Comment 7 for bug 1715396

I'm marking this bug as High priority since it can break login globally.

My consortium is in a similar situation to John's. We have one library that wants to use LDAP, and the rest should always use native login. The current inclusive-by-default behavior, where every authenticator is applied when no org argument is supplied, is highly undesirable for us. There should be a setting that governs whether auth_proxy is inclusive or exclusive. I'll see if I can put together a branch for this.

Regarding org-less logins, I presume that initial staff client login (prior to registering a workstation) does not have an org parameter? So if you're not running all authenticators by default, you'd need to use native login in order to register a workstation. That's a reasonable tradeoff for my organization, but it would be cool if we had a way to supply an org param for that use case.

I agree with Dan that LDAP should fail gracefully regardless.