LDAP support
Goal: a BOINC project (e.g. nanoHUB) can let users authenticate (in both Web and Manager) using an LDAP server, using their LDAP UID and password. Specifically:
- The web create-account form has an "authenticate with LDAP" link, which goes to an LDAP-specific form that asks for uid and passwd.
- Similar for login form.
- In BOINC Manager Attach Project wizard, if
Model
An account on a BOINC project can optionally have an "external authorizer" (EA), described by
- authorizer type: e.g. LDAP, OpenAuth
- authorizer URL
- authorizer account ID
Projects can support one or more EAs; this is exported in get_project_config.php.
If a user creates an EA account, they shouldn't be aware of a separate BOINC account.
If an account has an EA, the user can remove it, after which they have to log in with a password.
If an account doesn't have an EA, the user can add it.
Web login
login form has "log in with LDAP" link
handler:
    authorize account w/ LDAP server
    get back email, ID
    if acct w/ that email exists
        if authorizer info matches, OK
        else show error "a PROJECT account with that email address exists, but isn't configured to log in with LDAP. Please log in using email and PROJECT password."
    else
        create account if
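The web login decision above, written out as an added Python sketch (not BOINC's own code, which is PHP). The Account record, ldap_login, the auth hook and the sample directory are hypothetical; account creation is unconditional here because the page's condition is cut off, and the empty-password check is an addition.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Account:                       # hypothetical record, not BOINC's user table
    email: str
    ea_type: Optional[str] = None    # authorizer type, e.g. "LDAP"
    ea_url: Optional[str] = None     # authorizer URL
    ea_id: Optional[str] = None      # authorizer account ID

# Hypothetical hook: returns (email, ldap_id) after a successful bind, else None.
LdapAuth = Callable[[str, str], Optional[Tuple[str, str]]]

ERR_NOT_LDAP = ("a PROJECT account with that email address exists, but isn't "
                "configured to log in with LDAP. Please log in using email "
                "and PROJECT password.")

def ldap_login(accounts: Dict[str, Account], ldap_url: str, auth: LdapAuth,
               uid: str, passwd: str) -> Tuple[str, Optional[Account]]:
    # An empty password turns an LDAP simple bind into an unauthenticated
    # bind (RFC 4513 section 5.1.2), which some servers accept; reject it here.
    if not uid or not passwd:
        return "auth_failed", None
    result = auth(uid, passwd)
    if result is None:
        return "auth_failed", None
    email, ldap_id = result[0].strip().lower(), result[1]
    acct = accounts.get(email)
    if acct is None:                 # no account with that email: create one
        acct = accounts[email] = Account(email, "LDAP", ldap_url, ldap_id)
        return "created", acct
    if (acct.ea_type, acct.ea_url, acct.ea_id) == ("LDAP", ldap_url, ldap_id):
        return "ok", acct
    # Same email but no matching EA: never link or log in on email alone.
    return ERR_NOT_LDAP, None

# Constructed sample directory standing in for a real LDAP bind.
LDAP_URL = "ldaps://ldap.example.org"
DIRECTORY = {"alice": ("s3cret", "Alice@example.org", "uid=alice,dc=example,dc=org"),
             "bob": ("hunter2", "bob@example.org", "uid=bob,dc=example,dc=org")}

def fake_auth(uid: str, passwd: str) -> Optional[Tuple[str, str]]:
    entry = DIRECTORY.get(uid)
    if entry is None or entry[0] != passwd:
        return None
    return entry[1], entry[2]
```

Comparing all three EA fields, not just the email, is what keeps an existing password-only account from being taken over by whoever the LDAP server says owns that address.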
Client attach
current:
    do either lookup_account or create_account w/ email, passwd
    create account as needed
new:
    GUI, attach form:
        "login with LDAP" checkbox
        LDAP name, password fields