Cab Vinton <bibliwho@gmail.com> writes:
> Can someone provide a newbie summary of what functionality LDAP + Koha is supposed to provide?
LDAP (Lightweight Directory Access Protocol) is a standard query protocol into “directories” of information, where a directory is a hierarchical organisation of information optimised for fast and flexible query. Such directories can, of course, be directories of people: they are often used for providing a directory of people for various purposes, including authentication.
> I gather it has something to do with authentication, but who's being authenticated for what?
LDAP authentication is normally done at login time by querying the LDAP server and asking it to authenticate the user based on the login credentials, in order to grant further access to the information in the directory (this process is termed “binding to” the directory).

Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP directory for the user account details when a user attempts to log in. My messages have led to the conclusion that this is currently done in a rather naive and insecure way: not using the standard LDAP-server-based authentication, but instead using an access-all-accounts privileged directory account to pull all the details across the connection and perform authentication on the webserver <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.

Future (currently-in-development) Koha code may, I'm told, have the ability to use the correct authentication on the LDAP server, without a need for insecure access to the LDAP accounts.

-- 
 \       “Only the educated are free.” —Epictetus |
  `\                                              |
_o__)                                             |
Ben Finney
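To make the distinction in the message above concrete, here is an added example that is not part of the original thread and not Koha's code. It is a constructed, self-contained Python simulation: an in-memory class stands in for the LDAP server (no real LDAP library or network), the DNs, service-account passwords and the PBKDF2 storage format are assumptions chosen for the demo, and the ACL model (only the manager account may read `userPassword`) is likewise assumed. The two login functions contrast the insecure "privileged account pulls the credential, web server compares it" pattern with the standard search-then-bind pattern in which the directory server itself verifies the user's password, and the request log shows what each pattern sends across the connection.

```python
import hashlib
import hmac
import os

# Constructed service accounts for the simulation (assumed, not Koha's).
MANAGER_DN, MANAGER_PW = "cn=manager,dc=example,dc=org", "manager-secret"
LOOKUP_DN, LOOKUP_PW = "cn=koha-lookup,dc=example,dc=org", "lookup-secret"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage format: salted PBKDF2-SHA256 (a real server picks its own).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for the LDAP server: stores entries, enforces a minimal ACL on
    userPassword, and verifies simple binds itself."""

    def __init__(self):
        self.entries = {}   # dn -> {"attrs": {...}, "salt": bytes, "hash": bytes}
        self.log = []       # every request the server saw, for tracing

    def add_entry(self, dn, password, attrs):
        salt = os.urandom(16)
        self.entries[dn] = {"attrs": attrs, "salt": salt,
                            "hash": _hash_password(password, salt)}
        return dn

    def add_user(self, uid, password, **attrs):
        return self.add_entry(f"uid={uid},ou=people,dc=example,dc=org",
                              password, {"uid": uid, **attrs})

    def bind(self, dn, password):
        """Simple bind: the password is checked here, never handed to the client."""
        self.log.append(("BIND", dn))
        e = self.entries.get(dn)
        return e is not None and hmac.compare_digest(
            e["hash"], _hash_password(password, e["salt"]))

    def search(self, bound_as, uid, attributes):
        """Find the entry with this uid; only MANAGER_DN may read userPassword."""
        self.log.append(("SEARCH", bound_as, uid, tuple(attributes)))
        for dn, e in self.entries.items():
            if e["attrs"].get("uid") != uid:
                continue
            out = {}
            for a in attributes:
                if a == "userPassword":
                    if bound_as != MANAGER_DN:
                        raise PermissionError(f"{bound_as} may not read userPassword")
                    out[a] = (e["salt"], e["hash"])
                else:
                    out[a] = e["attrs"].get(a)
            return dn, out
        return None, {}


def login_naive(directory, uid, password, svc=(MANAGER_DN, MANAGER_PW)):
    """The pattern the message warns about: bind with a privileged account,
    pull the stored credential across the connection, compare on the web server."""
    if not directory.bind(*svc):
        return None
    dn, attrs = directory.search(svc[0], uid, ["userPassword", "cn", "mail"])
    if dn is None:
        return None
    salt, stored = attrs["userPassword"]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return {"dn": dn, "cn": attrs["cn"], "mail": attrs["mail"]}


def login_bind(directory, uid, password):
    """Standard search-then-bind: a low-privilege account resolves uid -> DN,
    then the web server binds AS THE USER so the directory does the check."""
    if not directory.bind(LOOKUP_DN, LOOKUP_PW):
        return None
    dn, attrs = directory.search(LOOKUP_DN, uid, ["cn", "mail"])
    if dn is None or not directory.bind(dn, password):
        return None
    return {"dn": dn, "cn": attrs["cn"], "mail": attrs["mail"]}


def credential_reads(directory):
    """How many requests asked the directory to hand over stored credentials."""
    return sum(1 for r in directory.log
               if r[0] == "SEARCH" and "userPassword" in r[3])


def build_directory():
    # Constructed sample data.
    d = Directory()
    d.add_entry(MANAGER_DN, MANAGER_PW, {"cn": "Directory Manager"})
    d.add_entry(LOOKUP_DN, LOOKUP_PW, {"cn": "Koha lookup account"})
    d.add_user("cab", "correct horse", cn="Cab Vinton", mail="cab@example.org")
    return d


if __name__ == "__main__":
    d = build_directory()
    print("naive:", login_naive(d, "cab", "correct horse"))
    print("bind: ", login_bind(d, "cab", "correct horse"))
    print("credential reads seen by the server:", credential_reads(d))
    for req in d.log:
        print("  ", req)
```

Both functions accept the right password and reject a wrong one, so the difference is not visible in the login result; it is visible in the request log and in the privileges each pattern needs. `login_naive` only works with an account allowed to read `userPassword` (the low-privilege lookup account gets a `PermissionError`), and every login ships a stored credential to the web server, which is the exposure the message describes. `login_bind` never requests `userPassword`, and a compromise of the lookup account yields only names and DNs.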