Changes between Version 4 and Version 5 of LdapSupport


Timestamp: Oct 18, 2014, 1:52:27 PM
Author: davea
Comment: --
  • LdapSupport

    v4 v5  
    11= LDAP support =
    22
    3 Goal: a BOINC project (e.g. nanoHUB) can let users authenticate
    4 (in both Web and Manager) using an LDAP server,
    5 using their LDAP UID and password.
     3A BOINC project can let users authenticate (in both Web and Manager) using LDAP.
    64Specifically:
    75
    8  * The web create-account form has an "authenticate with LDAP" link,
    9    which goes to an LDAP-specific form that asks for uid and passwd.
    10  * Similar for login form.
    11  * In BOINC Manager Attach Project wizard, if
     6 * The web login form lets users enter an LDAP ID instead of an email address.
     7 * Similarly in the Manager Attach Project wizard (works only with 7.4.5+ clients).
    128
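Review bot: the two v5 bullets cover only the login form and the Attach Project wizard, while the v4 text they replace also described an "authenticate with LDAP" path on the create-account form; the new text should say whether a first successful LDAP login creates the project account automatically or whether a separate create-account step still exists. It should also state how the login form tells an LDAP ID apart from an email address, since both are typed into the same field, and what an older (pre-7.4.5) client does with an LDAP ID entered in the attach wizard, as "works only with 7.4.5+ clients" leaves that failure mode undescribed.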
    13 == Model ==
    14 An account on a BOINC project can optionally have an "external authorizer" (EA), described by
    15  * authorizer type: e.g. LDAP, !OpenAuth
    16  * authorizer URL
    17  * authorizer account ID
     9To enable this, add the following to your '''html/project/project.inc''':
     10{{{
     11define("LDAP_HOST", "ldap1.ssl.berkeley.edu");
     12define("LDAP_BASE_DN", "dc=ssl,dc=berkeley,dc=edu");
     13}}}
     14(with values reflecting your LDAP server).
    1815
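Review bot: the configuration gives only a host name and a base DN, and nothing says whether the connection to LDAP_HOST is protected with TLS (ldaps or STARTTLS) or is plain LDAP on port 389. The user's LDAP password has to be sent over that connection to authenticate them, so the page should state which it is and, if TLS is expected, how an admin selects it (for example whether LDAP_HOST may be given as a URL). Two smaller points: say what happens when the defines are absent (LDAP login disabled?), and use placeholder values in the sample rather than a real host such as ldap1.ssl.berkeley.edu.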
    19 Projects can support one or more EAs; this is exported in get_project_config.php.
     16== Implementation ==
    2017
    21 If a user creates an EA account, they shouldn't be aware of a separate BOINC account.
     18For accounts authenticated with LDAP,
     19the '''user.email_addr''' database field has a string of the form
     20'''LDAP:uid''' where uid is the LDAP user ID.
    2221
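Review bot: keying LDAP accounts by storing '''LDAP:uid''' in user.email_addr overloads a field the rest of the project treats as a mailing address, and v5 drops the collision check that v4 spelled out ("a PROJECT account with that email address exists, but isn't configured to log in with LDAP"). The page should say how the ordinary create-account and change-email paths reject a value of the form LDAP:... , since otherwise a regular signup that enters the email address "LDAP:alice" would occupy the row that the LDAP login for uid alice expects. It should also say what features that send mail (password reset, notices) do for such accounts, and note that the v4 options to add or remove an external authorizer no longer exist in this model.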
    23 if an account has an EA, user can remove it, after which they have to login with password.
    2422
    25 if an account doesn't have an EA, user can add it.
    26 
    27 == Web login ==
    28 {{{
    29     login form has "log in with LDAP" link
    30     handler:
    31         authorize account w/ LDAP server
    32         get back email, ID
    33         if acct w/ that email exists
    34             if authorizer info matches, OK
    35             else show error
    36                 "a PROJECT account with that email address exists,
    37                 but isn't configured to log in with LDAP.
    38                 Please log in using email and PROJECT password."
    39         else
    40             create account
    41         if
    42 }}}
    43 
    44 == Client attach ==
    45 {{{
    46    current:
    47       do either lookup_account or create_account w/ email, passwd
    48       create account as needed
    49    new:
    50       GUI, attach form:
    51          "login with LDAP" checkbox
    52          LDAP name, password fields
    53 }}}
    54
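Review bot: deleting the Web login and Client attach sections leaves v5 with no description of the actual flow: which component contacts the LDAP server and with what credentials (the uid and password from the web form or the wizard), whether an account is created on the first successful authentication, and what error the user sees when authentication fails. The v4 pseudocode needed cleanup rather than removal (its handler block ends in a dangling "if"); a short prose version of it under "Implementation" would complete the new page.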