<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>ACS LDAP Authentication Requirements v.1d</title>
</head>

<body bgcolor=white>

<h2>ACS LDAP Authentication Requirements v.1d</h2>

by <a href="mailto:dennis@arsdigita.com">Dennis Gregorovic</a>

<hr>

<h3>I. Introduction</h3>

The following is a requirements document for the ACS LDAP Authentication package
version 0.1d.

<h3>II. Vision Statement</h3>

The operators of a group of servers running separate ACS installations often
want a single login and account-creation mechanism for all of the servers in
the group.  For example, if Joe User creates an account on www.arsdigita.com,
he should be able to log on to dev.arsdigita.com with the same e-mail address
and password.

<h3>III. Use-cases and User-scenarios</h3>

The ACS LDAP Authentication package is intended for use by ACS administrators.

The setup process should be simple.  To use the ACS LDAP Authentication package,
Jane Admin first installs it, then sets its parameters so that it points to the
desired LDAP server, and then enables it.  Once the package is enabled, LDAP
Authentication overrides the default ACS login mechanism.

<h3>IV. System/Application Overview</h3>
ACS LDAP Authentication consists of:

<ul>
  <li><strong>Configuration</strong>
   <ul>
     <li>There is at most one instance of an LDAP Authentication package per ACS
      installation.
     <li>Each instance requires a set of parameters specifying information about
      the LDAP server to be used.
     <li>Authentication is shared between ACS installations implicitly, by
      pointing each installation at the same LDAP server.
   </ul>
      
  <li><strong>Common Authentication</strong>
   <ul>
     <li>If servers A, B, and C are using LDAP Authentication and are set up to
      share a common LDAP server, then Joe User can log into A, B, or C with the
      same e-mail address/password pair.
      </li>
   </ul>
   
  <li><strong>Account Replication</strong>
   <ul>
     <li>A user only needs to register once, on any one ACS installation within
      a group of servers using LDAP Authentication.
     <li>When the user logs into an installation within the group, a local
      account is created for the user if one does not already exist.
     <li>The LDAP server shared by the group is the canonical source of account
      information for its users (e-mail address, first names, last name, screen
      name).  The local copy of this information is refreshed from the
      canonical source each time the user logs in.
   </ul>
</ul>

<h3>V. Related Links</h3>

<ul>
  <li> <a href=design.html>Design Document</a>
  <li> <a href="http://www.arsdigita.com/doc/ldap-authentication">Original Idea</a>
  <li> Test plan (Not available yet)
</ul>

<h3>VI.A Requirements: Data Model</h3>

<p>The LDAP Authentication package Data Model should provide the following
capabilities:</p>

<dl>
  <dt><b>10.10 Uniquely identify a user</b></dt>
  <dd><p>The data model needs a way to identify a user uniquely across all
   machines in the group that is independent of the user's e-mail address and
   screen name, so that the user can change either without losing the link
   between the local accounts and the canonical record.</p></dd>
</dl>

<h3>VI.B Requirements: API</h3>

<p>The Single Login functionality API should provide the following
capabilities:</p> 

<dl>
<dt><b>20.10 Authenticate a user</b></dt>

<dd> <p>Given an e-mail address and a password, the LDAP Authentication package
 verifies whether the password is correct for the account registered under that
 e-mail address.  </p> </dd>

<dt><b>20.20 Query a user's existence</b></dt>

<dd> <p>Given an email address, the LDAP Authentication package returns whether a
user with that email address exists.  </p> </dd>

<dt><b>20.30 Update a user's local info</b></dt>

<dd> <p>The LDAP Authentication package can update a user's local information
 (email address, screen name, first names, last name) with the information from
 the canonical source.  </p> </dd>

<dt><b>20.40 Update a user's canonical info</b></dt>

<dd> <p>The LDAP Authentication package can update a user's information
 (email address, screen name, first names, last name) at the canonical source
 with the information from the local database.  </p> </dd>

</dl>
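<p>The following is an added example, not code from the ACS LDAP Authentication
package or from ArsDigita, that works through requirements 10.10, 20.10, 20.20
and 20.30 together.  It assumes the directory stores users with the standard
<code>mail</code>, <code>uid</code>, <code>givenName</code> and <code>sn</code>
attributes and uses the operational <code>entryUUID</code> attribute (RFC 4530)
as the stable cross-installation identifier that 10.10 asks for; none of those
choices appear in this document.  The directory itself is a constructed
in-memory stand-in rather than a real LDAP client, so the example runs offline;
what it demonstrates are the two checks an implementer of 20.10 cannot skip:
escaping the e-mail address before it goes into a search filter (RFC 4515), and
refusing to bind with an empty password, since an empty password turns a simple
bind into the unauthenticated bind of RFC 4513 section 5.1.2, which some
servers answer with success.</p>

```python
# Added example, not the package's code.  Attribute names and the use of
# entryUUID as the stable key are assumptions; FakeDirectory is a constructed
# stand-in for an LDAP server.
from dataclasses import dataclass, field

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user input before splicing it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def mail_filter(email: str) -> str:
    return f"(mail={escape_filter_value(email)})"

def _filter_segments(raw: str) -> list:
    """Split an (attr=value) filter value at unescaped '*' wildcards, decoding
    RFC 4515 \\XX escapes; a single segment means an exact match is required."""
    segments, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            cur.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif raw[i] == "*":
            segments.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(raw[i])
            i += 1
    segments.append("".join(cur))
    return segments

def _matches(segments: list, value: str) -> bool:
    """Case-insensitive equality or substring (initial/any/final) match."""
    v, segs = value.lower(), [s.lower() for s in segments]
    if len(segs) == 1:
        return v == segs[0]
    if not (v.startswith(segs[0]) and v.endswith(segs[-1])):
        return False
    pos = len(segs[0])
    for s in segs[1:-1]:
        idx = v.find(s, pos)
        if idx < 0:
            return False
        pos = idx + len(s)
    return pos <= len(v) - len(segs[-1])

@dataclass
class Entry:
    dn: str
    attrs: dict        # attribute -> list of values, as LDAP returns them
    password: str      # stand-in for the userPassword the server checks on bind

class FakeDirectory:
    """Constructed stand-in for the LDAP server: one (attr=value) filter per
    search, plus a simple bind."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, filter_str: str) -> list:
        if not (filter_str.startswith("(") and filter_str.endswith(")") and "=" in filter_str):
            raise ValueError("only a single (attr=value) filter is modelled here")
        attr, raw = filter_str[1:-1].split("=", 1)
        segs = _filter_segments(raw)
        return [e for e in self.entries if any(_matches(segs, v) for v in e.attrs.get(attr, []))]

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind.  Some servers (Active Directory, for one) answer it with
        # success, so the stand-in does too; the caller must refuse it itself.
        if password == "":
            return True
        entry = next((e for e in self.entries if e.dn == dn), None)
        return entry is not None and entry.password == password

def authenticate(directory, email: str, password: str):
    """20.10: return the user's entry if the password is right, else None."""
    if not password:
        return None                    # would otherwise "succeed" as anonymous
    found = directory.search(mail_filter(email))
    if len(found) != 1:
        return None                    # unknown or ambiguous e-mail: refuse
    return found[0] if directory.simple_bind(found[0].dn, password) else None

def user_exists(directory, email: str) -> bool:
    """20.20: existence check, using the same escaped filter."""
    return len(directory.search(mail_filter(email))) == 1

@dataclass
class LocalAccounts:
    """Stand-in for the local ACS users table, keyed by the directory's stable
    entryUUID rather than by e-mail or screen name (requirement 10.10)."""
    rows: dict = field(default_factory=dict)   # entryUUID -> account row

    def sync_from_canonical(self, entry: Entry) -> dict:
        """20.30 / account replication: create the row on first login, refresh it after."""
        uuid = entry.attrs["entryUUID"][0]
        row = self.rows.setdefault(uuid, {"ldap_uuid": uuid})
        row.update(email=entry.attrs["mail"][0], screen_name=entry.attrs["uid"][0],
                   first_names=entry.attrs["givenName"][0], last_name=entry.attrs["sn"][0])
        return row

def login(directory, accounts: LocalAccounts, email: str, password: str):
    """What an ACS login page would do with the package enabled."""
    entry = authenticate(directory, email, password)
    return None if entry is None else accounts.sync_from_canonical(entry)

def build_directory() -> FakeDirectory:
    """Constructed sample data for two users (not real accounts)."""
    return FakeDirectory([
        Entry("uid=joe,ou=people,dc=example,dc=com",
              {"mail": ["joe@example.com"], "uid": ["joe"], "givenName": ["Joe"],
               "sn": ["User"], "entryUUID": ["2d7c9c1e-0000-4000-8000-000000000001"]},
              "correct horse"),
        Entry("uid=jane,ou=people,dc=example,dc=com",
              {"mail": ["jane@example.com"], "uid": ["jane"], "givenName": ["Jane"],
               "sn": ["Admin"], "entryUUID": ["2d7c9c1e-0000-4000-8000-000000000002"]},
              "battery staple"),
    ])

def email_change_keeps_one_account() -> tuple:
    """10.10 worked through: Joe logs in, his e-mail changes at the canonical
    source, he logs in again; the local table still holds exactly one row."""
    directory, accounts = build_directory(), LocalAccounts()
    login(directory, accounts, "joe@example.com", "correct horse")
    directory.entries[0].attrs["mail"] = ["joe.user@example.com"]
    row = login(directory, accounts, "joe.user@example.com", "correct horse")
    return len(accounts.rows), row["email"]

if __name__ == "__main__":
    d = build_directory()
    print(mail_filter("*"), "matches", len(d.search(mail_filter("*"))),
          "entries; unescaped (mail=*) matches", len(d.search("(mail=*)")))
    print(email_change_keeps_one_account())
```

<p>Two points carry over to a real implementation.  First, the search in
20.10 and 20.20 must be done with a service account (or anonymously, if the
server allows) and the user's own password used only for the second bind
against the DN the search returned; binding the user's password against a DN
built from the e-mail address string would reintroduce the escaping problem.
Second, a simple bind sends the password in the clear unless the connection is
protected, so the LDAP server parameters in the configuration should point at
an LDAPS or StartTLS endpoint.</p>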

<h3>VI.C Requirements: The User Interface</h3>

<p>The Single Login functionality does not have any User Interface requirements.</p> 

<h3>VII. Revision History</h3>

<table cellpadding=2 cellspacing=2 width=90% bgcolor=#efefef>
<tr bgcolor=#e0e0e0>
    <th width=10%>Document Revision #</th>
    <th width=50%>Action Taken, Notes</th>
    <th>When?</th>
    <th>By Whom?</th>
</tr>

<tr>
   <td>0.1</td>
   <td>Creation</td>
   <td>08/30/2000</td>
   <td>Dennis Gregorovic</td>
</tr>

<tr>
   <td>0.2</td>
   <td>Revised</td>
   <td>09/11/2000</td>
   <td>Dennis Gregorovic</td>
</tr>

</table>
<hr>
<address><a href="mailto:dennis@arsdigita.com">dennis@arsdigita.com</a></address>
<!-- hhmts start -->
Last modified: Mon Sep 11 11:42:01 2000
<!-- hhmts end -->
</body>
</html>