-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

Look over the "Mirroring LDAP User Groups" section on this page:

http://vcl.apache.org/docs/ldapauth.html

You have to actually modify the PHP code as described there to get groups from LDAP (AD) mirrored into your VCL system. Once set up, when a user logs in to VCL, some information about him is pulled from LDAP. That includes user group membership if your LDAP system makes that available. The list of user groups of which the user is a member is parsed by the function you create. Any groups that match the regular expressions you set up are created if they don't exist, and the user is then added to those groups, and removed from any other LDAP based groups not in the list of groups. Any user groups that are created this way have their initialmaxtime, totalmaxtime, and maxextendtime fields set from the default values in your database.

The idea here is that you establish an initial set of user groups and their privileges in VCL. Once set up, any users logging in for the first time already have their access set up for them.

Any user groups created from LDAP have the 'custom' field set to 0 in the database. They show up as 'Federated' groups on the Manage Groups page. You are allowed to edit the group attributes, but not the membership via the web interface since the membership is automatically managed to reflect the LDAP membership. If you aren't seeing the Federated groups on the Manage Groups page, you need to add the "Manage Federated User Groups" user group permission to one of your user groups on the Privileges->Additional User Permissions page.

I've never managed the LDAP server end of this. So, I can't provide any guidance on how to set up the groups in AD or something like OpenLDAP.

Josh

On Monday, August 04, 2014 11:29:10 AM David DeMizio wrote:
> Hello,
>
> I'm just now getting into setting up groups and privileges as I'm going to
> put a small lab in Prod just containing Linux images. I read a couple of
> posts on LDAP but I'm still not clear on the correlation between the Manage
> groups menu from VCL interface and the LDAP groups. I noticed that Manage
> groups allows you to set initial max time and so forth, so how do I
> associate a particular AD group or AD user with a group in VCL so I can
> set these initial max times etc. I want initial max time to be 2 hours but
> the ability for students to extend up to 1 hour, total of 3 hours. Thank
> you

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlPftSQACgkQV/LQcNdtPQONrwCdFHnuRxcpalNEHPHhvHHMlDb2
I6kAn0SMkLFw8j+iarOscu9halcPuNHt
=4WjI
-----END PGP SIGNATURE-----
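
The login-time reconciliation described in the message above, as a standalone model added here for illustration; it is not VCL's code and not part of the original e-mail. The function names, the DN layout, the group names and the default values are all assumptions. It shows an anchored pattern rejecting a look-alike group name, and removal touching only LDAP-based (custom = 0) groups.

```php
<?php
// Added illustration, not VCL's code. All names, DNs and numbers are constructed.
// Assumed defaults for new groups (VCL takes its defaults from the database).
const DEFAULTS = ['initialmaxtime' => 240, 'totalmaxtime' => 360, 'maxextendtime' => 30];
// Anchored pattern: an unanchored /vcl-\w+/ would also accept "CN=x-vcl-admins,...".
const PATTERNS = ['/^CN=(vcl-[a-z0-9-]+),OU=Groups,DC=example,DC=edu$/i'];

// Return the names of the LDAP groups (from memberOf-style DNs) to mirror.
function matchLdapGroups(array $memberOf): array {
    $names = [];
    foreach ($memberOf as $dn) {
        foreach (PATTERNS as $re) {
            if (preg_match($re, $dn, $m)) { $names[] = strtolower($m[1]); break; }
        }
    }
    return array_values(array_unique($names));
}

// Reconcile one user at login. $groups maps name => attributes + 'custom' + 'members'.
function syncUser(string $user, array $memberOf, array &$groups): array {
    $wanted = matchLdapGroups($memberOf);
    $log = ['created' => [], 'added' => [], 'removed' => []];
    foreach ($wanted as $name) {
        if (!isset($groups[$name])) {           // create missing group, custom = 0
            $groups[$name] = DEFAULTS + ['custom' => 0, 'members' => []];
            $log['created'][] = $name;
        }
        if (!isset($groups[$name]['members'][$user])) {
            $groups[$name]['members'][$user] = true;
            $log['added'][] = $name;
        }
    }
    foreach ($groups as $name => $g) {          // drop stale LDAP-based memberships only
        if ($g['custom'] === 0 && isset($g['members'][$user]) && !in_array($name, $wanted, true)) {
            unset($groups[$name]['members'][$user]);
            $log['removed'][] = $name;
        }
    }
    return $log;
}

$groups = [
    'vcl-oldlab' => DEFAULTS + ['custom' => 0, 'members' => ['alice' => true]],
    'helpdesk'   => DEFAULTS + ['custom' => 1, 'members' => ['alice' => true]],
];
$memberOf = ['CN=vcl-linuxlab,OU=Groups,DC=example,DC=edu',
             'CN=x-vcl-admins,OU=Groups,DC=example,DC=edu',
             'CN=staff,OU=Groups,DC=example,DC=edu'];
print_r(syncUser('alice', $memberOf, $groups));
```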
