Comment 4 for bug 1715396

John Merriam (jmerriam) wrote : Re: [Bug 1715396] Re: auth_proxy, native login fails when LDAP unavailable

Hi Dan.

1) I believe that they use the LDAP logins for their patrons to access
the OPAC but have native/local logins for their staff.

2) auth_proxy app_settings in our opensrf.xml:

<open-ils.auth_proxy>
   ...
   <app_settings>
     <enabled>true</enabled>
     <authenticators>
       <authenticator>
         <name>ldap</name>
         <module>OpenILS::Application::AuthProxy::LDAP_Auth</module>
         <hostname>somehost.somedomain.org</hostname>
         <basedn>dc=somedomain,dc=org</basedn>
         <authid>cn=admin_abc,cn=users,dc=somedomain,dc=org</authid>
         <id_attr>AccountName</id_attr>
         <password>Password</password>
         <login_types>
           <type>staff</type>
           <type>opac</type>
         </login_types>
         <org_units>
           <unit>123</unit>
         </org_units>
       </authenticator>
       <authenticator>
         <name>native</name>
       </authenticator>
     </authenticators>
   </app_settings>
</open-ils.auth_proxy>

Let me know if you need me to make that into an attachment instead.

What didn't make sense to me at first when looking at the code was why
would it be trying the LDAP authenticator at all unless the org_unit
equaled 123?

When I looked at it long enough, it seems to me that what the original code:

   if ($authenticator->org_units and $args->{'org'})

is saying is only run this next test:

   next unless grep(/^(all|$args->{'org'})$/, @{$authenticator->{'org_units'}})

if we received an $args->{'org'}.

But, if you look at that 'next unless' test, I don't think we want to
run it only if we received an $args->{'org'}; I think we want to run it
no matter what if there is an $authenticator->org_units.

I think the result of the original code is that the system may try all
authenticators if there is not an $args->{'org'}, regardless of whether
there is an $authenticator->org_units set, basically ignoring the fact
that there is an <org_units> for the <authenticator> in the config.

I think what my patch does is it says run the 'next unless' test if
there is an $authenticator->org_units, regardless of whether there is an
$args->{'org'}.

But, maybe I'm reading it wrong or there is a better way.

John
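The two conditions discussed in the comment, side by side, as an added illustration that is not part of the bug report or of Evergreen's OpenILS::Application::AuthProxy code. The `@authenticators` records are constructed plain hashes that mirror the `<authenticators>` block quoted above (the real module works on parsed settings objects, not on these hashes), and the `// ''` default in the patched branch is an assumption added here so that a missing `org` does not interpolate `undef` into the pattern.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the parsed <authenticators> section of opensrf.xml:
# LDAP is limited to org unit 123, native carries no <org_units> at all.
my @authenticators = (
    { name => 'ldap',   org_units => ['123'] },
    { name => 'native' },
);

# Original condition: the org_units filter only runs when the login
# request carried an 'org' argument, so with no 'org' every authenticator
# (LDAP included) is tried in turn.
sub select_original {
    my ($args) = @_;
    my @chosen;
    for my $authenticator (@authenticators) {
        if ($authenticator->{'org_units'} and $args->{'org'}) {
            next unless grep(/^(all|$args->{'org'})$/, @{$authenticator->{'org_units'}});
        }
        push @chosen, $authenticator->{'name'};
    }
    return @chosen;
}

# Patched condition: the filter runs whenever the authenticator has
# <org_units>, whether or not the request carried an 'org'. A missing 'org'
# is treated as '' (assumption made here) and so never matches '123'.
sub select_patched {
    my ($args) = @_;
    my @chosen;
    for my $authenticator (@authenticators) {
        if ($authenticator->{'org_units'}) {
            my $org = $args->{'org'} // '';
            next unless grep(/^(all|\Q$org\E)$/, @{$authenticator->{'org_units'}});
        }
        push @chosen, $authenticator->{'name'};
    }
    return @chosen;
}

# Three constructed login requests: matching org, non-matching org, no org.
for my $case ( { org => '123' }, { org => '456' }, {} ) {
    my $label = defined $case->{'org'} ? "org=$case->{'org'}" : 'no org';
    printf "%-8s original: %-12s patched: %s\n", $label,
        join(',', select_original($case)) || '(none)',
        join(',', select_patched($case))  || '(none)';
}
```

Running it shows the divergence only in the third case: with `org=123` both variants try `ldap,native`, with `org=456` both try only `native`, but with no `org` the original still lists `ldap` ahead of `native` while the patched condition lists `native` alone. That third row is the path on which an unreachable LDAP server blocks a native login.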