acs-authentication
This document aims to help you understand how it works and how you can use it for your own purposes. By Rocael Hernández R.

Main functionality: it is used to authenticate any user in an OpenACS installation.
So far, you can use it to authenticate against LDAP and PAM, and of course locally. You can implement your own based on your needs, processes, etc.
Definition: SC = service-contract
Authorities
acs-authentication can have multiple authorities; each one represents a specific configuration of authentication. For instance, in your OpenACS installation you can have users related to different authorities: some of them might authenticate locally since they are external or invited users; others belong to your corporate network and already have accounts there, so they might authenticate against LDAP; and others in your own office might use PAM for authentication through your local system accounts. You might also define a specific implementation (using the set of SCs) to connect to your client database, which lives in another DB, and allow your clients to log in to certain parts of your website. This is the right way to handle all those sets of users that already have an account somewhere else, when you just want them to authenticate against that external system.
The idea is: each user belongs to a given authority, and just one.

To add an authority to your installation go to /acs-admin/auth/ and click on "Create new authority".
When adding the authority you need to configure:
Those configurations simply call the Tcl proc that is defined in the SC described above for the SC implementation that you choose. In other words:
Note: "Batch Synchronization" will not be administered there anymore in the future; everything will move to ims-ent.
Also, depending on each implementation, there is a set of parameters that are required for the configuration to work. Those parameters are set independently per authority / authentication method, so for LDAP you will be able to configure the following set of parameters:
Then you can enter the specific values for your server; the recommended ones are likely to work fine.
Hint: nssha (SSHA) doesn't work well with LDAP; use ns_passwd or another password hashing method (MD5, ...).
You can let your users log in using either the email or the username by changing the kernel parameter named UseEmailForLoginP under the Security section. If the username is used for login, the form will ask for the authority to use, since a username is unique per authority but not across the entire OpenACS installation (several identical usernames can exist, each belonging to a different authority).
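As an added illustration (not OpenACS code), the following Python model shows what the authority concept above implies for login: each authority dispatches to its own implementation behind one common interface (the role the SCs play), the same username can exist in two authorities, and the UseEmailForLoginP setting decides whether the login form can skip the authority prompt. The backend class, authority names and sample accounts are constructed for the example.

```python
import hmac

class PasswordTable:
    """Stand-in for one backend (local table, LDAP, PAM) behind the common interface."""
    def __init__(self, passwords):
        self.passwords = passwords  # constructed sample: username -> password
    def authenticate(self, username, password):
        stored = self.passwords.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

class Authority:
    def __init__(self, name, impl):
        self.name, self.impl = name, impl   # impl: the implementation chosen for this authority
        self.accounts = {}                  # username -> email; unique only within this authority

class Installation:
    def __init__(self, use_email_for_login):
        self.use_email_for_login = use_email_for_login  # models the kernel parameter UseEmailForLoginP
        self.authorities = {}

    def resolve(self, login, authority_name=None):
        """Map what the login form sent to (authority, username), or None if unknown."""
        if self.use_email_for_login:
            # An email is unique across the whole installation, so no authority prompt is needed.
            for auth in self.authorities.values():
                for username, email in auth.accounts.items():
                    if email == login:
                        return auth, username
            return None
        # A username is unique only per authority, so the form must also ask which one.
        auth = self.authorities.get(authority_name)
        if auth is None or login not in auth.accounts:
            return None
        return auth, login

    def login(self, login, password, authority_name=None):
        resolved = self.resolve(login, authority_name)
        if resolved is None:
            return False
        auth, username = resolved
        return auth.impl.authenticate(username, password)  # dispatch to that authority's backend

def build_demo(use_email_for_login):
    """Two authorities that both contain a user named 'jdoe' (constructed sample data)."""
    site = Installation(use_email_for_login)
    corp = Authority("corporate-ldap", PasswordTable({"jdoe": "ldap-secret"}))
    corp.accounts["jdoe"] = "jdoe@corp.example"
    local = Authority("local", PasswordTable({"jdoe": "guest-secret"}))
    local.accounts["jdoe"] = "jdoe@mail.example"
    site.authorities = {corp.name: corp, local.name: local}
    return site
```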
acs-authentication defines a set of SCs to interact with the different authentication implementations (LDAP or PAM):
Note: #4 and #5 will be taken out of authentication and moved to the package ims-ent.
The SC definitions are quite straightforward, so it is worth looking at them for a better understanding.
Login process
In an OpenACS site the login is managed through acs-authentication. It happens like this: