RFC: Detaching user name from email, LDAP and Single-Signon
bugreport at peshkin.net
Thu Apr 8 12:28:21 UTC 2004
In order to implement any of the systems that take Bugzilla out of the
business of authenticating its users by sending them email, we need to
make some common changes.
1) Add a field to profiles containing a (varchar(128)) identifier. This
field should be added to the profile before any of the authentication
systems start to use it.
2) LDAP Changes:
A new LDAP configuration parameter is added to identify an optional
LDAP attribute that specified a durable user identifier. In many
environments, a person's userid and email address change when they marry
and change names, but an employee number stays the same for the duration
If the durable identifier is available, when a user logs in the
identifier is used to locate the user's profile, and the LDAP email
address and realname are used to set or update the database email
address and realname.
If the durable identifier is not available, LDAP would have to
behave as it does today.
3) Single Signon
Most single signon systems have a way to pass variables to a CGI
containing the equivalent of fields from LDAP. The single signon module
would accept the variables from the webserver and handle them in a
similar manner to LDAP, using a durable identifier to locate the profile
and auto-updating the email address and realname if it detects a change.
4) Detaching user identifier from email
Once the system begins to maintain an identifier other than
Realname or Email, it becomes possible to build configuration options to
use that identifier in lieu of email addresses in presentation and
selection of users.
More information about the developers