We use the local-part of the email address to authenticate against the LDAP
server.
In the VirtualHost sections of Apache, we can use SetEnv to force the
physical_loc to match the org unit ID(s) specified in opensrf.xml; for
example:
SetEnv physical_loc 103
At Laurentian, all usernames will be lowercase. This will prevent mismatches
like the user entering "dscott" and the database having the value "DScott" (in
that we're going to force all of the Laurentian user names in the database to
lower case).
Add an ou_host_name parameter for TPAC login forms
If set, and the incoming username does not already include an '@' symbol
(a very simple attempt to detect if we're already dealing with an email
address), then append '@' + the ou_host_name value to the username for
authentication purposes.
The rationale is that in a large consortium, you might want to enable
users to log in with short usernames (like 'fred'), but you also want to
avoid conflicts between short usernames at different organizational
units. Thus, create the users with the email equivalent of their
usernames, like 'fred@br1.example.com' and 'fred@br4.example.com', and
let the templates for the TPAC in br1 and br4 contain a hidden input
field to append the appropriate email hostname.
Truth be told, this is probably most appropriate for a large consortium
containing two or more academic institutions that hope to use LDAP
authentication rather than native authentication, and therefore have
LDAP CNs that map to email addresses of CN@hostname that can then be
mapped to actor.usr.usrname (and actor.usr.email, of course).