-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

When adding support for Shibboleth, we ran into an interesting issue.  I'll 
explain how things work with LDAP authentication first before explaining the 
problem with Shibboleth.

With LDAP authentication, two things can happen: 1) VCL can take the userid 
and password supplied by someone logging in and attempt to log in to the LDAP 
server using those credentials to validate if they are correct. 2) VCL can 
log in to the LDAP server with a specific set of credentials (created for 
that VCL install's use) to look up information about users.

#2 provides a way for VCL to validate any userids being entered that don't 
already exist in the user table.

With Shibboleth authentication, we lose #2.  Here's a solution I'm proposing:

Extend the user table by adding a new Boolean field named 'validated'.  The 
first time a new user logs in (by whatever authentication mechanism), this 
field would be set to 1.  In the case of #2 above, if a user that has an 
affiliation without a backing LDAP service and that doesn't already exist in 
the user table were entered in a form on the web frontend, a minimal record 
would be created in the user table with validated set to 0 and lastupdated 
set to the current time.  If the user ever logged in, validated would be set 
to 1 and lastupdated would be updated.  Periodically, any users with 
lastupdated older than some amount of time that have validated set to 0 could 
be dropped.

Does this sound like a good way of handling it?  Any other suggestions?

Josh
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Virtual Computing Lab (VCL)
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJjJsSV/LQcNdtPQMRApyCAJ4v5zFjw3JGFtpobja2nSttffvTLgCfXjZl
2DjkPE49itPwA2tSYpTSkjg=
=2s0V
-----END PGP SIGNATURE-----

Reply via email to