Re: [Koha] FW: Koha 3.0 LDAP Question?

From: Winter, James [mailto:WinterJ@arcadia.edu]
Sent: 12 February 2009 17:35
To: Barry Cannon
Cc: koha@lists.katipo.co.nz
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?

Sure, it took me a while to get it working, but we have it working now.

In our koha-conf.xml, we have this section in the config section (between <config> and </config> near the end of the file):

    <useldapserver>1</useldapserver>
    <ldapserver id="ldapserver">
        <hostname>LDAPSERVERNAMEHERE:389</hostname>
        <base>dc=DOMAIN,dc=COM</base>
        <user>CN=[USER THAT CAN BROWSE ACTIVE DIRECTORY],OU=[OU OF USER (MULTIPLE ENTRIES IF NESTED OU)],DC=DOMAIN,DC=COM</user> <!-- DN, if not anonymous -->
        <pass>[PASSWORD OF USER]</pass> <!-- password, if not anonymous -->
        <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
        <update>0</update> <!-- update existing users in Koha database -->
        <mapping> <!-- match koha SQL field names to your LDAP record field names -->
            <!--<cardnumber is=""></cardnumber>-->
            <!--<firstname is="givenname"></firstname>-->
            <!--<surname is="sn"></surname>-->
            <!--<address is=""></address>-->
            <!--<city is=""></city>-->
            <!--<zipcode is=""></zipcode>-->
            <!--<branchcode is="">MAIN</branchcode>-->
            <userid is="samAccountName"></userid>
            <password is=""></password>
            <!--<email is="mail"></email>-->
            <!--<categorycode is="employeetype"></categorycode>-->
            <!--<phone is=""></phone>-->
        </mapping>
    </ldapserver>

Most of the attributes are commented out because we populate our users in Koha from a different system and they only log in using their AD password. We don't want to add new users or update existing users.

Then in Auth_with_ldap.pm at line 102 (thanks to this thread: http://lists.koha.org/pipermail/koha-devel/2008-September/008355.html) change these lines:

    my $userldapentry = $search->shift_entry;
    my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
    if ($cmpmesg->code != 6) {
        warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
        return 0;
    }

To this:

    my $userldapentry = $search->shift_entry;
    # AD will not let us compare against userPassword, so prove the password by
    # binding as the user's own DN on a second connection.
    my $dbuser = Net::LDAP->new( [$prefhost] )
        or do { warn "LDAP Auth rejected : cannot connect to '$prefhost' for user '$userid'"; return 0 };
    # $res is already declared earlier in checkpw_ldap
    $res = $dbuser->bind( $userldapentry->dn, password => $password );
    if ( $res->code ) {
        warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($res);
        return 0;
    }

We had an additional problem with Auth_with_ldap.pm automatically updating the card number with the user's login. We have existing cards with specific numbers that we're importing, so I had to disable a couple of other lines (lines 116 and 117 in Auth_with_ldap.pm, before the first edit):

    #($config{update} ) and my $c2 = &update_local($userid,$password,$borrowernumber,\%borrower) || '';
    #($cardnumber eq $c2) or warn "update_local returned cardnumber '$c2' instead of '$cardnumber'";

Hopefully this helps.

James Winter
215.517.2588

From: Barry Cannon [mailto:bc@interleaf.ie]
Sent: Thursday, February 12, 2009 12:06 PM
To: Winter, James
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?

Yes, I am using Active Directory. Do you have any tips?

From: Winter, James [mailto:WinterJ@arcadia.edu]
Sent: 12 February 2009 17:06
To: Barry Cannon
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?

Are you using Active Directory?

James Winter
215.517.2588

From: koha-bounces@lists.katipo.co.nz [mailto:koha-bounces@lists.katipo.co.nz] On Behalf Of Barry Cannon
Sent: Thursday, February 12, 2009 9:17 AM
To: koha@lists.katipo.co.nz
Subject: [Koha] FW: Koha 3.0 LDAP Question?

I have been trying to configure LDAP and have a couple of questions.

The Wiki says: "There are two parts of the KOHA_CONF file (default location: /etc/koha.xml) relevant to LDAP authentication: the configuration stanza itself, and the 'switch' line that enables or disables LDAP. The switch appears in the main <config> section, 0 for 'off' and 1 for 'on', ...."

Should I take this to mean the koha-conf.xml file? There is no koha.xml file on our installed server. If it is this file, do I simply add the LDAP server options in the config file? I have assumed that is what is needed, but I can't figure out where to go from there. Is there an Admin tool to configure/test the LDAP authentication?

Thanks
Barry
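The search-then-bind check that James's patch performs, as an added example that is not part of the thread or of Koha's code. The directory, the service account and every password are a constructed in-memory stand-in for Active Directory; it models the one rule a defender must know here: a DN sent with a zero-length password is an unauthenticated bind (RFC 4513 section 5.1.2) that the server answers with success, so the password must be rejected before it ever reaches bind.

```python
# Constructed in-memory stand-in for Active Directory (an assumption for this
# example): DN -> (attributes, lower-cased as LDAP names are case-insensitive; password).
DIRECTORY = {
    "CN=James Winter,OU=Staff,DC=DOMAIN,DC=COM": ({"samaccountname": "jwinter"}, "Correct-Horse-9"),
    "CN=Barry Cannon,OU=Staff,DC=DOMAIN,DC=COM": ({"samaccountname": "bcannon"}, "hunter2"),
}
# The <user>/<pass> service account from koha-conf.xml (constructed values).
SERVICE_DN, SERVICE_PW = "CN=kohabind,OU=Service,DC=DOMAIN,DC=COM", "svc-secret"
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49

def ldap_bind(dn, password):
    """Simple bind as the server sees it. A DN with a zero-length password is an
    *unauthenticated* bind (RFC 4513 section 5.1.2): the server grants an anonymous
    session and reports success, which AD has historically allowed by default."""
    if password == "":
        return LDAP_SUCCESS
    if dn == SERVICE_DN:
        return LDAP_SUCCESS if password == SERVICE_PW else LDAP_INVALID_CREDENTIALS
    entry = DIRECTORY.get(dn)
    if entry and entry[1] == password:
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS

def ldap_search(base, attr, value):
    """Equivalent of Koha's (<uid_field>=<userid>) search under <base>: matching DNs."""
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.upper().endswith(base.upper()) and attrs.get(attr) == value]

def checkpw_ldap(userid, password, base="DC=DOMAIN,DC=COM", uid_field="samaccountname"):
    """The flow from the thread: bind as the service account, look the user up by
    sAMAccountName, then prove the password by binding as the entry's own DN
    (AD does not expose the password for a compare, hence bind instead of compare)."""
    if not password:
        # Guard the thread's patch lacks: an empty password would reach ldap_bind as an
        # unauthenticated bind and come back as "success".
        return False
    if ldap_bind(SERVICE_DN, SERVICE_PW) != LDAP_SUCCESS:
        return False
    hits = ldap_search(base, uid_field, userid)
    if len(hits) != 1:          # unknown user, or ambiguous match: refuse, as Koha does
        return False
    return ldap_bind(hits[0], password) == LDAP_SUCCESS
```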
From: Barry Cannon [mailto:bc@interleaf.ie]
Sent: Friday, February 13, 2009 7:31 AM
To: Winter, James
Cc: koha@lists.katipo.co.nz
Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?

James,

Thanks for this info... I can now authenticate against my LDAP server with no problems. However, when I start enabling <replicate> and <update> to try and add the AD users into Koha, the replication doesn't occur. The authentication still works, but the users' information, as per the mappings, doesn't come across into Koha. There are no errors either. Does anyone have any suggestions?

Thanks
Bar
Did you comment out the two lines in Auth_with_ldap.pm? If so, it won't update or replicate the data. If you didn't, I would make sure you have the property names correct. I would start with the required fields (surname, address, city, branchcode, categorycode). Try using default values by setting is="" for those properties and putting text between the tags, for example:

    <address is="">123 Test Street</address>

If a person is created successfully with default values, then it's a property name problem. If not, it's a Koha problem.

James Winter
215.517.2588
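James's troubleshooting recipe above, as an added example that is not part of the thread or of Koha: a re-implementation of the mapping rule (the entry's attribute value if it has one, otherwise the default text between the tags) run over a constructed koha-conf.xml stanza and a constructed AD entry, reporting which of the required fields are still empty. The stanza's default values, the entry and its attribute values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed koha-conf.xml fragment (an assumption, not any site's real file): the
# thread's <ldapserver> stanza with James's suggested defaults (is="" plus text).
KOHA_CONF = """<config>
  <ldapserver id="ldapserver">
    <base>dc=DOMAIN,dc=COM</base>
    <replicate>1</replicate>
    <update>0</update>
    <mapping>
      <firstname is="givenname"></firstname>
      <surname is="sn"></surname>
      <address is="">123 Test Street</address>
      <city is="">Testville</city>
      <branchcode is="">MAIN</branchcode>
      <categorycode is="">STAFF</categorycode>
      <userid is="samAccountName"></userid>
      <password is=""></password>
    </mapping>
  </ldapserver>
</config>"""

# Fields a borrower needs before Koha will create it (the list James gives).
REQUIRED = ("surname", "address", "city", "branchcode", "categorycode")

def load_mapping(conf_xml):
    """{koha_field: (ldap attribute name lower-cased, default text)}. The XML parser
    drops comments, so a commented-out field is simply not mapped, as in Koha."""
    root = ET.fromstring(conf_xml)
    return {el.tag: (el.get("is", "").lower(), (el.text or "").strip())
            for el in root.find("ldapserver/mapping")}

def entry_to_borrower(mapping, ldap_entry):
    """Apply the mapping rule: the entry's attribute value if present, else the default
    text between the tags. A misspelled attribute name silently yields the default."""
    entry = {k.lower(): v for k, v in ldap_entry.items()}   # LDAP names are case-insensitive
    borrower = {}
    for field, (attr, default) in mapping.items():
        value = entry.get(attr) if attr else None
        borrower[field] = value if value not in (None, "") else default
    return borrower

def missing_required(borrower):
    """Required fields still empty after mapping: the reason no patron gets created."""
    return [f for f in REQUIRED if not borrower.get(f)]

# Constructed AD entry for the test user (attribute values are assumptions).
AD_ENTRY = {"sAMAccountName": "jwinter", "givenName": "James", "sn": "Winter",
            "mail": "winterj@example.edu"}
```

Running the thread's original mapping (only userid and password) through the same functions leaves every required field empty, which is exactly the silent "no replication, no errors" symptom Barry reported.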