ACS LDAP Authentication Requirements v.1d
by Dennis Gregorovic
I. Introduction
The following is a requirements document for the ACS LDAP Authentication package
version 0.1d.
II. Vision Statement
Often a group of servers running separate ACS installations would like to have a
single login and account creation mechanism for all of the servers in the group.
For example, if Joe User creates an account on www.arsdigita.com then he should
be able to log on to dev.arsdigita.com with the same e-mail address and
password.
III. Use-cases and User-scenarios
The ACS LDAP Authentication package is intended for use by ACS administrators.
The setup process should be simple. To use the ACS LDAP Authentication package,
Jane Admin first installs it. Then she configures its parameters so that it
points to the desired LDAP server. Finally, she enables the package, and LDAP
Authentication overrides the default ACS login mechanisms.
IV. System/Application Overview
ACS LDAP Authentication consists of:
- Configuration
- There is at most one instance of an LDAP Authentication package per ACS
installation.
- Each instance requires a set of parameters specifying information about
the LDAP server to be used.
- Sharing authentication between ACS installations is implicitly
performed by having the installations share a common LDAP Server setup.
- Common Authentication
- If servers A, B, and C are using LDAP Authentication and are set up to
share a common LDAP server, then Joe User can log into A, B, or C with the
same e-mail address/password pair.
- Account Replication
- A user only needs to register on one ACS installation within a
group of servers using LDAP Authentication.
- When the user logs into an installation within the group, a
local account will be created for the user if it does not already exist.
- Each group of servers will contain canonical account information for
users, including e-mail address, first names, last name, and screen name. This
information will be updated locally each time a user logs in.
V. Related Links
VI.A Requirements: Data Model
The LDAP Authentication package Data Model should provide the following
capabilities:
- 10.10 Uniquely identify a user
There needs to be a way within the data model to uniquely identify a
user across multiple machines that still allows them to change their e-mail
addresses and screen names.
VI.B Requirements: API
The Single Login functionality API should provide the following
capabilities:
- 20.10 Authenticate a user
Given an email address and a password, the LDAP Authentication package
authenticates the password for that email address.
- 20.20 Query a user's existence
Given an email address, the LDAP Authentication package returns whether a
user with that email address exists.
- 20.30 Update a user's local info
The LDAP Authentication package can update a user's local information
(email address, screen name, first names, last name) with the information from
the canonical source.
- 20.40 Update a user's canonical info
The LDAP Authentication package can update a user's information
(email address, screen name, first names, last name) at the canonical source
with the information from the local database.
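The authentication and account-replication requirements above (10.10, 20.10, 20.30), as an added Python example that is not part of the ACS LDAP Authentication package. It models the shared LDAP server and the local users table with in-memory stand-ins built from constructed sample data, assumes the directory exposes a stable per-entry identifier (the attribute name entryUUID is an assumption), and escapes the e-mail lookup filter per RFC 4515 so a malformed e-mail address cannot change the meaning of the search.

```python
import hmac

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def email_filter(email):
    """Filter used to look up the directory entry for an e-mail address."""
    return '(mail=%s)' % escape_filter_value(email)

# Constructed stand-in for the shared LDAP server; entryUUID is an assumed
# stable identifier that survives e-mail and screen-name changes (req. 10.10).
DIRECTORY = [{
    'entryUUID': '00000000-0000-4000-8000-000000000001',
    'mail': 'joe@example.com', 'givenName': 'Joe', 'sn': 'User',
    'screenName': 'joe', 'password': 'correct horse',
}]

def directory_search(search_filter):
    """Stand-in for an LDAP search: only an exactly escaped filter matches,
    so an injected value such as '*' never widens the lookup."""
    for entry in DIRECTORY:
        if email_filter(entry['mail']) == search_filter:
            return entry
    return None

def directory_authenticate(email, password):
    """Stand-in for a bind as the found user's DN (req. 20.10)."""
    entry = directory_search(email_filter(email))
    if entry is None:
        return None
    if not hmac.compare_digest(entry['password'].encode(), password.encode()):
        return None
    return entry

# Local per-installation users table keyed by entryUUID, not by e-mail,
# so a renamed user keeps one local account instead of getting a second one.
LOCAL_USERS = {}

def login(email, password):
    """Authenticate, then create or refresh the local account from the
    canonical record (account replication, req. 20.30). Returns the
    stable identifier on success, None on failure."""
    entry = directory_authenticate(email, password)
    if entry is None:
        return None
    local = LOCAL_USERS.setdefault(entry['entryUUID'], {})
    local.update(email=entry['mail'], first_names=entry['givenName'],
                 last_name=entry['sn'], screen_name=entry['screenName'])
    return entry['entryUUID']
```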
VI.C Requirements: The User Interface
The Single Login functionality does not have any User Interface requirements.
VII. Revision History
Document Revision # | Action Taken, Notes | When?      | By Whom?
0.1                 | Creation            | 08/30/2000 | Dennis Gregorovic
0.2                 | Revised             | 09/11/2000 | Dennis Gregorovic
dennis@arsdigita.com
Last modified: Mon Sep 11 11:42:01 2000