
#2763 use of different user authentication methods

open
nobody
None
1
2023-06-05
2023-05-31
Anonymous
No

Hello,

User administration should be possible in several ways.

a) Read access => all campus IP addresses.
b) bookings of rooms => authentication via ldap ( type="ldap")
c) admins => authentication local database ( type="db" )

Is it possible to implement this?

Many greetings

Discussion

  • Campbell Morrison

    Are you not able to specify admins using an LDAP group? If not, then would you be able to use the config file to specify admins? If not, then you'd need to modify MRBS.

     
  • Anonymous

    Anonymous - 2023-06-01

    Hello,

    we can try this.

    However, this immediately leads to the next questions for us.

    If we set up the following groups.
    - MRBS-Admin
    - MRBS-Booker

    How can I have the users automatically receive rights depending on their LDAP group?

    Many greetings

     
  • Campbell Morrison

    You can do that using the $ldap_base_dn, $ldap_filter and $ldap_admin_group_dn config settings. See systemdefaults.inc.php for more details.

     
  • Anonymous

    Anonymous - 2023-06-02

    We now have the users and admins in different groups. With this we can limit the rights.

    What is still open now is the access for the admin, who can also set up rooms.

    Would you have an idea which setting I have forgotten?

     
  • Campbell Morrison

    Have you set the following?

    // The DN of the LDAP group that MRBS admins must be in. If this is defined
    // then the $auth["admin"] is not used.
    // This can be an array.
    $ldap_admin_group_dn = 'cn=admins,ou=whoever,dc=example,dc=com';
    
    // The LDAP attribute that holds group membership details. Used with
    // $ldap_admin_group_dn, above.
    // This can be an array.
    $ldap_group_member_attrib = 'memberof';
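
The group-based admin check that these two settings describe, as an added example that is not part of the thread and is not MRBS source code: a user counts as admin only if one of the configured membership attributes holds one of the configured admin group DNs. The function names and sample entries are hypothetical, and the DN normalisation assumes case-insensitive attribute values and no escaped commas.

```php
<?php
// Added illustration, not MRBS code. Function names are hypothetical.

// Normalise a DN for comparison: lower-case, no spaces around ',' or '='.
// Assumption: values match case-insensitively and contain no escaped commas.
function normalise_dn(string $dn): string
{
    $rdns = array_map(function (string $rdn): string {
        return implode('=', array_map('trim', explode('=', $rdn, 2)));
    }, explode(',', $dn));
    return strtolower(implode(',', $rdns));
}

// $entry maps attribute names to lists of values (constructed shape).
// $admin_group_dn and $member_attrib may each be a string or an array,
// following the "This can be an array" comments in the quoted settings.
function is_ldap_admin(array $entry, $admin_group_dn, $member_attrib): bool
{
    $wanted = array_map('normalise_dn', (array) $admin_group_dn);
    // Attribute names are compared case-insensitively (memberOf vs memberof).
    $entry = array_change_key_case($entry, CASE_LOWER);
    foreach ((array) $member_attrib as $attrib) {
        $values = $entry[strtolower($attrib)] ?? [];
        foreach ((array) $values as $group_dn) {
            if (in_array(normalise_dn($group_dn), $wanted, true)) {
                return true;
            }
        }
    }
    return false; // fail closed: no matching group means no admin rights
}

// Constructed sample entries, not real directory data.
$admin_group = 'cn=admins,ou=whoever,dc=example,dc=com';
$users = [
    'alice' => ['memberOf' => ['CN=Admins, OU=whoever, DC=example, DC=com']],
    'bob'   => ['memberOf' => ['cn=bookers,ou=whoever,dc=example,dc=com']],
    'carol' => [], // directory returned no membership attribute
];

foreach ($users as $name => $entry) {
    $role = is_ldap_admin($entry, $admin_group, 'memberof') ? 'admin' : 'not admin';
    echo $name . ': ' . $role . PHP_EOL;
}
```

A user whose entry lacks the membership attribute falls through to the non-admin result, which is the safe default when the directory does not expose `memberof`.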
    
     
  • Anonymous

    Anonymous - 2023-06-05

    The entries are present and working.

    The users of the group have admin rights, but cannot edit the rooms and users.
    This probably has to do with the fact that we adjusted the permissions as follows:

    $vocab_override['en']['level_0'] = 'none';
    $vocab_override['en']['level_1'] = 'view';
    $vocab_override['en']['level_2'] = 'user';
    $vocab_override['en']['level_3'] = 'admin';
    //
    // Customize the level default only 2
    $max_level = 3;
    //
    // adjust from which level the users can be edited
    $min_user_editing_level = 3;
    // display users only for admins
    // both lines necessary
    $min_user_viewing_level = 3;

    Many greetings

     
  • Campbell Morrison

    Ah yes, you are correct. I have now fixed this in the latest development code in 1ba4156. You can patch your system by applying the same changes to your lib/MRBS/Auth/AuthLdap.php file.

     
  • Campbell Morrison

    Actually you don't need to change your system. You just need to remove those changes from your config file, as those changes are meaningless with LDAP as there is no user editing anyway.