[OPEN-ILS-DEV] ***SPAM*** Re: LDAP Authentication Ideas
Duimovich, George
George.Duimovich at NRCan-RNCan.gc.ca
Fri Dec 4 14:38:40 EST 2009
Dan/Mike,
We'd have the same requirements here at NRCan Library, since we could foresee being in a consortial environment somewhere down the road. And as noted in an earlier thread http://markmail.org/message/kkqmk6n4to7xj6ay we have users with and without LDAP access (but I think that seems covered in the 'napkin' sketch).
George Duimovich
NRCan Library / Bibliothèque de RNCan
-----Original Message-----
From: open-ils-dev-bounces at list.georgialibraries.org [mailto:open-ils-dev-bounces at list.georgialibraries.org] On Behalf Of Dan Scott
Sent: December 4, 2009 14:01
To: Evergreen Development Discussion List
Subject: Re: [OPEN-ILS-DEV] ***SPAM*** Re: LDAP Authentication Ideas
On Fri, 2009-12-04 at 11:56 -0500, Mike Rylander wrote:
<snip>
> A dojo module with the name matching the application would be supplied
> along with the backend service and would define the semantics of the
> call to open-ils.auth.authenticate.complete that it implements. So,
> the openils dojo module would look at the protocol order, and for each
> not spelled "native" it would require that module. For example:
> dojo.require('joes.random.ldap.authz.opensrf.application'); ... it
> would then loop over each, in the order specified, attempting to log
> the user in using the service-specific dojo plugin, which would supply
> the correct params to its matching implementation of
> open-ils.auth.authenticate.complete.
>
> Thoughts?
One more wish that I don't think is covered by your napkin - and possibly reflecting only Conifer's needs, although as more heterogeneous consortia enter the scene it will likely be desired by more than just Conifer - it would be nice to be able to associate a particular configuration of a given auth method, or set of auth methods, with a particular org_unit.
Concrete example: Laurentian University and the University of Windsor would both love to use LDAP authentication. But Laurentian needs to point at their own LDAP server, and Windsor needs to point at their own LDAP server.
Maybe open-ils.auth/app_settings grows a <default> element, with optional elements for org_unit shortnames that provide the auth method & associated configuration for users based on their home_ou?
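
An added illustration of the per-org_unit idea above combined with the ordered protocol loop from the quoted proposal; it is not code from Evergreen or from anyone in this thread. The settings shape, the shortnames, the LDAP URLs and the function names resolveAuthPlan and authenticate are all assumptions made for the example.

```javascript
// Hypothetical settings shape: a default plus per-org_unit overrides keyed by shortname.
// Shortnames and LDAP URLs are constructed sample values.
const authSettings = {
  default: { order: ['native'] },
  orgUnits: {
    LAURENTIAN: { order: ['ldap', 'native'], ldap: { url: 'ldaps://ldap.laurentian.example' } },
    WINDSOR: { order: ['ldap'], ldap: { url: 'ldaps://ldap.windsor.example' } },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return the ordered list of { method, config } to try for a user's home_ou.
function resolveAuthPlan(settings, homeOu) {
  // Own-property lookup so a shortname like "constructor" cannot select inherited keys.
  const entry = own(settings.orgUnits, homeOu) ? settings.orgUnits[homeOu] : settings.default;
  return entry.order.map((method) => {
    if (method === 'native') return { method, config: null };
    // Fail closed: a listed method with no configuration is an error, not a skip.
    if (!own(entry, method)) throw new Error(`no config for "${method}" at ${homeOu}`);
    return { method, config: entry[method] };
  });
}

// Try each method in order; backends maps method name -> (config, username, password) => boolean.
function authenticate(settings, user, password, backends) {
  for (const { method, config } of resolveAuthPlan(settings, user.homeOu)) {
    if (!own(backends, method)) throw new Error(`no backend loaded for "${method}"`);
    if (backends[method](config, user.name, password) === true) {
      return { ok: true, method };
    }
  }
  return { ok: false, method: null };
}
```

With this shape a Windsor user is only ever checked against Windsor's server, and a Laurentian user without an LDAP account still reaches the native check because that org_unit lists it second.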