[LON-CAPA-admin] ldap authentication

Stuart Raeburn raeburn at msu.edu
Wed Jul 28 15:34:00 EDT 2010


Lars,

> There's one setting I don't understand, the "User preference to lock
> name" setting. What does this mean?

Thanks for reporting this.  The help file at

/adm/help/Domain_Configuration_Auto_Updates.hlp

needs to be updated to document this functionality (new in 2.9).

This setting is most useful where localenroll.pm has been customized  
to define different institutional user statuses/affiliations (e.g.,  
Faculty, Staff, Student etc.), and your institutional directory data  
includes affiliation for each user (which can then be stored within  
the inststatus field within LON-CAPA).

In this case you could, for example, check the checkbox for Faculty in  
the "User preference to lock name" row.  The result would then be that  
any user who was Faculty at your institution would receive an  
additional User preference:

"Automatic name changes"

Clicking the link to this displays a screen with the following:

"By default, based on your institutional affiliation, your LON-CAPA  
account can be automatically updated nightly based on directory  
information from your institution.
The following may be updated, unless you disallow updates:

     * First Name
     * Middle Name
     * Last Name


[X] Disallow automatic updates to name information for your LON-CAPA account"

where [X] is a checkbox.

This functionality then allows users to disable automated changes to  
the names stored for them within LON-CAPA in cases where Autoupdate is  
enabled in the domain, and would otherwise automatically synchronize  
names with the corresponding institutional data.

For example TMCC's LDAP might record your name as Lars Jensen, but  
within LON-CAPA you might want to be known as Prof Jensen.  (An  
equivalent request at MSU was the motivation for providing this  
functionality).

Although LON-CAPA already always provides a user preference for a  
"screen name" that name is settable by anyone, and is the name  
displayed in discussion postings/chat etc., but is not the name  
displayed at the top of the syllabus, in the course catalog, or on a  
user's "About Me" page etc.  In addition, some faculty might wish to  
post to discussions in a course using a pseudonym, but use a different  
"official" name in the syllabus etc.

Stuart Raeburn

Quoting Lars Jensen <ljensen at mail.tmcc.edu>:

> Hi Stuart,
>
> Thanks again for the reply. And thanks for directing me to the
> Autoupdate.pl script. It looks like I can configure everything from
> the DC screens so I don't have to edit the script at all, right?
> There's one setting I don't understand, the "User preference to lock
> name" setting. What does this mean?
>
> Thanks,
> Lars.
>
> On Tue, Jul 27, 2010 at 3:28 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
>> Lars,
>>
>>> In other words, I need to change both the authentication type and the
>>> student-ID in loncapa.
>>
>> Both the authentication type and the student-ID can be changed from the
>> Domain Coordinator's user interface if you upload a CSV file containing the
>> usernames and student-IDs for all the users.
>>
>> However, as a conduit to LDAP has now been established for retrieval of
>> StudentIDs for the tmcc domain I think the simplest thing to do is to only
>> change the authentication method via file upload, in which case your
>> uploaded file will simply be a list of usernames (one username per line) of
>> students for whom you are changing the authentication method.
>>
>> After uploading the file (as DC) you will need to select the "Yes" radio
>> button for:
>>
>> "Change authentication for existing users in domain "tmcc" to these
>> settings?"
>>
>> and you will check the radio button for default authentication to:
>>
>> "Local Authentication with argument"
>>
>> The argument will likely be left blank (this depends on what is expected by
>> your customized localauth.pm).
>>
>> You will want to check the: "No role changes" radio button.
>>
>>> Is there a way to have lon-capa re-read/update the student id of an
>>> existing user from the ldap server, much like loncapa auto-fills the
>>> student-ID of a new user upon first login?
>>
>> You can use the nightly Autoupdate.pl to synchronize user information (first
>> name, middle name, last name, permanentemail, and/or student/employee ID)
>> with user information available from your LDAP directory service. A Domain
>> Coordinator can configure (a) if the Autoupdate script should run; (b)
>> whether any changes should propagate to classlists for courses in which a
>> user has an active or future role; (c) which fields may be changed.
>>
>> In your case you would want the student/employee ID field to change (and
>> possibly others).
>>
>> Autoupdate will use the same routines established in your localenroll.pm to
>> connect to TMCC's LDAP service when gathering information for just one user,
>> except the initial call will be to localenroll::allusers_info() instead of
>> localenroll::get_userinfo().
>>
>> By default Autoupdate runs at 3.30 am, but you can modify this by editing
>> the cron file: /etc/cron.d/loncapa
>>
>>
>>> In a previous email,
>>> you outlined two methods for switching users to ldap (see below). The
>>> problem is that none of these are good when a change of the student-ID
>>> is involved.
>>>
>>
>> Actually, the first of these methods can be used to change the studentID and
>> the authentication method, if your uploaded CSV file contains fields for
>> username and the new studentID for each student.
>>
>> In that case you would need to check the checkbox for: "Disable
>> Student/Employee ID Safeguard and force change of conflicting IDs (only do
>> if you know what you are doing.)" to change the student/employee ID.
>>  However, as I suggest above, if you have established a conduit to LDAP
>> directory information it is easier to use Autoupdate.pl to change the
>> studentIDs for student accounts already in your LON-CAPA domain.
>>
>> The process via file upload would take a significant amount of time (see bug
>> 5596).  This will be faster in LON-CAPA 2.10 which incorporates the fix to
>> that bug.
>>
>> For consistency you should also have the student-ID propagate into each
>> classlist.  To do this you would check the checkbox for:
>> "Update student/employee ID in courses in which user is active/future
>> student,
>> (if forcing change)."
>>
>> Stuart Raeburn
>>
>> Quoting Lars Jensen <ljensen at mail.tmcc.edu>:
>>
>>> Hi Stuart,
>>>
>>> Thanks so much for helping out with the switch to LDAP. Of course, all the
>>> existing lon-capa users on schubert are internally authenticated
>>> before. The question is how to switch them over. We also have another
>>> change made to all of our students because the college is switching
>>> student management system from SIS to Peoplesoft. As a result, every
>>> single student has been assigned a new student-ID. (The usernames of
>>> almost all students are unchanged during this change.) In other words,
>>> I need to change both the authentication type and the student-ID in
>>> loncapa. My questions have to do with how to do this. In a previous email,
>>> you outlined two methods for switching users to ldap (see below). The
>>> problem is that none of these are good when a change of the student-ID
>>> is involved.
>>>
>>> Is there a way to have lon-capa re-read/update the student id of an
>>> existing user from the ldap server, much like loncapa auto-fills the
>>> student-ID of a new user upon first login? If all the student-ID's of
>>> existing users are changed to blanks, will lon-capa update them from
>>> the ldap server once the user has been changed to local
>>> authentication?
>>>
>>> Thanks,
>>> Lars.
>>>
>>> On Fri, Jul 24, 2009 at 12:32 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
>>>>
>>>> Once you have localauth.pm configured and working you can switch existing
>>>> users to use LDAP by modifying the authentication type for them to
>>>> "localauth" (they are probably currently set to "internal").  One way to
>>>> do
>>>> this is to become the Domain Coordinator and proceed as follows:
>>>>
>>>> A. Go to Main Menu
>>>>
>>>> B. Click on "Create users or modify the roles and privileges of users"
>>>>
>>>> C. Click on  "Upload a File of Users"
>>>>
>>>> upload a file containing usernames of users for whom the authentication
>>>> mechanism is to be changed.
>>>>
>>>>
>>>> D. On the next page, identify the username field, and in the "Login Type"
>>>> section:
>>>>
>>>>  1. Change authentication for existing users in domain "msu" to these
>>>> settings
>>>>     to "Yes"
>>>>
>>>>  2. Select the radio button for "locally authenticated"
>>>>
>>>>  In the "Default domain" set the domain to tmcc (Truckee Meadows)
>>>>
>>>>  In the "Setting for assigning roles"
>>>>  1. Select the radio button for "No role changes"
>>>>
>>>>  Click "Update Users".
>>>>
>>>> This will take some time to complete.
>>>>
>>>> Another way to do this is to run a script at the command line, as the www
>>>> user which will modify the contents of the
>>>> /home/httpd/lonUsers/tmcc/$1/$2/$3/$username/passwd files for existing
>>>> users
>>>> to be:
>>>>
>>>> localauth:
>>>>
>>>> (where $1, $2 and $3 are the first, second and third characters in the
>>>> username, e.g., change the contents of
>>>> /home/httpd/lonUsers/tmcc/j/e/n/jensen/passwd).
>>>
>>> _______________________________________________
>>> LON-CAPA-admin mailing list
>>> LON-CAPA-admin at mail.lon-capa.org
>>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>>
>>
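
The command-line route described in the quoted 2009 message (rewriting each user's passwd file to "localauth:"), sketched here as an added example that is not code from LON-CAPA or from either correspondent. It assumes the passwd file has the form authtype:argument; the function names and the LONUSERS_DIR override are hypothetical, and usernames shorter than three characters are skipped because the thread does not say how they map to a path.

```shell
#!/bin/sh
# Added example, not LON-CAPA project code. Run as the www user.
# Usage (after sourcing): switch_to_localauth tmcc usernames.txt
# Assumption: passwd files hold "<authtype>:<argument>" on the first line.
LONUSERS_DIR="${LONUSERS_DIR:-/home/httpd/lonUsers}"   # hypothetical override

# passwd_path DOMAIN USERNAME -> prints the passwd path; returns 1 for a
# name that must not be turned into a path (odd characters, leading dot,
# or fewer than three characters).
passwd_path() {
    case "$2" in
        ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#2}" -ge 3 ] || return 1
    c1=$(printf '%s' "$2" | cut -c1)
    c2=$(printf '%s' "$2" | cut -c2)
    c3=$(printf '%s' "$2" | cut -c3)
    printf '%s/%s/%s/%s/%s/%s/passwd\n' \
        "$LONUSERS_DIR" "$1" "$c1" "$c2" "$c3" "$2"
}

# switch_to_localauth DOMAIN USERFILE (one username per line).
# Only files whose current type is "internal" are rewritten; the original
# is kept as passwd.bak. Returns non-zero if any user was skipped.
switch_to_localauth() {
    skipped=0
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        if ! file=$(passwd_path "$1" "$user"); then
            echo "SKIP $user: unsafe or too-short username"
            skipped=$((skipped + 1)); continue
        fi
        if [ ! -f "$file" ]; then
            echo "SKIP $user: no passwd file"
            skipped=$((skipped + 1)); continue
        fi
        current=$(head -n 1 "$file" | cut -d: -f1)
        if [ "$current" != "internal" ]; then
            echo "SKIP $user: auth type is '$current', not internal"
            skipped=$((skipped + 1)); continue
        fi
        # Truncating in place keeps the file's owner and mode.
        cp -p "$file" "$file.bak" && printf 'localauth:' > "$file" \
            && echo "OK $user"
    done < "$2"
    [ "$skipped" -eq 0 ]
}
```

Accounts that already use another authentication type are reported and left untouched, so the run can be repeated safely.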





