[LON-CAPA-admin] ldap authentication
Lars Jensen
ljensen at mail.tmcc.edu
Tue Jul 27 19:24:50 EDT 2010
Hi Stuart,
Thanks again for the reply. And thanks for directing me to the
Autoupdate.pl script. It looks like I can configure everything from
the DC screens so I don't have to edit the script at all, right?
There's one setting I don't understand, the "User preference to lock
name" setting. What does this mean?
Thanks,
Lars.
On Tue, Jul 27, 2010 at 3:28 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
> Lars,
>
>> In other words, I need to change both the authentication type and the
>> student-ID in loncapa.
>
> Both the authentication type and the student-ID can be changed from the
> Domain Coordinator's user interface if you upload a CSV file containing the
> usernames and student-IDs for all the users.
>
> However, as a conduit to LDAP has now been established for retrieval of
> StudentIDs for the tmcc domain I think the simplest thing to do is to only
> change the authentication method via file upload, in which case your
> uploaded file will simply be a list of usernames (one username per line) of
> students for whom you are changing the authentication method.
>
> After uploading the file (as DC) you will need to select the "Yes" radio
> button for:
>
> "Change authentication for existing users in domain "tmcc" to these
> settings?"
>
> and you will check the radio button for default authentication to:
>
> "Local Authentication with argument"
>
> The argument will likely be left blank (this depends on what is expected by
> your customized localauth.pm).
>
> You will want to check the: "No role changes" radio button.
>
>> Is there a way to have lon-capa re-read/update the student id of an
>> existing user from the ldap server, much like loncapa auto-fill the
>> student-ID of a new user upon first login?
>
> You can use the nightly Autoupdate.pl to synchronize user information (first
> name, middle name, last name, permanentemail, and/or student/employee ID)
> with user information available from your LDAP directory service. A Domain
> Coordinator can configure (a) if the Autoupdate script should run; (b)
> whether any changes should propagate to classlists for courses in which a
> user has an active or future role; (c) which fields may be changed.
>
> In your case you would want the student/employee ID field to change (and
> possibly others).
>
> Autoupdate will use the same routines established in your localenroll.pm to
> connect to TMCC's LDAP service when gathering information for just one user,
> except the initial call will be to localenroll::allusers_info() instead of
> localenroll::get_userinfo().
>
> By default Autoupdate runs at 3.30 am, but you can modify this by editing
> the cron file: /etc/cron.d/loncapa
>
>
>> In a previous email,
>> you outlined two methods for switching users to ldap (see below). The
>> problem is that none of these are good when a change of the student-ID
>> is involved.
>>
>
> Actually, the first of these methods can be used to change the studentID and
> the authentication method, if your uploaded CSV file contains fields for
> username and the new studentID for each student.
>
> In that case you would need to check the checkbox for: "Disable
> Student/Employee ID Safeguard and force change of conflicting IDs (only do
> if you know what you are doing.)" to change the student/employee ID.
> However, as I suggest above, if you have established a conduit to LDAP
> directory information it is easier to use Autoupdate.pl to change the
> studentIDs for student accounts already in your LON-CAPA domain.
>
> The process via file upload would take a significant amount of time (see bug
> 5596). This will be faster in LON-CAPA 2.10 which incorporates the fix to
> that bug.
>
> For consistency you should also have the student-ID propagate into each
> classlist. To do this you would check the checkbox for:
> "Update student/employee ID in courses in which user is active/future
> student, (if forcing change)."
>
> Stuart Raeburn
>
> Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
>
>> Hi Stuart,
>>
>> Thanks so much for helping out with the switch to LDAP. Of course, all the
>> existing lon-capa users on schubert are internally authenticated
>> before. The question is how to switch them over. We also have another
>> change made to all of our students because the college is switching
>> student management system from SIS to Peoplesoft. As a result, every
>> single student has been assigned a new student-ID. (The usernames of
>> almost all students are unchanged during this change.) In other words,
>> I need to change both the authentication type and the student-ID in
>> loncapa. My questions have to do with how to do this. In a previous email,
>> you outlined two methods for switching users to ldap (see below). The
>> problem is that none of these are good when a change of the student-ID
>> is involved.
>>
>> Is there a way to have lon-capa re-read/update the student id of an
>> existing user from the ldap server, much like loncapa auto-fill the
>> student-ID of a new user upon first login? If all the student-ID's of
>> existing users are changed to blanks, will lon-capa update them from
>> the ldap server once the user has been changed to local
>> authentication?
>>
>> Thanks,
>> Lars.
>>
>> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
>>>
>>> Once you have localauth.pm configured and working you can switch existing
>>> users to use LDAP by modifying the authentication type for them to
>>> "localauth" (they are probably currently set to "internal"). One way to do
>>> this is to become the Domain Coordinator and proceed as follows:
>>>
>>> A. Go to Main Menu
>>>
>>> B. Click on "Create users or modify the roles and privileges of users"
>>>
>>> C. Click on "Upload a File of Users"
>>>
>>> upload a file containing usernames of users for whom the authentication
>>> mechanism is to be changed.
>>>
>>>
>>> D. On the next page, identify the username field, and in the "Login Type"
>>> section:
>>>
>>> 1. Change authentication for existing users in domain "msu" to these
>>> settings
>>> to "Yes"
>>>
>>> 2. Select the radio button for "locally authenticated"
>>>
>>> In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>>
>>> In the "Setting for assigning roles"
>>> 1. Select the radio button for "No role changes"
>>>
>>> Click "Update Users".
>>>
>>> This will take some time to complete.
>>>
>>> Another way to do this is to run a script at the command line, as the www
>>> user, which will modify the contents of the
>>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing
>>> users to be:
>>>
>>> localauth:
>>>
>>> (where $1, $2 and $3 are the first, second and third characters in the
>>> username, e.g., change the contents of
>>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>>
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
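The command-line method described in the quoted 2009 message, as an added example that is not part of the thread and not LON-CAPA code: it maps each username to its `passwd` file and rewrites only entries that are currently internal. Assumptions: the file holds `authtype:argument`, internal accounts start with `internal:`, usernames are restricted to `[A-Za-z0-9_.-]`, and the script name `switch_auth.sh` and the `DRY_RUN` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not LON-CAPA code. Assumptions: a passwd file holds
# "authtype:argument", internal accounts start with "internal:", and
# usernames are limited here to [A-Za-z0-9_.-] with at least 3 characters.

# Print the passwd path for one username; fail on names that could escape
# the lonUsers tree (empty, leading dot, "/" or any other character).
passwd_path() {  # args: base domain username
    case "$3" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#3}" -ge 3 ] || return 1   # $1/$2/$3 need three characters
    c1=$(printf %s "$3" | cut -c1)
    c2=$(printf %s "$3" | cut -c2)
    c3=$(printf %s "$3" | cut -c3)
    printf '%s/%s/%s/%s/%s/%s/passwd\n' "$1" "$2" "$c1" "$c2" "$c3" "$3"
}

# Returns 0 switched, 1 bad username, 2 no passwd file, 3 not internal
# (left untouched), 4 backup failed.
switch_to_localauth() {  # args: base domain username
    f=$(passwd_path "$1" "$2" "$3") || return 1
    [ -f "$f" ] && [ ! -L "$f" ] || return 2   # regular file, never a symlink
    case "$(cat "$f")" in
        internal:*) ;;
        *) return 3 ;;
    esac
    [ -n "${DRY_RUN:-}" ] && return 0          # report only, change nothing
    cp -p "$f" "$f.bak" || return 4            # old entry kept for rollback
    printf 'localauth:' > "$f"                 # blank argument, as in the message
}

# Usage (as www): sh switch_auth.sh /home/httpd/lonUsers tmcc < usernames.txt
# Prints "<code><TAB><username>" per line so failures can be reviewed.
if [ "$#" -ge 2 ]; then
    while IFS= read -r user; do
        rc=0
        switch_to_localauth "$1" "$2" "$user" || rc=$?
        printf '%s\t%s\n' "$rc" "$user"
    done
fi
```

The `passwd.bak` copies still contain the old internal entries, so remove them once LDAP logins have been verified.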