phpgroupware-users

Re: [phpGroupWare-users] Re: LDAP and batch create users


From: Dave Hall
Subject: Re: [phpGroupWare-users] Re: LDAP and batch create users
Date: Fri, 05 Jan 2007 11:12:09 +1100

On Wed, 2007-01-03 at 10:38 -0700, Raymond Chan wrote:
> 
> Dave,
> 
> Thanks for the helpful reply.  Sorry I did not get back to you until
> now since I've been away for a while, but now I'm back trying to
> revisit my PHPgw issues again.  
> 

I hope you enjoyed the break.

> WARNING: this is an extremely long message, and I sincerely thank you
> for your time.  I've got all these questions and ideas floating in my
> mind and hope someone can advise me on the best course of action...

No problem.  We are here to help.

>  Here it goes:
> 
> You're correct in the sense that with me having at least 80 groups,
> that it may not be the best idea to put them all in separate
> domains--what if Professor A from domain 1 wants to all of a sudden
> share some files with Professor B from domain 55?  The original
> thought to keep all groups in separate domains is because each is
> essentially a separate entity, but there will be rare occasions when
> they want to cross share.  However, if this happens, there is no way
> to easily migrate a user from a different domain into a certain other
> domain to address the above problem, right?
> 

Yes, that is a downside of this approach.

> Another issue with having so many domains is a huge drop down menu I
> will get for 80 groups.  You put up a good point that I can have an
> auto-detect based on server host name in my VirtualHost config in
> Apache.  However, cyber security policies have been tightening up at
> my University and they want everything in SSL now, and as far as I
> know I cannot have an SSL certificate for so many "sites" (phpgw
> domains) I will be hosting.  I'd have to do some fancy stuff like
> using IP Aliasing for as many domains that I have to host multiple
> sites  on a single IP through SSL.
> 

You can use a "wildcard SSL certificate", such as
*.groupware.dept.uni.edu.  I know some unis run their own internal
certificate authority.  Maybe check with someone at uni who deals with
SSL to ensure you can be issued a wildcard cert.

If you can use a wildcard certificate then you should be ok.  Just
create an SSL vhost something like:

NameVirtualHost 10.20.30.40:443
<VirtualHost 10.20.30.40:443>
        ServerName groupware.dept.uni.edu
        ServerAlias *.groupware.dept.uni.edu
        SSLEngine on
        SSLCertificateFile /path/to/groupware.dept.uni.edu.cert
        SSLCertificateKeyFile /path/to/groupware.dept.uni.edu.key
        DocumentRoot /path/to/docroot
        # and so on
</VirtualHost>

Then in the DNS simply add a wildcard CNAME entry like so:

*.groupware.dept.uni.edu  CNAME groupware.dept.uni.edu

May be shortened depending on zone file configuration.

> Do you foresee a problem in putting every group (perhaps 100+) in the
> same domain?  I figure this is the only solution that will accommodate
> the flexibility I need.  I can then create groups for each Professor's
> Lab and add all of this professor's employees to his/her group.  Then
> I will set appropriate ACLs so that each group can only see their own
> stuff (files, calendars, etc).  Does this seem plausible?

This won't be a problem.

>   The main reason I wanted everyone under separate domains is so that
> I can assign a designated "lab manager" as admin within each group to
> take care of creating any new users within their group if the
> professor hires anyone new, and to maintain their own site.  If I put
> everyone under the same domain, I will have to be the one that will
> have to manage users within at least 80 groups.  This will get very
> time consuming and hairy.
> 

You could code a custom app which creates new users and adds them to
groups the user has rights to.  This might make life a little easier for
you.

> And as far as batch creating users...if I can grab the data from our
> LDAP and script out what user is supposed to be in what group... I
> don't know where to begin to batch create any users into PHPgw from
> these results w/ the appropriate group and app ACLs.
> 

It is pretty easy.  You would just need to add the user then add the
rights with the right userid.  If you really need it and are nice to me,
I might be able to come up with some pseudo code to help get you
started :)

> Any advice about any of this is appreciated.  I know I have a lot of
> general issues, and I thank you very much for your time and offering
> such an intuitive and easy to use software package and your help in
> supporting it.  I've already gotten some good feedback from the one
> group I've been testing phpGW with (and these people are NOT tech
> savvy at all).

Glad to hear someone likes it :)  I don't mind trying to help.

Cheers

Dave
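
A note on the wildcard certificate and vhost suggested in the message above, as an added example that is not part of the original e-mail: under RFC 6125 matching, "*" stands for exactly one left-most label, so a certificate naming only *.groupware.dept.uni.edu does not cover the bare ServerName or deeper names. The site label "lab1" and the helper names are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list cover?
# Hostnames reuse the example names from the message; "lab1" is constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # Reject empty labels such as ".groupware.dept.uni.edu".
    if any(not label for label in h_labels):
        return False
    # Everything right of the left-most label must match literally;
    # a "*" anywhere but the left-most position is never honoured.
    if "*" in "".join(p_labels[1:]) or p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        return True
    # Partial wildcards ("lab*") are treated as literals and so never match.
    return p_labels[0] == h_labels[0]


def uncovered_hosts(cert_names, hostnames):
    """Hostnames a client would reject for this certificate's name list."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Names the vhost answers for: ServerName, one site under ServerAlias,
# and a two-level name that the DNS wildcard would still resolve.
HOSTS = [
    "groupware.dept.uni.edu",
    "lab1.groupware.dept.uni.edu",
    "www.lab1.groupware.dept.uni.edu",
]

WILDCARD_ONLY = ["*.groupware.dept.uni.edu"]
WILDCARD_PLUS_BASE = ["*.groupware.dept.uni.edu", "groupware.dept.uni.edu"]

if __name__ == "__main__":
    print("wildcard only      :", uncovered_hosts(WILDCARD_ONLY, HOSTS))
    print("wildcard + base SAN:", uncovered_hosts(WILDCARD_PLUS_BASE, HOSTS))
```

When requesting the certificate, ask for both the wildcard and the base name as subject alternative names so the ServerName itself validates.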




