[pmwiki-users] ldap configuration

Gary Spivey gspivey at georgefox.edu
Thu Dec 21 09:53:41 CST 2006


> -----Original Message-----
> From: pmwiki-users-bounces at pmichaud.com [mailto:pmwiki-users-
> bounces at pmichaud.com] On Behalf Of Patrick R. Michaud
> Sent: Wednesday, December 20, 2006 2:03 PM
> To: Matt Vance
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] ldap configuration
> 
> On Wed, Dec 20, 2006 at 02:57:30PM -0600, Matt Vance wrote:
> > I'm working with a pmwiki installation that has been set up at a
> > university. In the initial phase, only the professors on a particular
> > committee were entering content. They would now like to open it up to
> > editing by all faculty and for browsing by everyone. We have an LDAP
> > server and we've been able to configure pmwiki to authenticate against
> > it, using the following LDAP setting:
> >
> >     ldap://ldap1.stedwards.edu/dc=stedwards,dc=edu?uid
> >
> > . . . but we've been running into trouble trying to limit editing to
> > just the faculty group. There is an email group within ldap
> > (emailGroup=staff), but despite having tried a dozen or so variations to
> > the ldap setting above, none have produced the desired results. Can
> > anyone help me to come up with the correct LDAP setting?
> 
> PmWiki's built-in LDAP authenticator doesn't have support for LDAP
> groups (yet).  I'll have to do a bit of thinking about how to
> develop a group specifier for LDAP groups.... it takes a fair bit
> more processing and specification to handle LDAP groups.  From
> the PmWiki end it becomes a two (or more) stage process: (1) Authenticate
> the username and password, then check the username for membership
> in any desired groups.
> 
> Pm
> 

I had this same problem at my University, so I wrote the ExternAuthUser
module. I have pmwiki "embedded" in my website and I do LDAP
authentication via a php module. That LDAP authentication sets some php
session variables - including group, and using those functions, I can do
group/user privileges on a page. I currently have it set up so that the
group privileges are defined in a config file, but all the page
privileges can be set by whoever has attribute access to a given page. I
also changed the attribute pages to have checkboxes for each privilege
based on the possible groups, so that I can simply give access for
read/edit/upload/attribute privilege to
faculty/staff/employee/adjunct/student/alumni/anyone - and you can also
use the standard user field entry for any page - where the username
comes from a php variable.

Patrick, is it possible that pmwiki could handle LDAP groups the same
way - simply by setting some session variables? Of course, it would have
to be tuned to the user's LDAP setup, but that seems like a given for any
solution.

Here is my populate script:
  function ldap_populate ($ds,$username) {
    $_SESSION['username']=$username;
    $_SESSION['authenticated']=1;

    // Escape the username before putting it in a search filter, so that
    // characters such as "*", "(" and ")" can't change the filter's meaning.
    // ldap_escape() exists from PHP 5.6; older PHP gets the manual fallback.
    if (function_exists('ldap_escape')) {
      $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    } else {
      $safe = str_replace(array('\\', '*', '(', ')', "\0"),
                          array('\5c', '\2a', '\28', '\29', '\00'), $username);
    }

    $sr=ldap_search($ds, "ou=People,dc=engr,dc=georgefox,dc=edu",
                         "(uid=$safe)");
    $info = $sr ? ldap_get_entries($ds, $sr) : false;
    if (!$info || $info["count"] != 1)  {
      // Exactly one entry is expected: zero means the uid is unknown,
      // more than one means something is wicked wrong with the directory.
      echo "Something is wrong with your LDAP entry";
      echo " - please see your web administrator";
      exit(0);
    }

    $_SESSION['uidNumber'] = $info[0]["uidnumber"][0];
    $_SESSION['firstName'] = $info[0]["givenname"][0];
    $_SESSION['lastName'] = $info[0]["sn"][0];
    $_SESSION['name'] = $info[0]["cn"][0];
    $_SESSION['email'] = $info[0]["mail"][0];
    $_SESSION['gid'] = (int)$info[0]["gidnumber"][0];
    $_SESSION['authentication_level'] = $_SESSION['gid'];
    $_SESSION['group'] = '';
    $_SESSION['groups'] = array();

    // Now see if the user is in any higher ranking groups
    // and fetch the group name
    $sr=ldap_search($ds, "ou=Group,dc=engr,dc=georgefox,dc=edu",
                         "(memberUid=$safe)");
    $info = $sr ? ldap_get_entries($ds, $sr) : array("count" => 0);
    for ($i=0; $i<$info["count"]; $i++) {
       $gidNumber = (int)$info[$i]["gidnumber"][0];
       if ($gidNumber > $_SESSION['authentication_level']) {
          $_SESSION['authentication_level'] = $gidNumber;
       }
       if ($gidNumber == $_SESSION['gid']) {
          $_SESSION['group'] = $info[$i]["cn"][0];
       }
       array_push($_SESSION['groups'],$info[$i]["cn"][0]);
    }
    return(1);
  }


-Gary
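The two-stage flow Patrick describes above (authenticate the username and password, then check that username for group membership) written out as an added example. This is not PmWiki code and not the populate script from the post; it is illustrative code added here. The host name, the ou=People / ou=Group base DNs, the memberUid attribute and the group names 'faculty', 'committee' and 'staff' are assumptions, and the sample search result at the bottom is constructed by hand in the shape ldap_get_entries() returns so the decision logic can be run without a directory.

```php
<?php
// Added example (not PmWiki's code and not the script from the post above):
// (1) authenticate the username and password, (2) check the username's
// groups against the groups the site allows to edit. Host name, base DNs,
// attribute names and group names are assumptions.

// Escape a value for use inside an LDAP search filter (RFC 4515), so an
// attacker-chosen username such as "*" or "x)(uid=*" cannot widen the
// search. ldap_escape() exists from PHP 5.6; otherwise use the fallback.
function filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// Stage 1. Look the uid up (anonymous search assumed permitted, as in the
// posted script), require exactly one hit, then bind as that entry's DN
// with the supplied password. Returns the bound connection or false.
function ldap_authenticate($host, $peopleDn, $username, $password) {
    if ($password === '') {
        return false;   // an empty password would be an anonymous bind, which "succeeds"
    }
    $ds = ldap_connect($host);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $sr = @ldap_search($ds, $peopleDn, '(uid=' . filter_escape($username) . ')', array('uid'));
    $info = $sr ? ldap_get_entries($ds, $sr) : false;
    if (!$info || $info['count'] != 1 || !@ldap_bind($ds, $info[0]['dn'], $password)) {
        ldap_unbind($ds);
        return false;
    }
    return $ds;
}

// Stage 2. Fetch the posixGroup-style groups (memberUid) the user belongs to.
function ldap_user_groups($ds, $groupDn, $username) {
    $sr = @ldap_search($ds, $groupDn, '(memberUid=' . filter_escape($username) . ')', array('cn'));
    return $sr ? group_names(ldap_get_entries($ds, $sr)) : array();
}

// Pull the cn of each group out of an ldap_get_entries() result.
function group_names(array $entries) {
    $names = array();
    for ($i = 0; $i < $entries['count']; $i++) {
        if (isset($entries[$i]['cn'][0])) {
            $names[] = $entries[$i]['cn'][0];
        }
    }
    return $names;
}

// The authorization decision: any overlap with the allowed groups is enough.
function may_edit(array $userGroups, array $editorGroups) {
    return count(array_intersect($userGroups, $editorGroups)) > 0;
}

// Constructed sample shaped like ldap_get_entries() output, so the decision
// logic runs without a directory (the group names here are made up).
$sample = array(
    'count' => 2,
    0 => array('count' => 1, 'dn' => 'cn=faculty,ou=Group,dc=example,dc=edu',
               'cn' => array('count' => 1, 0 => 'faculty')),
    1 => array('count' => 1, 'dn' => 'cn=committee,ou=Group,dc=example,dc=edu',
               'cn' => array('count' => 1, 0 => 'committee')),
);
$groups = group_names($sample);
var_dump(may_edit($groups, array('faculty', 'staff')));   // member of an editor group
var_dump(may_edit($groups, array('staff')));              // not a member
var_dump(filter_escape('*)(memberUid=*'));                // wildcard and parens neutralised

// Against a live server (assumed host and DNs), the same pieces chain together:
// $ds = ldap_authenticate('ldap://ldap.example.edu', 'ou=People,dc=example,dc=edu', $user, $pass);
// if ($ds && may_edit(ldap_user_groups($ds, 'ou=Group,dc=example,dc=edu', $user), array('faculty'))) { ... }
```

The point of doing the lookup first and binding with the returned DN is that the user-supplied name never gets spliced into a DN string, and the only place it appears in a filter it is escaped; the empty-password check matters because many directories treat a bind with an empty password as an anonymous bind and report success. In a session-variable scheme like the one above, the result of ldap_user_groups() is what would be stored in $_SESSION['groups'] for the page-level privilege checks.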




More information about the pmwiki-users mailing list