On Tue, 2005-12-13 at 12:33 +0100, mourik jan c heupink wrote:
Dear Kent,
I am no LDAP expert at all, but I did notice in your Auth.pm:
This works though. I also used cn instead of uid. When I put the LDAP server in debug it returns the correct user and all attributes.
my $userdnsearch = $db->search(base => "$name", filter =>"(uid=$userid)", );
maybe instead of "$name" it should say $name (without ") (that's what it says in my version of the file, and I don't think we are meant to change that...?)
I'm using OpenLDAP 2.2.29 on Fedora Core 4.
And a question to Paul Poulain: which LDAP server are you using? I'm on OpenLDAP, and things don't work... Koha says the user's password is wrong, where I am pretty sure that it *IS* the right password.
Password encryption is where I think Auth.pm falls down. This entry

my $cmpmesg = $db->compare( $userldapentry, attr => 'userPassword', value => $password );

seems to compare a password encrypted by another method to what is in LDAP. In my case passwords are encrypted using a couple of different methods. Here's a typical password entry in LDAP as attribute userPassword:

{SMD5}KjuP+wOsUoBqpDSv3zOeH/+1XmY=
{MD5}tNsHZEz+OsGo5TKotec1Hg==
Mjg2Ymx1ZTZn

These are all the same password. The SMD5 and MD5 ones don't work in Koha; the bottom one does. The bottom password was uploaded to LDAP using ldapmodify, as clear text. OpenLDAP must have a default method for encryption. I (we) have to figure out a way for the code to try other methods. I'm not very well versed in Perl and will have to seek help to get this to work.
Could there be differences in password encryption between various LDAP servers..?
You can store an encrypted password in any form in LDAP. LDAP doesn't care. Kent N
Kind regards!
Mourik Jan
KL Nasveschuk wrote:
Hello,
The query to LDAP works correctly. I put the LDAP server in debug (slapd -d 3) and watch what transpires. In debug mode LDAP returns all attributes for a user on search (error and output goes to screen).
If I put in a bogus uid it returns: bdb_search: no candidates
Cn or uid works, I guess it just matters what is being indexed in LDAP.
I can't determine what is happening on the Koha side. Any suggestions on how to better debug the Perl side (from anyone)? Just wondering if Perl is using one password hashing algorithm which is not the same as what is in LDAP.
Ex. of LDAP attribute stored in userPassword:
{SMD5}ox3RAPB79VIHB+KZZw+dpxKIx3A
Kent N
On Mon, 2005-12-12 at 16:46 +0100, Paul POULAIN wrote:
KL Nasveschuk wrote:
Hello,
I'm still trying to get LDAP authentication to work on Koha. I've modified Auth.pm with the following:
##################################################
### LOCAL ###
### Change the code below to match your own LDAP server.
##################################################
# LDAP connexion parameters
my $ldapserver = '172.16.0.24';
# Infos to do an anonymous bind
my $ldapinfos = 'ou=users,dc=tow,dc=net ';
my $name = "ou=users,dc=tow,dc=net";
my $db = Net::LDAP->new( $ldapserver );

# do an anonymous bind
my $res = $db->bind();
# check connexion
if ($res->code) {
    # auth refused
    warn "LDAP Auth impossible : server not responding";
    return 0;
# search user
} else {
this log
[Mon Dec 12 12:04:36 2005] [error] [client 172.16.60.186] LDAP Auth impossible : user unknown in LDAP at /usr/local/koha/intranet/modules/C4/Auth.pm line 464.
means you have an error in the following code:

my $userdnsearch = $db->search( base => "$name", filter => "(uid=$userid)", );
if ($userdnsearch->code || !( $userdnsearch->count eq 1 )) {
    warn "LDAP Auth impossible : user unknown in LDAP";
    return 0;
};
That means:
* the connection was successful (otherwise, you would have "LDAP Auth impossible : server not responding"). Good news ;-)
* the LDAP search failed. Meaning: uid=$userid is probably not what you had to do. The query you have to do depends on your LDAP structure, I can't help you more.

Just another hint. Change it to:

warn "LDAP Auth impossible : user unknown in LDAP for $userid";

to see which value is in $userid!
That could help you.
HTH
Anyway, I can assure you I have 1 (and soon 2) libraries using LDAP auth. Quite tricky to tune, but works fine when it's done!
Just one reminder: the member record is created in Koha when the user logs in to the OPAC. So you MUST request all your users to log in at least once. That's a good solution to show you now "have the great free ILS called Koha" & show what it can do.
_______________________________________________ Koha mailing list Koha@lists.katipo.co.nz http://lists.katipo.co.nz/mailman/listinfo/koha
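The three userPassword values quoted in the thread show why a byte-for-byte compare of the typed password only matches the cleartext one: {MD5} stores a digest of the password, and {SMD5} stores a digest of password+salt with the salt appended, so neither can equal the plaintext. Below is an added Python example, not code from Auth.pm or the Koha project, that parses such values and verifies a candidate password under the value's own scheme (it also handles {SHA} and {SSHA}, which the thread does not mention). The sample entry, the salt and the check_entry helper are constructed for this example.

```python
"""Added example (not Koha's Auth.pm): verify a candidate password against
OpenLDAP-style userPassword values such as {SMD5}..., {MD5}... or cleartext.
All sample values here are constructed for the example."""
import base64
import hashlib
import hmac
import os

# Digest function and digest length (bytes) per hashed scheme. Salted
# schemes store digest || salt, so the salt is whatever follows the digest.
_DIGESTS = {"MD5": (hashlib.md5, 16), "SMD5": (hashlib.md5, 16),
            "SHA": (hashlib.sha1, 20), "SSHA": (hashlib.sha1, 20)}


def parse_userpassword(stored):
    """Return (scheme, raw_bytes) for one userPassword value.

    A '{SCHEME}base64' value is decoded; a value without a scheme prefix
    is treated as cleartext, which is what an ldapmodify upload of the
    plain password gives."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), base64.b64decode(payload)
    return "CLEARTEXT", stored.encode()


def hash_password(password, scheme="SSHA", salt=None):
    """Produce a userPassword value in the given scheme. The salt is only
    used by SMD5/SSHA; a random 4-byte salt is drawn when none is given."""
    pw = password.encode()
    if scheme == "CLEARTEXT":
        return password
    algo, _ = _DIGESTS[scheme]
    if scheme in ("SMD5", "SSHA"):
        salt = os.urandom(4) if salt is None else salt
        raw = algo(pw + salt).digest() + salt
    else:
        raw = algo(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def verify_password(candidate, stored):
    """Check the candidate against one stored value using that value's
    own scheme, in constant time."""
    scheme, raw = parse_userpassword(stored)
    pw = candidate.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(raw, pw)
    if scheme not in _DIGESTS:
        raise ValueError("unsupported userPassword scheme: " + scheme)
    algo, dlen = _DIGESTS[scheme]
    digest, salt = raw[:dlen], raw[dlen:]   # salt is empty for MD5/SHA
    return hmac.compare_digest(digest, algo(pw + salt).digest())


def literal_compare(candidate, stored):
    """What a plain compare of the typed password against the stored
    attribute amounts to: it can only succeed for a cleartext value."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


def check_entry(candidate, stored_values):
    """An entry may carry several userPassword values (the thread shows
    three); accept if any one of them verifies under its own scheme."""
    return any(verify_password(candidate, v) for v in stored_values)


if __name__ == "__main__":
    # Constructed sample entry: the same password stored three ways.
    secret = "example-pass"
    entry = [hash_password(secret, "SMD5", salt=b"\x01\x02\x03\x04"),
             hash_password(secret, "MD5"),
             secret]
    for value in entry:
        print("%-40s literal=%-5s verify=%s" % (
            value, literal_compare(secret, value),
            verify_password(secret, value)))
    print("entry accepts:", check_entry(secret, entry))
```

Running it shows literal_compare succeeding only for the cleartext value while verify_password succeeds for all three. The route that needs no knowledge of the storage scheme at all is to perform a simple bind to the LDAP server as the user's DN with the supplied password and let the server do the verification; the client-side check above additionally requires that the bind identity is allowed to read userPassword, which many directories deliberately restrict.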