1 AuthProxy Support for Arbitrary LDAP Usernames
2 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
4 AuthProxy now supports LDAP-based login with a username that is
5 different from your Evergreen username.
7 This feature may be useful for libraries that use an LDAP server for
8 single sign-on (SSO). Let's say you are a post-secondary library using
9 student or employee numbers as Evergreen usernames, but you want people
10 to be able to login to Evergreen with their SSO credentials, which may
11 be different from their student/employee number. To support this,
12 AuthProxy can now be configured to accept your SSO username on login,
13 use it to look up your student/employee number on the LDAP server, and
14 log you in as the appropriate Evergreen user.
16 For this to work, in the AuthProxy configuration for your LDAP server in
17 opensrf.xml, set "bind_attr" to the LDAP field containing your LDAP
18 username, and "id_attr" to the LDAP field containing your student or
19 employee number (or whatever other value is used as your Evergreen
20 username). If "bind_attr" is not set, Evergreen will assume that your
21 LDAP username and Evergreen username are the same.
23 Now, let's say your LDAP server is only an authoritative auth provider
24 for Library A. Nothing prevents the server from reporting that your
25 student number is 000000, even if that Evergreen username is already in
26 use by another patron at Library B. We want to ensure that AuthProxy
27 does not use Library A's LDAP server to log you in as the Library B
28 patron. For this reason, a new "restrict_by_home_ou" setting has been
29 added to AuthProxy config. When enabled, this setting restricts LDAP
30 authentication to users belonging to a library served by that LDAP
31 server (i.e. the user's home library must match the LDAP server's
32 "org_units" setting in opensrf.xml). Use of this setting is strongly
projects / working / Evergreen.git / blob