Topics covered: LDAP code/configuration sharing - Justin Filoseta & Alfred Bacon; Faculty profiles in Mercury - Joanie Chembars; and GRS & Do-It-Yourself roles - Bert Bee-Lindgren.
I. LDAP code & resource sharing - Justin Filoseta
Hacked code for LDAP in Drupal 6 demo-ed
- Phrase of the day: "LDAP tickles Drupal".
- 2nd best phrase: "Adelle is a great arm-twister"
FOUR (4) places to get people/profile data at GT:
- ldap.gatech.edu: only gives directory information, does fuzzing so might match more than you want it to
- whitepages.gatech.edu (open LDAP): does not fuzz, and no service acct needed to access directory info. Does not contain mail codes, office room numbers, various titles for faculty.
- GTAD (Tech's Windows Active Directory): gtad02.ad.gatech.edu. Must get a service account (not your primary gtaccount) to use, but is easy to get access to. Justin recommends getting 2 service accounts, so can use one when updating password for other. Helpful for getting departments, and don't need to store passwords to use. Edits you make will not stick (are overwritten). Can use GSSAPI (SASL).
- GTED (Tech's Enterprise Directory): Must get a service account, and also permissions for specific fields from data stewards. Hardest to get access to (with its sensitive information), but has best definitions of PEOPLE (unique identity) vs. ACCOUNTS (of which one person might have many, even just with their aliases). Tips: request WAY ahead of time; request ALL data you MIGHT need. Form to request access from data stewards.
Issues with LDAP & Drupal
- NOT easy to map GRS groups to Drupal roles
- Drupal automatically creates a drupal Role for every group (unless you tell it to do otherwise)
- LDAP has lots of repeated keys (lots of accounts for just one user, for example)
- Drupal stores ALL users in ITS DATABASE, and you can't get around that.
- Drupal automatically creates a drupal user for each ACCOUNT (instead of each PERSON/IDENTITY)
- LDAP module doesn't activate until USER logs in (so can't pre-populate with all users from permitted group). [Justin's hacky module allows a "fake" login, so user doesn't have to create an account and THEN go get permissions]
- Does not play well with the easier-to-install CAS authentication system, because it is a separate system.
II. LDAP configuration sharing - Alfred Bacon
- Maps LDAP entitlements to Drupal roles in LDAP module interface.
- Maps LDAP attributes to Drupal fields in module interface.
- Uses organic groups module to let people only edit their departments section of the intranet.
- Module now has ability to sync roles! (Runs nightly cron job, automatically adds new employees to intranet.)
- Uses an LDAP query to filter out only those roles that should access their intranet.
III. Faculty profiles in Mercury - Joanie Chembars
- Joanie gets access to secondary titles of faculty for website pages, using faculty profiles at hg.gatech.edu
IV. GRS & Do-It-Yourself roles - Bert Bee-Lindgren
Bert shows us the magic of GRS (GT Roles Service): a service that lets you make your OWN groups (as queries using other groups, or by creating your own 'flags') and get them into GTED!
- Roles are not overwritten (unless you set them to expire)
- Roles propogate from GTED to GTAD, too!
- Roles can be used to create Sympa mailing lists.
- Role example: fine-distinctions of what makes a "faculty" member or "employee" for your use case.
- GRS located at: roles.iam.gatech.edu
- Justin runs nightly diffs from GRS to catch any changes.
- After setting up a 'group' in GRS based on Alfred's LDAP query, all you need to put into the Drupal LDAP module is just: a short directory path wherein you've defined your group in GRS.
- There might be performance gains if you defined groups in GRS instead of doing LDAP queries (indexed subset already exists in GRS).
- Bert's helpful glossary of terms used in account and identity management at Tech.
- Technical description of GTED, including detailed Excel spreadsheets of the data Schema and data Dictionary, which list attributes (and a smaller cheat sheet PDF of most common attributes).