This sounds similar to what we have. The LDAP auth is in the apache config file and works fine. It was just when I added a local account matching my username that it failed. I logged out and was not able to log in again with any password that I had set, local or ldap. I renamed the local user (could not find the delete user) and was able to log in straight away with my ldap password.

This all seems very strange!

James

-----Original Message-----
From: racktables-users-bounce@xxxxxxxxxxxxx [mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Tyler J. Wagner
Sent: 18 November 2010 12:27
To: racktables-users@xxxxxxxxxxxxx
Subject: [racktables-users] Re: Tagging users

Hi James,

I do LDAP auth via Apache, and then just have local users. Are you doing it differently? This seems to work just fine.

My permissions are as so:

allow {$userid_1}
allow {root}
allow {$tab_default}
allow {$page_reports}
allow {usa admins} and {usa}
allow {uk admins} and {uk}
allow {noc_staff} and {$page_ipv4space}

Regards,
Tyler

On Thu, 2010-11-18 at 11:31 +0000, James Osbourn wrote:
> Hi Tyler,
>
> I tried adding myself a local account with a different password. I ended up
> locking myself out of the system. It seems that the local user took
> precedence over the LDAP user.
>
> This is going to cause problems when a user is forced to change their
> password and suddenly they can't log in to racktables. There must be a way
> to do this whether it's with local tags or ldap groups that you use to assign
> access.
>
> James
>
> -----Original Message-----
> From: racktables-users-bounce@xxxxxxxxxxxxx
> [mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Tyler J. Wagner
> Sent: 17 November 2010 14:41
> To: racktables-users@xxxxxxxxxxxxx
> Subject: [racktables-users] Re: Tagging users
>
> On Wed, 2010-11-17 at 11:36 +0000, James Osbourn wrote:
> > I have come to an environment where we are using rack tables and have found
> > it to be an interesting application.
> >
> > We are using ldap authentication from an AD domain and I have been asked
> > to setup security to grant different groups of users access to different
> > object for read and editing purposes.
> >
> > From what I have read I can create 2 tags one for the users and one for the
> > object and then I can grant permissions to user in the users tag to the
> > object in the object tag.
> >
> > However, I cannot see any way to tag users who are not defined locally in
> > the database. Am I getting this right or is there a different way to
> > achieve this?
>
> James,
>
> You are doing the same thing I am. As far as I know, you must create the
> users locally, and tag them. You can still use LDAP auth to authenticate
> them, and then it uses the matching local user's tags to determine
> permissions.
>
> Regards,
> Tyler
>

--
"Offending fundamentalists isn't my goal – but if it is an inevitable side-effect of defending human rights, so be it." -- Johann Hari
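
Added example, not part of the thread and not RackTables code: a simplified Python model of how the permission lines Tyler posted combine a local user's tags with object and page tags. It assumes rules are checked top to bottom, the first match decides and no match means deny; it handles only `and`-joined tags, and the tag sets passed to `decide` (including `$tab_edit`) are constructed.

```python
import re

# Permission lines copied from Tyler's message in the thread.
RULES = """\
allow {$userid_1}
allow {root}
allow {$tab_default}
allow {$page_reports}
allow {usa admins} and {usa}
allow {uk admins} and {uk}
allow {noc_staff} and {$page_ipv4space}
"""

TAG = r"\{([^{}]+)\}"
EXPR = re.compile(r"\{[^{}]+\}(\s+and\s+\{[^{}]+\})*")


def parse_rules(text):
    """Parse 'allow|deny {a} and {b}' lines into (decision, [tags]) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        decision, _, expr = line.partition(" ")
        expr = expr.strip()
        if decision not in ("allow", "deny") or not EXPR.fullmatch(expr):
            raise ValueError(f"unsupported statement: {line!r}")
        rules.append((decision, re.findall(TAG, expr)))
    return rules


def decide(rules, user_tags, object_tags, context_tags):
    """Model assumption: first matching rule wins, no match means deny."""
    present = set(user_tags) | set(object_tags) | set(context_tags)
    for decision, tags in rules:
        if all(tag in present for tag in tags):
            return decision
    return "deny"


if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Local user tagged "uk admins" editing a "uk" object, then a "usa" object.
    print(decide(rules, {"uk admins"}, {"uk"}, {"$tab_edit"}))
    print(decide(rules, {"uk admins"}, {"usa"}, {"$tab_edit"}))
    # LDAP-authenticated user with no tagged local account: no user tags at all.
    print(decide(rules, set(), {"uk"}, {"$tab_edit"}))
```

In this model a user who authenticates through LDAP but has no tagged local account can only match the rules that need no user tag, such as `allow {$tab_default}`.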