Re: One account for modifying directory and wiki



On Fri, 2017-11-17 at 07:46 -0500, John Lewis wrote:
> On Fri, 2017-11-17 at 12:51 +1000, William Brown wrote:
> > On Thu, 2017-11-16 at 11:26 -0500, John Lewis wrote:
> > > I want to have one account for modifying both an LDAP directory and
> > > a Mediawiki. What tactic would you use to do it?
> > 
> > I'm not sure this is a tough issue: the access controls are separate
> > in these cases.
> > 
> > On one hand from the LDAP directory management side, you only need
> > the ACIs/ACLs in place on the config/tree that would allow writes to
> > appropriate locations. There are plenty of docs on aci/acl placement
> > and construction for this.
> > 
> > From the mediawiki side, you can search users and use an ldap backend
> > to do password checks (binds) and then use groups to provide
> > authorization control as to "who" can access the wiki.
> > 
> > I hope that helps you,
> 
> Is that configuration self serviceable, as in the user can request
> their own account with the permissions I deem them to have?

What do you mean by this? As in "make it so anyone can login to the
wiki"? Just don't add access controls, i.e. group membership or filter
tests, in the media wiki ldap config. Then "anyone with a valid ldap
account" can login, with NO aci changes needed for openldap.

Hope that helps. If I recall, media wiki has great ldap connection
docs.



-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
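
Added example, not part of the original message: a sketch of the directory-side ACLs described in the thread, written as OpenLDAP `olcAccess` rules for `ldapmodify`. It assumes a cn=config deployment; the database DN, the `dc=example,dc=com` suffix, the `ou=people` subtree and the `cn=directory-editors` group are placeholders.

```ldif
# Assumption: the main database is olcDatabase={1}mdb; check yours with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=*)' dn
# "replace" overwrites the whole existing rule list, so merge these
# with the rules already in place rather than applying them blindly.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: password hashes. "anonymous auth" is what lets the wiki's
# bind (the password check) succeed without exposing the hash.
# slapd stops at the first matching "to" clause, so this must come
# before the broader rules below.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 1: write access to the managed subtree only for members of one
# group (group.exact defaults to groupOfNames/member). The same user
# entry that logs in to the wiki gains directory write access here
# through membership alone; no per-user ACL is needed.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by group.exact="cn=directory-editors,ou=groups,dc=example,dc=com" write
  by users read
  by * none
# Rule 2: everything else is read-only for authenticated users.
# Within a rule, the first matching "by" clause wins, and an unmatched
# requester gets no access.
olcAccess: {2}to *
  by users read
  by * none
```

With rules like these, restricting who can log in to the wiki remains a separate decision made in the wiki's LDAP configuration, as the reply above notes.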