Exciting, thanks for reaching out! I apologize for the lack of documentation...but I'm sure we can help figure this out.
Yes, that would definitely be a welcome addition!
Since catsoop logins carry over across courses on the same catsoop instance, it's not possible to implement them at the level of an individual subject. Actually, it might technically be possible in 2020.2 (due to an oversight) by adding an
__AUTH__ directory within your subject, but it's not intended, and future versions will remove that.
From a high-level perspective, what we need is a new subdirectory of the
__AUTH__ directory (which it looks like you already discovered). Inside of that directory, there must be a Python file with the same name, for example
cs_auth_type = 'dummy', catsoop will look there for how to do authentication.
'dummy' is a reasonable place to start looking, because it's by far the most minimal example we have for an authentication type, and it implements the one required piece:
get_logged_in_user, which takes in a dictionary with a bunch of information about the catsoop instance, and returns a dictionary with some additional information:
'username' is the indentifier that catsoop should use for this person,
'email' is an e-mail address we can use for that person, and
'name' (not required) is a full name we can use for the person.
'dummy' just looks up this information from the catsoop configuration file, but other authentication types do more work. The OpenID Connect implementation, for example, does a bit more:
- It first looks in the user's session data for user information. If that information exists there, it simply returns it.
- If no user information exists in the session, and a special flag indicating a log in attempt has not been set in the query string, we render the page (modifying
context['cs_content'] to indicate that the user should log in)
- If we set the flag asking to log in, we store some information in the session (related to the OpenID Connect request we're going to make), and redirect elsewhere (which then redirects back to catsoop to actually complete the login).
I think the high-level approach to an LDAP authentication would be similar, but the last step, rather than performing a redirect, would show a login form. Then that form would submit to someplace where we could send the username and password to the LDAP server, and use its response to store the appropriate information in the session.
I'm not at all familiar with LDAP, but it looks like there are at least a couple of packages in PyPI that implement LDAP (this one, for example, looks reasonable). If we were using that package, it does look like the login process would be pretty straightforward (following this example), though we would want to have a way to specify the arguments to the
Server object, since different LDAP servers will, presumably, require different settings.
I'm not sure if that's enough to get started on, but I'm certainly happy to continue the conversation, and to help/advise as necessary.