wiki:LdapSupport

Version 4 (modified by davea, 10 years ago)


LDAP support

Goal: a BOINC project (e.g. nanoHUB) can let users authenticate, in both the web site and the Manager, against an LDAP server using their LDAP UID and password. Specifically:

  • The web create-account form has an "authenticate with LDAP" link, which goes to an LDAP-specific form that asks for uid and passwd.
  • Similar for login form.
  • In BOINC Manager Attach Project wizard, if

Model

An account on a BOINC project can optionally have an "external authorizer" (EA), described by

  • authorizer type: e.g. LDAP, OpenAuth
  • authorizer URL
  • authorizer account ID

Projects can support one or more EAs; this is exported in get_project_config.php.

If a user creates an EA account, they shouldn't be aware of a separate BOINC account.

If an account has an EA, the user can remove it, after which they have to log in with a password.

If an account doesn't have an EA, the user can add one.

Web login

    login form has "log in with LDAP" link
    handler:
        authorize account w/ LDAP server
        get back email, ID
        if acct w/ that email exists
            if authorizer info matches, OK
            else show error
                "a PROJECT account with that email address exists,
                but isn't configured to log in with LDAP.
                Please log in using email and PROJECT password."
        else
            create account
        if
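The web login decision tree above, written out as an added example (not BOINC's own PHP code). The LDAP server and the project database are replaced by constructed in-memory dictionaries, and the authorizer URL is an assumed placeholder, so it runs offline:

```python
# Added illustration of the "log in with LDAP" handler; not BOINC code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    ea_type: Optional[str] = None   # external authorizer type, e.g. "LDAP"
    ea_url: Optional[str] = None    # external authorizer URL
    ea_id: Optional[str] = None     # account ID at the authorizer

LDAP_URL = "ldap://ldap.example.org"   # assumed placeholder URL

# Constructed stand-in for the LDAP server: uid -> (password, email).
LDAP_DIRECTORY = {
    "alice": ("s3cret", "alice@example.org"),
    "bob": ("hunter2", "bob@example.org"),
    "carol": ("c4rol", "carol@example.org"),
}

# Constructed project database, keyed by email: bob has a password-only
# account, carol's account is already tied to the LDAP authorizer.
ACCOUNTS = {
    "bob@example.org": Account("bob@example.org"),
    "carol@example.org": Account("carol@example.org", "LDAP", LDAP_URL, "carol"),
}

def ldap_authorize(uid, passwd):
    """Stand-in for the bind against the LDAP server: (email, uid) or None."""
    entry = LDAP_DIRECTORY.get(uid)
    if entry is None or entry[0] != passwd:
        return None
    return entry[1], uid

def ldap_login(uid, passwd, accounts=ACCOUNTS):
    """Handler for the LDAP login form; returns (status, account)."""
    result = ldap_authorize(uid, passwd)
    if result is None:
        return "ldap_auth_failed", None
    email, ea_id = result
    acct = accounts.get(email)
    if acct is None:
        # No project account with that email: create one tied to the EA.
        acct = Account(email, "LDAP", LDAP_URL, ea_id)
        accounts[email] = acct
        return "created", acct
    # Link only when the stored authorizer info matches exactly; a matching
    # email alone must not grant access to a password-only account.
    if (acct.ea_type, acct.ea_url, acct.ea_id) == ("LDAP", LDAP_URL, ea_id):
        return "ok", acct
    return "ea_mismatch", None   # caller shows the "not configured" error
```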

Client attach

   current:
      do either lookup_account or create_account w/ email, passwd
      create account as needed
   new:
      GUI, attach form:
         "login with LDAP" checkbox
         LDAP name, password fields