Koha and LDAP: Password comparison fails
Hello,
we have a Koha installation and would like to connect to our OpenLDAP server, but I can't get it to work.
First our Koha setup:
OS: debian wheezy
Koha: 3.20.02
Connecting to the ldap-server works fine but the password comparison fails with the following error (tested in the console but it also fails in the web gui; also the given password is correct):
    root@biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl /usr/share/koha/opac/cgi-bin/opac/opac-user.pl userid=MY_MAIL_NAME@MY_ORG.org password=MY_PASSWORD. | head -5
    Got 2 ldap mapkeys ( total ): userid
    Got 2 ldap mapkeys (populated): userid
    Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
    kohaversion : 3.2002000
    ## checkpw - checking LDAP
    LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME@MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
    # This code is returned when a compare request completes and the attribute value given is not in the entry specified

    Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.
Configuration in koha-conf.xml, see below. Our ldap-server uses SSHA as password scheme. Could this be the problem?
How can I solve it? I can't find much useful when searching the internet for the problem.
Thanks and best wishes
Uwe
<useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->

<!-- LDAP SERVER (optional) -->
<ldapserver id="ldapserver" listenref="ldapserver">
    <hostname>MY_LDAP_SERVER</hostname>
    <base>ou=id,dc=MY_ORG,dc=org</base>
    <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
    <pass>MY_SECRET_PASSWORD</pass> <!-- password, if not anonymous -->
    <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
    <update>0</update> <!-- update existing users in Koha database -->
    <anonymous_bind>0</anonymous_bind>
    <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
    <!--<principal_name>%s@MY_ORG.org</principal_name>-->
    <mapping> <!-- match koha SQL field names to your LDAP record field names -->
        <!--<firstname is="firstname"></firstname>
        <surname is="surname"></surname>
        <address is="postaladdress">hier</address>
        <city is="l">Berlin</city>
        <zipcode is="postalcode">1000</zipcode>
        <branchcode is="businesscategory"></branchcode> -->
        <userid is="uid"></userid>
        <!--<password is="USER_PASSWORD"></password>
        <email is="mail"></email>
        <categorycode is="employeetype">PT</categorycode>
        <phone is="telephonenumber">11111</phone>
        <flags is="flags">2</flags> -->
    </mapping>
</ldapserver>
(hint: some private data is anonymized with large letters)
Hi Uwe,
I'm not sure if it will help you, but we have never had much luck with the password compare routine, which koha seems to like. I don't know any other ldap client that works like that. The usual way (and this one works perfectly here, using openldap and also samba4/AD) is: use
<auth_by_bind>1</auth_by_bind>
Your principal_name would then be something like:
<principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
Hopefully this helps you as well.
MJ
On 8/18/2015 14:35, uwe wrote:
Hello,
On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
> I'm not sure if it will help you, but we have never had much luck
> with the password compare routine, which koha seems to like.
> I don't know any other ldap client that works like that. The usual way (and this one works perfectly here, using openldap and also samba4/AD) is: use <auth_by_bind>1</auth_by_bind>
> Your principal_name would then be something like:
> <principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
Thank you for your answer and hints, but unfortunately auth_by_bind seems to be no option for us.
Is there another way to solve the issue?
Thanks in advance
Uwe
_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
Hi,
I have no other clues, no. Must say I'm rather surprised to read that auth by bind is no option for you. Are you sure? Why not?
MJ
On 08/20/2015 03:02 PM, uwe wrote:
On Friday, 21.08.2015, 10:36 +0200, mourik jan heupink wrote:
> I have no other clues, no. Must say I'm rather surprised to read that auth by bind is no option for you. Are you sure? Why not?
It seems that I misunderstood the auth-by-bind function. Finally someone who has more ldap knowledge helped out to connect the ldap to our koha installation. Now it works with auth-by-bind as you suggested. Thank you very much. Your hint guided us in the right direction to get it to work.
Best wishes
Uwe
Dear All,
I will appreciate if you guide us how you integrated KOHA with AD. Any guide will be highly appreciated.
Thanks
On Thu, Sep 10, 2015, 3:45 AM uwe <singlespeedfahrer@yandex.com> wrote:
Here is the AD bit from our koha-conf.xml:
<ldapserver id="DC">
    <hostname>samba.domain.com</hostname>
    <base>CN=Users,DC=samba,DC=domain,DC=com</base>
    <replicate>1</replicate>
    <update>1</update>
    <auth_by_bind>1</auth_by_bind>
    <principal_name>%s@samba.domain.com</principal_name>
    <mapping> <!-- match koha SQL field names to your LDAP record field names -->
        <firstname is="givenName"></firstname>
        <surname is="sn"></surname>
        <address is="streetAddress"></address>
        <city is="l"></city>
        <zipcode is="postalCode"></zipcode>
        <branchcode is="branch">our_branch</branchcode>
        <userid is="uid"></userid>
        <password is="userPassword"></password>
        <email is="mail"></email>
        <categorycode is="employeeType">A</categorycode>
        <phone is="telephoneNumber"></phone>
    </mapping>
</ldapserver>
Explained: samba.domain.com is the name of our active directory. If you specify that as the hostname to bind to, koha will use (round robin) DNS to connect to all DCs. Gives you a nice load spread, plus if one DC happens to be down, only some logons will fail. (Verify with "host samba.domain.com" several times in a row; it should normally return different IPs, depending on your number of DCs.)
Base should be your users container.
Principal took me some time to understand: <principal_name>%s@samba.domain.com</principal_name>
%s is replaced with a username, so in my example koha tries to bind as username@samba.domain.com
I think the above explains it all?
MJ
On 09/10/2015 09:18 AM, Ahmad Amanullah Khan wrote:
Thank you for the reply. We tried it, but it is not working and we are getting this exception:

koha_opac_error_log:
    /cgi-bin/koha/opac-user.pl
    [Fri Sep 11 17:11:44 2015] [error] [client 10.15.0.200] [Fri Sep 11 17:11:44 2015] opac-user.pl: LDAP Auth rejected : (sAMAccountName=xxxx.xxxx) gets 0 hits, referer: https://librarydemo.abc.edu/cgi-bin/koha/opac-user.pl
    [Fri Sep 11 17:11:44 2015] [error] [client 10.15.0.200] [Fri Sep 11 17:11:44 2015] opac-user.pl: Use of uninitialized value $retuserid in string ne at

koha_error_log:
    LDAP error #32: LDAP_NO_SUCH_OBJECT, referer: https://stafflibrarydemo.abc.edu/
    [Thu Sep 10 17:02:22 2015] [error] [client 10.15.2.17] [Thu Sep 10 17:02:22 2015] mainpage.pl: # The server cannot find an object specified in the request, referer: https://stafflibrarydemo.abc.edu/
    [Thu Sep 10 17:02:22 2015] [error] [client 10.15.2.17] [Thu Sep 10 17:02:22 2015] mainpage.pl: , referer: https://stafflibrarydemo.habib.edu.pk/

Our KOHA version: 3.12.04.000
It seems that KOHA is unable to search the user in LDAP. Any suggestion what could be the reason? Your support is highly appreciated.
Thanks
Ahmad Amanullah Khan
On Thu, Sep 10, 2015 at 1:07 PM, mourik jan heupink <heupink@merit.unu.edu> wrote:
Here is the AD bit from our koha-conf.xml:
<ldapserver id="DC">
    <hostname>samba.domain.com</hostname>
    <base>CN=Users,DC=samba,DC=domain,DC=com</base>
    <replicate>1</replicate>
    <update>1</update>
    <auth_by_bind>1</auth_by_bind>
    <principal_name>%s@samba.domain.com</principal_name>
    <mapping> <!-- match koha SQL field names to your LDAP record field names -->
        <firstname is="givenName"></firstname>
        <surname is="sn"></surname>
        <address is="streetAddress"></address>
        <city is="l"></city>
        <zipcode is="postalCode"></zipcode>
        <branchcode is="branch">our_branch</branchcode>
        <userid is="uid"></userid>
        <password is="userPassword"></password>
        <email is="mail"></email>
        <categorycode is="employeeType">A</categorycode>
        <phone is="telephoneNumber"></phone>
    </mapping>
</ldapserver>
Explained: samba.domain.com is the name of our Active Directory. If you specify that as the hostname to bind to, Koha will use (round-robin) DNS to connect to all DCs. This gives you a nice load spread, plus if one DC happens to be down, only some logons will fail.
(Verify with "host samba.domain.com" several times in a row; it should normally return different IPs, depending on your number of DCs.)
Base should be your users container.
Principal took me some time to understand: <principal_name>%s@samba.domain.com</principal_name>
%s is replaced with a username, so in my example koha tries to bind as username@samba.domain.com
I think the above explains it all?
MJ
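To make the two points in this thread concrete, here is an added Python example (not Koha's code and not MJ's): it expands a principal_name template the way MJ describes (%s replaced by the user id), and it shows how a server checks a bind password against an {SSHA} userPassword value, which is the scheme Uwe asked about. The user ids and salt in the example are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Koha's own code. Two things the thread turns on:
# 1. With auth_by_bind, the bind name is the principal_name template with
#    %s replaced by the user id, exactly as MJ describes.
# 2. An {SSHA} userPassword is "{SSHA}" + base64(sha1(password + salt) + salt).
#    A server verifies a simple bind by recomputing the digest with the
#    stored salt, so a hashed scheme on the server side does not stop
#    bind-based authentication from working.


def bind_name(principal_name: str, userid: str) -> str:
    """Expand a Koha principal_name template; %s stands for the user id."""
    if "%s" not in principal_name:
        raise ValueError("principal_name must contain %s")
    return principal_name.replace("%s", userid, 1)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (constructed data)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value, as a server does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed user ids, matching the two templates quoted in the thread.
    print(bind_name("%s@samba.domain.com", "jdoe"))
    print(bind_name("dn=%s,ou=id,dc=MY_ORG,dc=org", "uwe"))
    stored = ssha_hash("correct horse", b"\x01\x02\x03\x04")
    print(stored, ssha_verify(stored, "correct horse"), ssha_verify(stored, "wrong"))
```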
On 09/10/2015 09:18 AM, Ahmad Amanullah Khan wrote:
Dear All
I would appreciate it if you could guide us on how you integrated KOHA with AD. Any guide will be highly appreciated.
Thanks
On Thu, Sep 10, 2015, 3:45 AM uwe <singlespeedfahrer@yandex.com> wrote:
On Friday, 21.08.2015, 10:36 +0200, mourik jan heupink wrote:
I have no other clues, no. Must say I'm rather surprised to read that auth by bind is no option for you. Are you sure? Why not
It seems that I misunderstood the auth-by-bind function. Finally someone with more LDAP knowledge helped out to connect the LDAP to our Koha installation. Now it works with auth-by-bind, as you suggested. Thank you very much. Your hint guided us in the right direction to get it working.
Best wishes Uwe
On 08/20/2015 03:02 PM, uwe wrote:
Hello,
On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
I'm not sure if it will help you, but we have never had much luck with the password compare routine, which koha seems to like.
I don't know any other ldap client that works like that. The usual way (and this one works perfectly here, using openldap and also samba4/AD) is: use <auth_by_bind>1</auth_by_bind>
Your principal_name would then be something like:
<principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
Thank you for your answer and hints, but unfortunately auth_by_bind seems to be no option for us.
Is there another way to solve the issue?
Thanks in advance Uwe
Hopefully this helps you as well.
MJ
participants (3): Ahmad Amanullah Khan, mourik jan heupink, uwe