From c542d830236a89ec3e20fcc89c5fc83a1608bfe5 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Fri, 21 Jun 2019 16:25:04 -0700
Subject: [PATCH] LP#1786552: AuthProxy: release note for LDAP bind_user and
 restrict_by_home_ou

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 .../Administration/ldap_bind_user.adoc             | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc

diff --git a/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc
new file mode 100644
index 0000000000..20f7f82e47
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/Administration/ldap_bind_user.adoc
@@ -0,0 +1,34 @@
+AuthProxy Support for Arbitrary LDAP Usernames
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+AuthProxy now supports LDAP-based login with a username that is
+different from your Evergreen username.
+
+This feature may be useful for libraries that use an LDAP server for
+single sign-on (SSO).  Let's say you are a post-secondary library using
+student or employee numbers as Evergreen usernames, but you want people
+to be able to login to Evergreen with their SSO credentials, which may
+be different from their student/employee number.  To support this,
+AuthProxy can now be configured to accept your SSO username on login,
+use it to look up your student/employee number on the LDAP server, and
+log you in as the appropriate Evergreen user.
+
+For this to work, in the AuthProxy configuration for your LDAP server in
+opensrf.xml, set "bind_attr" to the LDAP field containing your LDAP
+username, and "id_attr" to the LDAP field containing your student or
+employee number (or whatever other value is used as your Evergreen
+username).  If "bind_attr" is not set, Evergreen will assume that your
+LDAP username and Evergreen username are the same.
+
+Now, let's say your LDAP server is only an authoritative auth provider
+for Library A.  Nothing prevents the server from reporting that your
+student number is 000000, even if that Evergreen username is already in
+use by another patron at Library B.  We want to ensure that AuthProxy
+does not use Library A's LDAP server to log you in as the Library B
+patron.  For this reason, a new "restrict_by_home_ou" setting has been
+added to AuthProxy config.  When enabled, this setting restricts LDAP
+authentication to users belonging to a library served by that LDAP
+server (i.e. the user's home library must match the LDAP server's
+"org_units" setting in opensrf.xml).  Use of this setting is strongly
+recommended.
+
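Review bot: the "restrict_by_home_ou" setting introduced in the last paragraph is called "strongly recommended" but the note never states its default, so an administrator cannot tell from this text whether an existing LDAP configuration is already open to the cross-library collision the paragraph describes (Library A's server asserting an id_attr value that is Library B's username) until the setting is explicitly turned on. Suggest adding one sentence giving the default, and a short opensrf.xml fragment showing bind_attr, id_attr, restrict_by_home_ou and org_units together, since the note names all four keys without ever showing where they go. Two smaller points: the commit subject and the file name say "bind_user" while the text documents a setting called "bind_attr", so one of the two should be aligned with the other; and "to be able to login to Evergreen" should read "log in" (verb), while the trailing empty "+" line leaves a blank line at end of file.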
-- 
2.11.0