Managing user access and security

From LabTrove Documentation


Authentication methods

The system administrator establishes the authentication method when setting up the Trove, so each instance has a single method, determined by the plugin installed. The following methods are available:

  • OpenID
  • LDAP - if your institution provides an LDAP (Lightweight Directory Access Protocol) service
  • Local username and password table
  • Shibboleth

To view or alter the default authentication method, navigate to the install directory, open the config.php file and look for the line that sets plugins, for example:

$ct_config['plugins'] = array('login_openid','uri_samedb');

If your username has the Administrator authorisation level, LabTrove includes an Admin option at the top of the user interface. Click Admin to view a list of usernames and their authorisation levels. Note that with version 2.2 of LabTrove you cannot edit any personal details.


A user authenticating with OpenID will have the default authorisation level set by the configuration script. To inspect the default setting, navigate to the install directory, open the config.php file and look for the line that sets openid, for example:

$ct_config['openid']['default_user_type'] = 1;

The system administrator can increase the authorisation level by using the appropriate database function to alter the value of user_type for a specific user in the users table.


To use LDAP authentication, complete the following steps:

  1. Navigate to the install directory
  2. Edit the config.php file and add the following lines:
    $ct_config['ldap_url'] = "ldaps://";       // The URL of the LDAP server
    $ct_config['ldap_bind'] = "";              // Set to NULL for an anonymous bind
    $ct_config['ldap_bind_pass'] = "";
    $ct_config['ldap_scope'] = "OU=User, DC=EXAMPLE, DC=AC,DC=UK"; // The scope to run the LDAP search against.
  3. Enable the login_ldap plugin by editing the line that sets plugins as follows:
    $ct_config['plugins'] = array('login_ldap','uri_samedb');

To change the authorisation level for an individual user who is authenticating via LDAP, ask the LDAP administrator for your institution to make the change.


To use Shibboleth authentication, complete the following steps:

  1. Navigate to the top-level LabTrove directory.
  2. Edit the config.php file and add the following line:
    $ct_config['plugins'] = array('login_shib','uri_samedb');
  3. Follow the instructions for Setting up LabTrove as a Shibboleth Service Provider

Username and password

If you want to use a local username/password database, select the login_localdb plugin. You will need to run the following SQL to adjust the database so that it can store passwords:

ALTER TABLE  `users` ADD  `user_pass` VARCHAR(255) NOT NULL AFTER  `user_name` ;

To set up an initial admin user, run:

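-- NULL is assumed wherever the statement on this page had no value; use '' if the column is declared NOT NULL.
-- ENCRYPT() wraps the system crypt() call and is not available in MySQL 8.0.3 and later.
INSERT INTO `users` (`user_id`, `user_name`, `user_pass`, `user_openid`, `user_fname`, `user_email`, `user_image`, `user_type`, `user_enabled`, `user_uid`, `user_notes`)
 VALUES (NULL, 'admin', ENCRYPT('password'), NULL, 'Admin User', '', NULL, 3, 1, MD5(NOW()), NULL);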

This adds a user called 'admin' with the password 'password'. You can change the password in the SQL now, or later.

To manage users after that, log in as an administrator and click the Admin link at the top of the page. You will be able to add and edit users from there.

Authorisation levels

LabTrove defines authorisation levels according to the following layered model:

0 None - Users may log into the Trove, but may not view or modify content without administrator approval.

1 View - This is the default level, at which users can view posts but require authentication before adding a comment.

2 User - At this level, users can create posts and also their own E-notebook. Note that LabTrove will check the identity of a user attempting to change an E-notebook setting to ensure that the user is the owner.

3 Editor - At this level, users can read everything in the Trove, but can modify only their own posts or E-notebooks.

4 Admin - At this level, users can edit anything, although every change is attributed by user name.
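
As an added example (not part of LabTrove or its documentation), the following Python code reads the text of a config.php and reports the settings described on this page that deserve review: more or fewer than one login plugin, an OpenID default level above View, an LDAP URL that is not ldaps://, and an anonymous LDAP bind. The function names, the sample configurations and the host ldap.example.ac.uk are constructed for illustration; parsing is by regular expression and assumes one assignment per line.

```python
import re

# Authorisation levels as listed on this page.
LEVELS = {0: "None", 1: "View", 2: "User", 3: "Editor", 4: "Admin"}

def setting(text, *keys):
    """Raw PHP value last assigned to $ct_config['k1']['k2']..., or None.
    Commented-out lines are skipped because the match must start the line."""
    path = "".join(r"\[\s*['\"]%s['\"]\s*\]" % re.escape(k) for k in keys)
    hits = re.findall(r"^\s*\$ct_config" + path + r"\s*=\s*(.+?);", text, re.M)
    return hits[-1].strip() if hits else None

def audit(text):
    """Return a list of findings for the settings this page describes."""
    findings = []
    plugins = re.findall(r"['\"](\w+)['\"]", setting(text, "plugins") or "")
    logins = [p for p in plugins if p.startswith("login_")]
    if len(logins) != 1:  # the page: each instance has a single method
        findings.append("expected one login_* plugin, found %s" % logins)
    if "login_openid" in logins:
        raw = setting(text, "openid", "default_user_type")
        if raw is None or not raw.isdigit():
            findings.append("openid default_user_type missing or malformed")
        elif int(raw) > 1:  # above View: new users can create content
            findings.append("every new OpenID user starts at level %s (%s)"
                            % (raw, LEVELS.get(int(raw), "unknown")))
    if "login_ldap" in logins:
        url = (setting(text, "ldap_url") or "").strip("'\"")
        if not url.lower().startswith("ldaps://"):
            findings.append("ldap_url is not ldaps://")
        if (setting(text, "ldap_bind") or "").upper() == "NULL":
            findings.append("ldap_bind is NULL: anonymous bind")
    return findings

# Constructed sample config.php contents, not taken from a real install.
SAMPLE_WEAK = """<?php
$ct_config['plugins'] = array('login_openid','uri_samedb');
// $ct_config['plugins'] = array('login_ldap','uri_samedb');
$ct_config['openid']['default_user_type'] = 3;
"""
SAMPLE_LDAP = """<?php
$ct_config['plugins'] = array('login_ldap','uri_samedb');
$ct_config['ldap_url'] = "ldap://ldap.example.ac.uk";
$ct_config['ldap_bind'] = NULL;
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("ldap", SAMPLE_LDAP)):
        print(name, audit(cfg))
```

The ldaps:// check looks only at the URL scheme; it cannot tell whether a plain ldap:// connection is later upgraded with StartTLS.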
