[Koha] LDAP Attributes

Joe Atzberger ohiocore at gmail.com
Thu Jul 9 10:35:23 NZST 2009


On Wed, Jul 8, 2009 at 6:21 PM, David Schuster <dschust1 at tx.rr.com> wrote:

> If you wanted to just authenticate and not update the borrowers using LDAP
> can this be done?


Yes, this would be update OFF with auth_by_bind ON, but you should consider
whether or not you really get what you want out of this situation.  See the
POD comments from my recently submitted LDAP patch:

Once a user has been accepted by the LDAP server, there are several
possibilities for how Koha will behave, depending on your configuration and
the presence of a matching Koha user in your local DB:

                                LOCAL_USER
        OPTION UPDATE REPLICATE  EXISTS?  RESULT
          A1      1       1        1      OK : We’re updating them anyway.
          A2      1       1        0      OK : We’re adding them anyway.
          B1      1       0        1      OK : We update them.
          B2      1       0        0     FAIL: We cannot add new user.
          C1      0       1        1      OK : We do nothing.
          C2      0       1        0      OK : We add the new user.
          D1      0       0        1      OK : We do nothing.
          D2      0       0        0     FAIL: We cannot add new user.

Note: failure here just means that Koha will fall back to checking the local
DB.  That is, a given user could login with their LDAP password OR their
local one.  If this is a problem, then you should enable update and supply a
mapping for password.  Then the local value will be updated at successful
LDAP login and the passwords will be synced.

If you choose NOT to update local users, the borrowers table will not be
affected at all.  Note that this means that patron passwords may appear to
change if LDAP is ever disabled, because the local table never contained the
LDAP values.

*auth_by_bind*
Binds as the user instead of retrieving their record.  Recommended if update
disabled.



> I don't want to "compare" logins/passwords - maybe logins only?


No, that wouldn't mean anything in terms of authentication.
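
The table and the fallback note above, as an added Python model that is not part of the original post and is not Koha's Perl code. `Cfg`, `login`, `map_password`, `ldap_enabled`, the SHA-256 stand-in hash and the sample users are assumptions made for illustration, as is the choice to run the local check after an LDAP rejection too.

```python
import hashlib
from dataclasses import dataclass

def h(pw):  # stand-in local hash for this model, not Koha's scheme
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class Cfg:
    update: bool
    replicate: bool
    map_password: bool = False  # assumed flag: a mapping for password is supplied
    ldap_enabled: bool = True

def login(user, pw, cfg, ldap, local):
    """Return 'ldap', 'local' or None. ldap: user -> password, local: user -> hash."""
    if cfg.ldap_enabled and ldap.get(user) == pw:  # accepted by the LDAP server
        if user in local:
            if cfg.update and cfg.map_password:    # update + mapping: sync local value
                local[user] = h(pw)
            return "ldap"                          # OK in A1, B1, C1, D1
        if cfg.replicate:                          # A2, C2: add the new user
            local[user] = h(pw) if cfg.map_password else None
            return "ldap"
        # B2, D2: FAIL, so fall through to the local check
    # Local fallback (assumed to apply after an LDAP rejection as well)
    stored = local.get(user)
    return "local" if stored is not None and stored == h(pw) else None

def demo():
    ldap = {"alice": "ldap-pw", "bob": "bob-pw"}   # constructed directory
    tries = ("ldap-pw", "old-local-pw")
    out = {}
    # D1: update off, so the old local password stays valid beside the LDAP one
    local, cfg = {"alice": h("old-local-pw")}, Cfg(update=False, replicate=False)
    out["d1"] = [login("alice", p, cfg, ldap, local) for p in tries]
    # LDAP later disabled: only the never-synced local password still works
    cfg.ldap_enabled = False
    out["ldap_off"] = [login("alice", p, cfg, ldap, local) for p in tries]
    # B1 plus password mapping: the first LDAP login retires the old local password
    local, cfg = {"alice": h("old-local-pw")}, Cfg(True, False, map_password=True)
    out["b1"] = [login("alice", p, cfg, ldap, local) for p in tries]
    # D2: valid LDAP user with no local record cannot be added
    out["d2"] = login("bob", "bob-pw", Cfg(False, False), ldap, {})
    return out

if __name__ == "__main__":
    print(demo())
```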