LDAP Access Control

Owned by Brian Keese
Last updated: Mar 02, 2017 by Jon Cameron
1 min read

Avalon can be configured to grant item view access to members of LDAP groups.

The minimal requirement to make this work is the definition constants Avalon::GROUP_LDAP and Avalon::GROUP_LDAP_TREE in an initializer file. For example:

config/initializers/ldap.rb
require 'net/ldap'

module Avalon
	GROUP_LDAP = Net::LDAP.new
	GROUP_LDAP.host = 'ads.example.edu'
	GROUP_LDAP.authenticate 'cn=user,ou=Accounts,dc=ads,dc=example,dc=edu', 'password'

	GROUP_LDAP_TREE = 'dc=ads,dc=example,dc=edu'
end

When configured this way, every time a user logs into Avalon, LDAP is queried to determine the groups to which they belong. If the LDAP repository has a nested group structure, that structure will be searched recursively to determine all groups and sub-groups of which the user is a member.

When editing the access control for a media object, members of any group in the LDAP repository can be given access. To do this, the user begins typing the group name in the External Group box. Matching groups will be presented from which to choose. Once the appropriate group is selected, it is added by clicking the Add button

This works well with most ADS implementations of LDAP, but further configuration and some code overrides will be required for other LDAP implementations.

In particular, LDAP-related methods in app/models/user.rb and app/models/external_group.rb may need to be overridden.