Re: [phpGroupWare-users] Re: LDAP and batch create users
From: Dave Hall
Subject: Re: [phpGroupWare-users] Re: LDAP and batch create users
Date: Fri, 05 Jan 2007 11:12:09 +1100
On Wed, 2007-01-03 at 10:38 -0700, Raymond Chan wrote:
>
> Dave,
>
> Thanks for the helpful reply. Sorry I did not get back to you until
> now since I've been away for a while, but now I'm back trying to
> revisit my PHPgw issues again.
>
I hope you enjoyed the break.
> WARNING: this is an extremely long message, and I sincerely thank you
> for your time. I've got all these questions and ideas floating in my
> mind and hope someone can advise me on the best course of action...
No problem. We are here to help.
> Here it goes:
>
> You're correct in the sense that with me having at least 80 groups,
> that it may not be the best idea to put them all in separate
> domains--what if Professor A from domain 1 wants to all of a sudden
> share some files with Professor B from domain 55? The original
> thought to keep all groups in separate domains is because each is
> essentially a separate entity, but there will be rare occasions when
> they want to cross share. However, if this happens, there is no way
> to easily migrate a user from a different domain into a certain other
> domain to address the above problem, right?
>
Yes, that is a downside of this approach.
> Another issue with having so many domains is a huge drop down menu I
> will get for 80 groups. You put up a good point that I can have an
> auto-detect based on server host name in my VirtualHost config in
> Apache. However, cyber security policies have been tightening up at
> my University and they want everything in SSL now, and as far as I
> know I cannot have an SSL certificate for so many "sites" (phpgw
> domains) I will be hosting. I'd have to do some fancy stuff like
> using IP Aliasing for as many domains that I have to host multiple
> sites on a single IP through SSL.
>
You can use a "wildcard ssl certificate", such as
*.groupware.dept.uni.edu. I know some unis run their own internal
certificate authority. Maybe check with someone at uni who deals with
SSL to ensure you can be issued a wildcard cert.

If you can use a wildcard certificate then you should be ok. Just
create an SSL vhost something like:

    NameVirtualHost 10.20.30.40:443
    <VirtualHost 10.20.30.40:443>
        ServerName groupware.dept.uni.edu
        ServerAlias *.groupware.dept.uni.edu
        SSLEngine on
        SSLCertificateFile /path/to/groupware.dept.uni.edu.cert
        SSLCertificateKeyFile /path/to/groupware.dept.uni.edu.key
        DocumentRoot /path/to/docroot
        # and so on
    </VirtualHost>

Then in the DNS simply add a wildcard CNAME entry like so:

    *.groupware.dept.uni.edu CNAME groupware.dept.uni.edu

May be shortened, depending on zone file configuration.

> Do you foresee a problem in putting every group (perhaps 100+) in the
> same domain? I figure this is the only solution that will accommodate
> the flexibility I need. I can then create groups for each Professor's
> Lab and add all of this professor's employees to his/her group. Then
> I will set appropriate ACLs so that each group can only see their own
> stuff (files, calendars, etc). Does this seem plausible?
This won't be a problem.
> The main reason I wanted everyone under separate domains is so that
> I can assign a designated "lab manager" as admin within each group to
> take care of creating any new users within their group if the
> professor hires anyone new, and to maintain their own site. If I put
> everyone under the same domain, I will have to be the one that will
> have to manage users within at least 80 groups. This will get very
> time consuming and hairy.
>
You could code a custom app which creates new users and adds them to
groups the user has rights to. This might make life a little easier for
you.
> And as far as batch creating users...if I can grab the data from our
> LDAP and script out what user is supposed to be in what group... I
> don't know where to begin to batch create any users into PHPgw from
> these results w/ the appropriate group and app ACLs.
>
It is pretty easy. You would just need to add the user then add the
rights with the right userid. If you really need it and are nice to me,
I might be able to come up with some pseudo code to help get you
started :)
> Any advice about any of this is appreciated. I know I have a lot of
> general issues, and I thank you very much for your time and offering
> such an intuitive and easy to use software package and your help in
> supporting it. I've already gotten some good feedback from the one
> group I've been testing phpGW with (and these people are NOT tech
> savvy at all).
Glad to hear someone likes it :) I don't mind trying to help.
Cheers
Dave
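
The following is an added example, not part of the original message or of phpGroupWare. It checks which of the hostnames served by the vhost above are covered by a certificate's names, using the RFC 6125 rule that "*" stands for exactly one left-most label. The per-lab hostnames (lab1, lab55, a.b) and the two name lists are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list cover?
# Matching follows RFC 6125: "*" is only honoured as the whole left-most
# label, and it stands for exactly one label.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name (possibly wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels to the right of the wildcard,
        # so over-broad names such as "*.edu" are refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hosts):
    """Hosts the vhost will serve that no certificate name covers."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed input: ServerName from the message plus hypothetical
# hostnames that the ServerAlias / wildcard CNAME would route to the vhost.
VHOST_HOSTS = [
    "groupware.dept.uni.edu",          # ServerName
    "lab1.groupware.dept.uni.edu",     # hypothetical per-lab name
    "lab55.groupware.dept.uni.edu",    # hypothetical per-lab name
    "a.b.groupware.dept.uni.edu",      # hypothetical, two labels deep
]

# Two constructed certificate name lists to compare.
WILDCARD_ONLY = ["*.groupware.dept.uni.edu"]
WILDCARD_PLUS_BASE = ["*.groupware.dept.uni.edu", "groupware.dept.uni.edu"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_ONLY),
                         ("wildcard + base name", WILDCARD_PLUS_BASE)):
        print(f"{label}: not covered -> {uncovered(names, VHOST_HOSTS)}")
```

When requesting the certificate, asking for both the wildcard and the base name as subject alternative names avoids a name mismatch on the ServerName itself.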