RFC: Detaching user name from email, LDAP and Single-Signon

Joel Peshkin bugreport at peshkin.net
Thu Apr 8 12:28:21 UTC 2004

Please comment:

In order to implement any of the systems that take Bugzilla out of the 
business of authenticating its users by sending them email, we need to 
make some common changes.

1) Add a field to profiles containing a (varchar(128)) identifier.  This 
field should be added to the profile before any of the authentication 
systems start to use it.

2) LDAP Changes:
    A new LDAP configuration parameter is added to identify an optional 
LDAP attribute that specified a durable user identifier.  In many 
environments, a person's userid and email address change when they marry 
and change names, but an employee number stays the same for the duration 
of emplyment.
    If the durable identifier is available, when a user logs in the 
identifier is used to locate the user's profile, and the LDAP email 
address and realname are used to set or update the database email 
address and realname.
    If the durable identifier is not available, LDAP would have to 
behave as it does today.

3) Single Signon
    Most single signon systems have a way to pass variables to a CGI 
containing the equivalent of fields from LDAP.  The single signon module 
would accept the variables from the webserver and handle them in a 
similar manner to LDAP, using a durable identifier to locate the profile 
and auto-updating the email address and realname if it detects a change.

4) Detaching user identifier from email
     Once the system begins to maintain an identifier other than 
Realname or Email, it becomes possible to build configuration options to 
use that identifier in lieu of email addresses in presentation and 
selection of users. 

More information about the developers mailing list