[SAC] LDAP in Drupal
Tyler Mitchell (OSGeo)
tmitchell at osgeo.org
Thu Jan 3 11:36:21 EST 2008
On 25-Dec-07, at 10:10 AM, Martin Spott wrote:
> So, this is my simplified proposal about how to make the OSGeo LDAP
> service a bit safer:
>
> 1.) Remove the LDAP Manager permissions from Drupal first;
> 2.) enable reasonable LDAP ACLs and, just in case this still proves to
> be necessary:
> 3.) fix broken LDAP clients;
> 4.) make the Drupal LDAP module bind to the directory as regular user
> only;
> 5.) while we are at it: completely disable unencrypted access to the
> LDAP directory;
> 6.) disable unencrypted HTTP logins on _all_ sites that authenticate
> against the OSGeo LDAP service;
> 7.) add an appropriate field in the LDAP user entry, request all Wiki
> users to create an OSGeo login and to enter their current Wiki user
> name .... this could relieve us from the need to manually
> correlate Wiki to OSGeo user accounts :-)

I have no concern about this approach, but don't know enough to help
do more than just #1. If these items can be handled by SAC, then I
think we will make some significant progress.

The only item that this does not address is that I would like to be
able to use Drupal to create new accounts as well; that was the other
reason for using Manager. This is so that we can register in a
single spot (i.e. a Drupal page) that also collects various
attributes during registration (i.e. user country, "want to be osgeo
member", etc). Is there a way through LDAP to allow a special
user to only create new accounts? If we can do this, I'd be really
happy :)

Tyler