Share Koha-LDAP conf
Hi all,

There are many questions and solutions around Koha-LDAP connection / authentication, so it seems there is not only one way to get it, because each Library / Institution has its own requirements / developments. If you have a successful / useful experience on this topic, could you share how you do it, please? Obviously, changing some real names / IPs. Sometimes examples are the best way to support people looking for solutions...

Thanks in advance.
Oscar G.
2011/6/22 Oscar Gaona <ramses02@yahoo.com>:

Hi all,
There are many questions and solutions around Koha-LDAP connection / authentication, so it seems there is not only one way to get it, because each Library / Institution has its own requirements / developments. If you have a successful / useful experience on this topic, could you share how you do it, please? Obviously, changing some real names / IPs. Sometimes examples are the best way to support people looking for solutions...

For a start, I would suggest first trying 3.2.10 or the current git version, because a few LDAP fixes just got merged into the repository and released. Also, until bug 4994[1] gets merged, keep values inside is="ldap-field" lower case only.

We are using the following configuration:

<useldapserver>1</useldapserver><!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
<ldapserver id="ldapserver" listenref="ldapserver">
  <!-- <hostname>ldaps://ldap.ffzg.hr</hostname> -->
  <hostname>ldap://localhost:1389</hostname>
  <base>dc=ffzg,dc=hr</base>
  <replicate>1</replicate> <!-- add new users from LDAP to Koha database -->
  <update>0</update>       <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind>
  <principal_name>%s</principal_name> <!-- optional, for auth_by_bind: a printf format to make userPrincipalName from koha userid -->
  <mapping> <!-- match koha SQL field names to your LDAP record field names -->
    <firstname    is="givenname"></firstname>
    <surname      is="sn"></surname>
    <address      is="ffzg-adresa_ulica"></address>
    <city         is="ffzg-adresa_grad"></city>
    <!-- <zipcode is="ffzg-adresa_postanski_broj"></zipcode> -->
    <branchcode   is="local-branch">FFZG</branchcode>
    <userid       is="hrEduPersonUniqueID"></userid>
    <password     is="userpassword"></password>
    <email        is="mail"></email>
    <categorycode is="hrEduPersongroupmember">IMP</categorycode>
    <dateofbirth  is="hredupersondateofbirth"></dateofbirth>
    <sex          is="ffzg-spol"></sex>
    <phone        is="ffzg-tel_fixed"></phone>
    <mobile       is="ffzg-tel_mobile"></mobile>
    <dateexpiry   is="hredupersonexpiredate">2012-12-23</dateexpiry>
    <JMBG         is="hrEduPersonUniqueNumber_JMBG"></JMBG>
    <OIB          is="hrEduPersonOIB"></OIB>
  </mapping>
</ldapserver>

This configuration works with the changes in bug 4994; otherwise everything inside is="" would have to be lower case only.

We are using a few HrEdu* attributes which are specific to our national LDAP schema, and a probably unusual combination of replication (to create users who log in for the first time over the web) without update (since we will edit patrons' data locally, and then our data will be more current than the LDAP data, so we don't want to overwrite it).

Hope this helps.

1: http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=4994

-- ...2share!2flame... http://blog.rot13.org
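The replicate/update switches and the <mapping> block in the message above are easy to misread, so here is an added example (written for this page, not Koha's own C4::Auth_with_ldap code) that models them in Python: it parses the posted <mapping>, resolves it against a constructed LDAP entry using case-insensitive attribute lookup (the lower-case pitfall the message mentions), and applies replicate=1/update=0 versus update=1 to an in-memory patron table. The reading that an element's text (FFZG, IMP, 2012-12-23) is the fallback used when the LDAP entry lacks the attribute is an assumption, as are the sample entry and the patron names.

```python
"""Model of the <mapping>, <replicate> and <update> semantics in the posted
koha-conf.xml fragment.

Added example, not Koha's own C4::Auth_with_ldap code.  The LDAP entry and the
local patron table are constructed in-memory data; no directory is contacted.
"""
import xml.etree.ElementTree as ET

# The <mapping> block from the posted configuration, trimmed to the fields the
# demo uses (the commented-out zipcode line is omitted).
MAPPING_XML = """
<mapping>
  <firstname is="givenname"></firstname>
  <surname is="sn"></surname>
  <address is="ffzg-adresa_ulica"></address>
  <branchcode is="local-branch">FFZG</branchcode>
  <userid is="hrEduPersonUniqueID"></userid>
  <email is="mail"></email>
  <categorycode is="hrEduPersongroupmember">IMP</categorycode>
  <dateexpiry is="hredupersonexpiredate">2012-12-23</dateexpiry>
</mapping>
"""

# Constructed LDAP entry, with attribute names lower-cased the way a client
# such as Net::LDAP returns them.
SAMPLE_ENTRY = {
    "givenname": ["Ana"],
    "sn": ["Anic"],
    "hredupersonuniqueid": ["aanic@ffzg.hr"],
    "mail": ["ana.anic@ffzg.hr"],
    "hredupersonexpiredate": ["2011-09-30"],
}


def parse_mapping(xml_text):
    """Return {koha_field: (ldap_attribute, default)}.
    Assumption: the element text ("FFZG", "IMP", "2012-12-23") is the value
    used when the LDAP entry lacks the attribute."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.get("is"), (el.text or "").strip()) for el in root}


def ldap_entry_to_patron(mapping, entry):
    """Resolve a mapping against one LDAP entry.

    Attribute names are compared case-insensitively.  LDAP attribute names are
    case-insensitive by definition, but a client that lower-cases them makes a
    mixed-case is="hrEduPersonUniqueID" miss on a plain dict lookup; that is
    the pitfall behind the 'keep is="..." lower case' advice in the post."""
    folded = {name.lower(): values for name, values in entry.items()}
    patron = {}
    for field, (attr, default) in mapping.items():
        values = folded.get(attr.lower()) or []
        patron[field] = values[0] if values else default
    return patron


def sync_patron(local_db, mapping, userid, entry, replicate, update):
    """Apply the replicate/update switches after a successful bind.

    replicate=1: a login unknown to Koha gets a local patron built from LDAP.
    update=1:    an existing local patron is overwritten with LDAP data.
    Returns the local record, or None when the user is unknown and
    replicate is off (the login is then not usable in Koha)."""
    mapped = ldap_entry_to_patron(mapping, entry)
    if userid not in local_db:
        if not replicate:
            return None
        local_db[userid] = mapped
    elif update:
        local_db[userid].update(mapped)
    return local_db[userid]


def demo():
    """Walk through the replicate=1/update=0 combination from the post."""
    mapping = parse_mapping(MAPPING_XML)
    db = {}
    uid = "aanic@ffzg.hr"
    # Unknown login with replicate=0: nothing is created.
    denied = sync_patron(db, mapping, uid, SAMPLE_ENTRY, replicate=0, update=0)
    # First login with replicate=1: record built from LDAP plus the defaults.
    created = dict(sync_patron(db, mapping, uid, SAMPLE_ENTRY, replicate=1, update=0))
    # Staff later edit the local record ...
    db[uid]["dateexpiry"] = "2013-06-30"
    # ... and LDAP changes too.  With update=0 the local edit wins.
    changed = dict(SAMPLE_ENTRY, hredupersonexpiredate=["2011-12-31"])
    kept = dict(sync_patron(db, mapping, uid, changed, replicate=1, update=0))
    # The same LDAP change with update=1 overwrites the local edit.
    overwritten = dict(sync_patron(db, mapping, uid, changed, replicate=1, update=1))
    return {"denied": denied, "created": created, "kept": kept, "overwritten": overwritten}


if __name__ == "__main__":
    for step, record in demo().items():
        print(step, record)
```

Watch dateexpiry when running it: with update=0 the value captured at first login stays until staff change it locally, which is exactly what the message wants, but it also means a later change to hredupersonexpiredate in the directory never reaches Koha. Whether a deprovisioned person can still log in is a separate question decided by the bind itself, not by this sync policy.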
I would also very much like to see an example of a working config with an openldap backend, and using the auth-by-bind method. I'm assuming that auth_by_bind means that koha tries to bind with the openldap server using the username and password the user provided. I'm unsure where to configure HOW koha should bind with the ldap server... (something like uid=%s,ou=users,dc=blah,dc=blah) (<principal_name> seems to be for active directory..?) Hopefully someone has a nice working example. :-) Have a nice weekend!
I'm not sure why but I also had to format principal_name in koha-conf.xml as follows:
--
<principal_name>uid=%s,dc=irb,dc=hr</principal_name>
--
Otherwise it doesn't work with openldap at my institution :/
regards,
-- alen
_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
----------------------------- WARNING -----------------------------
Automatic detection has determined that the word "PASSWORD" or "LOZINKA" appears in this message.
IF THE MESSAGE ASKS YOU TO SEND YOUR IRB PASSWORD, DO NOT DO SO UNDER ANY CIRCUMSTANCES, AS THIS IS AN ATTACK AIMED AT STEALING YOUR ELECTRONIC IDENTITY.
Centre for Informatics and Computing, Ruđer Bošković Institute
----------------------------- WARNING -----------------------------
--
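To make concrete what auth_by_bind with a printf-style principal_name does with the login (the question raised above, answered with uid=%s,dc=irb,dc=hr), here is an added Python example written for this page, not Koha's code. It never contacts a directory: DIRECTORY is a constructed in-memory stand-in, and the two checks it shows around the bind are general LDAP hygiene rather than a statement about what Koha does. The first is escaping the login before splicing it into the DN (RFC 4514), so a login containing a comma or plus sign stays one RDN value. The second is refusing an empty password before binding, because RFC 4513 allows a server to treat a DN with an empty password as an anonymous bind that "succeeds".

```python
"""What auth_by_bind with a printf-style principal_name does with a login, plus
the two checks an application should make around it.

Added example, not Koha's code.  DIRECTORY is a constructed in-memory stand-in
for the LDAP server; nothing here contacts a real directory.
"""

# The template that worked against OpenLDAP in the thread; %s receives the login.
PRINCIPAL_NAME = "uid=%s,dc=irb,dc=hr"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4):
    backslash, double quote, plus, comma, semicolon, angle brackets anywhere;
    '#' or space at the start; space at the end; NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\",+;<>' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(template, userid):
    """Fill the %s of a principal_name template with the escaped login, so a
    login containing ',' or '+' stays one RDN value instead of adding RDNs."""
    return template % escape_dn_value(userid)


def rdn_count(dn):
    """Count the RDNs of a DN, honouring backslash escapes.  A DN built from a
    two-RDN template plus one login must have exactly three."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


# Constructed stand-in for the directory: bind DN -> password.
DIRECTORY = {
    "uid=alen,dc=irb,dc=hr": "correct-horse",
    "uid=oscar,dc=irb,dc=hr": "battery-staple",
}


def simple_bind(dn, password):
    """Mimic an LDAP simple bind.  RFC 4513, section 5.1.2: a DN together
    with an empty password is an 'unauthenticated' bind, which servers may
    accept as anonymous.  Modelled here as success, because that is the trap
    a forwarding application falls into when it passes an empty password on."""
    if password == "":
        return True
    return DIRECTORY.get(dn) == password


def authenticate(userid, password, template=PRINCIPAL_NAME):
    """Application-side auth_by_bind: refuse an empty password before the
    bind (never rely on the server to do it), then bind as the escaped DN."""
    if not password:
        return False
    return simple_bind(bind_dn(template, userid), password)


if __name__ == "__main__":
    print(bind_dn(PRINCIPAL_NAME, "alen"))
    print(bind_dn(PRINCIPAL_NAME, "bob,ou=admins"))
    print(authenticate("alen", "correct-horse"), authenticate("alen", ""))
```

One more point the posted configurations raise: with auth_by_bind the patron's own password is the bind credential, so the hop between Koha and the directory carries it. The FFZG config binds to ldap://localhost:1389 with the ldaps:// line commented out; a localhost listener is only as safe as whatever sits behind it, so that hop should be ldaps://, StartTLS or a tunnel that is itself encrypted.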
Anybody using Oracle Internet Directory, OID, for Koha-LDAP authentication?
Alen, in your case, what is the ldap software?
Thanks and regards, Oscar

________________________________
From: alen vodopijevec <alen@irb.hr>
To: koha@lists.katipo.co.nz
Cc: dpavlin@rot13.org; Oscar Gaona <ramses02@yahoo.com>
Sent: Wednesday, June 29, 2011 4:54 PM
Subject: Re: [Koha] Share Koha-LDAP conf

I'm not sure why but I also had to format principal_name in koha-conf.xml as follows:
--
<principal_name>uid=%s,dc=irb,dc=hr</principal_name>
--
Otherwise it doesn't work with openldap at my institution :/
regards,
-- alen
It's openldap and Koha ver. 3.4.2
-- alen

On 07/01/2011 08:27 AM, Oscar Gaona wrote:
Anybody using Oracle Internet Directory, OID, for Koha-LDAP authentication?
Alen, in your case, what is the ldap software?
Thanks and regards, Oscar
--
participants (4)
- alen vodopijevec
- Dobrica Pavlinušić
- mourik jan heupink
- Oscar Gaona