[LON-CAPA-admin] ldap authentication

Stuart Raeburn raeburn at msu.edu
Tue Jul 27 18:28:13 EDT 2010


Lars,

> In other words, I need to change both the authentication type and  
> the student-ID in loncapa.

Both the authentication type and the student-ID can be changed from  
the Domain Coordinator's user interface if you upload a CSV file  
containing the usernames and student-IDs for all the users.

However, as a conduit to LDAP has now been established for retrieval  
of StudentIDs for the tmcc domain I think the simplest thing to do is  
to only change the authentication method via file upload, in which  
case your uploaded file will simply be a list of usernames (one  
username per line) of students for whom you are changing the  
authentication method.

After uploading the file (as DC) you will need to select the "Yes"  
radio button for:

"Change authentication for existing users in domain "tmcc" to these settings?"

and you will check the radio button for default authentication to:

"Local Authentication with argument"

The argument will likely be left blank (this depends on what is  
expected by your customized localauth.pm).

You will want to check the: "No role changes" radio button.

> Is there a way to have lon-capa re-read/update the student id of an
> existing user from the ldap server, much like loncapa auto-fills the
> student-ID of a new user upon first login?

You can use the nightly Autoupdate.pl to synchronize user information  
(first name, middle name, last name, permanentemail, and/or  
student/employee ID) with user information available from your LDAP  
directory service. A Domain Coordinator can configure (a) if the  
Autoupdate script should run; (b) whether any changes should propagate  
to classlists for courses in which a user has an active or future  
role; (c) which fields may be changed.

In your case you would want the student/employee ID field to change  
(and possibly others).

Autoupdate will use the same routines established in your  
localenroll.pm to connect to TMCC's LDAP service when gathering  
information for just one user, except the initial call will be to  
localenroll::allusers_info() instead of localenroll::get_userinfo().

By default Autoupdate runs at 3.30 am, but you can modify this by  
editing the cron file: /etc/cron.d/loncapa


> In a previous email,
> you outlined two methods for switching users to ldap (see below). The
> problem is that none of these are good when a change of the student-ID
> is involved.
>

Actually, the first of these methods can be used to change the  
studentID and the authentication method, if your uploaded CSV file  
contains fields for username and the new studentID for each student.

In that case you would need to check the checkbox for: "Disable  
Student/Employee ID Safeguard and force change of conflicting IDs  
(only do if you know what you are doing.)" to change the  
student/employee ID.  However, as I suggest above, if you have  
established a conduit to LDAP directory information it is easier to  
use Autoupdate.pl to change the studentIDs for student accounts  
already in your LON-CAPA domain.

The process via file upload would take a significant amount of time  
(see bug 5596).  This will be faster in LON-CAPA 2.10 which  
incorporates the fix to that bug.

For consistency you should also have the student-ID propagate into  
each classlist.  To do this you would check the checkbox for:
"Update student/employee ID in courses in which user is active/future student,
(if forcing change)."

Stuart Raeburn

Quoting Lars Jensen <ljensen at mail.tmcc.edu>:

> Hi Stuart,
>
> Thanks so much for helping out with the switch to LDAP. Of course, all the
> existing lon-capa users on schubert are internally authenticated
> before. The question is how to switch them over. We also have another
> change made to all of our students because the college is switching
> student management system from SIS to Peoplesoft. As a result, every
> single student has been assigned a new student-ID. (The usernames of
> almost all students are unchanged during this change.) In other words,
> I need to change both the authentication type and the student-ID in
> loncapa. My questions have to do with how to do this. In a previous email,
> you outlined two methods for switching users to ldap (see below). The
> problem is that none of these are good when a change of the student-ID
> is involved.
>
> Is there a way to have lon-capa re-read/update the student id of an
> existing user from the ldap server, much like loncapa auto-fills the
> student-ID of a new user upon first login? If all the student-ID's of
> existing users are changed to blanks, will lon-capa update them from
> the ldap server once the user has been changed to local
> authentication?
>
> Thanks,
> Lars.
>
> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
>>
>> Once you have localauth.pm configured and working you can switch existing
>> users to use LDAP by modifying the authentication type for them to
>> "localauth" (they are probably currently set to "internal").  One way to do
>> this is to become the Domain Coordinator and proceed as follows:
>>
>> A. Go to Main Menu
>>
>> B. Click on "Create users or modify the roles and privileges of users"
>>
>> C. Click on  "Upload a File of Users"
>>
>> upload a file containing usernames of users for whom the authentication
>> mechanism is to be changed.
>>
>>
>> D. On the next page, identify the username field, and in the "Login Type"
>> section:
>>
>>  1. Change authentication for existing users in domain "msu" to these
>> settings
>>     to "Yes"
>>
>>  2. Select the radio button for "locally authenticated"
>>
>>  In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>
>>  In the "Setting for assigning roles"
>>  1. Select the radio button for "No role changes"
>>
>>  Click "Update Users".
>>
>> This will take some time to complete.
>>
>> Another way to do this is to run a script at the command line, as the www
>> user which will modify the contents of the
>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing users
>> to be:
>>
>> localauth:
>>
>> (where $1, $2 and $3 are the first, second and third characters in the
>> username, e.g., change the contents of
>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>
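
The command-line method described in the quoted 2009 message, as an added example (not code from the original posts or from LON-CAPA). It assumes usernames of three or more characters from [A-Za-z0-9_-] and a passwd file whose first line reads `<authtype>:<argument>`; the function names are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not LON-CAPA code. Assumptions: usernames are 3+ characters
# from [A-Za-z0-9_-]; the first line of passwd reads "<authtype>:<argument>".

# Print <root>/<domain>/$1/$2/$3/<username>/passwd, or fail on an unsafe name.
passwd_path() {
    case $3 in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;   # blocks "/", "..", whitespace
    esac
    [ "${#3}" -ge 3 ] || return 1
    printf '%s/%s/%s/%s/%s/%s/passwd\n' "$1" "$2" \
        "$(printf %s "$3" | cut -c1)" "$(printf %s "$3" | cut -c2)" \
        "$(printf %s "$3" | cut -c3)" "$3"
}

# Usage: switch_to_localauth ROOT DOMAIN USER [apply]
# Prints: invalid | missing | skipped:<type> | would-change | changed
switch_to_localauth() {
    file=$(passwd_path "$1" "$2" "$3") || { echo invalid; return 0; }
    { [ -f "$file" ] && [ ! -L "$file" ]; } || { echo missing; return 0; }
    IFS= read -r current < "$file" || true   # file may lack a final newline
    case $current in
        internal:*) ;;                        # only touch internal accounts
        *) echo "skipped:${current%%:*}"; return 0 ;;
    esac
    [ "${4:-dry-run}" = apply ] || { echo would-change; return 0; }
    # Keep the old entry (it holds the password hash) for rollback; cp -p keeps
    # its owner and mode. Delete the .bak files once LDAP logins are verified.
    cp -p -- "$file" "$file.bak" && printf 'localauth:\n' > "$file" && echo changed
}

# Constructed sample tree (no real accounts) so the example runs offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/tmcc/j/e/n/jensen" "$root/tmcc/s/m/i/smith"
    printf 'internal:CONSTRUCTED-HASH\n' > "$root/tmcc/j/e/n/jensen/passwd"
    printf 'localauth:\n' > "$root/tmcc/s/m/i/smith/passwd"
    for user in jensen smith ../etc nobody; do
        echo "$user dry-run: $(switch_to_localauth "$root" tmcc "$user")"
    done
    echo "jensen apply: $(switch_to_localauth "$root" tmcc jensen apply)"
    echo "jensen again: $(switch_to_localauth "$root" tmcc jensen apply)"
    rm -rf "$root"
}
demo
```

Without the fourth argument the function only reports what it would do, so a full username list can be checked before any file is rewritten.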





