[OPEN-ILS-DEV] Re: LDAP Authentication Ideas
Mike Rylander
mrylander at gmail.com
Fri Dec 4 14:42:57 EST 2009
On Fri, Dec 4, 2009 at 2:01 PM, Dan Scott <dan at coffeecode.net> wrote:
> On Fri, 2009-12-04 at 11:56 -0500, Mike Rylander wrote:
> <snip>
>> A dojo module with the name matching the application would be supplied
>> along with the backend service and would define the semantics of the
>> call to open-ils.auth.authenticate.complete that it implements. So,
>> the openils dojo module would look at the protocol order, and for each
>> not spelled "native" it would require that module. For example:
>> dojo.require('joes.random.ldap.authz.opensrf.application'); ... it
>> would then loop over each, in the order specified, attempting to log
>> the user in using the service-specific dojo plugin, which would supply
>> the correct params to its matching implementation of
>> open-ils.auth.authenticate.complete.
>>
>> Thoughts?
>
> One more wish that I don't think is covered by your napkin - and
> possibly reflecting only Conifer's needs, although as more heterogeneous
> consortia enter the scene it will likely be desired by more than just
> Conifer - it would be nice to be able to associate a particular
> configuration of a given auth method, or set of auth methods, with a
> particular org_unit.
>
> Concrete example: Laurentian University and the University of Windsor
> would both love to use LDAP authentication. But Laurentian needs to
> point at their own LDAP server, and Windsor needs to point at their own
> LDAP server.
>
> Maybe open-ils.auth/app_settings grows a <default> element, with
> optional elements for org_unit shortnames that provide the auth method &
> associated configuration for users based on their home_ou?
>
I think that can be covered inside
joes.random.ldap.authz.opensrf.application ("joes" for short...), no?
joes would go looking for whatever it needs (pull the user record and
get the home_ou, get OU settings for that org defining the connection
dsn for that org's LDAP server, etc). So, in my example, maybe the
protocol names were misleading. I said <ldap> when a more descriptive
<ou-aware-ldap> name would be better. Does that help?
My goal right now is to try to sketch out the scaffolding needed to
make auth[z] pluggable. My plan for achieving that goal is to assume
that the details of configuration can be handled by the plugin
services that, ur, plug into a generalized structure, and that they
will have full access to the normal EG backend -- then we can
(hopefully) avoid retooling auth stuff when OAuth or RADIUS is
requested. They'll just become another service that implements the
right methods and a dojo plugin that constructs the method calls
correctly.
--
Mike Rylander
| VP, Research and Design
| Equinox Software, Inc. / The Evergreen Experts
| phone: 1-877-OPEN-ILS (673-6457)
| email: miker at esilibrary.com
| web: http://www.esilibrary.com
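An added sketch of the scaffolding discussed above (not Evergreen code, and not anything Mike or Dan posted): a configured protocol order, a client-side plugin per protocol that builds the params for its own implementation of open-ils.auth.authenticate.complete, and an "ou-aware-ldap" plugin that resolves home_ou to a per-org LDAP setting, which is how Dan's Laurentian/Windsor case is handled without touching the generic loop. All org settings, user records and backend behaviour are constructed stand-ins; there are no real OpenSRF, LDAP or Dojo calls.

```javascript
// Sketch of the pluggable-auth scaffolding from the thread: a configured
// protocol order, one client-side plugin per protocol building the params
// for open-ils.auth.authenticate.complete, and a backend stand-in per protocol.
// All data and services here are constructed; no real OpenSRF, LDAP or Dojo.

// Per-org_unit settings (Dan's Laurentian vs Windsor case), keyed by shortname.
const OU_SETTINGS = {
  LU:   { ldapDsn: 'ldap://ldap.example-lu.test' },
  UWIN: { ldapDsn: 'ldap://ldap.example-uwin.test' },
};
// Constructed user records: home_ou plus what each backend knows about them.
const USERS = {
  alice: { home_ou: 'LU',   ldapPassword: 'lu-secret' },
  bob:   { home_ou: 'UWIN', ldapPassword: 'win-secret' },
  carol: { home_ou: 'LU',   nativePassword: 'local-pw' },
};
// Stand-ins for each service's implementation of
// open-ils.auth.authenticate.complete; each gets the params its plugin built.
const backend = {
  native(p) {
    const u = USERS[p.username];
    return !!u && u.nativePassword === p.password;
  },
  'ou-aware-ldap'(p) {
    // Would bind to the org's LDAP server at p.dsn; here checked against records.
    const u = USERS[p.username];
    return !!u && OU_SETTINGS[u.home_ou]?.ldapDsn === p.dsn &&
           u.ldapPassword === p.password;
  },
};

// Client-side plugins, analogous to the per-protocol dojo modules. The
// OU-aware one resolves home_ou -> org setting -> DSN, so per-org configuration
// lives in org settings rather than in the generic auth scaffolding.
const plugins = {
  native: (username, password) => ({ username, password }),
  'ou-aware-ldap': (username, password) => {
    const dsn = OU_SETTINGS[USERS[username]?.home_ou]?.ldapDsn;
    return dsn ? { username, password, dsn } : null; // no org config: skip
  },
};
// Try each protocol in the configured order; return the first that succeeds.
function login(protocolOrder, username, password) {
  for (const proto of protocolOrder) {
    const params = plugins[proto]?.(username, password);
    if (params && backend[proto](params)) return proto;
  }
  return null;
}
```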