From: Jeff Davis Date: Wed, 28 Oct 2020 21:16:00 +0000 (-0700) Subject: LP#1901940: Docs: Add bind_attr and restrict_by_home_ou to AuthProxy example config X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=b2db8ffadb4afd8fe170e07bc244efa4f0510d28;p=working%2FEvergreen.git LP#1901940: Docs: Add bind_attr and restrict_by_home_ou to AuthProxy example config Signed-off-by: Jeff Davis --- diff --git a/docs/modules/admin/pages/authentication_proxy.adoc b/docs/modules/admin/pages/authentication_proxy.adoc index 9cdaaeee7e..388d905754 100644 --- a/docs/modules/admin/pages/authentication_proxy.adoc +++ b/docs/modules/admin/pages/authentication_proxy.adoc @@ -25,6 +25,7 @@ In order to activate Authentication Proxy, the Evergreen system administrator wi ou=people,dc=domain,dc=com cn=username,ou=specials,dc=domain,dc=com uid + uid my_ldap_password_for_authid_user staff @@ -34,6 +35,7 @@ In order to activate Authentication Proxy, the Evergreen system administrator wi 103 104 + false ---- + 
@@ -43,9 +45,11 @@ In order to activate Authentication Proxy, the Evergreen system administrator wi * *_basedn_* : Location of the data on your authentication server used to authenticate users. * *_authid_* : Administrator ID information used to connect to the Authentication server. * *_id_attr_* : Field name in the authenticator matching the username in the Evergreen database. +* *_bind_attr_* : Field name in the authenticator matching the username used to login. Not required unless the login username differs from the Evergreen username (see "Using arbitrary LDAP usernames" below). * *_password_* : Administrator password used to connect to the authentication server. Password for the *_authid_*. * *_login_types_* : Specifies which types of logins will use this authenticator. This might be useful if staff use a different LDAP directory than general users. * *_org_units_* : Specifies which org units will use the authenticator. This is useful in a consortium environment where libraries will use separate authentication systems. +* *_restrict_by_home_ou_* : When set to "true", permits authentication only when the user's home library is one of the org units specified under *_org_units_*. + . Restart Evergreen and Apache to activate configuration changes. 
@@ -88,8 +92,7 @@ for Library A. Nothing prevents the server from reporting that your student number is 000000, even if that Evergreen username is already in use by another patron at Library B. We want to ensure that Authentication Proxy does not use Library A's LDAP server to log you in as the Library B -patron. For this reason, a new `restrict_by_home_ou` setting has been -added to Authentication Proxy config. When enabled, this setting restricts LDAP +patron. To prevent this, set the `restrict_by_home_ou` setting to "true". This restricts LDAP authentication to users belonging to a library served by that LDAP server (i.e. the user's home library must match the LDAP server's `org_units` setting in `opensrf.xml`). Use of this setting is strongly
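Review bot: in the example config hunk, the added `bind_attr` line carries the value `uid`, the same value the existing `id_attr` line already uses, so the example never shows the situation the new element exists for (a login username that differs from the Evergreen username, per the "Using arbitrary LDAP usernames" text). Either give the two a visibly different value or add an inline comment on the `bind_attr` line saying it only needs to differ from `id_attr` in that case. Likewise the added `restrict_by_home_ou` line is `false`, while the later prose presents this setting as the thing that stops Library A's LDAP server from logging a user in as the Library B patron; a one-line comment next to `false` pointing readers to that section would keep the example from reading as the recommended configuration.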
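Review bot: in the option list hunk, the new `bind_attr` bullet has "the username used to login", where the verb form is "log in"; suggest "the username used to log in". The new `restrict_by_home_ou` bullet says what "true" does but not what happens when the element is omitted or set to "false"; since the example config in the same commit sets it to `false`, a sentence such as "When omitted or set to "false", authentication is not restricted by home library" (assuming that is the actual behaviour) would make the list self-contained.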
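Review bot: the replacement sentence in the prose hunk reads "set the `restrict_by_home_ou` setting to "true"", which repeats "setting"; suggest "set `restrict_by_home_ou` to "true"". The following sentence then opens with "This restricts LDAP", where "This" has no clear antecedent after an imperative; "Doing so restricts LDAP authentication ..." reads more cleanly and keeps the rest of the paragraph unchanged.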