Galen Charlton <galen.charlton@liblime.com> writes:
> See the auth_by_bind configuration option description on the wiki page <http://wiki.koha.org/doku.php?id=en:development:ldap>. Note that this option is currently available in HEAD, but would be a candidate for backporting into 3.0.x.
Thanks for this. Okay, I have installed Koha from Git HEAD as of a few days ago (rev ID a8bfa5ffc0695089669478817cc443cc6e009764) over the top of the existing installation (which was Koha 3.0) and re-configured it. The config file now contains the following relevant for LDAP:

=====
<config>
…
<useldapserver>1</useldapserver><!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
<!-- LDAP SERVER (optional) -->
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>trimserver-admin.lan</hostname>
  <base>ou=People,dc=lan</base>
  <replicate>1</replicate>       <!-- add new users from LDAP to Koha database -->
  <update>1</update>             <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
  <mapping>                      <!-- match koha SQL field names to your LDAP record field names -->
    <firstname    is="givenname"    ></firstname>
    <surname      is="sn"           ></surname>
    <!-- <address  is="postaladdress" ></address> -->
    <!-- <city     is="l"            >Athens, OH</city> -->
    <!-- <zipcode  is="postalcode"   ></zipcode> -->
    <branchcode   is="branch"       >MAIN</branchcode>
    <userid       is="uid"          ></userid>
    <password     is="userpassword" ></password>
    <!-- <email    is="mail"         ></email> -->
    <categorycode is="employeetype" >PT</categorycode>
    <!-- <phone    is="telephonenumber"></phone> -->
  </mapping>
</ldapserver>
</config>
=====

When I connect from this machine using the following command, I get the connection fine:

=====
$ ldapsearch -LLL "(uid=percy)" -x -D "uid=percy,ou=People,dc=lan" -W
dn: uid=percy,ou=People,dc=lan
cn: Percy
uid: percy
uidNumber: 1006
loginShell: /bin/sh
homeDirectory: /home/percy
gidNumber: 100
userPassword:: <omitted>
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
shadowLastChange: 14355
gecos: Percy
sn: Percy
=====

Yet when I try to give the same credentials via Koha, I get the message “Error: Unauthorized user”.
(This is at least different from before, which tells me it actually is using the LDAP server for authentication this time.)

How can I diagnose this further to see why correct LDAP account credentials are not granting access via Koha?

-- 
 \     “No matter how far down the wrong road you've gone, turn back.” |
  `\                                                   —Turkish proverb |
_o__)                                                                  |
Ben Finney
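An added diagnostic script, not part of the message above and not Koha's own C4::Auth_with_ldap code, that separates the two things an auth_by_bind login must achieve against the server in the message: a simple bind as the user's DN with the supplied password, and then a search, on that same bound connection, that returns the attributes named in the <mapping> block. Running it isolates whether the failure is the bind itself (bad DN form or password), the search base, or an ACL that lets the user bind but not read their own entry. The hostname, base and mapping are copied from the koha-conf.xml in the message; the assumption that the bind DN is uid=<userid>,<base> is taken from the dn that ldapsearch returned; the userid argument and the password prompt are this script's own. It needs the perl-ldap distribution (Net::LDAP), which Koha already depends on.

```perl
#!/usr/bin/perl
# Added example: exercises an LDAP bind-then-search the way an
# auth_by_bind login would, to show which step rejects the user.
# Not Koha's code; hostname/base/mapping are copied from the message.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

my $host = 'trimserver-admin.lan';    # <hostname> from the message
my $base = 'ou=People,dc=lan';        # <base> from the message
my %mapping = (                       # <mapping>: Koha field => LDAP attribute
    firstname => 'givenname',
    surname   => 'sn',
    userid    => 'uid',
);

# Hypothetical CLI: userid on the command line, password read without echo.
my $userid = shift @ARGV or die "usage: $0 <userid>\n";
print "Password for $userid: ";
system('stty', '-echo');
chomp(my $password = <STDIN>);
system('stty', 'echo');
print "\n";

# Assumption: the bind DN is uid=<userid>,<base>, matching the dn that
# ldapsearch printed for uid=percy. Escape the value so a userid with
# special characters cannot alter the DN.
my $bind_dn = 'uid=' . escape_dn_value($userid) . ",$base";

my $ldap = Net::LDAP->new($host)
    or die "cannot connect to $host: $@\n";

# Step 1: simple bind. Result code 49 (invalidCredentials) means the
# server rejected the DN or the password; 32 (noSuchObject) usually
# means the DN form or base is wrong.
my $mesg = $ldap->bind($bind_dn, password => $password);
if ($mesg->code) {
    die sprintf "bind as %s failed: %s (code %d)\n",
        $bind_dn, $mesg->error, $mesg->code;
}
print "bind as $bind_dn succeeded\n";

# Step 2: search on the still-bound connection. Koha needs the mapped
# attributes to create or update the borrower (<replicate>/<update>),
# so an ACL that hides them from the user's own bind can fail the login
# even though the bind itself was accepted.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(uid=' . escape_filter_value($userid) . ')',
    attrs  => [ values %mapping ],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

my @entries = $mesg->entries;
die "no entry for uid=$userid under $base (check <base> and read ACLs)\n"
    unless @entries;

for my $entry (@entries) {
    print 'found ', $entry->dn, "\n";
    for my $koha_field (sort keys %mapping) {
        my $attr   = $mapping{$koha_field};
        my @values = $entry->get_value($attr);
        printf "  %-10s <- %-10s %s\n", $koha_field, $attr,
            @values ? join(', ', @values) : '(MISSING)';
    }
}

$ldap->unbind;
```

Run it as `perl ldap-bind-check.pl percy` from the Koha host (so it uses the same network path and name resolution Koha does, rather than the machine where ldapsearch was tried). A bind that succeeds here but a search that returns the entry with `(MISSING)` next to a mapped attribute points at the mapping or at server-side read ACLs rather than at the credentials; a bind that fails here with code 49 while `ldapsearch -x -D ... -W` succeeds from another machine points at a difference between the two hosts rather than at Koha.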