= What is it about? =
This page explains some setup details of the [[https://systemausfall.org]] drupal installation regarding the authentication and authorization module [[http://drupal.org/project/ldap_integration|ldap_integration]].

At the end of this page, you will find specific instructions for managing drupal roles on ''systemausfall.org''.

----
= ldapauth =
This module provides authentication service for drupal. That means:
 * users can log in without registration, if their account exists in a given ldap directory
 * no need for users to maintain separate passwords for different services of a site

== Setup ==
The initial setup is quite simple:
 * install the ldapauth module
 * go to ''Site configuration -> LDAP authentication''
 * create a new setup with an arbitrary name
 * enter the name or IP of the ldap server
 * define the base of the ldap tree that should be used for looking up users. For systemausfall this is:
{{{
sc=mailAccount,ou=people,o=neofaxe,dc=systemausfall,dc=org
}}}
 * define the ldap attribute of a user object that contains the username (used for login). For systemausfall this would be ''cn''
 * define the ldap attribute of the user object that contains the mail address (optional)

If your ldap server does not accept anonymous user lookups, then you may need to store credentials for an appropriate ldap account that should do the lookup.

The password check of the user is always done via an ldap ''bind'' request.

Now you should be able to log in with a user that does not exist in the drupal user registry (if it exists in the ldap directory).

== Maintenance ==
This module does not really require maintenance.

= ldapgroups =
This module allows you to map ldap groups to drupal roles.

The module supports a wide variety of ldap structures for user/group relationships, e.g.:
 * the DN of a user object contains the name of its group (one-dimensional hierarchy)
 * user objects contain references to group objects
 * group objects contain references to user objects

Beware A: the mapping only works ''before'' the first login of the user. Thus it is a nice feature to define permissions of future users before they start to use the drupal installation.

Beware B: the following steps use the third of the three mapping strategies of ''ldapgroups'' mentioned above. See [[http://drupal.org/node/118112|Configuration of ldap groups module]] for details.

== Setup ==
=== ldap directory ===
 * create an ldap object for a drupal role of a drupal site - this may involve changes of the ldap schema of your directory
 * an example drupal role could be the following:
{{{
# sao, drupal, Services, foo, systemausfall.org
dn: cn=bar-admin,sc=drupal,ou=Services,o=foo,dc=systemausfall,dc=org
objectClass: SAOservice
objectClass: drupalService
cn: sao
name: admin group of the bar drupal installation
}}}
 * add references to the appropriate ldap user objects to this group object:
{{{
admin: cn=john,ou=People,o=foo,dc=systemausfall,dc=org
}}}
 * during the first (!) login of this user, it will automatically become part of the drupal role ''bar-admin''
 * beware:
  * this only works for ldap authenticated users
  * remove a user if he logged in before his ldap membership was defined

=== drupal setup ===
 * ''Site configuration -> LDAP groups''
 * edit your previously created "ldapauth" setup
 * skip the start of the page and go to ''Group by entry'':
 * set the top base DN of your ldap directory that contains your drupal authentication groups, e.g.:
{{{
sc=drupal,ou=Services,o=foo,dc=systemausfall,dc=org
}}}
 * set the attribute that refers to user objects, e.g. ''admin'' (in the example above)
 * now every new user that logs in and is part of this group should automatically acquire the role ''bar-admin''
 * the permissions of this role need to be configured before, of course

== Maintenance ==
You should be aware that the group assignments of each user are stored by drupal. Thus it will not notice if you removed an ldap user from its ldap group object. The same goes for users who were created by drupal ''before'' they were added to an ldap group object. Manual synchronization is necessary in these cases.

= administering drupal roles on systemausfall.org =
 1. create a new service for a new drupal role for a specific web site:
{{{
ldap-admin.sh service_add drupal foo-admin "this is the admin group of the drupal installation foo"
}}}
 1. add admins to this group:
{{{
ldap-admin.sh service_add_admin drupal foo-admin john
}}}
 1. configure the ldapgroups settings for the site (base DN and the attribute that refers to user objects), e.g.:
{{{
cn=foo-admin,sc=drupal,ou=Services,o=neofaxe,dc=systemausfall,dc=org
adminOfService
}}}
 1. create a drupal role ''foo-admin'' (or do an initial login with one of the admin accounts)
 1. assign permissions to the ''foo-admin'' drupal role
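The manual synchronization needed by the ldapgroups Maintenance section above (and after the role procedure just described) can at least be checked for drift. The following Python script is an added example, not part of this wiki page or of the ldap_integration module: it assumes a constructed LDIF dump of the drupal role group objects in the layout shown above (user references in the ''adminOfService'' attribute from step 3) and a constructed dump of the roles drupal has stored, and reports which users hold a stale role or are missing one.

```python
# Added example: compare the ldap role group objects (page layout) with the
# role assignments drupal has cached, to find assignments that drifted apart.
import re

# Constructed sample LDIF: two drupal role groups, members referenced by DN.
LDIF = """\
dn: cn=foo-admin,sc=drupal,ou=Services,o=foo,dc=systemausfall,dc=org
objectClass: drupalService
cn: foo-admin
adminOfService: cn=john,ou=People,o=foo,dc=systemausfall,dc=org
adminOfService: cn=alice,ou=People,o=foo,dc=systemausfall,dc=org

dn: cn=foo-editor,sc=drupal,ou=Services,o=foo,dc=systemausfall,dc=org
objectClass: drupalService
cn: foo-editor
adminOfService: cn=bob,ou=People,o=foo,dc=systemausfall,dc=org
"""

# Constructed sample of what drupal currently stores: username -> roles.
DRUPAL_ROLES = {
    "john": {"foo-admin"},
    "bob": {"foo-editor"},
    "carol": {"foo-admin"},   # removed from the ldap group, role still cached
    # alice: added to the ldap group after her first login, so no role cached
}

def parse_groups(ldif, member_attr="adminOfService"):
    """Return {role: set(usernames)}. The role is the cn of the group DN,
    the username is the cn of each referenced user DN (ldapauth's login attribute)."""
    groups, role = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            role = re.match(r"dn:\s*cn=([^,]+),", line).group(1)
            groups[role] = set()
        elif role and line.startswith(member_attr + ":"):
            user_dn = line.split(":", 1)[1].strip()
            groups[role].add(re.match(r"cn=([^,]+),", user_dn).group(1))
    return groups

def find_drift(groups, drupal_roles):
    """Return (stale, missing): stale = (user, role) pairs drupal still grants but
    ldap no longer references; missing = pairs ldap references but drupal lacks
    (user existed before the group assignment). Roles with no ldap group are ignored."""
    stale, missing = set(), set()
    for role, members in groups.items():
        for user, roles in drupal_roles.items():
            if role in roles and user not in members:
                stale.add((user, role))
        for user in members:
            if role not in drupal_roles.get(user, set()):
                missing.add((user, role))
    return stale, missing
```

Each stale pair is a role to revoke in drupal by hand; each missing pair is a user to remove and let log in again, as the ldap directory section above describes.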