be modifying anything about them on that page. The groups will however show
> up anywhere you see a drop-down list for selecting a user group for
> something.
>
> Josh
>
> On Thursday February 18, 2010, Jonathon Taylor wrote:
> > Hello,
> >
> > We have LDAP authentication configured. People are able to authenticate
> > and after authentication I can see an entry in the vcl user table. What
> > options do we have to configure default permissions? For example, say we
> > wanted all of our students to be able to check out any image by default.
> > Do groups defined within VCL for a given affiliation correspond to LDAP
> > groups? Or, do we have to manually/script adding users to these groups? I
> > noticed that there is a "global" group for the local affiliation, is this a
> > special keyword that we can apply to our LDAP affiliation?
> >
> > On a somewhat related topic, what is the user's email address used for?
> >
> > Thanks for any help! Sorry for so many questions.
> >
> > Jonathon Taylor
> > CSU East Bay
> - --
> - -------------------------------
> Josh Thompson
> Systems Programmer
> Advanced Computing | VCL Developer
> North Carolina State University
>
> josh_thomp...@ncsu.edu
> 919-515-5323
>
> my GPG/PGP key can be found at pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFLfah6V/LQcNdtPQMRAmAdAJ4kMmh86wipCiIhcHsSHREe0pKylQCfcNQq
> Z6/T4ih3kvcNfxHmBCHwUak=
> =bL14
> -----END PGP SIGNATURE-----
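The group-selection step that the quoted message describes (the for loop of preg_match calls over the user's group attribute, using the three example DN patterns), written out as a stand-alone PHP example. This is an added illustration, not VCL's own ldapauth.php code: the function name selectGroupsToMirror, its parameters, the assumption that the entry comes in ldap_get_entries() shape, and the sample DNs are all constructed for this example. It adds two checks a practitioner wants when mirroring directory groups into an authorization system: the patterns are anchored at both ends so a look-alike DN with extra components is not accepted, and they are case-insensitive because the directory compares DN components that way.

```php
<?php
// Added example (not VCL's own ldapauth.php): decide which of a user's LDAP
// group DNs should become automatically managed VCL groups.
// Assumed names and shapes: selectGroupsToMirror, $ldapEntry in the layout
// returned by ldap_get_entries() (attribute names lower-cased, multi-valued
// attributes as array('count' => N, 0 => ..., 1 => ...)), and sample DNs.

/**
 * Return the group names (CN values) to mirror for one user.
 *
 * @param array  $ldapEntry  one entry in ldap_get_entries() layout
 * @param string $groupAttr  attribute carrying group DNs: 'memberof' on AD,
 *                           'groupmembership' on NDS (per the quoted message)
 * @return array             CN values of the groups that matched a pattern
 */
function selectGroupsToMirror(array $ldapEntry, $groupAttr = 'memberof') {
    $groupAttr = strtolower($groupAttr);
    if (empty($ldapEntry[$groupAttr]) || !is_array($ldapEntry[$groupAttr])) {
        return array();   // user is in no groups, or the attribute name is wrong
    }

    // Patterns follow the three cases in the quoted message. Each is anchored
    // with ^ and $ and made case-insensitive with /i: the directory treats DN
    // components case-insensitively, and the $ anchor rejects a DN such as
    // "CN=Staff,OU=IT,DC=example1,DC=com,DC=other" that merely starts like a
    // trusted one.
    $patterns = array(
        // any group directly under the CourseRolls container
        '/^CN=([^,]+),OU=CourseRolls,DC=example1,DC=com$/i',
        // the two explicitly named groups
        '/^CN=(Students_Enrolled),OU=Students,DC=example1,DC=com$/i',
        '/^CN=(Staff),OU=IT,DC=example1,DC=com$/i',
    );

    $matched = array();
    for ($i = 0; $i < $ldapEntry[$groupAttr]['count']; $i++) {
        $dn = $ldapEntry[$groupAttr][$i];
        foreach ($patterns as $re) {
            if (preg_match($re, $dn, $m)) {
                $matched[] = $m[1];
                break;   // one match per DN is enough
            }
        }
    }
    return array_values(array_unique($matched));
}

// Constructed sample entry (not real directory data) in ldap_get_entries() layout.
$sampleEntry = array(
    'dn'       => 'CN=jdoe,OU=People,DC=example1,DC=com',
    'memberof' => array(
        'count' => 5,
        0 => 'CN=CS101,OU=CourseRolls,DC=example1,DC=com',
        1 => 'CN=cs102,ou=courserolls,dc=example1,dc=com',                  // case differs, still matches
        2 => 'CN=MATH200,OU=Spring2010,OU=CourseRolls,DC=example1,DC=com', // nested, not a direct child
        3 => 'CN=Staff,OU=IT,DC=example1,DC=com',
        4 => 'CN=Staff,OU=IT,DC=example1,DC=com,DC=other',                 // look-alike, rejected by the $ anchor
    ),
);

print_r(selectGroupsToMirror($sampleEntry, 'memberof'));
```

With the constructed entry above the function returns CS101, cs102 and Staff: the nested MATH200 group is skipped because it is not directly under CourseRolls, and the look-alike Staff DN is skipped by the trailing anchor. For an NDS server, pass 'groupmembership' as the second argument instead of editing the attribute name in several places.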