-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

When adding support for Shibboleth, we ran into an interesting issue. I'll explain how things work with LDAP authentication first before explaining the problem with Shibboleth.

With LDAP authentication, two things can happen:

1) VCL can take the userid and password supplied by someone logging in and attempt to log in to the LDAP server using those credentials to validate if they are correct.

2) VCL can log in to the LDAP server with a specific set of credentials (created for that VCL install's use) to look up information about users.

#2 provides a way for VCL to validate any userids being entered that don't already exist in the user table. With Shibboleth authentication, we lose #2.

Here's a solution I'm proposing:

Extend the user table by adding a new Boolean field named 'validated'. The first time a new user logs in (by whatever authentication mechanism), this field would be set to 1. In the case of #2 above, if a user that has an affiliation without a backing LDAP service and that doesn't already exist in the user table were entered in a form on the web frontend, a minimal record would be created in the user table with validated set to 0 and lastupdated set to the current time. If the user ever logged in, validated would be set to 1 and lastupdated would be updated. Periodically, any users with lastupdated older than some amount of time that have validated set to 0 could be dropped.

Does this sound like a good way of handling it? Any other suggestions?

Josh

-- 
-------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJjJsSV/LQcNdtPQMRApyCAJ4v5zFjw3JGFtpobja2nSttffvTLgCfXjZl
2DjkPE49itPwA2tSYpTSkjg=
=2s0V
-----END PGP SIGNATURE-----
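The record lifecycle proposed in the message above (minimal record with validated = 0 on form entry, validated = 1 and a fresh lastupdated on first login, periodic purge of stale unvalidated rows), as an added worked example. This is illustration code written for this page, not code from Apache VCL or from the message's author. It uses an in-memory SQLite database; the table and column names (user, unityid, affiliationid, validated, lastupdated), the UNIQUE constraint and the 30-day purge window are assumptions for the example.

```python
"""Worked example of the 'validated' flag proposal on an in-memory SQLite
database.  Added illustration, not Apache VCL code.  Table/column names,
the UNIQUE(unityid, affiliationid) constraint and PURGE_AFTER are assumed."""
import sqlite3
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=30)  # assumed retention for never-validated rows


def open_db():
    """Create a minimal user table carrying the proposed 'validated' column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE user (
               id            INTEGER PRIMARY KEY,
               unityid       TEXT    NOT NULL,
               affiliationid INTEGER NOT NULL,
               validated     INTEGER NOT NULL DEFAULT 0,  -- 0 = never logged in
               lastupdated   TEXT    NOT NULL,            -- ISO-8601, sortable
               UNIQUE (unityid, affiliationid))"""
    )
    return db


def add_unvalidated_user(db, unityid, affiliationid, now):
    """Case #2 with no backing LDAP: a userid typed into a web form that is
    not in the table yet gets a minimal record with validated = 0."""
    db.execute(
        "INSERT OR IGNORE INTO user (unityid, affiliationid, validated, lastupdated) "
        "VALUES (?, ?, 0, ?)",
        (unityid, affiliationid, now.isoformat()),
    )
    db.commit()


def record_login(db, unityid, affiliationid, now):
    """On any successful login (LDAP, Shibboleth, ...): create the record if
    it is missing, then mark it validated and refresh lastupdated."""
    db.execute(
        "INSERT OR IGNORE INTO user (unityid, affiliationid, validated, lastupdated) "
        "VALUES (?, ?, 0, ?)",
        (unityid, affiliationid, now.isoformat()),
    )
    db.execute(
        "UPDATE user SET validated = 1, lastupdated = ? "
        "WHERE unityid = ? AND affiliationid = ?",
        (now.isoformat(), unityid, affiliationid),
    )
    db.commit()


def purge_stale_unvalidated(db, now):
    """Periodic job: delete rows that were never validated and whose
    lastupdated is older than PURGE_AFTER.  Validated rows are never
    touched, so a typo in a form cannot remove a real account.
    Returns the number of rows deleted."""
    cutoff = (now - PURGE_AFTER).isoformat()
    cur = db.execute(
        "DELETE FROM user WHERE validated = 0 AND lastupdated < ?", (cutoff,)
    )
    db.commit()
    return cur.rowcount


def user_state(db, unityid, affiliationid):
    """Return (validated, lastupdated) for a record, or None if absent."""
    return db.execute(
        "SELECT validated, lastupdated FROM user "
        "WHERE unityid = ? AND affiliationid = ?",
        (unityid, affiliationid),
    ).fetchone()


def demo():
    """Walk the lifecycle with constructed data; returns a summary dict."""
    t0 = datetime(2009, 2, 6, 12, 0, 0)   # constructed timestamps
    db = open_db()
    # Two userids entered on a form for a Shibboleth-only affiliation (id 2).
    add_unvalidated_user(db, "alice", 2, t0)
    add_unvalidated_user(db, "typo_user", 2, t0)
    # alice later logs in via Shibboleth; typo_user never does.
    record_login(db, "alice", 2, t0 + timedelta(days=3))
    # The cleanup job runs 31 days after the form entries.
    removed = purge_stale_unvalidated(db, t0 + timedelta(days=31))
    return {
        "removed": removed,
        "alice": user_state(db, "alice", 2),
        "typo_user": user_state(db, "typo_user", 2),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when implementing this for real: a validated = 0 row should carry no privileges of its own (it is only a placeholder so that the form entry can reference a user id), and the purge should be restricted to validated = 0 so that a mistyped userid never ages out a real, previously validated account.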