[OPEN-ILS-DEV] ***SPAM*** Re: LDAP Authentication Ideas

Dan Scott dan at coffeecode.net
Fri Dec 4 14:01:18 EST 2009


On Fri, 2009-12-04 at 11:56 -0500, Mike Rylander wrote:
<snip>
> A dojo module with the name matching the application would be supplied
> along with the backend service and would define the semantics of the
> call to open-ils.auth.authenticate.complete that it implements.  So,
> the openils dojo module would look at the protocol order, and for each
> not spelled "native" it would require that module.  For example:
> dojo.require('joes.random.ldap.authz.opensrf.application'); ... it
> would then loop over each, in the order specified, attempting to log
> the user in using the service-specific dojo plugin, which would supply
> the correct params to its matching implementation of
> open-ils.auth.authenticate.complete.
> 
> Thoughts?

One more wish that I don't think is covered by your napkin - and
possibly reflecting only Conifer's needs, although as more heterogeneous
consortia enter the scene it will likely be desired by more than just
Conifer - it would be nice to be able to associate a particular
configuration of a given auth method, or set of auth methods, with a
particular org_unit.

Concrete example: Laurentian University and the University of Windsor
would both love to use LDAP authentication. But Laurentian needs to
point at their own LDAP server, and Windsor needs to point at their own
LDAP server.

Maybe open-ils.auth/app_settings grows a <default> element, with
optional elements for org_unit shortnames that provide the auth method &
associated configuration for users based on their home_ou?
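
Added example, not part of the original message and not Evergreen code: one way the per-org_unit lookup suggested above could resolve an ordered set of auth methods from a user's home_ou, falling back to `<default>`. Only `<default>`, home_ou and the "native" method name come from the thread; the `<method>`, `<url>` and `<base_dn>` names, the shortnames LU and UW, and the example.org hosts are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample. <default> and home_ou come from the message; the
# <method>/<url>/<base_dn> names, shortnames LU/UW and hosts are assumptions.
SAMPLE_APP_SETTINGS = """
<app_settings>
  <default>
    <method name="native"/>
  </default>
  <LU>
    <method name="ldap">
      <url>ldaps://ldap.lu.example.org</url>
      <base_dn>ou=people,dc=lu,dc=example,dc=org</base_dn>
    </method>
    <method name="native"/>
  </LU>
  <UW>
    <method name="ldap">
      <url>ldaps://ldap.uw.example.org</url>
      <base_dn>ou=people,dc=uw,dc=example,dc=org</base_dn>
    </method>
  </UW>
</app_settings>
"""
REQUIRED = {"native": (), "ldap": ("url", "base_dn")}  # settings each method must carry

def load_auth_config(xml_text):
    """Parse into {block name: [(method, settings), ...]}, keeping method order."""
    config = {}
    for block in ET.fromstring(xml_text):
        methods = []
        for m in block.findall("method"):
            name = m.get("name")
            settings = {c.tag: (c.text or "").strip() for c in m}
            if name not in REQUIRED:
                raise ValueError(f"{block.tag}: unknown auth method {name!r}")
            missing = [k for k in REQUIRED[name] if not settings.get(k)]
            if missing:
                raise ValueError(f"{block.tag}/{name}: missing {missing}")
            methods.append((name, settings))
        if not methods:
            raise ValueError(f"{block.tag}: no auth methods configured")
        config[block.tag] = methods
    if "default" not in config:
        raise ValueError("app_settings needs a <default> block")
    return config

def methods_for(config, home_ou_shortname):
    """Ordered auth methods for a user's home_ou, else the <default> set."""
    return config.get(home_ou_shortname, config["default"])
```

The shortname passed to `methods_for` should come from the user's stored home_ou on the server, not from a value the login client supplies, so a client cannot choose which directory its credentials are checked against.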


