Hi, I believe I have a solution that will make this work. An anonymous bind to LDAP requires us to compare passwords by retrieving the password then comparing to what the user has supplied. If passwords stored in LDAP are hashed using different mechanisms, the burden of determining what mechanism is used is on the Koha application. I changed the code in Auth.pm a little so that bind() uses the person's DN and password. The burden of what password hash is used is on LDAP and not Koha. Between the LOCAL markers in Auth.pm:

##################################################
### LOCAL
### Change the code below to match your own LDAP server.
##################################################
# LDAP connexion parameters
# LDAP server
my $ldapserver = '172.16.0.24';
# Base DN for users
my $name = "ou=users,dc=tow,dc=net";
# Bind uses the user's full DN; if uid doesn't work try "cn"
# my $binddn = "cn=$userid,$name";
my $binddn = "uid=$userid,$name";

# An empty password would turn this into an unauthenticated bind, which
# some servers accept: refuse it before talking to LDAP at all.
unless ( defined $password && length $password ) {
    warn "LDAP Auth failed: empty password";
    return 0;
}

my $db = Net::LDAP->new( $ldapserver );
unless ( $db ) {
    warn "LDAP Auth failed: server not responding ($@)";
    return 0;
}
# do bind
my $res = $db->bind( dn => $binddn, password => $password );
# check connexion: any code other than LDAP_SUCCESS (0) is a problem
if ( $res->code != 0 ) {
    # auth refused
    warn "LDAP Auth failed: server not responding or wrong user/password combination";
    return 0;
} else {
    # search user (the filter attribute should be the one used in $binddn)
    my $userdnsearch = $db->search( base => "$name", filter => "(cn=$userid)", );
    my $userldapentry = $userdnsearch->shift_entry;
    unless ( $userldapentry ) {
        warn "LDAP Auth failed: no entry found for $userid under $name";
        return 0;
    }
    # build LDAP hash: attribute name => its values, space separated
    # (uses the Net::LDAP::Entry accessors instead of the entry's internal
    # {asn}{attributes} structure)
    my %memberhash;
    foreach my $attr ( $userldapentry->attributes ) {
        foreach my $val ( $userldapentry->get_value( $attr ) ) {
            $memberhash{$attr} .= $val . " ";
        }
    }
    #
    # BUILD %borrower to CREATE or MODIFY BORROWER
    # change $memberhash{'xxx'} to fit your ldap structure.
    # check twice that mandatory fields are correctly filled
    #
    my %borrower;
    $borrower{cardnumber}    = $userid;
    $borrower{firstname}     = $memberhash{givenName};                 # MANDATORY FIELD
    $borrower{surname}       = $memberhash{sn};                        # MANDATORY FIELD
    $borrower{initials}      = substr( $borrower{firstname}, 0, 1 )
                             . substr( $borrower{surname}, 0, 1 ) . " "; # MANDATORY FIELD
    $borrower{streetaddress} = $memberhash{homePostalAddress} . " ";   # MANDATORY FIELD
    $borrower{city}          = $memberhash{l} . " ";                   # MANDATORY FIELD
    $borrower{phone}         = $memberhash{homePhone} . " ";           # MANDATORY FIELD
    $borrower{branchcode}    = $memberhash{businessCategory};          # MANDATORY FIELD
    $borrower{emailaddress}  = $memberhash{mail};
    $borrower{categorycode}  = $memberhash{employeeType};
##################################################
### /LOCAL
### No change needed after this line (unless there's a bug ;-) )
##################################################

This works for passwords stored in LDAP that use MD5 or SMD5. I imagine it will work for other hashing mechanisms also.

Kent N

On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
mourik jan c heupink wrote:
Dear Kent and list,
I'm using OpenLDAP 2.2.29 on Fedora Core 4.
I'm on SuSE Linux Enterprise Server 9, with OpenLDAP 2.2.24
And a question to Paul Poulain: which LDAP server are you using? I'm on OpenLDAP, and things don't work... Koha says the user's password is wrong, where I am pretty sure that it *IS* the right password.
Password encryption is where I think Auth.pm falls down. This entry
These are all the same password. The SMD5 and MD5 ones don't work in Koha; the bottom one does. The bottom password was uploaded to LDAP using ldapmodify, as clear text. OpenLDAP must have a default method for encryption.
I (we) have to figure a way for the code to try other methods. I'm not very well versed in Perl and will have to seek help to get this to work.
I'm quite good in Perl, but a dummy in LDAP. I just can say that Auth_with_ldap.pm works for sure in Ecole des Mines de Nantes, as I've set it up with the code I've committed. I think, but am not sure, that it's LDAP too, on Solaris.
I don't know the structure of the directory, I just used the query the system admin gave me.
Sorry, but you'll have to investigate...
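Added example, not Kent's patch above and not Koha's own Auth.pm code: the same bind-as-user check written as a stand-alone sub, with the things a deployment of that approach should also have. It refuses an empty password (a simple bind with no password is an unauthenticated bind, which some servers answer with success), escapes the user-supplied id before it is placed in a DN or a filter, turns on STARTTLS so the clear-text password is not sent in the open, uses the same attribute for the bind DN and the search, and reads the entry through the documented Net::LDAP::Entry accessors. The server name, base DN, id attribute and CA file are placeholders for your own directory.

```perl
# Added example (not Kent's code and not Koha's): bind-as-user check as a sub.
# $LDAP_SERVER, $BASE_DN, $ID_ATTR and $CA_FILE are assumptions to adjust.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_dn_value escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $LDAP_SERVER = 'ldap.example.org';            # placeholder: your server
my $BASE_DN     = 'ou=users,dc=example,dc=org';  # placeholder: your users' base DN
my $ID_ATTR     = 'uid';                         # attribute naming the user ('cn' on some directories)
my $CA_FILE     = '/etc/ssl/certs/ldap-ca.pem';  # placeholder: CA that signed the server certificate

# Returns a hashref of the user's attributes (name => space-joined values)
# on success, undef on any failure.
sub authenticate_ldap_user {
    my ( $userid, $password ) = @_;

    # An empty password makes a simple bind an *unauthenticated* bind, which
    # some servers answer with LDAP_SUCCESS. Refuse it before connecting.
    return undef unless defined $userid   && length $userid;
    return undef unless defined $password && length $password;

    # Escape the user-supplied id so characters such as ',' '+' '*' '(' ')'
    # cannot change the structure of the DN or the filter they are put into.
    my $dn_id     = escape_dn_value($userid);
    my $filter_id = escape_filter_value($userid);
    my $binddn    = "$ID_ATTR=$dn_id,$BASE_DN";

    my $ldap = Net::LDAP->new($LDAP_SERVER)
        or do { warn "LDAP connect failed: $@"; return undef };

    # The bind sends the clear-text password over the wire: wrap the
    # connection in TLS and require the server certificate to validate.
    my $tls = $ldap->start_tls( verify => 'require', cafile => $CA_FILE );
    if ( $tls->code != LDAP_SUCCESS ) {
        warn 'STARTTLS failed: ' . $tls->error;
        $ldap->unbind;
        return undef;
    }

    # Let the directory verify the password, whatever hash scheme it stores.
    my $res = $ldap->bind( dn => $binddn, password => $password );
    if ( $res->code != LDAP_SUCCESS ) {
        warn "LDAP bind failed for $binddn: " . $res->error;
        $ldap->unbind;
        return undef;
    }

    # Look the entry up with the same attribute that formed the DN; the DN
    # form above puts it directly under the base, hence scope 'one'.
    my $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'one',
        filter => "($ID_ATTR=$filter_id)",
    );
    my $entry = $mesg->entry(0);
    $ldap->unbind;
    return undef unless $entry;    # bound, but no matching entry under the base

    # Read attributes through the public Net::LDAP::Entry API.
    my %attrs;
    for my $attr ( $entry->attributes ) {
        $attrs{$attr} = join ' ', $entry->get_value($attr);
    }
    return \%attrs;
}

# Example use from a checkpw-style routine:
#   my $attrs = authenticate_ldap_user( $userid, $password ) or return 0;
#   $borrower{firstname} = $attrs->{givenName};
#   $borrower{surname}   = $attrs->{sn};
1;
```

The escaping matters because the id comes straight from the login form; without it a crafted id can alter the DN or the filter rather than just fail to match. If your server only speaks LDAPS rather than STARTTLS, pass an `ldaps://` URI to Net::LDAP->new together with the same `verify` and `cafile` options instead of calling start_tls.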