= LDAP support =

== Model ==
An account on a BOINC project can optionally have an "external authorizer" (EA), described by
 * authorizer type: e.g. LDAP, !OpenAuth
 * authorizer URL
 * authorizer account ID

Projects can support one or more EAs; this is exported in get_project_config.php.

If a user creates an EA account, they shouldn't be aware of a separate BOINC account.

if an account has an EA, user can remove it, after which they have to login with password.

if an account doesn't have an EA, user can add it.

== Web login ==
{{{
    login form has "log in with LDAP" link
    handler:
        authorize account w/ LDAP server
        get back email, ID
        if acct w/ that email exists
            if authorizer info matches, OK
            else show error
                "a PROJECT account with that email address exists,
                but isn't configured to log in with LDAP.
                Please log in using email and PROJECT password."
        else
            create account
        if
}}}

== Client attach ==
{{{
   current:
      do either lookup_account or create_account w/ email, passwd
      create account as needed
   new:
      GUI, attach form:
         "login with LDAP" checkbox
         LDAP name, password fields
}}}