Hi Dan.
1) I believe that they use the LDAP logins for their patrons to access
the OPAC but have native/local logins for their staff.
2) auth_proxy app_settings in our opensrf.xml:
<open-ils.auth_proxy>
    ...
    <app_settings>
        <enabled>true</enabled>
        <authenticators>
            <authenticator>
                <name>ldap</name>
                <module>OpenILS::Application::AuthProxy::LDAP_Auth</module>
                <hostname>somehost.somedomain.org</hostname>
                <basedn>dc=somedomain,dc=org</basedn>
                <authid>cn=admin_abc,cn=users,dc=somedomain,dc=org</authid>
                <id_attr>AccountName</id_attr>
                <password>Password</password>
                <login_types>
                    <type>staff</type>
                    <type>opac</type>
                </login_types>
                <org_units>
                    <unit>123</unit>
                </org_units>
            </authenticator>
            <authenticator>
                <name>native</name>
            </authenticator>
        </authenticators>
    </app_settings>
</open-ils.auth_proxy>
Let me know if you need me to make that into an attachment instead.

What didn't make sense to me at first when looking at the code was why
would it be trying the LDAP authenticator at all unless the org_unit
equaled 123?

When I looked at it long enough, it seems to me that what the original code:

    if ($authenticator->org_units and $args->{'org'})

is saying is only run this next test:

    next unless grep(/^(all|$args->{'org'})$/,
        @{$authenticator->{'org_units'}})

if we received an $args->{'org'}.

But, if you look at that 'next unless' test, I don't think we want to
run it only if we received an $args->{'org'}, I think we want to run it
no matter what if there is an $authenticator->org_units.

I think the result of the original code is that the system may try all
authenticators if there is not an $args->{'org'} regardless of if there
is an $authenticator->org_units set. Basically ignoring the fact that
there is an <org_units> for the <authenticator> in the config.

I think what my patch does is it says run the 'next unless' test if
there is an $authenticator->org_units regardless of if there is an
$args->{'org'}.

But, maybe I'm reading it wrong or there is a better way.
John
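
The difference between the two guards discussed in the message above, as an added example that is not part of the original message and not Evergreen's own code. It assumes plain hashes in place of the real authenticator objects, a hypothetical helper named candidates(), and a "patched" condition reconstructed from the description in the message, since the patch itself is not shown here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed data mirroring the config in the message: "ldap" is limited
# to org unit 123, "native" has no org_units restriction.
my @authenticators = (
    { name => 'ldap',   org_units => [123] },
    { name => 'native' },
);

# Hypothetical helper: returns the names of the authenticators that would
# be tried, in order. $require_org = 1 reproduces the original guard
# (filter only when the login carries an org); 0 applies the filter
# whenever the authenticator has org_units, as the message proposes.
sub candidates {
    my ($args, $require_org) = @_;
    # Treat a missing org as the empty string so the match below never
    # interpolates undef (an assumption of this example).
    my $org = defined $args->{org} ? $args->{org} : '';
    my @tried;
    for my $authenticator (@authenticators) {
        my $units = $authenticator->{org_units};
        if ($units and (!$require_org or $args->{org})) {
            next unless grep { /^(all|\Q$org\E)$/ } @$units;
        }
        push @tried, $authenticator->{name};
    }
    return @tried;
}

# Constructed login requests: no org supplied, the configured org, another org.
for my $case ({ label => 'no org',  args => {} },
              { label => 'org 123', args => { org => 123 } },
              { label => 'org 456', args => { org => 456 } }) {
    printf "%-8s original: %-12s patched: %s\n", $case->{label},
        join(',', candidates($case->{args}, 1)),
        join(',', candidates($case->{args}, 0));
}
```

Only the "no org" row differs between the two columns: with the original guard the org-restricted ldap authenticator is still tried, while the unconditional filter leaves only native.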