Excellent!  Thanks for this information.  We actually do not have LDAP
groups implemented but have a single-valued field called "affiliation" I can
use to distinguish between students and faculty.  I'll give this a shot.


On Thu, Feb 18, 2010 at 12:52 PM, Josh Thompson <josh_thomp...@ncsu.edu>wrote:

> Hash: SHA1
> I really need to get this documented...
> You need to edit .ht-inc/authmethods/ldapauth.php
> The updateLDAPUser function gets called when a user logs in and
> user.lastupdated from the database for that user is > 24 hours old.  Toward
> the end of that function, you'll see a switch statement that matches on the
> user's affiliation.  There is some example code in place.  You just need to
> modify it to meet your needs.
> First, change the case for EXAMPLE1 to match your affiliation.  Then,
> change
> the name of the updateEXAMPLE1Groups function to match your affiliation as
> well.  Now, you want to modify the newly named function (it's at the bottom
> of the file).  Change "EXAMPLE1 LDAP" at the top of the function to match
> what you have for your LDAP entry in conf.php.
> Next, you need to figure out what attribute your LDAP server is using to
> present group information for each user.  If you are using AD, it is
> probably
> memberof.  If not (I think NDS uses groupmembership), you'll need to change
> all occurances of 'memberof' in the function to that attribute.
> Finally, modify the preg_match statements in the for loop to match whatever
> groups you want automatically mirrored into VCL.  In the examples given,
> all
> groups directly under the "OU=CourseRolls,DC=example1,DC=com" container
> will
> be matched and the "CN=Students_Enrolled,OU=Students,DC=example1,DC=com"
> and "CN=Staff,OU=IT,DC=example1,DC=com" groups will be matched.
> A few things to note - the groups won't exist in VCL until someone that is
> a
> member of the group logs in.  After that, you can assign rights to the
> group
> and everyone else that is a member of the group will automatically have
> whatever rights the group has.  This isn't optimal, but I haven't had a
> chance to come up with a good solution yet.  What people normally do to
> deal
> with this is to have a certain user that they add to all groups.  Then, to
> get a new group pulled in, they just log in with that user.  Another thing
> to
> note is that these groups don't show up under the Manage Groups portion of
> the site.  This is because they are automatically managed and you shouldn't
> be modifying anything about them on that page.  The groups will however
> show
> up anywhere you see a drop-down list for selecting a user group for
> something.
> Josh
> On Thursday February 18, 2010, Jonathon Taylor wrote:
> > Hello,
> >
> > We have LDAP authentication configured.  People are able to authenticate
> > and after authentication I can see an entry in the vcl user table.  What
> > options do we have to configure default permissions?  For example, say we
> > wanted all of our students to be able to check out any image by default.
> > Do groups defined within VCL for a given affiliation correspond to LDAP
> > groups?  Or, do we have to manually/script adding users to these groups?
>  I
> > noticed that there is a "global" group for the local affiliation, is this
> a
> > special keyword that we can apply to our LDAP affiliation?
> >
> > On a somewhat related topic, what is the user's email address used for?
> >
> > Thanks for any help!  Sorry for so many questions.
> >
> > Jonathon Taylor
> > CSU East Bay
> - --
> - -------------------------------
> Josh Thompson
> Systems Programmer
> Advanced Computing | VCL Developer
> North Carolina State University
> josh_thomp...@ncsu.edu
> 919-515-5323
> my GPG/PGP key can be found at pgp.mit.edu
> Version: GnuPG v1.4.6 (GNU/Linux)
> iD8DBQFLfah6V/LQcNdtPQMRAmAdAJ4kMmh86wipCiIhcHsSHREe0pKylQCfcNQq
> Z6/T4ih3kvcNfxHmBCHwUak=
> =bL14

Reply via email to