Group Management Tool

The Group Management Tool (GMT) is an easy-to-install PHP web application for creating and managing groups of Shibboleth users with custom roles, so that these groups can be used for access control and authorization.

By automatically generating Apache .htaccess files and/or Shibboleth XMLAccessControl files, the GMT can restrict access to web server directories or locations on the same host based on the unique ID of a Shibboleth user. Group, role and user information can also be queried by other hosts via the PHP, Perl or Java modules that come with the GMT. This allows other applications to integrate the GMT's easy and straightforward user management functions. No database is needed because the GMT stores all the information in easy-to-edit flat text files.
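The following sketch shows the kind of per-group access file this describes, including the random placeholder entry for an empty group mentioned in the GMT 1.2.1 release notes below. It is an added example, not GMT source code: the function names, the attribute name `uniqueID`, the allowed ID character set and the sample IDs are assumptions, and the directives are those of Apache 2.4 with the Shibboleth module.

```php
<?php
// Added illustration, not GMT source. Attribute name, ID pattern and sample
// IDs are assumptions; directives are for Apache 2.4 with mod_shib.

/** Build .htaccess text that admits only the listed Shibboleth unique IDs. */
function buildHtaccess(array $uniqueIds, string $attribute = 'uniqueID'): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/D', $attribute)) {
        throw new InvalidArgumentException('Bad attribute name');
    }
    $values = [];
    foreach ($uniqueIds as $id) {
        // Reject whitespace, quotes and control characters so a stored ID
        // can never add a second value or a new directive to the file.
        if (!is_string($id) || !preg_match('/^[A-Za-z0-9._@-]{1,256}$/D', $id)) {
            throw new InvalidArgumentException('Rejected unique ID');
        }
        $values[$id] = true; // array keys de-duplicate the IDs
    }
    if ($values === []) {
        // Empty group: keep a Require line, but with an unguessable value,
        // so the directory stays closed instead of losing its rule.
        $values['placeholder-' . bin2hex(random_bytes(16))] = true;
    }
    $lines = [
        'AuthType shibboleth',
        'ShibRequestSetting requireSession 1',
        'Require shib-attr ' . $attribute . ' ' . implode(' ', array_keys($values)),
    ];
    return implode("\n", $lines) . "\n";
}

/** Write via temp file and rename so Apache never reads a partial file. */
function writeHtaccess(string $dir, array $uniqueIds): void
{
    $tmp = tempnam($dir, '.htaccess-');
    if ($tmp === false || file_put_contents($tmp, buildHtaccess($uniqueIds)) === false) {
        throw new RuntimeException('Cannot write access file');
    }
    chmod($tmp, 0644);
    if (!rename($tmp, $dir . '/.htaccess')) {
        throw new RuntimeException('Cannot replace access file');
    }
}

// Constructed sample data.
echo buildHtaccess(['123456@example.org', '789012@example.org']);
echo buildHtaccess([]); // placeholder entry, different on every call
```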

For a brief overview, see the GMT presentation or download the current GMT documentation.

Feature requests

  • API Function to query the role of a user (done)
  • Add user page shall optionally show only users from the same home organization/domain (done)
  • Support for multiple groups in one .htaccess file (done)
  • Support for XML Access control files (done)
  • SOAP as GMT interface protocol (REST-like protocol is used instead and libraries for PHP, PERL and JAVA are available)
  • API Write function to create groups, add/delete users via API calls from a remote host
  • Assign group membership depending on Shibboleth attributes

Please send bugs, feedback and feature requests to aai@switch.ch.

Versions

GMT 1.3.1 (2010-01-14)

This version includes the following new features:

  • Bug fix in the updateRecord function of the MySQL storage handler

Download AAIgmt 1.3.1

Just replace your current installation with this version. No further changes should be needed. As of now there is no script to migrate data stored in text files to a MySQL database.

GMT 1.3 (2009-12-18)

This version includes the following new features:

  • Added storage handler to store user data in a MySQL database instead of in CSV files

Just replace your current installation with this version. No further changes should be needed. As of now there is no script to migrate data stored in text files to a MySQL database.

GMT 1.2.1 (2009-06-03)

This version includes the following fixes and corrections:

  • Fixed a bug in the installation script that prevented the example modules files from being written if permissions were not set correctly. Thanks to Hans Zandbelt from SURFnet for reporting this.
  • Some more small CSS improvements
  • Group passwords are no longer shown in full on the group settings page. Only the first three characters are shown in clear.
  • The dummy placeholder entries in .htaccess files and XML access control files generated by the GMT now use the correct unique identifier attribute name, but for security reasons they contain a random attribute value to check for.

Just replace your current installation with this version. No further changes should be needed.

GMT 1.2 (2009-04-15)

This version includes the following new features:

  • API modules now support write functions
  • Small CSS improvements based on user feedback

Just replace your current installation with this version. No further changes should be needed.

GMT 1.1 (2008-11-07)

This version includes the following new features:

  • API modules now support getErrorCode function
  • GMT now supports attribute based group joining with regular expressions

Just replace your current installation with this version. No further changes should be needed.

GMT 1.0.1 (2008-02-13)

Mostly a bug fix release:

  • Fixed two minor typos in addGroup.php and a comment in the configuration file
  • Fixed regex in getSecondLevelDomain
  • Fixed behaviour of addUsers.php when the restrictUserList option is activated
  • Removed the outer table of some pages and made the layout use DIVs and CSS instead

Just replace your current installation with this version. No further changes should be needed.

GMT 1.0 (2007-10-04)

This version includes the following new features:

  • New and more secure protocol for the query module that can be used on external hosts
  • A Java module (so now there are modules for Perl, PHP and Java)
  • Dynamic generation of XMLAccess Control files for Shibboleth in addition to .htaccess files for Apache
  • New security/privacy features that allow hiding the listing of users
  • Custom roles can now be defined within three role classes. These roles then can be used in external applications that use the modules.
  • Sending emails to users that are removed from a group is now optional

Since the protocol for the modules has changed, you must replace all gmt_mod.php and gmt_mod.pm modules with the new ones. However, it's not necessary to adapt any code that uses these modules.

GMT 0.9 (2007-02-19)

This is another pre 1.0 release that underwent major structural changes which were necessary to add some of the features below. Therefore, it is not possible to directly upgrade from version 0.8. If you nevertheless want to upgrade your old version, the procedure is as follows:

  1. Make a backup of the existing GMT 0.8 installation
  2. Install GMT 0.9
  3. Use the GMTconverter script to convert the GMT 0.8 group files to the GMT 0.9 format
  4. Remove and add again all .htaccess files in the GMT in order to bring them to the new format
  5. Replace any PHP/Perl GMT modules you have already been using with the new ones from GMT 0.9

New features of GMT 0.9

  • Self-registration with group password
  • Application URL for each group
  • Refinement of the role model for group administrators
  • Better input validation
  • Logging
  • Improved manual
  • Cleaned up code
  • Version control
  • Store email addresses if they are available

Downloads

GMT 0.8

The goal of this initial version is to get feedback, bug reports and suggestions for improvements. Although the main functionalities should be working, there are a lot of things that still can be optimized or that could be added. The code and the file structure designed by the original author, Davide Marchetti, were modified moderately.