Versions Compared

Old Version 6

changes.mady.by.user James G. Reidy

Saved on

compared with

New Version 7

changes.mady.by.user James G. Reidy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The module is based on Adam Smith's work in the cul_common module. It uses cul_common's api for accessing LDAP data.
  • culauth contains
    • a form for the login dialog
    • a block to display the form in,
    • various hooks to catch the login
    • the login code
    • administrative form code to maintain a permit group setting
  • To trigger the CUWebAuth authentication, culauth jumps to a .php file in a protected directory using drupal_goto. Since the directory is protected, CUWebAuth takes over and presents the Cornell login dialog before the user gets to the .php file. The directory is protected by an .htaccess file containing this:
    Panel

    AuthName CORNELL
    AuthType All
    require valid-user

  • The actual .php file adds 2 cookies that tells culauth what the user's netid is.
    1. The user's netID
    2. A hash that confirms the other cookie was added by culauth
  • Given the authorized netid, the module creates a Drupal user account with that netid. No roles are assigned to the user.
  • Once the Drupal account is created, the authorized user can log in without a password - just click the log in button.
  • The CUWebAuth cookie expires at the end of the browser session. To log in after browser restart the user should have to go through CUWebAuth again. See these issues regarding ending sessions on various browsers and platforms.
  • With the default setup, the Drupal login session does not expire on browser restart. You can get in a situation where you are logged in to Drupal but there is no CUWebAuth cookie. This is not good. I think we should change our settings.php files to arrange for terminating Drupal login when the browser closes with:
    Panel

    ini_set('session.cookie_lifetime', 0);

  • culauth requires a module called Automated Logout that kills the Drupal session after an hour of inactivity. (The administrator of the site must remember to turn on this feature in the Automated Logout settings.)
  • The /admin/user/settings should be set to 'Only site administrators can create new user accounts.'. We don't want people who can log in via CUWebAuth creating accounts with their netid as a user name. We want to verify that they are still in the 'library' group whenever they log in.
  • This system works with the regular Drupal logins also. User #1 uses the regular login. Users outside of Cornell can be given accounts by the admin if necessary.
  • Here are some details about the culauth module.