From c542d830236a89ec3e20fcc89c5fc83a1608bfe5 Mon Sep 17 00:00:00 2001 From: Jeff Davis Date: Fri, 21 Jun 2019 16:25:04 -0700 Subject: [PATCH] LP#1786552: AuthProxy: release note for LDAP bind_user and restrict_by_home_ou Signed-off-by: Jeff Davis Signed-off-by: Galen Charlton --- .../Administration/ldap_bind_user.adoc | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc diff --git a/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc new file mode 100644 index 0000000000..20f7f82e47 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc 
@@ -0,0 +1,34 @@ +AuthProxy Support for Arbitrary LDAP Usernames +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +AuthProxy now supports LDAP-based login with a username that is +different from your Evergreen username. + +This feature may be useful for libraries that use an LDAP server for +single sign-on (SSO). Let's say you are a post-secondary library using +student or employee numbers as Evergreen usernames, but you want people +to be able to login to Evergreen with their SSO credentials, which may +be different from their student/employee number. To support this, +AuthProxy can now be configured to accept your SSO username on login, +use it to look up your student/employee number on the LDAP server, and +log you in as the appropriate Evergreen user. + +For this to work, in the AuthProxy configuration for your LDAP server in +opensrf.xml, set "bind_attr" to the LDAP field containing your LDAP +username, and "id_attr" to the LDAP field containing your student or +employee number (or whatever other value is used as your Evergreen +username). If "bind_attr" is not set, Evergreen will assume that your +LDAP username and Evergreen username are the same. + +Now, let's say your LDAP server is only an authoritative auth provider +for Library A. Nothing prevents the server from reporting that your +student number is 000000, even if that Evergreen username is already in +use by another patron at Library B. We want to ensure that AuthProxy +does not use Library A's LDAP server to log you in as the Library B +patron. For this reason, a new "restrict_by_home_ou" setting has been +added to AuthProxy config. When enabled, this setting restricts LDAP +authentication to users belonging to a library served by that LDAP +server (i.e. the user's home library must match the LDAP server's +"org_units" setting in opensrf.xml). Use of this setting is strongly +recommended. + -- 2.43.2
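Review bot: The new release note documents "bind_attr" and "id_attr", but the commit subject and the new file name (ldap_bind_user.adoc) refer to "bind_user"; an administrator searching the release notes for the setting named in the subject will not find it, so either rename the file to match the documented setting or add a sentence stating which name the opensrf.xml setting actually uses. The security-relevant paragraph on "restrict_by_home_ou" also leaves two things unstated that a deployer needs before enabling it: whether the setting is off by default (the text says "When enabled", which implies opt-in, but does not say so), and what the observable behaviour is when the check fails (the login is presumably rejected rather than falling through to another LDAP server, but the note does not say). Since the same paragraph says use of the setting is "strongly recommended", a short opensrf.xml snippet showing "bind_attr", "id_attr", "org_units" and "restrict_by_home_ou" together would make the recommended configuration unambiguous.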