[geeklog-devel] The core of a very simple LDAP plugin, and an LDAP remote authentication class that uses it
Michael Jervis
mjervis at gmail.com
Wed Mar 5 13:25:54 EST 2008
> Btw, here's an interesting little problem on the side: Assume I already
> have a (local) user and want to make them a Remote User (using the LDAP
> module) now. How would I do that?
>
> Mike?
>
> What else, other than adding the user to the Remote Users group (which
> you can't even do from Geeklog since the checkbox is disabled), would
> need to be done?
OK so having a /glance/ at the LDAP module and being full of a head
cold at the moment so highly likely to be missing something...
The LDAP plugin provides AUTHENTICATION of users but not
AUTHORISATION, and is done via being a plugin for the Remote
Authentication module.
The net result will be an entry in gl_users for each LDAP
authenticated user, who will by default inherit the Remote Users group
as all Remote Authentication users do. You will always of course have
a properly local admin user, so, what you would need to do is:
1) Install Geeklog as normal
2) Install the LDAP auth class.
3) Enable remote authentication.
4) Login as your LDAP account to create a local copy of that account.
5) Login as Geeklog's local Admin account.
6) Grant admin/root groups membership to your key LDAP account.
7) Disable non-LDAP based authentication
Job (as we say in Yorkshire) is a good'un. You can then authenticate
via LDAP as a Geeklog Root user and then pass on additional privileges
as required to additional LDAP authenticated users.

How would you migrate a local user to LDAP?

    UPDATE gl_users SET remoteusername='(ldapusername)',
        remoteservice='LDAP' WHERE uid=(xxx)

Of course if all GL user accounts were mass-migrated into an LDAP repository:

    UPDATE gl_users SET remoteusername=username, remoteservice='LDAP' WHERE uid <> 1

(preserving the admin account as a local fallback)

And insert a mapping for them into the Remote Users group.

(Hey, and can we add "As used by MTV" to our advertising, or would
that drive off our traditional user-base? ;-))
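
Added example, not part of the original message or Geeklog's own code: the mass migration described above, run against a constructed SQLite stand-in so the UPDATE and the Remote Users mapping happen in one transaction and accounts that are already remote are skipped. The gl_groups and gl_group_assignments column names, group id 13 and the sample users are assumptions; migrate_to_ldap and keep_local are hypothetical names.

```python
import sqlite3

# Constructed stand-in schema and sample rows; group table columns are assumed.
SCHEMA = """
CREATE TABLE gl_users (uid INTEGER PRIMARY KEY, username TEXT,
                       remoteusername TEXT, remoteservice TEXT);
CREATE TABLE gl_groups (grp_id INTEGER PRIMARY KEY, grp_name TEXT);
CREATE TABLE gl_group_assignments (ug_main_grp_id INTEGER, ug_uid INTEGER);
"""

def migrate_to_ldap(db, keep_local=(1,)):
    """Mark local accounts as LDAP remote users; return the migrated uids."""
    marks = ",".join("?" * len(keep_local))
    with db:  # one transaction: flag and group mapping commit together
        uids = [r[0] for r in db.execute(
            "SELECT uid FROM gl_users WHERE uid NOT IN (%s) "
            "AND (remoteservice IS NULL OR remoteservice = '') ORDER BY uid" % marks,
            keep_local)]
        grp = db.execute("SELECT grp_id FROM gl_groups "
                         "WHERE grp_name = 'Remote Users'").fetchone()
        if grp is None:
            raise LookupError("Remote Users group not found")
        for uid in uids:
            db.execute("UPDATE gl_users SET remoteusername = username, "
                       "remoteservice = 'LDAP' WHERE uid = ?", (uid,))
            # Add the group mapping only if it is not already there.
            db.execute("INSERT INTO gl_group_assignments (ug_main_grp_id, ug_uid) "
                       "SELECT ?, ? WHERE NOT EXISTS (SELECT 1 FROM "
                       "gl_group_assignments WHERE ug_main_grp_id = ? AND ug_uid = ?)",
                       (grp[0], uid, grp[0], uid))
    return uids

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO gl_users VALUES (?,?,?,?)", [
        (1, "admin", None, None), (2, "alice", None, None),
        (3, "bob", None, None), (4, "carol", "carol", "LDAP")])
    db.executemany("INSERT INTO gl_groups VALUES (?,?)",
                   [(2, "All Users"), (13, "Remote Users")])
    db.execute("INSERT INTO gl_group_assignments VALUES (13, 4)")
    migrated = migrate_to_ldap(db)
    users = db.execute("SELECT uid, remoteservice FROM gl_users ORDER BY uid").fetchall()
    members = [r[0] for r in db.execute(
        "SELECT ug_uid FROM gl_group_assignments WHERE ug_main_grp_id = 13 ORDER BY ug_uid")]
    return migrated, users, members

if __name__ == "__main__":
    print(demo())
```

Before running anything like this on a live site, confirm which uid(s) your local fallback account actually has and pass them as keep_local.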