[Using Sakai] Sakai Instructor Roles/Permissions
Sam Ottenhoff
ottenhoff at longsight.com
Thu Aug 6 14:51:48 PDT 2009

Hi Laura,

It's pretty hard to diagnose without seeing the full jldap-beans.xml,
seeing the debug output, or doing an ldapsearch against your directory.

I would start out with a fresh jldap-beans.xml file. The first part of
your pasted code looks odd. It looks like you override the default
attributeMappings property in the first bean definition
(id="org.sakaiproject.user.api.UserDirectoryProvider"). Your second use
of the attributeMapping property looks correct. But the first use of it
looks incorrect. I would comment it out and try again.

--Sam

Laura McCord wrote:
> I'm still having difficulties mapping the user type to our ldap user
> attribute. I use the same attribute in our uPortal instance without any
> problems but when I include this attribute as a value to the key,
> groupMembership; nothing happens. Even when I set the default to be
> 'student' if nothing is found, still nothing appears. I'm using Sakai
> version 2.5.4 if that helps.
>
> Any further suggestions?
>
> This is what my jldap file looks like:
> ...
>     <property name="ldapAttributeMapper">
>         <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
>     </property>
>
>     <property name="attributeMappings">
>         <map>
>             <entry key="login"><value>uid</value></entry>
>             <entry key="distinguishedName"><value>fullName</value></entry>
>             <entry key="firstName"><value>givenName</value></entry>
>             <entry key="lastName"><value>sn</value></entry>
>             <entry key="email"><value>mail</value></entry>
>             <entry key="groupMembership"><value>eduPersonAffiliation</value></entry>
>         </map>
>     </property>
>
> </bean>
>
> <bean id="edu.amc.sakai.user.LdapAttributeMapper"
>       class="edu.amc.sakai.user.SimpleLdapAttributeMapper"
>       init-method="init"
>       singleton="true">
>
>     <property name="attributeMappings">
>         <map>
>             <entry key="login"><value>uid</value></entry>
>             <entry key="firstName"><value>givenName</value></entry>
>             <entry key="lastName"><value>sn</value></entry>
>             <entry key="email"><value>mail</value></entry>
>             <entry key="groupMembership"><value>eduPersonAffiliation</value></entry>
>         </map>
>     </property>
>
>     <property name="userTypeMapper">
>         <!-- Select one of the following beans -->
>         <!-- ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" /-->
>         <ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" />
>         <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
>     </property>
>
> </bean>
>
> <!-- EmptyStringUserTypeMapper assigns all users an
>      empty string as their Sakai "type" -->
> <bean id="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>       class="edu.amc.sakai.user.EmptyStringUserTypeMapper"
>       singleton="true" />
>
>
> <bean id="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>       class="edu.amc.sakai.user.EntryAttributeToUserTypeMapper"
>       singleton="true">
>     <property name="attributeValueToSakaiUserTypeMap">
>         <map>
>             <entry key="faculty"><value>faculty</value></entry>
>             <entry key="student"><value>student</value></entry>
>         </map>
>     </property>
>
>     <property name="logicalAttributeName">
>         <value>eduPersonAffiliation</value>
>     </property>
>
>     <!-- Optional. Defaults to false -->
>     <!-- <property name="returnLiteralAttributeValueIfNoMapping">
>         <value>false</value>
>     </property>
>     -->
>     <property name="defaultSakaiUserType">
>         <value>student</value>
>     </property>
>
> </bean>
>
> <bean id="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>       class="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper"
>       singleton="true">
>
>     <!-- Optional. Maps between container RDN values and
>          Sakai user types -->
>     <!-- property name="rdnToSakaiUserTypeMap">
>         <map>
>             <entry key="facultyStaff"><value>faculty</value></entry>
>             <entry key="students"><value>student</value></entry>
>         </map>
>     </property -->
>
>     <!-- Optional. Defaults to false. -->
>     <!-- property name="returnLiteralRdnValueIfNoMapping">
>         <value>false</value>
>     </property -->
>
> </bean>
>
> <!-- /// End Sample UserTypeMapper Beans /// -->
>
> </beans>
>
>
> John Leasia wrote:
>
>> Yes that's correct - the account types have to be different in order
>> to be able to permit site.add for one type and not permit it for the
>> other. You will also want to create (if not already there)
>> !user.template.<accounttype> realms for each account type you use
>> (using the Admin Realms tool)
>>
>> John
>>
>> Laura McCord wrote:
>>
>>> I only have the following set for site permissions under !user.template
>>> -> .auth:
>>> site.add.usersite
>>>
>>> However, if I include site.add here then that means that students would
>>> be able to add courses too, right? If this is true then I'll have to
>>> figure out how to differentiate between a student, staff, or faculty member.
>>>
>>> Thanks,
>>> Laura
>>>
>>>
>>> John Leasia wrote:
>>>
>>>
>>>> If the account type is empty, then the account should be checking the
>>>> !user.template realm for determining whether they can create sites or
>>>> not (via the site.add or site.add.course permission for the .auth role
>>>> in that realm). If you put in some account type for the user, then it
>>>> will pick up the permission from the !user.template.<accounttype>
>>>> realm if there is one, otherwise it should check just !user.template.
>>>>
>>>> What site.* permissions do you have set for the .auth role in the
>>>> !user.template realm?
>>>>
>>>> John
>>>>
>>>> Laura McCord wrote:
>>>>
>>>>
>>>>> No, that didn't work. I'm wondering if it is an LDAP issue like you
>>>>> suggest. When I look under 'Account' while I'm logged in as a faculty
>>>>> member I get an empty User Type. Should this be populated with 'faculty'
>>>>> or 'Instructor'? How is this information populated?
>>>>>
>>>>> Thanks,
>>>>> Laura
>>>>>
>>>>>
>>>>>
>>>>> Kara Stiles wrote:
>>>>>
>>>>>
>>>>>
>>>>>> site.add.course doesn't exist until 2.6.
>>>>>>
>>>>>> In 2.5 and other prior versions, all you need in order to create a course site is the site.add perm in your !user.template.xxxxx realm.
>>>>>>
>>>>>> If that doesn't work and you try the memory trick (step 5 below), it might be LDAP related.
>>>>>>
>>>>>> This config change may prove upsetting to some if your faculty members have the same user account type as the students. :)
>>>>>>
>>>>>> Kara Stiles
>>>>>> Senior Functional Consultant
>>>>>> rSmart
>>>>>> http://www.rsmart.com
>>>>>> ICQ: 396517169
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Laura McCord" <mccordl at southwestern.edu>
>>>>>> To: "Kara Stiles" <kara.stiles at rsmart.com>
>>>>>> Sent: Tuesday, August 4, 2009 9:55:46 AM GMT -07:00 U.S. Mountain Time (Arizona)
>>>>>> Subject: Re: [Using Sakai] Sakai Instructor Roles/Permissions
>>>>>>
>>>>>> Hi Kara,
>>>>>>
>>>>>> Yes, I remember you. You came down here with Kim, right? So glad to hear
>>>>>> from you.
>>>>>>
>>>>>> Thanks for the help. I did notice that I do not have a site.add.course
>>>>>> permission setting. I only have the following permissions for site: Do
>>>>>> I need to create a permission? If so, how do I do that?
>>>>>>
>>>>>> site.add
>>>>>>
>>>>>> site.add.usersite
>>>>>>
>>>>>> site.del
>>>>>>
>>>>>> site.upd
>>>>>>
>>>>>> site.upd.grp.mbrshp
>>>>>>
>>>>>> site.upd.site.mbrshp
>>>>>>
>>>>>> site.viewRoster
>>>>>>
>>>>>> site.visit
>>>>>>
>>>>>> site.visit.unp
>>>>>>
>>>>>>
>>>>>> -Laura
>>>>>>
>>>>>> Kara Stiles wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hi Laura,
>>>>>>>
>>>>>>> I remember meeting you long ago when I was a new staff member at Unicon.
>>>>>>>
>>>>>>> I'm at rSmart now.
>>>>>>>
>>>>>>> The user's ability to create new sites depends on the site.add and the site.add.course permission.
>>>>>>>
>>>>>>> 1. Go to the Realms tool in the admin workspace
>>>>>>> 2. Locate and select the !user.template.maintain realm (Alternatively, if your faculty members have the "registered" account type, you should select !user.template.registered instead)
>>>>>>> 3. Locate and select the .auth role
>>>>>>> 4. Click the site.add box and the site.add.course box and save your changes
>>>>>>> 5. You may need to go to the memory tool in the admin space and clear all caches for this to take immediate effect.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kara
>>>>>>>
>>>>>>> Kara Stiles
>>>>>>> Senior Functional Consultant
>>>>>>> rSmart
>>>>>>> http://www.rsmart.com
>>>>>>> ICQ: 396517169
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Laura McCord" <mccordl at southwestern.edu>
>>>>>>> To: sakai-user at collab.sakaiproject.org
>>>>>>> Sent: Tuesday, August 4, 2009 9:17:37 AM GMT -07:00 U.S. Mountain Time (Arizona)
>>>>>>> Subject: [Using Sakai] Sakai Instructor Roles/Permissions
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I need assistance with how Instructor roles are defined. When a faculty
>>>>>>> member logs in they are not given permission to add a new site. How do I
>>>>>>> grant them access to this ability?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Laura
>>>>>>> _______________________________________________
>>>>>>> sakai-user mailing list
>>>>>>> sakai-user at collab.sakaiproject.org
>>>>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>>>>>>
>>>>>>> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>>
>
>
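
The check suggested in the reply at the top of this thread can be scripted. The following is an added example, not part of the original messages and not Sakai code: it flags an `attributeMappings` property set directly on the provider bean and lists where that map diverges from the one on the bean that `ldapAttributeMapper` references. The function names, the sample XML (constructed, modeled on the pasted fragment) and the placeholder provider class are assumptions, as is a beans file without XML namespaces.

```python
import xml.etree.ElementTree as ET

PROVIDER_ID = "org.sakaiproject.user.api.UserDirectoryProvider"  # bean id named in the reply
# Constructed sample modeled on the pasted fragment; the provider class is a placeholder.
SAMPLE = """<beans>
  <bean id="org.sakaiproject.user.api.UserDirectoryProvider" class="PLACEHOLDER">
    <property name="ldapAttributeMapper">
      <ref bean="edu.amc.sakai.user.LdapAttributeMapper" />
    </property>
    <property name="attributeMappings"><map>
      <entry key="login"><value>uid</value></entry>
      <entry key="distinguishedName"><value>fullName</value></entry>
      <entry key="groupMembership"><value>eduPersonAffiliation</value></entry>
    </map></property>
  </bean>
  <bean id="edu.amc.sakai.user.LdapAttributeMapper"
        class="edu.amc.sakai.user.SimpleLdapAttributeMapper">
    <property name="attributeMappings"><map>
      <entry key="login"><value>uid</value></entry>
      <entry key="groupMembership"><value>eduPersonAffiliation</value></entry>
    </map></property>
  </bean>
</beans>"""

def mappings(bean):
    """Return the bean's attributeMappings as {logical key: LDAP attribute}, or None if unset."""
    prop = bean.find("property[@name='attributeMappings']")
    if prop is None:
        return None
    return {e.get("key"): (e.findtext("value") or "").strip() for e in prop.iter("entry")}

def audit(xml_text):
    """Flag attributeMappings set on the provider bean and list where it diverges from the mapper bean."""
    beans = {b.get("id"): b for b in ET.fromstring(xml_text).iter("bean")}
    provider = beans.get(PROVIDER_ID)
    own = mappings(provider) if provider is not None else None
    if own is None:
        return []  # nothing set on the provider bean, nothing to report
    findings = [f"{PROVIDER_ID} sets attributeMappings directly"]
    ref = provider.find("property[@name='ldapAttributeMapper']/ref")
    mapper = beans.get(ref.get("bean")) if ref is not None else None
    theirs = mappings(mapper) if mapper is not None else None
    for key in sorted(set(own) | set(theirs or {})):
        if theirs is not None and own.get(key) != theirs.get(key):
            findings.append(f"{key}: provider={own.get(key)!r} mapper={theirs.get(key)!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
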