James, I'm running Koha 3.00.02 which includes the new <auth_by_bind>1</auth_by_bind> for Active Directory, but I still cannot authenticate against our M$ LDAP. The Koha OPAC reports "Error: Invalid Username or Password." Specifically I'm unsure what to do with the <password></password> tag because our Microsoft AD LDAP schema has no exposed "userpassword". Do I simply use <password = ""></password>? I wish to create and update Koha user records when they log in to Koha, so I have:<br>
<br><ldapserver id="ldapserver" listenref="ldapserver"><br> <hostname>ldap://<a href="http://ldap.example.com:389">ldap.example.com:389</a></hostname><br> <base>dc=example,dc=com</base><br>
<user>CN=KOHA_LDAP_USER</user> <!-- DN, if not anonymous --><br> <pass>secretpasswd</pass> <!-- password, if not anonymous --><br> <replicate>1</replicate> <!-- add new users from LDAP to Koha database --><br>
<update>1</update> <!-- update existing users in Koha database --><br> <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of<br> password comparison, e.g., to use Active Directory --><br>
<mapping> <!-- match koha SQL field names to your LDAP record field names --><br> <firstname is="givenName" ></firstname><br> <surname is="sn" ></surname><br>
<address is="streetAddress" ></address><br> <city is="l" ></city><br> <zipcode is="postalCode" ></zipcode><br>
<userid is="sAMAccountName" ></userid><br> <password is="" ></password><br> <email is="mail" ></email><br>
<phone is="telephoneNumber"></phone><br> </mapping><br></ldapserver><br><br>After a failed login attempt, /var/log/koha/koha-error_log :<br><br>[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: LDAP Auth rejected : invalid password for user 'johndoe'. LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE, referer: <a href="http://koha.example.com:8080/cgi-bin/koha/mainpage.pl">http://koha.example.com:8080/cgi-bin/koha/mainpage.pl</a><br>
[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: # The request referenced an attribute that does not exist, referer: <a href="http://koha.example.com:8080/cgi-bin/koha/mainpage.pl">http://koha.example.com:8080/cgi-bin/koha/mainpage.pl</a><br>
[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: , referer: <a href="http://koha.example.com:8080/cgi-bin/koha/mainpage.pl">http://koha.example.com:8080/cgi-bin/koha/mainpage.pl</a><br><br>
<br>thank you!<br><br><div class="gmail_quote"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Message: 1<br>
Date: Fri, 13 Feb 2009 09:52:45 -0500<br>
From: "Winter, James" <<a href="mailto:WinterJ@arcadia.edu">WinterJ@arcadia.edu</a>><br>
Subject: Re: [Koha] FW: Koha 3.0 LDAP Question?<br>
To: "Barry Cannon" <<a href="mailto:bc@interleaf.ie">bc@interleaf.ie</a>><br>
Cc: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><br>
Message-ID:<br>
<<a href="mailto:195366CE4CF91245936298EEA68FEA980AE3C41E@BISHOP.arcadia.edu">195366CE4CF91245936298EEA68FEA980AE3C41E@BISHOP.arcadia.edu</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Did you comment out the two lines in Auth_with_ldap.pm? If so, it won't<br>
update or replicate the data. If you didn't, I would make sure you have<br>
the property names correct. I would start with the required fields<br>
(surname, address, city, branchcode, categorycode).<br>
<br>
<br>
<br>
Try using default values by setting is="" for those properties and put<br>
text between the tags. <address is="">123 Test Street</address> for<br>
example. If a person is created successfully with default values then<br>
it's a property name problem. If not, it's a Koha problem.<br>
<br>
<br>
<br>
James Winter<br>
<br>
215.517.2588<br>
<br>
<br>
<br>
From: Barry Cannon [mailto:<a href="mailto:bc@interleaf.ie">bc@interleaf.ie</a>]<br>
Sent: Friday, February 13, 2009 7:31 AM<br>
To: Winter, James<br>
Cc: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><br>
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?<br>
<br>
<br>
<br>
James,<br>
<br>
Thanks for this info...I can now authenticate against my<br>
LDAP server with no problems. However, when I start enabling <replicate><br>
and <update> to try and add the AD users into Koha the replication<br>
doesn't occur. The authentication still works but the users information,<br>
as per mappings, doesn't come across into Koha. There are no errors<br>
either?<br>
<br>
<br>
<br>
Does anyone have any suggestions?<br>
<br>
<br>
<br>
Thanks<br>
<br>
Bar<br>
<br>
<br>
<br>
From: Winter, James [mailto:<a href="mailto:WinterJ@arcadia.edu">WinterJ@arcadia.edu</a>]<br>
Sent: 12 February 2009 17:35<br>
To: Barry Cannon<br>
Cc: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><br>
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?<br>
<br>
<br>
<br>
Sure, it took me a while to get it working, but we have it working now.<br>
<br>
<br>
<br>
In our koha-conf.xml, we have this section in the config section<br>
(between <config> and </config> near the end of the file):<br>
<br>
<br>
<br>
<useldapserver>1</useldapserver><br>
<ldapserver id="ldapserver"><br>
<hostname>LDAPSERVERNAMEHERE:389</hostname><br>
<base>dc=DOMAIN,dc=COM</base><br>
<user> CN=[USER THAT CAN BROWSE ACTIVE DIRECTORY],OU=[OU OF USER (MULTIPLE ENTRIES IF NESTED OU)],DC=DOMAIN,DC=COM </user> <!-- DN, if not anonymous --><br>
<pass>[PASSWORD OF USER]</pass> <!-- password, if not anonymous --><br>
<replicate>0</replicate> <!-- add new users from LDAP to Koha database --><br>
<update>0</update> <!-- update existing users in Koha database --><br>
<mapping> <!-- match koha SQL field names to your LDAP record field names --><br>
<!--<cardnumber is="" ></cardnumber>--><br>
<!--<firstname is="givenname" ></firstname>--><br>
<!--<surname is="sn" ></surname>--><br>
<!--<address is="" > </address>--><br>
<!--<city is="" ></city>--><br>
<!--<zipcode is="" ></zipcode>--><br>
<!--<branchcode is ="">MAIN</branchcode>--><br>
<userid is="samAccountName" ></userid><br>
<password is="" ></password><br>
<!--<email is="mail" ></email>--><br>
<!--<categorycode is="employeetype" > </categorycode>--><br>
<!--<phone is=""></phone>--><br>
</mapping><br>
</ldapserver><br>
<br>
<br>
<br>
Most of the attributes are commented out because we populate our users<br>
in Koha from a different system and they only log in using their AD<br>
password. We don't want to add new users or update existing users.<br>
<br>
<br>
<br>
Then in Auth_with_ldap.pm at line 102 (thanks to this thread<br>
<a href="http://lists.koha.org/pipermail/koha-devel/2008-September/008355.html" target="_blank">http://lists.koha.org/pipermail/koha-devel/2008-September/008355.html</a>)<br>
<br>
<br>
<br>
Change these lines:<br>
<br>
<br>
<br>
my $userldapentry = $search->shift_entry;<br>
# Check the password with an LDAP compare against the entry's userpassword attribute.<br>
# Active Directory does not expose that attribute, so the compare comes back with<br>
# LDAP error #16 (LDAP_NO_SUCH_ATTRIBUTE) instead of compareTrue (code 6).<br>
my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );<br>
if ($cmpmesg->code != 6) {<br>
    warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);<br>
    return 0;<br>
}<br>
<br>
<br>
<br>
To this:<br>
<br>
<br>
<br>
my $userldapentry = $search->shift_entry;<br>
# Reject an empty password up front: a bind with a DN and an empty password is an<br>
# "unauthenticated" bind that the server may accept as anonymous, which would look like success.<br>
return 0 unless defined $password && length $password;<br>
# Open a second connection and bind as the user's own entry with the supplied password;<br>
# the directory verifies it, so no userpassword attribute is needed.<br>
# $res reuses the variable from the earlier service-account bind in this sub.<br>
my $dbuser = Net::LDAP->new( [$prefhost] );<br>
$res = $dbuser ? $dbuser->bind( $userldapentry, password => $password ) : undef;<br>
unless ( $res && ! $res->code ) {<br>
    warn "LDAP Auth rejected : invalid password for user '$userid'";<br>
    return 0;<br>
}<br>
<br>
<br>
<br>
We had an additional problem with the Auth_with_ldap.pm automatically<br>
updating the card number with the user's login. We have existing cards<br>
with specific numbers that we're importing, so I had to disable a couple<br>
of other lines (lines 116 and 117 in Auth_with_ldap.pm, before the first<br>
edit.)<br>
<br>
<br>
<br>
#($config{update} ) and my $c2 = &update_local($userid,$password,$borrowernumber,\%borrower) || '';<br>
#($cardnumber eq $c2) or warn "update_local returned cardnumber '$c2' instead of '$cardnumber'";<br>
<br>
<br>
<br>
Hopefully this helps.<br>
<br>
<br>
<br>
James Winter<br>
<br>
215.517.2588<br>
<br>
<br>
<br>
From: Barry Cannon [mailto:<a href="mailto:bc@interleaf.ie">bc@interleaf.ie</a>]<br>
Sent: Thursday, February 12, 2009 12:06 PM<br>
To: Winter, James<br>
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?<br>
<br>
<br>
<br>
Yes, I am using Active Directory. Do you have any tips?<br>
<br>
<br>
<br>
From: Winter, James [mailto:<a href="mailto:WinterJ@arcadia.edu">WinterJ@arcadia.edu</a>]<br>
Sent: 12 February 2009 17:06<br>
To: Barry Cannon<br>
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?<br>
<br>
<br>
<br>
Are you using Active Directory?<br>
<br>
<br>
<br>
James Winter<br>
<br>
215.517.2588<br>
<br>
<br>
<br>
From: <a href="mailto:koha-bounces@lists.katipo.co.nz">koha-bounces@lists.katipo.co.nz</a><br>
[mailto:<a href="mailto:koha-bounces@lists.katipo.co.nz">koha-bounces@lists.katipo.co.nz</a>] On Behalf Of Barry Cannon<br>
Sent: Thursday, February 12, 2009 9:17 AM<br>
To: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><br>
Subject: [Koha] FW: Koha 3.0 LDAP Question?<br>
<br>
<br>
<br>
I have been trying to configure LDAP and have a couple of questions:<br>
<br>
<br>
<br>
The Wiki says: There are two parts of the KOHA_CONF file (default<br>
location: /etc/koha.xml) relevant to LDAP authentication: the<br>
configuration stanza itself, and the "switch" line that enables or<br>
disables LDAP. The switch appears in the main <config> section, 0 for<br>
"off" and 1 for "on",....<br>
<br>
<br>
<br>
Should I take this to mean the koha-conf.xml file? There is no koha.xml<br>
file on our installed server? If it is this file, do I simply add the<br>
LDAP server options in the config file.<br>
<br>
<br>
<br>
I have assumed that is what is needed but I can't figure out where to go<br>
from there? Is there an Admin tool to configure/test the LDAP<br>
authentication?<br>
<br>
<br>
<br>
Thanks<br>
<br>
Barry<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Koha mailing list<br>
<a href="mailto:Koha@lists.katipo.co.nz">Koha@lists.katipo.co.nz</a><br>
<a href="http://lists.katipo.co.nz/mailman/listinfo/koha" target="_blank">http://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
<br>
<br>
End of Koha Digest, Vol 40, Issue 35<br>
************************************<br>
</blockquote><br></div><br>
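As an added example (not code from this thread or from Koha's own Auth_with_ldap.pm), a Python stand-in for the checks the thread arrives at: it parses the <ldapserver> stanza, flags a mapping that cannot replicate because a required field (James's list: surname, address, city, branchcode, categorycode) has neither an LDAP attribute nor a default, and applies the is="" default-value mechanism when turning an LDAP entry into borrower fields. The stanza, the entry dict and the function names are constructed for the example; the hostname check is a general caveat about simple binds over plain ldap://, not something the thread discusses.

```python
import xml.etree.ElementTree as ET

# Stanza constructed from the first post, with the branchcode default James suggests.
KOHA_CONF_STANZA = """<ldapserver id="ldapserver">
 <hostname>ldap://ldap.example.com:389</hostname>
 <replicate>1</replicate><update>1</update><auth_by_bind>1</auth_by_bind>
 <mapping>
  <surname is="sn"></surname><address is="streetAddress"></address><city is="l"></city>
  <userid is="sAMAccountName"></userid><password is=""></password>
  <branchcode is="">MAIN</branchcode>
 </mapping>
</ldapserver>"""

# Fields James names as required before Koha can create a borrower record.
REQUIRED = ("surname", "address", "city", "branchcode", "categorycode")

def parse_stanza(xml_text):
    root = ET.fromstring(xml_text)
    flags = {k: root.findtext(k, "0").strip() == "1" for k in ("replicate", "update", "auth_by_bind")}
    # is="attr" copies that LDAP attribute; is="" with text between the tags is a constant default
    mapping = {el.tag: {"attr": (el.get("is") or "").strip(), "default": (el.text or "").strip()}
               for el in root.find("mapping")}
    return {"host": root.findtext("hostname", "").strip(), "flags": flags, "mapping": mapping}

def check_config(cfg):
    # Problems to flag before enabling <replicate>/<update>, following the thread's diagnosis.
    problems, m, f = [], cfg["mapping"], cfg["flags"]
    if f["replicate"] or f["update"]:
        for field in REQUIRED:
            spec = m.get(field)
            if not spec or not (spec["attr"] or spec["default"]):
                problems.append(f"{field}: no LDAP attribute and no default, borrower cannot be created")
    if f["auth_by_bind"] and m.get("password", {}).get("attr"):
        problems.append('password: AD never returns the password attribute, use is="" with auth_by_bind')
    if not cfg["host"].startswith("ldaps://"):
        problems.append("hostname: a simple bind over plain ldap:// sends the user's password in cleartext")
    return problems

def ldap_entry_to_borrower(cfg, entry):
    # entry: dict of LDAP attribute -> value; attribute names are case-insensitive in LDAP
    values = {k.lower(): v for k, v in entry.items()}
    out = {}
    for field, spec in cfg["mapping"].items():
        value = values.get(spec["attr"].lower()) if spec["attr"] else None
        if value is None and spec["default"]:
            value = spec["default"]
        if value is not None:
            out[field] = value
    return out
```

Run against the first poster's own stanza, check_config reports the missing categorycode mapping, which is why a login succeeds while no borrower record appears.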