migrating or onboarding existing users using LDAP and groups based ACLs

Nick Coghlan ncoghlan at gmail.com
Wed May 27 22:46:26 EDT 2015


On 27 May 2015 at 23:41, Thomas De Schampheleire
<patrickdepinguin at gmail.com> wrote:
> It does nothing for the groups though.

I haven't needed to do anything like this for Kallithea, but Todd's
problem sounds very similar to one we had to deal with for
beaker-project.org.

Rather than building the ability to retrieve group details from LDAP
directly into the main web service, we instead wrote a
"beaker-refresh-ldap" script that is installed on the main server, and
hence can be configured by administrators to run periodically in cron
to sync the group membership in Beaker with the relevant LDAP groups:
https://beaker-project.org/docs/admin-guide/interface.html#groups

If the sysadmin knows LDAP has changed in a way relevant to the
service, then they can also force the sync script to run immediately.

The implementation details are thoroughly Beaker specific (as the
script runs on the server and manipulates the database directly:
https://git.beaker-project.org/cgit/beaker/tree/Server/bkr/server/tools/refresh_ldap.py),
but I expect something similar would likely work for Kallithea as
well.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
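
The out-of-band sync described in the message above can be sketched as follows. This is an added example, not Beaker's refresh_ldap.py and not code from the post; the table layout, the `lookup_members` callable and `DirectoryUnavailable` are hypothetical, and the directory contents are constructed so the block runs offline.

```python
import sqlite3

class DirectoryUnavailable(Exception):
    """Raised by the lookup callable when the directory cannot be queried."""

def refresh_ldap_groups(db, lookup_members):
    """Reconcile each LDAP-backed group in the app database with the directory.

    Returns {group: (added, removed)}. Groups whose lookup failed are skipped.
    """
    changes = {}
    groups = [r[0] for r in db.execute("SELECT name FROM groups WHERE ldap = 1")]
    for group in groups:
        try:
            wanted = set(lookup_members(group))
        except DirectoryUnavailable:
            continue  # a failed query is not an empty group: keep current ACLs
        current = {r[0] for r in db.execute(
            "SELECT username FROM membership WHERE group_name = ?", (group,))}
        added, removed = sorted(wanted - current), sorted(current - wanted)
        with db:  # one transaction per group, so a crash never leaves it half-synced
            db.executemany("INSERT INTO membership VALUES (?, ?)",
                           [(group, u) for u in added])
            db.executemany(
                "DELETE FROM membership WHERE group_name = ? AND username = ?",
                [(group, u) for u in removed])
        if added or removed:
            changes[group] = (added, removed)
    return changes

def build_demo_db():
    """Constructed application state: two LDAP-backed groups and one local group."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE groups (name TEXT PRIMARY KEY, ldap INTEGER);
        CREATE TABLE membership (group_name TEXT, username TEXT,
                                 PRIMARY KEY (group_name, username));
        INSERT INTO groups VALUES ('devs', 1), ('ops', 1), ('local-admins', 0);
        INSERT INTO membership VALUES ('devs', 'alice'), ('devs', 'bob'),
                                      ('ops', 'carol'), ('local-admins', 'dave');
    """)
    return db

def demo_lookup(group):
    """Constructed directory: bob left devs, erin joined; the ops query fails."""
    if group == "ops":
        raise DirectoryUnavailable(group)
    return {"devs": {"alice", "erin"}}[group]

if __name__ == "__main__":
    print(refresh_ldap_groups(build_demo_db(), demo_lookup))
```

With a periodic job like this, a user removed from an LDAP group keeps access in the application until the next run, which is why the forced immediate run mentioned in the message matters for revocations.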


More information about the kallithea-general mailing list