<br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 8:15 PM, Ben Finney <span dir="ltr"><<a href="mailto:ben%2Bkoha@benfinney.id.au">ben+koha@benfinney.id.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Cab Vinton <<a href="mailto:bibliwho@gmail.com">bibliwho@gmail.com</a>> writes:<br>
<br>
> Can someone provide a newbie summary of what functionality LDAP + Koha<br>
> is supposed to provide?<br>
<br>
</div>LDAP (Lightweight Directory Access Protocol) is a standard query<br>
protocol into “directories” of information, where a directory is a<br>
hierarchical organisation of information optimised for fast and flexible<br>
query.<br>
<br>
Such directories can, of course, be directories of people: they are<br>
often used for providing a directory of people for various purposes,<br>
including authentication.<br>
<div class="im"><br>
> I gather it has something to do with authentication, but who's being<br>
> authenticated for what?<br>
<br>
</div>LDAP authentication is normally done at login time by querying the LDAP<br>
server and asking it to authenticate the user based on the login<br>
credentials, in order to grant further access to the information in the<br>
directory (this process is termed “binding to” the directory).<br>
<br>
Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP<br>
directory for the user account details when a user attempts to log in.<br>
<br>
My messages have led to the conclusion that this is currently done in a<br>
rather naive and insecure way: not using the standard LDAP-server-based<br>
authentication, but instead using an access-all-accounts privileged<br>
directory account to pull all the details across the connection and<br>
perform authentication on the webserver<br>
<URL:<a href="http://wiki.koha.org/doku.php?id=en:development:ldap" target="_blank">http://wiki.koha.org/doku.php?id=en:development:ldap</a>>.<br>
<br>
Future (currently-in-development) Koha code may, I'm told, have the<br>
ability to use the correct authentication on the LDAP server, without a<br>
need for insecure access to the LDAP accounts.<br>
</blockquote><div><br>The HEAD version of Koha suggests the functionality you want with "auth_by_bind" lines in C4::Auth_with_LDAP. I'm not vouching for their operation because I haven't tested it firsthand, but Active Directory is specifically what the code has in mind. <br>
<br>Looking at the implementation, I don't like how it was done though. It seems to require anonymous binding to work first, then ignores that and goes for a separate user bind. <br><br>As for the non-auth_by_bind implementation being "naive", it isn't. It anticipates batch import/update functionality that would be very desirable. Obviously, importing a whole directory of unspecified users would require the privileged account info. <br>
-- <br>Joe Atzberger<br>LibLime - Open Source Library Solutions<br></div></div>
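An added illustration of the two login patterns discussed in this thread (example code written for this note, not Koha's C4::Auth_with_LDAP and not from either poster): auth_by_bind, where an anonymous lookup resolves the user's DN and the LDAP server then verifies the password during the user's own bind, beside the privileged-account lookup that pulls the stored hash across the connection for the webserver to compare. The in-memory directory, service-account DN and passwords are constructed stand-ins; the empty-password check exists because RFC 4513 treats a DN with an empty password as an unauthenticated (effectively anonymous) bind, which a bind-based login must not mistake for success.

```python
import hashlib, hmac, os
# Constructed in-memory directory standing in for an LDAP server (hypothetical DNs and
# passwords). userPassword holds a salted SHA-1 ({SSHA}) digest, as a real server would.
def ssha(pw, salt):
    return hashlib.sha1(pw.encode() + salt).digest() + salt
def ssha_check(stored, pw):
    return hmac.compare_digest(stored, ssha(pw, stored[20:]))
SVC_DN = "cn=koha-svc,ou=services,dc=example,dc=org"
DIRECTORY = {
    SVC_DN: {"userPassword": ssha("svc-secret", os.urandom(4))},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": ssha("wonderland", os.urandom(4))},
}

class FakeLdap:
    """Just enough of an LDAP server's bind and search operations for the demo."""
    bound_as = None                              # None means anonymous
    def bind(self, dn, password):
        # RFC 4513 "unauthenticated bind": a DN with an EMPTY password succeeds as
        # anonymous on many servers, so a caller must never treat that as a login.
        if password == "":
            return True
        entry = DIRECTORY.get(dn)
        if entry and ssha_check(entry["userPassword"], password):
            self.bound_as = dn
            return True
        return False
    def search(self, uid):
        # Anyone may resolve a uid to its DN; only the privileged account sees the hash.
        for dn, attrs in DIRECTORY.items():
            if attrs.get("uid") == uid:
                visible = dict(attrs)
                if self.bound_as != SVC_DN:
                    visible.pop("userPassword")
                return dn, visible
        return None, None

def login_by_bind(uid, password):
    """Pattern A (auth_by_bind): anonymous DN lookup, then bind as that user so the
    LDAP server checks the password itself; no privileged account is involved."""
    if not password:                             # would silently become anonymous
        return False
    dn, _ = FakeLdap().search(uid)
    return dn is not None and FakeLdap().bind(dn, password)

def login_by_privileged_lookup(uid, password, svc_password="svc-secret"):
    """Pattern B: a privileged bind pulls the stored hash; the webserver compares."""
    conn = FakeLdap()
    if not conn.bind(SVC_DN, svc_password):
        return False
    _, attrs = conn.search(uid)
    return bool(attrs) and ssha_check(attrs["userPassword"], password)
```

Pattern B only works while the webserver holds the service account's credentials and the directory lets that account read userPassword, which is the privileged access the thread objects to; pattern A needs neither.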