[Koha] Koha authentication against existing LDAP directory
ohiocore at gmail.com
Fri Jun 5 02:20:45 NZST 2009
On Wed, Jun 3, 2009 at 8:15 PM, Ben Finney <ben+koha at benfinney.id.au> wrote:
> Cab Vinton <bibliwho at gmail.com> writes:
> > Can someone provide a newbie summary of what functionality LDAP + Koha
> > is supposed to provide?
> LDAP (Lightweight Directory Access Protocol) is a standard query
> protocol into “directories” of information, where a directory is a
> hierarchical organisation of information optimised for fast and flexible
> Such directories can, of course, be directories of people: they are
> often used for providing a directory of people for various purposes,
> including authentication.
> > I gather it has something to do with authentication, but who's being
> > authenticated for what?
> LDAP authentication is normally done at login time by querying the LDAP
> server and asking it to authenticate the user based on the login
> credentials, in order to grant further access to the information in the
> directory (this process is termed “binding to” the directory).
> Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP
> directory for the user account details when a user attempts to log in.
> My messages have led to the conclusion that this is currently done in a
> rather naive and insecure way: not using the standard LDAP-server-based
> authentication, but instead using an access-all-accounts privileged
> directory account to pull all the details across the connection and
> perform authentication on the webserver.
> Future (currently-in-development) Koha code may, I'm told, have the
> ability to use the correct authentication on the LDAP server, without a
> need for insecure access to the LDAP accounts.
The HEAD version of Koha suggests the functionality you want with
"auth_by_bind" lines in C4::Auth_with_LDAP. I'm not vouching for their
operation because I haven't tested it firsthand, but Active Directory is
specifically what the code has in mind.
Looking at the implementation, I don't like how it was done though. It
seems to require anonymous binding to work first, then ignores that and goes
for a separate user bind.
As for the non-auth_by_bind implementation being "naive", it isn't. It
anticipates batch import/update functionality that would be very desirable.
Obviously, importing a whole directory of unspecified users would require
the privileged account info.
LibLime - Open Source Library Solutions
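Added example (not Koha's code, and not a real LDAP client library): the two login designs discussed in this thread, run against a constructed in-memory stand-in for the directory so it works offline. It shows the auth_by_bind flow (anonymous search for the user's DN, then a bind as that DN with the supplied password), the privileged-account flow (a service account reads userPassword and the webserver verifies the {SSHA} hash itself), and the one check any bind-based login needs: rejecting an empty password, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513) that servers may answer with success. The DNs, uids, passwords and the FakeDirectory class are all invented for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example data; nothing here is Koha's configuration.
BASE_DN = "ou=people,dc=example,dc=org"
ADMIN_DN = "cn=koha-sync,dc=example,dc=org"   # invented service account
ADMIN_PW = "service-account-secret"


class InvalidCredentials(Exception):
    """Stand-in for LDAP result code 49 (invalidCredentials)."""


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value. The server does this on bind;
    only the 'pull the hash to the webserver' design needs it app-side."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Invented in-memory stand-in for an LDAP server (bind + subtree search)."""

    def __init__(self, entries, password_readers):
        self.entries = entries                    # dn -> attribute dict
        self.password_readers = password_readers  # DNs the ACL lets read userPassword

    def bind(self, dn, password):
        # A DN with an empty password is an *unauthenticated* bind: many servers
        # answer success and treat the session as anonymous. Modelled on purpose.
        if dn == "" or password == "":
            return Session(self, None)
        entry = self.entries.get(dn)
        if entry is None or not ssha_verify(password, entry["userPassword"]):
            raise InvalidCredentials(dn)
        return Session(self, dn)


class Session:
    def __init__(self, directory, bound_dn):
        self.directory, self.bound_dn = directory, bound_dn

    def search(self, base, attr, value, wanted):
        """Subtree search '(attr=value)' under base; returns dn plus the wanted
        attributes that the ACL allows this session to read."""
        hits = []
        for dn, attrs in self.directory.entries.items():
            if dn.endswith(base) and attrs.get(attr) == value:
                hit = {"dn": dn}
                for a in wanted:
                    if a == "userPassword" and self.bound_dn not in self.directory.password_readers:
                        continue  # ACL: anonymous and ordinary users never see hashes
                    if a in attrs:
                        hit[a] = attrs[a]
                hits.append(hit)
        return hits


def login_by_bind(directory, uid, password, reject_empty=True):
    """auth_by_bind design: anonymous search for the DN, then bind as that DN.
    The app holds no privileged credential and never sees a password hash.
    reject_empty=False reproduces the classic pitfall for demonstration."""
    if reject_empty and password == "":
        return False
    hits = directory.bind("", "").search(BASE_DN, "uid", uid, ["dn"])
    if len(hits) != 1:
        return False
    try:
        directory.bind(hits[0]["dn"], password)
    except InvalidCredentials:
        return False
    return True


def login_by_privileged_compare(directory, uid, password):
    """Privileged-account design: bind as a service account allowed to read
    userPassword, pull the hash across, and verify it on the webserver."""
    admin = directory.bind(ADMIN_DN, ADMIN_PW)
    hits = admin.search(BASE_DN, "uid", uid, ["userPassword"])
    if len(hits) != 1 or "userPassword" not in hits[0]:
        return False
    return ssha_verify(password, hits[0]["userPassword"])


def build_directory():
    """Constructed directory: one service account and one user."""
    entries = {
        ADMIN_DN: {"cn": "koha-sync", "userPassword": ssha_hash(ADMIN_PW)},
        "uid=alice," + BASE_DN: {"uid": "alice", "userPassword": ssha_hash("correct horse")},
    }
    return FakeDirectory(entries, password_readers={ADMIN_DN})


def anonymous_can_read_password(directory):
    """True only if the ACL leaks userPassword to an anonymous session."""
    hits = directory.bind("", "").search(BASE_DN, "uid", "alice", ["userPassword"])
    return "userPassword" in hits[0]


if __name__ == "__main__":
    d = build_directory()
    print("bind, good password:", login_by_bind(d, "alice", "correct horse"))
    print("bind, empty password, guarded:", login_by_bind(d, "alice", ""))
    print("bind, empty password, unguarded:", login_by_bind(d, "alice", "", reject_empty=False))
    print("privileged compare:", login_by_privileged_compare(d, "alice", "correct horse"))
```

The bind design reaches the directory twice (anonymous search, then user bind), which is the "anonymous binding first, then a separate user bind" pattern criticised above; it is what you do when the login name is not itself the DN. The privileged design works only because the service account's DN is in the ACL that may read userPassword, which is exactly the access-all-accounts credential the thread objects to, though it is also what a batch import of users would need.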