Re: [Koha] LDAP and password storage
Tom,

As I understand it: The Koha LDAP authentication mechanism copies user information from the LDAP tree to the local SQL database on the Koha server in order to create "user" accounts. I believe one of the minimum requirements to create a Koha "user" account is a password. Because of Koha's requirements for creating users, I don't think you will be able to populate the necessary fields to allow for user logins without populating a password field. Last time I dealt with them, passwords were hashed with MD5, and no clear-text passwords were saved on the Koha system.

-Scott
>>> Tom Hanstra <tom@nd.edu> 10/4/2011 9:56 AM >>>
We now have LDAP working to authenticate on logins. But we have also noticed that Koha stores that same password locally. Is there a configurable switch that I have not yet found which will keep LDAP connected logins from local storage?
Thanks,
Tom

--
-----------------------------------------------------------------------------
Tom Hanstra
Systems Administrator
Hesburgh Libraries of Notre Dame
Phone: (574)631-4686
213 Hesburgh Library
Email: tom@nd.edu
Notre Dame, IN 46556

Every day, from here to there, funny things are everywhere. Dr. Seuss
-----------------------------------------------------------------------------
_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
Tom,

What version are you on? From the code, the password hash should only be stored if the patron is returning (that is, they already have an account in Koha), and you have Update turned on. Alternatively, if you've got a new patron signing in for the first time, and Replicate is on, and you've got the password in the <mapping>, then it would also be hashed and stored. These should be the only circumstances.

-Ian

2011/10/4 Scott Owen <sowen@edzone.net>
Tom,
As I understand it: The Koha LDAP authentication mechanism copies user information from the LDAP tree to the local SQL database on the Koha server in order to create "user" accounts. I believe one of the minimum requirements to create a Koha "user" account is a password. Because of Koha's requirements for creating users, I don't think you will be able to populate the necessary fields to allow for user logins without populating a password field. Last time I dealt with them, passwords were hashed with MD5, and no clear-text passwords were saved on the Koha system.
-Scott
Tom Hanstra<tom@nd.edu> 10/4/2011 9:56 AM >>>
We now have LDAP working to authenticate on logins. But we have also noticed that Koha stores that same password locally. Is there a configurable switch that I have not yet found which will keep LDAP connected logins from local storage?
Thanks, Tom
--
----------------------------------------------------------------------------- Tom Hanstra Systems Administrator Hesburgh Libraries of Notre Dame Phone: (574)631-4686 213 Hesburgh Library Email: tom@nd.edu Notre Dame, IN 46556
Every day, from here to there, funny things are everywhere. Dr. Seuss
-----------------------------------------------------------------------------
-- Ian Walls Lead Development Specialist ByWater Solutions Phone # (888) 900-8944 http://bywatersolutions.com ian.walls@bywatersolutions.com Twitter: @sekjal
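
The two storage cases Ian describes above can be checked against a server's LDAP settings. The script below is an added example, not part of the original thread and not Koha's own code; it assumes the settings live in an `<ldapserver>` block with `<update>`, `<replicate>` and `<mapping>/<password>` elements, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample <ldapserver> block (not from the thread); the element
# names are the layout this example assumes for the Koha configuration file.
SAMPLE_CONF = """
<config>
  <useldapserver>1</useldapserver>
  <ldapserver id="ldapserver">
    <hostname>ldap.example.org</hostname>
    <replicate>1</replicate>
    <update>0</update>
    <mapping>
      <firstname is="givenname"></firstname>
      <surname is="sn"></surname>
      <password is="userpassword"></password>
    </mapping>
  </ldapserver>
</config>
"""

def _flag(server, name):
    """Return True when <name> is present with a non-zero value such as 1."""
    text = (server.findtext(name) or "").strip()
    return text not in ("", "0")

def audit_ldap_password_storage(conf_xml):
    """Apply the two cases described in the thread to an LDAP config block."""
    root = ET.fromstring(conf_xml)
    server = root if root.tag == "ldapserver" else root.find(".//ldapserver")
    if server is None:
        raise ValueError("no <ldapserver> element found")
    update = _flag(server, "update")
    replicate = _flag(server, "replicate")
    password_mapped = server.find("mapping/password") is not None
    return {
        "update": update,
        "replicate": replicate,
        "password_mapped": password_mapped,
        # Returning patron: hash stored when Update is on.
        "stores_for_returning_patron": update,
        # First login: hash stored when Replicate is on and password is mapped.
        "stores_for_new_patron": replicate and password_mapped,
    }

if __name__ == "__main__":
    for key, value in audit_ldap_password_storage(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```
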
Ah, thanks. I was testing with Update turned on. I've still got some reading to do. Are the differences between what happens with Update and Replication in the documentation? That is something I wanted to test.

Tom

On 10/04/2011 11:02 AM, Ian Walls wrote:
Tom,
What version are you on? From the code, the password hash should only be stored if the patron is returning (that is, they already have an account in Koha), and you have Update turned on. Alternatively, if you've got a new patron signing in for the first time, and Replicate is on, and you've got the password in the <mapping>, then it would also be hashed and stored. These should be the only circumstances.
-Ian
2011/10/4 Scott Owen <sowen@edzone.net>
Tom,

As I understand it: The Koha LDAP authentication mechanism copies user information from the LDAP tree to the local SQL database on the Koha server in order to create "user" accounts. I believe one of the minimum requirements to create a Koha "user" account is a password. Because of Koha's requirements for creating users, I don't think you will be able to populate the necessary fields to allow for user logins without populating a password field. Last time I dealt with them, passwords were hashed with MD5, and no clear-text passwords were saved on the Koha system.

-Scott
>>> Tom Hanstra <tom@nd.edu> 10/4/2011 9:56 AM >>>
We now have LDAP working to authenticate on logins. But we have also noticed that Koha stores that same password locally. Is there a configurable switch that I have not yet found which will keep LDAP connected logins from local storage?
Thanks, Tom
--
----------------------------------------------------------------------------- Tom Hanstra Systems Administrator Hesburgh Libraries of Notre Dame Phone: (574)631-4686 213 Hesburgh Library Email: tom@nd.edu Notre Dame, IN 46556
Every day, from here to there, funny things are everywhere. Dr. Seuss -----------------------------------------------------------------------------
-- Ian Walls Lead Development Specialist ByWater Solutions Phone # (888) 900-8944 http://bywatersolutions.com ian.walls@bywatersolutions.com Twitter: @sekjal
-- ----------------------------------------------------------------------------- Tom Hanstra Systems Administrator Hesburgh Libraries of Notre Dame Phone: (574)631-4686 213 Hesburgh Library Email: tom@nd.edu Notre Dame, IN 46556 Every day, from here to there, funny things are everywhere. Dr. Seuss -----------------------------------------------------------------------------
participants (3): Ian Walls, Scott Owen, Tom Hanstra