Managing user access and security

From LabTrove Documentation

Authentication methods

The system administrator establishes the authentication method when setting up the Trove, so each instance has a single method, determined by the plugin installed. The following methods are available:

  • OpenID
  • LDAP - if your institution provides an LDAP (Lightweight Directory Access Protocol) service
  • Local username and password table
  • Shibboleth

To view or alter the default authentication method, navigate to the install directory, open the config.php file and look for the line that sets plugins, for example:

$ct_config['plugins'] = array('login_openid','uri_samedb');

If your username has Administrator authorisation level, LabTrove includes an Admin option at the top of the user interface. Click Admin to view a list of usernames and their authorisation levels. Note that with version 2.2 of LabTrove you cannot edit any personal details.

OpenID

A user authenticating with OpenID will have the default authorisation level set by the configuration script. To inspect the default setting, navigate to the install directory, open the config.php file and look for the line that sets openid, for example:

$ct_config['openid']['default_user_type'] = 1;

The system administrator can increase the authorisation level by using the appropriate database function to alter the value of user_type for a specific user in the users table.

LDAP

To use LDAP authentication, complete the following steps:

  1. Navigate to the install directory
  2. Edit the config.php file and add the following lines:
$ct_config['ldap_url'] = "ldaps://adsldap.example.ac.uk";       // The URL of the LDAP server
$ct_config['ldap_bind'] = "";                                    // Set to NULL for an anonymous bind
$ct_config['ldap_bind_pass'] = "";
$ct_config['ldap_scope'] = "OU=User, DC=EXAMPLE, DC=AC,DC=UK";  // The scope to run the LDAP search against
// LDAP to users table mappings
$ct_config['ldap_nmap']['uname'] = "cn";
$ct_config['ldap_nmap']['dname'] = "displayname";
$ct_config['ldap_nmap']['email'] = "mail";
$ct_config['ldap_nmap']['uidsalt'] = "distinguishedname";
// Optional LDAP configuration
// $ct_config['ldap_protocol_version'] = 3;  // Use a particular LDAP protocol version.
// $ct_config['ldap_username_field'] = "uid"; // Use an alternative username field instead of cn.

// To restrict logins to an LDAP group, use ldap_member (an array, so it can hold multiple groups):
//   distinguishedname: the full group name
//   login: true/false, whether members of this group can log in
//   list: true/false, whether members of this group appear in the Add User dialog of the security group page
// $ct_config['ldap_member'][] = array('distinguishedname'=>"CN=GROUPNAME,DC=EXAMPLE, DC=COM",'login'=>true,'list'=>false);

// To add individual LDAP users who are not in one of those groups, use ldap_user (an array, so it can hold multiple users):
// $ct_config['ldap_user'][] = array('distinguishedname'=>"CN=USERNAME,DC=EXAMPLE, DC=COM",'login'=>true,'list'=>false);

  3. Enable the login_ldap plugin by editing the line that sets plugins as follows:

$ct_config['plugins'] = array('login_ldap','uri_samedb');
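The OpenID and LDAP settings above are the ones an administrator is most likely to get wrong, so here is an added example (not LabTrove project code) that parses the $ct_config assignments from a config.php text and flags settings worth reviewing. It assumes, following the comments on this page, that an empty or NULL ldap_bind means an anonymous bind, that a plain ldap:// URL means no transport encryption, that a missing ldap_member/ldap_user allowlist lets any directory account log in, and that a default_user_type above 1 gives new OpenID users rights beyond the View level; the config fragments are constructed samples.

```python
import re

# Constructed config.php fragments (not from a real Trove) using only the
# $ct_config keys this page documents, one risky LDAP setup and one OpenID setup.
LDAP_SAMPLE = """
$ct_config['plugins'] = array('login_ldap','uri_samedb');
$ct_config['ldap_url'] = "ldap://adsldap.example.ac.uk";
$ct_config['ldap_bind'] = "";
$ct_config['ldap_bind_pass'] = "";
// $ct_config['ldap_member'][] = array('distinguishedname'=>"CN=GROUPNAME,DC=EXAMPLE, DC=COM",'login'=>true,'list'=>false);
"""
OPENID_SAMPLE = """
$ct_config['plugins'] = array('login_openid','uri_samedb');
$ct_config['openid']['default_user_type'] = 2;
"""

# One uncommented `$ct_config[...] = value;` assignment per line. A line that
# starts with // is a PHP comment, so it is deliberately not matched.
ASSIGN = re.compile(r"^\s*\$ct_config((?:\[\s*(?:'[^']*')?\s*\])+)\s*=\s*(.+?);\s*$", re.M)

def unquote(value):
    return value.strip().strip("\"'")

def parse_config(text):
    """Map key tuples such as ('openid', 'default_user_type') to raw PHP values."""
    return {tuple(re.findall(r"'([^']*)'", m.group(1))): m.group(2).strip()
            for m in ASSIGN.finditer(text)}

def audit(text):
    """Return finding codes for a config.php text, in the order checked (assumed semantics)."""
    cfg = parse_config(text)
    active = re.findall(r"'([^']*)'", cfg.get(('plugins',), ''))
    findings = []
    if 'login_ldap' in active:
        if not unquote(cfg.get(('ldap_url',), '')).lower().startswith('ldaps://'):
            findings.append('LDAP_CLEARTEXT')      # user passwords would cross the wire unencrypted
        if unquote(cfg.get(('ldap_bind',), '')).upper() in ('', 'NULL'):
            findings.append('LDAP_ANON_BIND')      # directory search runs as an anonymous bind
        if ('ldap_member',) not in cfg and ('ldap_user',) not in cfg:
            findings.append('LDAP_NO_ALLOWLIST')   # any directory account can log in
    if 'login_openid' in active:
        level = unquote(cfg.get(('openid', 'default_user_type'), '1'))
        if level.isdigit() and int(level) > 1:
            findings.append('OPENID_DEFAULT_WRITE')  # new OpenID users start above View level
    return findings
```

Running audit(LDAP_SAMPLE) reports all three LDAP findings, while a config using ldaps://, a bind DN and an ldap_member entry reports none.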

Adding Admin Users

To change the authorisation level for an individual user who is authenticating via LDAP, to make them an admin user, you will need to manually update the database as follows:

1. Access the MySQL command line prompt for this database, replacing USER and DATABASE with the values defined for Y and Z in config.php, and then entering the password defined for X when prompted:

 mysql -u USER -p DATABASE

2. Assuming you know the username of the user (i.e. what they type in the username box when they log in), substitute USERNAME for this in the following command:

 UPDATE users SET user_type = 3 WHERE user_name = 'USERNAME';

If this is successful you should get a response like:

 Query OK, 1 row affected (0.00 sec)
 Rows matched: 1  Changed: 1  Warnings: 0

3. To exit the MySQL prompt type exit and press enter.

Shibboleth

To use Shibboleth authentication, complete the following steps:

  1. Navigate to the top-level LabTrove directory.
  2. Edit the config.php file and add the following line:
    $ct_config['plugins'] = array('login_shib','uri_samedb');
  3. Follow the instructions for Setting up LabTrove as a Shibboleth Service Provider

Username and password

If you want to use a local username/password database, you can select the plugin login_localdb. You will need to run the following SQL to alter the database so that it can store passwords:

ALTER TABLE `users` ADD `user_pass` VARCHAR(255) NOT NULL AFTER `user_name`;

In order to set up an initial admin user, you have to run:

INSERT INTO `users` (`user_id`, `user_name`, `user_pass`, `user_openid`, `user_fname`, `user_email`, `user_image`, `user_type`, `user_enabled`, `user_uid`, `user_notes`) 
 VALUES ('', 'admin', ENCRYPT('password'), '', 'Admin User', 'info@example.org', '', 3, 1, MD5(NOW()), '');

This will add a user called 'admin' with the password 'password'. You can change this now in the SQL or later.

To then manage users, log in as an administrator and click the Admin link at the top of the page. You will be able to add and edit users from there.

Authorisation levels

LabTrove defines authorisation levels according to the following layered model:

0 None - Users may log into the Trove, but may not view or modify content without administrator approval.

1 View - This is the default level, at which users can view posts but require authentication before adding a comment.

2 User - At this level, users can create posts and also their own Notebook. Note that LabTrove will check the identity of a user attempting to change a Notebook setting to ensure that the user is the owner.

3 Editor - At this level, users can read everything in the Trove, but can modify only their own posts or Notebooks.

4 Admin - At this level, users can edit anything, although every change is attributed by user name.
