[Koha] LDAP authentication problem with Koha 2.2.9

mourik jan c heupink heupink at merit.unu.edu
Thu Oct 4 01:40:07 NZST 2007


Hi all,

OK, below is my understanding of what is happening here. I have written 
some emails about this (Koha/LDAP) to the Koha list, but never received 
a reply. :-(

Please do correct me if I'm wrong...

I think this is what is going on: Koha uses a strange way to check the 
password. Note: I'm running an older Koha version (2.2.6), so things 
might have changed since then?

The NORMAL way to verify a password is to try to authenticate to the 
LDAP server using the username/password combination the user typed. If 
the connection works, the combination is correct. If the connection 
fails, the password for that username is wrong.

Koha tries to actually compare the two passwords itself, and this will 
not always work (due to password encryption, or access control lists 
that prevent the password from being given out by the LDAP server).

Personally I find it a strange and unsafe way to check for a correct 
password.

Anyway, below is my Auth.pm, which tries to bind to the LDAP server with 
the username/password the user gave us, and then reports success or 
failure. Note: I'm running 2.2.6!

         ##################################################
         ### LOCAL
         ### Change the code below to match your own LDAP server.
         ##################################################

         use Net::LDAP;

         # LDAP connection parameters

         # LDAP server
         my $ldapserver = 'x.x.x.x';

         # Base DN for users
         my $name  = "ou=users,dc=blah,dc=blah";

         # Bind uses the user's full DN; if uid doesn't work, try "cn"
         my $binddn = "uid=$userid,$name";

         # connect; if the server cannot be reached there is nothing to bind to
         my $db = Net::LDAP->new( $ldapserver )
             or return 0;

         # do bind as the user, with the password the user typed
         my $res = $db->bind(
                         dn       => $binddn,
                         password => $password );

         # check result, any other result than LDAP_SUCCESS (0)
         # is a problem
         if ( $res->code != 0 ) {
                 # auth refused
                 warn "Auth failed. LDAP server not responding or invalid credentials provided";
                 return 0;
         }

         # bind succeeded, so the username/password combination is correct
         return 1;


Maybe this helps?

Regards,
Mourik Jan


Guillaume Hatt wrote:
> Hi everyone,
> I have Koha working (2.2.9), and I try to connect the readers who are 
> stored in our LDAP.
> The connection to LDAP server is OK, Koha can find the reader login, but 
> authentication fails.
> 
> In my log, I can see:
> LDAP Auth impossible : wrong password at 
> /usr/local/koha/intranet/modules/C4/Auth.pm line 533, <DATA> line 430.
> 
> I use Auth_LDAP.pm renamed as Auth.pm, and I think the problem is there 
> (line 527):
> my $userldapentry = $userdnsearch->shift_entry;
> my $cmpmesg = $db->compare( $userldapentry, attr => 'userPassword', 
> value => $password );                 ## HACK LMK
>           ## original line
>           #if( $cmpmesg -> code != 6 ) {
>           if( ( $cmpmesg -> code != 6 ) &&  ! ( $password eq "kivabien" ) ) {
>             warn "LDAP Auth impossible : wrong password";
>             return 0;
>     };
> 
> In our LDAP, the password is in the field userPassword but is crypted. I 
> think I must replace "kivabien" with something, but I don't know what...
> 
> Has anybody an idea? Is there an example on another site with Koha?
> 
> Thanks.
> G. Hatt
> 
> 
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
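The bind-as-user check Mourik Jan describes, as an added example in Perl with Net::LDAP (not code from Koha or from either poster), contrasted with the compare-on-userPassword approach in the quoted Auth_LDAP.pm snippet. It assumes a placeholder server name and base DN and a server that supports STARTTLS with a CA store IO::Socket::SSL can find, and it adds two checks the snippets in this thread lack: refusing an empty password (which LDAP servers may treat as an unauthenticated bind that returns success) and escaping the userid before building the DN.

```perl
#!/usr/bin/perl
# Added example: verify a password by binding to LDAP as the user,
# instead of comparing against the (possibly hashed, possibly hidden)
# userPassword attribute. Not Koha's own code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_dn_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed local settings (placeholders): replace with your own server and base DN.
my $ldapserver = 'ldap.example.org';
my $basedn     = 'ou=users,dc=example,dc=org';

# Returns 1 when $userid/$password bind successfully, 0 otherwise.
sub ldap_check_password {
    my ($userid, $password) = @_;

    # Refuse an empty password before binding: a DN with an empty
    # password is an unauthenticated bind, which a server may answer
    # with LDAP_SUCCESS even though no password was verified.
    return 0 unless defined $password && length $password;

    # Escape the userid so characters such as ',' '+' or '=' cannot
    # change which DN is bound (escape_dn_value is from Net::LDAP::Util).
    my $binddn = 'uid=' . escape_dn_value($userid) . ",$basedn";

    my $ldap = Net::LDAP->new($ldapserver, timeout => 10)
        or do { warn "LDAP connect failed: $@"; return 0 };

    # Protect the cleartext password on the wire; fail closed if the
    # server cannot negotiate TLS (assumes a CA store is available).
    my $tls = $ldap->start_tls(verify => 'require');
    if ($tls->code != LDAP_SUCCESS) {
        warn 'STARTTLS failed: ' . $tls->error;
        $ldap->unbind;
        return 0;
    }

    my $res = $ldap->bind($binddn, password => $password);
    $ldap->unbind;

    if ($res->code != LDAP_SUCCESS) {
        # Log the DN and the server's error, never the password.
        warn "Auth failed for $binddn: " . $res->error;
        return 0;
    }
    return 1;
}
```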

