Hi Alec,
Thanks very much for your reply and for providing additional instructions on how to authenticate users from an LDAP directory. After reading your explanation I was able to set OJS to authenticate against my LDAP directory without any problems.
asmecher wrote: OJS supports LDAP for password authentication and profile synchronization, but users must have accounts in OJS in order to log in via LDAP, since OJS stores a large amount of relational records that refer to user accounts.
I understand very well this very sensible design decision.
asmecher wrote: In order to use LDAP for authentication (and profile information, if desired), you'll have to create accounts for users and set each account's authentication method to LDAP. OJS currently supports creating accounts in the LDAP database when users register, but it doesn't at the moment support creating an OJS user account from an LDAP record.
My goal was to implement a single registration database for multiple, disparate systems that make up the web system I am developing. I wanted to provide a single place for my users to register and later edit their profiles. I would also like to let them use a single set of credentials to access the various subsystems they have available, such as Typo3 Content Management System, TWiki, Subversion, WebDAV and some others.
The LDAP plugin came in really handy for me, but as you may have expected, I needed to come up with my own way of creating the user accounts in OJS so that they can be later authenticated via LDAP.
What I did was to code a web application that has direct access to the user account information in the OJS database.
Although this solves my problem, it may not be a good general solution for others trying to use OJS with LDAP.
I believe that to make the LDAP support in OJS complete, there needs to be a way for external applications to:
1) Create new user accounts (one at a time). There should be a way to link those accounts to journals and to enrol users. This feature would require OJS to describe to the calling application which journals are available.
2) Update profile details when users change them in the central registration application.
It would also be nice to have a button that the OJS administrator could push to synchronize the OJS user database to the external (LDAP) source.
It would also be nice to have a way to block or redirect the links to Registration forms on OJS once you select a new authentication source for the system.
Note that there are several implications to be considered when implementing these features:
* general security implications and authentication of the external application;
* issue of deleting existing users, etc.
Note that these requirements reflect my needs regarding LDAP authentication, and may not be general enough to fulfil the needs of others.
Anyway, I hope this information is of some help to you.
Keep up the great work.
Regards,
Ricardo
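The post above asks for an interface through which an external registration application can create LDAP-authenticated OJS accounts, enrol them in journals, push profile updates, and synchronize the user table from the directory without deleting anyone. The following is an added example sketching such a bridge; it is not code from the post, from OJS, or from the LDAP plugin. The `users`/`journals`/`roles` tables, the column names, the `ProvisioningBridge` class and the shared API token are all assumptions made for the example (OJS's real schema is different), and SQLite stands in for the OJS database.

```python
import hmac
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in schema for this example. It is NOT OJS's real schema;
# the column names are assumptions chosen to mirror the requirements above.
SCHEMA = """
CREATE TABLE users (
    user_id       INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    email         TEXT NOT NULL,
    first_name    TEXT NOT NULL,
    last_name     TEXT NOT NULL,
    auth_method   TEXT NOT NULL,   -- 'ldap' or 'local'
    password_hash TEXT,            -- NULL when the directory verifies passwords
    disabled      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE journals (journal_id INTEGER PRIMARY KEY, path TEXT UNIQUE NOT NULL);
CREATE TABLE roles (
    journal_id INTEGER NOT NULL REFERENCES journals(journal_id),
    user_id    INTEGER NOT NULL REFERENCES users(user_id),
    role       TEXT NOT NULL,
    PRIMARY KEY (journal_id, user_id, role)
);
"""


@dataclass(frozen=True)
class DirectoryUser:
    """Profile attributes the central registration system holds for one user."""
    username: str
    email: str
    first_name: str
    last_name: str


class ProvisioningBridge:
    """Hypothetical API an external registration app calls instead of writing
    to the OJS tables directly. Every call must carry the shared API token."""

    def __init__(self, conn: sqlite3.Connection, api_token: str):
        self.conn = conn
        self._token = api_token
        conn.executescript(SCHEMA)

    def _authenticate_caller(self, token: str) -> None:
        # Constant-time comparison: the external application must prove it
        # holds the secret before it can touch any account.
        if not hmac.compare_digest(self._token, token):
            raise PermissionError("external application not authenticated")

    def add_journal(self, path: str) -> int:
        return self.conn.execute("INSERT INTO journals(path) VALUES (?)", (path,)).lastrowid

    def list_journals(self, token: str) -> list:
        """Tell the calling application which journals exist (requirement 1)."""
        self._authenticate_caller(token)
        return [r[0] for r in self.conn.execute("SELECT path FROM journals ORDER BY path")]

    def upsert_user(self, user: DirectoryUser, token: str) -> tuple:
        """Create an account whose password is checked by LDAP, or refresh its
        profile if it already exists (requirements 1 and 2). Returns (user_id, created)."""
        self._authenticate_caller(token)
        row = self.conn.execute("SELECT user_id FROM users WHERE username = ?",
                                (user.username,)).fetchone()
        if row is None:
            cur = self.conn.execute(
                "INSERT INTO users(username, email, first_name, last_name, auth_method, password_hash)"
                " VALUES (?, ?, ?, ?, 'ldap', NULL)",
                (user.username, user.email, user.first_name, user.last_name))
            return cur.lastrowid, True
        # A profile update only touches profile fields; it never changes the
        # authentication method or stores a local password.
        self.conn.execute(
            "UPDATE users SET email = ?, first_name = ?, last_name = ?, disabled = 0 WHERE user_id = ?",
            (user.email, user.first_name, user.last_name, row[0]))
        return row[0], False

    def enroll(self, username: str, journal_path: str, role: str, token: str) -> None:
        """Link an existing account to a journal with a role (requirement 1)."""
        self._authenticate_caller(token)
        journal = self.conn.execute("SELECT journal_id FROM journals WHERE path = ?",
                                    (journal_path,)).fetchone()
        user = self.conn.execute("SELECT user_id FROM users WHERE username = ?",
                                 (username,)).fetchone()
        if journal is None or user is None:
            raise LookupError("unknown journal or user")
        self.conn.execute("INSERT OR IGNORE INTO roles(journal_id, user_id, role) VALUES (?, ?, ?)",
                          (journal[0], user[0], role))

    def sync_from_directory(self, directory: list, token: str) -> dict:
        """The administrator's 'synchronize' action: upsert every directory entry,
        then disable (never delete) LDAP accounts that left the directory, so the
        relational records OJS keeps about them stay intact."""
        self._authenticate_caller(token)
        created = updated = 0
        for user in directory:
            _, was_created = self.upsert_user(user, token)
            created += int(was_created)
            updated += int(not was_created)
        names = [u.username for u in directory]
        placeholders = ",".join("?" * len(names)) or "''"   # only '?' and ',' reach the SQL text
        cur = self.conn.execute(
            "UPDATE users SET disabled = 1 WHERE auth_method = 'ldap' AND username NOT IN (%s)"
            % placeholders, names)
        return {"created": created, "updated": updated, "disabled": cur.rowcount}

    def account(self, username: str) -> Optional[dict]:
        cols = ("username", "email", "auth_method", "password_hash", "disabled")
        row = self.conn.execute(
            "SELECT %s FROM users WHERE username = ?" % ", ".join(cols), (username,)).fetchone()
        return None if row is None else dict(zip(cols, row))


def make_bridge(api_token: str) -> ProvisioningBridge:
    """Open an in-memory stand-in database with the constructed schema."""
    return ProvisioningBridge(sqlite3.connect(":memory:"), api_token)
```

Two design points worth noting: an account created through the bridge carries no local password hash at all, so a leaked OJS database never yields a second credential for a user whose password lives in the directory, and the synchronize step deactivates rather than deletes, which is the conservative answer to the "deleting existing users" implication listed in the post.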