From: Jeff Davis <jdavis@sitka.bclibraries.ca> Date: Fri, 21 Jun 2019 23:25:04 +0000 (-0700) Subject: LP#1786552: AuthProxy: release note for LDAP bind_user and restrict_by_home_ou X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=c542d830236a89ec3e20fcc89c5fc83a1608bfe5;p=contrib%2FConifer.git LP#1786552: AuthProxy: release note for LDAP bind_user and restrict_by_home_ou Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca> Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org> --- diff --git a/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc new file mode 100644 index 0000000000..20f7f82e47 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc 
@@ -0,0 +1,34 @@ +AuthProxy Support for Arbitrary LDAP Usernames +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +AuthProxy now supports LDAP-based login with a username that is +different from your Evergreen username. + +This feature may be useful for libraries that use an LDAP server for +single sign-on (SSO). Let's say you are a post-secondary library using +student or employee numbers as Evergreen usernames, but you want people +to be able to login to Evergreen with their SSO credentials, which may +be different from their student/employee number. To support this, +AuthProxy can now be configured to accept your SSO username on login, +use it to look up your student/employee number on the LDAP server, and +log you in as the appropriate Evergreen user. + +For this to work, in the AuthProxy configuration for your LDAP server in +opensrf.xml, set "bind_attr" to the LDAP field containing your LDAP +username, and "id_attr" to the LDAP field containing your student or +employee number (or whatever other value is used as your Evergreen +username). If "bind_attr" is not set, Evergreen will assume that your +LDAP username and Evergreen username are the same. + +Now, let's say your LDAP server is only an authoritative auth provider +for Library A. Nothing prevents the server from reporting that your +student number is 000000, even if that Evergreen username is already in +use by another patron at Library B. We want to ensure that AuthProxy +does not use Library A's LDAP server to log you in as the Library B +patron. For this reason, a new "restrict_by_home_ou" setting has been +added to AuthProxy config. When enabled, this setting restricts LDAP +authentication to users belonging to a library served by that LDAP +server (i.e. the user's home library must match the LDAP server's +"org_units" setting in opensrf.xml). Use of this setting is strongly +recommended. +
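Review bot: The commit subject names the new setting "bind_user", but the body of the release note only ever refers to "bind_attr" (lines "set "bind_attr" to the LDAP field containing your LDAP username" and "If "bind_attr" is not set"), so one of the two names is wrong; please make the note use the key exactly as it is read from opensrf.xml, since administrators will copy it verbatim. The note would also be easier to act on with a minimal opensrf.xml fragment showing "bind_attr", "id_attr", "org_units" and "restrict_by_home_ou" together, and with an explicit statement of the default for "restrict_by_home_ou": saying it is "strongly recommended" implies it is off unless enabled, but the note never says so, and an administrator upgrading an existing LDAP setup needs to know whether the Library A / Library B cross-login case described here is possible until they change their config. Minor wording: "to be able to login to Evergreen" should read "to log in to Evergreen", and "authoritative auth provider" is clearer as "authoritative authentication provider".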