Hi Alexander,
Il giorno mar, 14/06/2011 alle 18.16 +0200, Alexander Wagner ha scritto:
> However, as soon as I enabled LDAP, the admin password changes to my
> LDAP-password, ie. it authenticates against LDAP all the time even
> though I use a local nickname. First of all it took me a while to
> understand that the local nickname (admin) gets authenticated against a
> global password storage (LDAP) ie. Invenio resolves admin to my mail
> address and then authenticates against the LDAP. This is ok, if
> intended. (Some note in the docs would be in order. Sam, I think we
> should add this to the file I sent you?)
>
> On the other hand I'm not shure that this is sensible, especially for
> the admin account. I felt that this should always allow for local login
> without requiring external systems to answer properly. That's why it
> took me a while to understand that I should use my LDAP credentials and
> not the default password.
>
> So, at the end I'm at a "bug or feature" question...
Yes, yes, it's a feature :-) . The fact is that if you disable local
accounts, and you just keep LDAP, then the admin account, by virtue of
the CFG_SITE_ADMIN_EMAIL configuration parameter is checked against LDAP
using your email.
If you were using both local and LDAP (unless there's some bug), you
could have authenticate with any of the two. (In the login form you
could have seen, under the username and password field, a dropdown menu
letting you choose between local and LDAP authentication.
Indeed you right that this might not be evident and should be better
documented.
Cheers,
Sam
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
