teach SIP driver how to use open-ils.auth_proxy

Bug #1526558 reported by Galen Charlton
Affects: Evergreen
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Evergreen's SIP driver currently does not know how to use the authentication proxy, which can be awkward if (say) an academic library uses a central LDAP directory to authenticate patrons but also needs to provide access to an authenticated service that only knows how to use SIP2 (or cases where some library patrons are known only to Evergreen but will never be stored in the central authentication system).

I will create a patch to teach the SIP driver how to invoke the authentication proxy.

Evergreen master

Galen Charlton (gmc) wrote :

WIP patch in the user/gmcharlt/lp1526558_sip_auth_proxy branch in the working repository.

tags: added: ldap sip
Jeff Davis (jdavis-sitka) wrote :

A new working branch user/jeffdavis/lp1526558_sip_auth_proxy_rebased is available:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1526558_sip_auth_proxy_rebased

This branch does two things:

- Rebases Galen's branch to current master.
- Uses native Evergreen auth for SIP client login by default, even if AuthProxy is enabled. The client credentials will commonly be known only to EG, so we should avoid spamming the central authentication system with auth requests that are bound to fail (especially since some SIP clients do a fresh login every 5 minutes or so). Those who do want client login to go through the authentication proxy can add the following to the <options> block in SIP implementation_config:

<option name='use_proxy_for_client_login' value='true' />

tags: added: pullrequest
Changed in evergreen:
milestone: none → 3.6-beta
Jeff Davis (jdavis-sitka) wrote :

I pushed a follow-up commit to the working branch, changing the login_type for AuthProxy SIP logins from "sip" to "opac". The "sip" login type does not exist and adding it is beyond the scope of this bug; non-AuthProxy SIP logins already use "opac" as the login type, so it seems reasonable to stick with that. However, that means you can't specify a separate login type for SIP in AuthProxy config -- if AuthProxy is enabled for OPAC logins, it will automatically be used for SIP as well.

Working branch user/jeffdavis/auth_proxy_test has a simple AuthProxy test authenticator that may be useful for testing this new feature.

Changed in evergreen:
status: New → Confirmed
Bill Erickson (berick)
Changed in evergreen:
assignee: nobody → Bill Erickson (berick)
Bill Erickson (berick) wrote :

New branch pushed:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1526558-sip-auth-proxy

Includes sign-offs for existing commits.

Adds a new commit that:

1. Adds a new option called use_proxy_for_patron_auth. This may seem unnecessary, but it allows the SIP server to avoid having to make the "open-ils.auth_proxy.enabled" API call for every login.

2. Teaches the use_proxy_for_client_login logic to bypass the "open-ils.auth_proxy.enabled" API call when the option is not set to true, since the value is discarded.

3. Adds docs to oils_sip.xml.example for the above.

Changed in evergreen:
assignee: Bill Erickson (berick) → nobody
Changed in evergreen:
milestone: 3.6-beta → 3.next
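
The login routing discussed in this thread, as an added example (a Python model written for this page, not Evergreen code): it counts how many requests reach the authentication proxy when a SIP client logs in every 5 minutes for a day. The option names come from the thread; the Backend class, the function names, and the default of false for use_proxy_for_patron_auth are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SipOptions:
    # Option names from the thread. A false default for patron auth is an assumption.
    use_proxy_for_client_login: bool = False
    use_proxy_for_patron_auth: bool = False


@dataclass
class Backend:
    """Constructed stand-in for the Evergreen services; it only counts calls."""
    proxy_enabled: bool = True
    calls: dict = field(default_factory=lambda: {
        "enabled_check": 0, "proxy_login": 0, "native_login": 0})

    def auth_proxy_enabled(self):
        # Models the "open-ils.auth_proxy.enabled" API call.
        self.calls["enabled_check"] += 1
        return self.proxy_enabled


def route_login(kind, opts, backend):
    """Route one login; kind is 'client' (SIP client) or 'patron'."""
    wanted = (opts.use_proxy_for_client_login if kind == "client"
              else opts.use_proxy_for_patron_auth)
    # Short-circuit: the enabled check is skipped unless the option asks for
    # the proxy, because its result would be discarded anyway.
    if wanted and backend.auth_proxy_enabled():
        backend.calls["proxy_login"] += 1
        return "proxy"
    backend.calls["native_login"] += 1
    return "native"


def simulate_day(opts, proxy_enabled=True, relogin_minutes=5):
    """Call counts for one SIP client that re-logs in all day."""
    backend = Backend(proxy_enabled=proxy_enabled)
    for _ in range(24 * 60 // relogin_minutes):
        route_login("client", opts, backend)
    return backend.calls


if __name__ == "__main__":
    print("default:      ", simulate_day(SipOptions()))
    print("client proxy: ", simulate_day(SipOptions(use_proxy_for_client_login=True)))
```

With the defaults, none of the 288 daily client logins touches the proxy or the central directory behind it; with use_proxy_for_client_login set to true, each one costs an enabled check plus a proxied login attempt.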