LDAP questions

francis Nart

Monday 20 June 2005 6:46:42 am

Hi,

We need an LDAP config but I don't quite get it.

We have one eZ install, we configure eZ so that it gets its login info from an LDAP server.
Problem is, where is the rights/rules info? In eZ? If so, what's the point of using LDAP if we have to duplicate the user in eZ with all the info?

Am I missing something here?

thanks for your help.

Arran Price

Monday 20 June 2005 7:04:43 pm

Hi Francis,
I'm not using LDAP with ezpublish but my understanding (and I'm sure and hope someone will point out if I'm wrong), is that yes you do store the roles/permissions inside ezpublish.
The point in using LDAP with ezpublish is simply to allow the same username/password to be managed across multiple applications from a single point. This is in most cases a big benefit.

Arran

Romain Chartier

Tuesday 21 June 2005 12:24:26 am

Hi,

If you set your site.ini as:

#LoginHandler[]=Standard
LoginHandler[]=LDAP

Then, LDAP is only used by ez the first time the user connects on the site. This creates a new user in DB. Then, when you want to modify user's password, it only modifies the DB and not LDAP.

When you want to log in with the new password, it doesn't work but with the old one (recorded into LDAP), it works.

It depends on your configuration, but when I use both login handlers, both passwords work to log in.

LoginHandler[]=Standard
LoginHandler[]=LDAP

Does anybody know if a modification of ez has been built to write user password updates into LDAP from ez?

Jonny Bergkvist

Tuesday 21 June 2005 1:35:30 am

Hi!

Changing LDAP-passwords from eZ is not supported in the LDAPHandler (but it is of course possible to make support for it).

I made a general howto on LDAP-setup, read it if you need some guidelines:
http://ez.no/community/user_groups/ezug_edu/forum_of_ezug_edu/creating_av_secure_ldap_enabled_ez_site

francis Nart

Wednesday 22 June 2005 5:40:26 am

Hello Jonny,

First of all, thanks for your reply and the link to your pdf doc.
But my question is still the same. Apparently, the rules/permissions still are in eZ and there is no sync between the LDAP and eZ (am I right?). If that's so... why use it, since you need to create your users in eZ AND in LDAP?

Or am I missing something here!
Or is it possible to set permissions only using groups in LDAP, so:

1 - create groups of users in eZ with permissions on content

2 - use LDAP to connect and use the groups in LDAP?

Is it possible? Is it a solution?

Again: if users have to be duplicated manually, I only see drawbacks...

Thanks

Francis.

Mikael Johansson

Tuesday 28 June 2005 2:54:25 am

I'm just getting started with eZpublish, but here is an idea (that I'm partly using already):

What we are doing is that when people log in for the first time, an LDAP query is done for the user's name, e-mail and group. The user is then added to the eZpublish database with the correct group and other details.

At subsequent logins, only the information in the eZpublish database is used (no LDAP query is made).

This works well if your ldap directory is fairly static, but I don't think it would be hard to do the query every time the user logs in and update the database accordingly.

I have based the code that adds users at login time on http://www.ez.no/community/forum/developer/adding_multiple_users

The code is called from within myLoginHandler (see http://ez.no/ez_publish/documentation/configuration/configuration/login_handler)

Mikael Johansson, Sweden
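
Added example, not part of the post above and not eZ Publish code: a Python sketch of the "query at every login and update the database" variant, with plain dictionaries standing in for the LDAP directory and the eZ Publish user table. `GROUP_MAP`, `sync_login`, `demo` and the sample data are assumptions made for illustration; a real handler would bind to the LDAP server instead of comparing a stored password.

```python
import hmac

# Hypothetical mapping: LDAP group -> local user group that carries the roles.
GROUP_MAP = {"editors": "Editors", "staff": "Members"}


def sync_login(directory, local_users, name, password):
    """Check the directory on every login and refresh the local shadow account.

    Returns the refreshed local record on success, None when login is denied.
    """
    entry = directory.get(name)
    if entry is None:
        # Account no longer exists in the directory: disable the cached copy
        # so the stale local record cannot be used to log in.
        if name in local_users:
            local_users[name]["enabled"] = False
        return None
    # Stand-in for an LDAP bind; constant-time comparison of the two values.
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None  # wrong password: deny, leave local data untouched
    local_group = GROUP_MAP.get(entry["group"])
    if local_group is None:
        return None  # unmapped directory group: grant nothing by default
    record = local_users.setdefault(name, {})
    record.update(mail=entry["mail"], group=local_group, enabled=True)
    return record


def demo():
    # Constructed sample data, not taken from any real directory.
    directory = {"alice": {"password": "s3cret",
                           "mail": "alice@example.org",
                           "group": "editors"}}
    local_users = {}
    first = dict(sync_login(directory, local_users, "alice", "s3cret"))
    directory["alice"]["group"] = "staff"   # group changed in LDAP
    second = dict(sync_login(directory, local_users, "alice", "s3cret"))
    del directory["alice"]                  # account removed from LDAP
    third = sync_login(directory, local_users, "alice", "s3cret")
    return first["group"], second["group"], third, local_users["alice"]["enabled"]


if __name__ == "__main__":
    print(demo())
```

The permissions stay attached to the local groups, and the directory only decides which local group a user lands in at each login.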

francis Nart

Tuesday 28 June 2005 3:01:52 am

thanks Mikael.