On Wed, 6 Oct 2010, Amy wrote:

We are having a problem with a single student whose account was deleted from
LDAP by Technology, and then had her account re-established.   She has the
same username and status as she used to have.

She is now unable to log in to any of the library resources that use LDAP to
authenticate patrons.  This includes our catalog & e-resources (through III)
and a Ruby on Rails group study room web application that uses LDAP
authentication.

Has anyone had any experiences like this before or any thoughts/speculation
on how to fix?

.. this is why it's a good idea to lock accounts for a period before they're deleted fully.

But anyway ...

LDAP's used for authentication, but what's used for authorization?
(ie, we use a login & password to confirm they're who they say they are, but what says that person's allowed to use the system?)

Sometimes it's stored in a field within LDAP, sometimes it's stored in a separate system with a foreign key into LDAP. (which *might* be the login / uid / cn (common name) / dn (distinguished name), etc.)

I've seen a few systems that use an assigned ID as the user component of the DN, rather than the UID / login, so should the user ever need to change the name of the account (eg, they get a name change, and want to change their login), they don't have to re-authorize them in all of the systems. (of course, this means that a delete & recreate, even with the same name has issues).

If I were trying to debug it, I'd try to get an ldif dump of their entry, and compare that to someone created through 'normal' means, and see if there's anything that looks strange (missing fields, random serial numbers, something incremented (e.g. John-Smith-2)).

-Joe
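One way to do the LDIF comparison Joe suggests, added here as an example and not code from the original thread: the script below parses two LDIF entries (the re-created account and a known-good one, as you would get from `ldapsearch -LLL`) and reports attributes that are missing or extra, values that differ, and naming attributes that picked up a numeric suffix. The two sample entries, the attribute names and the suffix heuristic are constructed for illustration and are assumptions, not anything from the list.

```python
"""Compare a re-created LDAP entry against a known-good one from LDIF dumps.

Added example (not from the original thread).  Reads two LDIF entries,
reports attributes missing from or extra in the suspect entry, values that
differ, and naming attributes that acquired a numeric suffix (e.g. "-2").
The sample entries below are constructed; real dumps would come from
`ldapsearch -LLL -b <base> '(uid=<user>)'` (assumption about the export tool).
"""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample: an entry created through the normal provisioning path.
GOOD_LDIF = """\
dn: uid=jsmith,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jsmith
cn: John Smith
sn: Smith
employeeNumber: 100234
eduPersonAffiliation: student
mail: jsmith@example.edu
description: Library patron record, provisioned by the student
  information system nightly feed
"""

# Constructed sample: the same person after delete-and-recreate.  Note the
# missing affiliation and objectClass, the new employeeNumber (a typical
# foreign key into an ILS), a base64-encoded mail value, and a suffixed cn.
SUSPECT_LDIF = """\
dn: uid=jsmith,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jsmith
cn: John Smith-2
sn: Smith
employeeNumber: 100987
mail:: anNtaXRoQGV4YW1wbGUuZWR1
description: Library patron record, provisioned by the student
  information system nightly feed
"""

LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")
SUFFIX_RE = re.compile(r"^(.*?)[-_.]?(\d+)$")
# Attributes whose values commonly get "-2" style suffixes on a clash.
NAMING_ATTRS = ("uid", "cn", "dn")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute(lowercase): [values]}.

    Handles folded continuation lines (leading space) and base64 values (::).
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:          # continuation line
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):  # skip blanks/comments
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def compare_entries(good: Dict[str, List[str]],
                    suspect: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (kind, attribute, suspect_values) findings for the suspect entry."""
    findings: List[Tuple[str, str, List[str]]] = []
    for attr in sorted(set(good) - set(suspect)):
        findings.append(("missing", attr, good[attr]))
    for attr in sorted(set(suspect) - set(good)):
        findings.append(("extra", attr, suspect[attr]))
    for attr in sorted(set(good) & set(suspect)):
        if sorted(good[attr]) != sorted(suspect[attr]):
            findings.append(("differs", attr, suspect[attr]))
    # Heuristic: a naming value equal to the good value plus a numeric suffix
    # suggests the directory (or provisioning tool) saw a clash on recreate.
    for attr in NAMING_ATTRS:
        for value in suspect.get(attr, []):
            m = SUFFIX_RE.match(value)
            if m and m.group(1) in good.get(attr, []):
                findings.append(("suffixed", attr, [value]))
    return findings


def report(good_ldif: str, suspect_ldif: str) -> List[Tuple[str, str, List[str]]]:
    """Parse both dumps, compare them, and print a human-readable summary."""
    findings = compare_entries(parse_ldif_entry(good_ldif),
                               parse_ldif_entry(suspect_ldif))
    for kind, attr, values in findings:
        print(f"{kind:9} {attr}: {values}")
    return findings


if __name__ == "__main__":
    report(GOOD_LDIF, SUSPECT_LDIF)
```

On the constructed sample this flags the missing `eduPersonAffiliation`, the dropped `eduPerson` objectClass, the changed `employeeNumber` and the suffixed `cn`, while the base64-encoded `mail` decodes to the same address and is not reported. Any attribute that an ILS or a Rails app uses as its foreign key into the directory (Joe's point about authorization living outside LDAP) is exactly the kind of value to check first; a changed `employeeNumber` or DN means the downstream patron record no longer links to the login, even though authentication itself succeeds.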
