LDAP: Bind user option
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Wishlist | Unassigned |
Bug Description
My reading of the LDAP code is as follows:
1. When a user logs in, a $username is passed to the LDAP code
2. The field $idattr is searched in the LDAP for a value matching $username
3. If this is found, the password is authenticated against the LDAP
4. Return boolean value if auth succeeded or not
Problem:
Let's say I'm a post-secondary library that uses ActiveDirectory. On campus I generally use my LDAP username "jsmith" (ActiveDirectory's sAMAccountName or uid) to log in to services. I would like to be able to use this for SSO to Evergreen.
Unfortunately I'm also part of a consortium. Because the consortium contains many users, it's possible that "jsmith" is already taken as a username.
As a workaround we could use barcodes for usernames in Evergreen to avoid username collisions, but it means users will need to sign on with their barcode, whereas they use "jsmith" everywhere else on campus.
Unfortunately, it's not currently possible to easily solve this in Evergreen -- the Evergreen username must be found in an LDAP field.
I'd suggest having two settings:
- the existing $idattr
- another setting, let's call it $binduser
The initial authproxy should then make a Bind request to the LDAP with the $binduser, and if the Bind succeeds, return $idattr from the LDAP, for use by Evergreen to look up the EG user. (or something like that).
Thus in Evergreen, all my users could have a barcode as a username. The $idattr would be the field in LDAP containing the barcode. However, the $binduser could be sAMAccountName, meaning users would use their regular username to do the actual login.
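The two-setting flow described in this report, as an added example that is not Evergreen's own code: a user supplies their campus login and password, the entry whose $binduser attribute matches the login is located, a bind is attempted as that entry, and only on success is the entry's $idattr value (the barcode used as the Evergreen username) returned. The directory contents, the attribute names sAMAccountName and employeeNumber, and the FakeDirectory stand-in are constructed for the demo; a real deployment would issue the same search and bind against the LDAP server. The example also handles two failure modes the report does not spell out: an empty password (which LDAP servers treat as an unauthenticated bind that succeeds) and more than one entry matching the login.

```python
"""Added example, not Evergreen's own code: the bind-user flow proposed in
this bug, exercised against an in-memory stand-in for an LDAP directory.
Setting names ($binduser, $idattr) follow the bug; the directory contents,
attribute names and the FakeDirectory class are constructed for the demo."""

# Constructed sample directory keyed by DN. "employeeNumber" stands in for
# whichever LDAP attribute the library stores the patron barcode in.
SAMPLE_DIRECTORY = {
    "CN=John Smith,OU=Staff,DC=example,DC=edu": {
        "sAMAccountName": ["jsmith"],
        "employeeNumber": ["21234000123456"],
        "userPassword": ["correct horse"],
    },
    "CN=Mia Lee,OU=Students,DC=example,DC=edu": {
        "sAMAccountName": ["mlee"],
        "employeeNumber": ["21234000654321"],
        "userPassword": ["battery staple"],
    },
    # Two entries sharing a login name, to exercise the ambiguous-match path.
    "CN=Pat Dup,OU=Staff,DC=example,DC=edu": {
        "sAMAccountName": ["pdup"],
        "employeeNumber": ["21234000111111"],
        "userPassword": ["one"],
    },
    "CN=Pat Dup,OU=Students,DC=example,DC=edu": {
        "sAMAccountName": ["pdup"],
        "employeeNumber": ["21234000222222"],
        "userPassword": ["two"],
    },
}


class FakeDirectory:
    """Minimal stand-in for an LDAP server: equality search plus simple bind."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, attr, value):
        """Return [(dn, entry), ...] whose attr contains value (case-insensitive)."""
        return [(dn, e) for dn, e in self.entries.items()
                if any(v.lower() == value.lower() for v in e.get(attr, []))]

    def bind(self, dn, password):
        """Simple bind. As on real servers (RFC 4513 section 5.1.2), an empty
        password is an *unauthenticated* bind and is reported as success, so
        callers must never pass one through."""
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and password in entry.get("userPassword", [])


def authenticate(directory, login, password, binduser="sAMAccountName",
                 idattr="employeeNumber"):
    """Implement the proposed flow: find the entry whose $binduser attribute
    equals the supplied login, bind as that entry with the supplied password,
    and on success return the entry's $idattr value (the Evergreen username).
    Returns None on any failure."""
    if not password:
        return None  # refuse before the bind; see FakeDirectory.bind
    matches = directory.search(binduser, login)
    if len(matches) != 1:
        return None  # unknown login, or ambiguous: never pick one of several
    dn, entry = matches[0]
    if not directory.bind(dn, password):
        return None
    ids = entry.get(idattr, [])
    if len(ids) != 1:
        return None  # no barcode on the entry, or more than one: cannot map
    return ids[0]


if __name__ == "__main__":
    d = FakeDirectory(SAMPLE_DIRECTORY)
    print(authenticate(d, "jsmith", "correct horse"))  # 21234000123456
    print(authenticate(d, "jsmith", ""))               # None
    print(authenticate(d, "pdup", "one"))              # None (ambiguous)
```

The returned value is what Evergreen would then use to look up its own user record, so the local username (the barcode) never has to be typed by the patron and never needs to match the campus login name.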
Changed in evergreen: milestone: none → 3.3-beta1
Changed in evergreen: milestone: 3.3-beta1 → 3.3-rc
Changed in evergreen: milestone: 3.3-rc → 3.next
Changed in evergreen: milestone: 3.next → 3.4-beta1
Changed in evergreen: status: Fix Committed → Fix Released
Working branch user/jeffdavis/lp1786552-ldap-bind-user has an untested first pass at implementing this feature:
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1786552-ldap-bind-user