meeting-room-booking-system / mrbs-code

MRBS application code

How to create new privilege - MRBS-1.11.0 #204

Open jberanek opened 1 year ago

jberanek commented 1 year ago

Hello, good afternoon. I want to create a new privilege called "gatekeeper" that can create rooms and see users.

I am using MRBS version 1.11.0.

Reported by: viper007

Original Ticket: mrbs/patches/120

jberanek commented 1 year ago

See https://sourceforge.net/p/mrbs/patches/119/. What exactly do you want to do? Do you want all users to be able to create rooms, or just some?

Original comment by: campbell-m

jberanek commented 1 year ago

I need to create a privilege to assign to a user named "gatekeeper". MRBS has the privileges: none, user and administration. I want to create a new privilege called "gatekeeper" with permissions for specific sections; that is to say, a user with the "gatekeeper" privilege can access, create, edit and delete rooms and areas, and can create reservation reports.

Original comment by: viper007

jberanek commented 1 year ago

So they can do everything except create and edit users? Do you want them to be able to edit and delete other people's bookings? And what authentication type are you using?

Original comment by: campbell-m

jberanek commented 1 year ago

Exactly! They cannot create or edit users. Of course they can edit and delete other people's reservations. I am using authentication by db.

Original comment by: viper007

jberanek commented 1 year ago

I think you should be able to do this by setting in your config file

$max_level = 3;
$min_user_editing_level = 3;

and then editing the function is_admin() in mrbs_auth.inc and changing the line

  $required_level = (isset($max_level) ? $max_level : 2);

to

  $required_level = 2;

This will allow four levels (0, 1, 2 and 3) of user. You'll need to manually change the level of one of your admins from 2 to 3 in the user table so that they are able to create other users.

Original comment by: campbell-m
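The following is an added example, not MRBS code and not part of campbell-m's reply: a model of the four-level scheme described above, showing which checks each level passes with the config settings alone and after the is_admin() edit. Only is_admin() and the two config variables come from the thread; is_admin_before(), is_admin_after(), can_edit_users() and capabilities() are names made up here, and the assumption that user management is gated on $min_user_editing_level is taken from the advice to set it to 3.

```php
<?php
// Added example (not MRBS code): model of the level-based checks described
// in the comment above. Function names other than is_admin() are made up.

$max_level = 3;               // config.inc.php, as advised above
$min_user_editing_level = 3;  // only level 3 may create/edit users (assumed)

// MRBS's is_admin() as shipped: the required level follows $max_level,
// so with $max_level = 3 nobody below level 3 counts as an admin.
function is_admin_before(int $level, int $max_level): bool
{
    $required_level = $max_level;   // (isset($max_level) ? $max_level : 2)
    return $level >= $required_level;
}

// is_admin() after the edit: admin checks pass from level 2 upwards, so a
// level-2 "gatekeeper" and a level-3 full admin are both admins.
function is_admin_after(int $level): bool
{
    $required_level = 2;
    return $level >= $required_level;
}

// Assumed gate for user management: $min_user_editing_level.
function can_edit_users(int $level, int $min_user_editing_level): bool
{
    return $level >= $min_user_editing_level;
}

// Summarise what one level can do under both variants of is_admin().
function capabilities(int $level, int $max_level, int $min_user_editing_level): array
{
    return array(
        'level'        => $level,
        'admin_before' => is_admin_before($level, $max_level),
        'admin_after'  => is_admin_after($level),
        'edit_users'   => can_edit_users($level, $min_user_editing_level),
    );
}

foreach (range(0, $max_level) as $level) {
    $c = capabilities($level, $max_level, $min_user_editing_level);
    printf("level %d: admin(config only)=%s admin(after edit)=%s edit users=%s\n",
        $c['level'],
        $c['admin_before'] ? 'yes' : 'no',
        $c['admin_after']  ? 'yes' : 'no',
        $c['edit_users']   ? 'yes' : 'no');
}
```

The "config only" column is why the code edit is needed at all: raising $max_level to 3 on its own moves the admin threshold up to 3, so a level-2 user gets nothing extra and the existing level-2 admins lose admin access until one of them is moved to level 3. After the edit, level 2 passes every check that is gated on is_admin(), so a gatekeeper is kept away only from whatever is gated on $min_user_editing_level. Changing an admin's level directly in the user table is a privileged write; do it with the database client, not through the web UI.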

jberanek commented 1 year ago

Hello, is it possible to obtain a similar result using LDAP?

Original comment by: lidiometri

jberanek commented 1 year ago

What do you want to do in LDAP, as there is no ability to edit users anyway when using LDAP?

Original comment by: campbell-m

jberanek commented 1 year ago

Good morning. I use the roles branch.

I used Google as a translator.

I work in an Italian school. I have about 1600 students, 250 teachers and 80 various staff. We use Google's LDAP. I'm in the testing phase.

Sorry for the long message.

Teachers change often. When a new teacher arrives, they are added to LDAP and assigned to the group = "Teachers". This group is used as a mailing list for all general communications.

A) I would like all but a few teachers to be able only to view. (Done by creating a role that can only view and assigning it to the Teachers group.)

B) Some of the miscellaneous staff and some teachers can only insert and modify everyone's commitments, but not insert or modify areas, rooms, users and groups. These staff are placed in a group = "Activities".

Here I find a problem: a teacher who is in the group = "Teachers" and also in the group = "Activities" has view-only access. I wouldn't want to create a group just to deny modification to the Teachers, but if there is no other way I will.

C) Group administrators can do everything. This is already possible.

Thanks for your patience.

Original comment by: lidiometri

jberanek commented 1 year ago

Here I find a problem: a teacher who is in the group = "Teachers" and also in the group = "Activities" has view-only access. I wouldn't want to create a group just to deny modification to the Teachers, but if there is no other way I will.

I think that what's needed is the concept of configurable default permissions, either in the config file or through a web page. At the moment the default is that ordinary users have 'write' permissions. But if the default were that ordinary users have 'read' permissions only, then you could achieve what you want to do. Until that configuration option appears, you can modify the code by changing line 98 of lib/MRBS/Location.php from

      $result->permission = $result::WRITE;

to

      $result->permission = $result::READ;

Then you can grant write permission to the role used by the Activities group and you don't need to have a role for the Teachers because they will have the default permissions.

Original comment by: campbell-m
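The following is an added example, not code from the MRBS roles branch and not part of campbell-m's reply: a model of why lowering the default permission solves the "teacher in both groups" case. It assumes that roles only add permission on top of the default, which is the behaviour the advice above relies on; the page does not show how the roles branch actually combines several roles, so resolve_permission(), the READ/WRITE constants and the role mapping are all made up here, and only the group names come from the thread.

```php
<?php
// Added example (not MRBS code): grant-only permission resolution over a
// configurable default, with the two groups from the thread.

const READ  = 1;
const WRITE = 2;

// Hypothetical role mapping: once the default is READ, only the Activities
// group needs a role; Teachers get the default and need none.
$role_grants = array(
    'Activities' => WRITE,
);

// Start from the default and take the highest grant from any of the
// user's groups. Grants can only raise the permission, never lower it.
function resolve_permission(array $groups, int $default, array $role_grants): int
{
    $permission = $default;
    foreach ($groups as $group) {
        if (isset($role_grants[$group])) {
            $permission = max($permission, $role_grants[$group]);
        }
    }
    return $permission;
}

function label(int $permission): string
{
    return $permission === WRITE ? 'write' : 'read';
}

// Constructed users: a plain teacher, a teacher who is also in Activities,
// and a staff member who is only in Activities.
$users = array(
    'plain teacher'         => array('Teachers'),
    'teacher in Activities' => array('Teachers', 'Activities'),
    'staff in Activities'   => array('Activities'),
);

$defaults = array(
    WRITE => 'default WRITE (Location.php as shipped)',
    READ  => 'default READ  (Location.php line changed to $result::READ)',
);

foreach ($defaults as $default => $title) {
    echo $title, "\n";
    foreach ($users as $who => $groups) {
        printf("  %-22s -> %s\n", $who, label(resolve_permission($groups, $default, $role_grants)));
    }
}
```

With the default at WRITE every user above ends up with write access, because a grant-only scheme has nothing that can take a permission away; that is why, before the change, a restricting role on the Teachers group was the only lever, and why it also caught the teacher who belongs to Activities. With the default at READ the plain teacher stays read-only, the teacher in Activities gets write from that group's role, and no role on Teachers is needed.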

jberanek commented 1 year ago

Good morning. Thanks for the help, it worked fine.

I have one more request: the system is very slow in retrieving information from LDAP, not only at login but also every time you do anything.

Also, it seems to me that there is a problem when setting the variable $ldap_base_dn in config.inc.php. I do this to limit the search to only users who can access the system.

If the variable is set to $ldap_base_dn = array ('ou=Teachers,ou=Users,dc=myschool,dc=it', 'ou=Staff,ou=Administrative, ou=Users,dc=myschool,dc=it'); the system finds users in Teachers and in Staff and authenticates them. If I set the variable to $ldap_base_dn = array ('ou=Teachers,ou=Users,dc=myschool,dc=it', 'ou=Administrative, ou=Users,dc=myschool,dc=it'); the system finds users in Teachers and Administrative but does not authenticate Staff users.

Thank you for your patience

Original comment by: lidiometri

jberanek commented 1 year ago

Could you post your config settings for LDAP here please, omitting any confidential data?

Original comment by: campbell-m

jberanek commented 1 year ago

// 'auth_ldap' configuration settings
// I used stunnel

$ldap_host = "localhost";
$ldap_port = 1636;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = array('ou=Docenti,ou=Users,dc=myschool,dc=it',
                      'ou=GESTORI,ou=Users,dc=myschool,dc=it',
                      'ou=COLLABORATORI,ou=AMMINISTRATIVO,ou=Users,dc=myschool,dc=it');
$ldap_user_attrib = "uid";

//////////////////////////////////////
$ldap_dn_search_dn = "Myuser";
$ldap_dn_search_password = "Mypassword";
////////////////////////////////////////

$ldap_deref = LDAP_DEREF_SEARCHING;
$ldap_get_user_email = true;
$ldap_email_attrib = 'mail';
$ldap_name_attrib = 'cn';

// The DN of the LDAP group that MRBS admins must be in. If this is defined
$ldap_admin_group_dn = 'cn=agenda,ou=Groups,dc=myschool,dc=it';
$ldap_group_member_attrib = 'memberof';
$ldap_unbind_between_attempts = false;
$ldap_suppress_invalid_credentials = false;
$ldap_debug = false;
$ldap_debug_attributes = false;

Original comment by: lidiometri
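The following is an added example, not MRBS code and not part of lidiometri's report: a check of which configured $ldap_base_dn entry a user's DN falls under, with both DN strings normalised first so that attribute-type case and whitespace after a separator (as in 'ou=Administrative, ou=Users,...') do not affect the comparison. It is a diagnostic for the two base-DN settings quoted above, not a diagnosis of the report. The two base-DN arrays come from the thread; the uid entries are constructed, and normalise_dn(), dn_is_under() and matching_base() are names made up here. It needs PHP 8 for str_ends_with().

```php
<?php
// Added example (not MRBS code): is a user entry inside the subtree of one
// of the configured base DNs? Sample entries are constructed.

// Normalise a DN string: trim each RDN, lowercase the attribute type and
// trim spaces around '='. Escaped separators (\,) inside values are not
// handled, so keep this to plain OU/DC/UID style DNs like the ones above.
function normalise_dn(string $dn): string
{
    $rdns = array();
    foreach (explode(',', $dn) as $rdn) {
        $rdn = trim($rdn);
        if ($rdn === '') {
            continue;
        }
        $parts  = explode('=', $rdn, 2);
        $type   = strtolower(trim($parts[0]));
        $value  = trim($parts[1] ?? '');
        $rdns[] = $type . '=' . $value;
    }
    return implode(',', $rdns);
}

// True if $entry_dn is $base_dn itself or lies anywhere below it, i.e. what
// a subtree-scoped search from $base_dn could return. The leading ',' keeps
// the match on an RDN boundary (ou=otherusers must not match ou=users).
function dn_is_under(string $entry_dn, string $base_dn): bool
{
    $entry = normalise_dn($entry_dn);
    $base  = normalise_dn($base_dn);
    return $entry === $base || str_ends_with($entry, ',' . $base);
}

// First configured base DN that covers the entry, or null if none does.
function matching_base(string $entry_dn, array $base_dns): ?string
{
    foreach ($base_dns as $base) {
        if (dn_is_under($entry_dn, $base)) {
            return $base;
        }
    }
    return null;
}

// The two $ldap_base_dn settings from the report above.
$config_a = array('ou=Teachers,ou=Users,dc=myschool,dc=it',
                  'ou=Staff,ou=Administrative, ou=Users,dc=myschool,dc=it');
$config_b = array('ou=Teachers,ou=Users,dc=myschool,dc=it',
                  'ou=Administrative, ou=Users,dc=myschool,dc=it');

// Constructed entries: one teacher, one Staff user.
$entries = array(
    'uid=teacher1,ou=Teachers,ou=Users,dc=myschool,dc=it',
    'uid=staff1,ou=Staff,ou=Administrative,ou=Users,dc=myschool,dc=it',
);

foreach (array('config A' => $config_a, 'config B' => $config_b) as $name => $bases) {
    foreach ($entries as $dn) {
        printf("%s: %s -> %s\n", $name, $dn, matching_base($dn, $bases) ?? 'NOT under any base');
    }
}
```

Under both settings the Staff entry is covered on paper: by the ou=Staff base in config A and by the wider ou=Administrative base in config B, space after the comma included. The check only says whether the DN text is in scope; whether the directory actually returns the entry depends on the scope of the search MRBS issues and on what the search account is allowed to read below that base, neither of which this page settles. Running the check against the entry DNs the server returns (with $ldap_debug on) is a cheap way to separate a typo in $ldap_base_dn from a scope or directory-ACL problem.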

jberanek commented 1 year ago

@jberanek John - any ideas?

Original comment by: campbell-m