Hi guys,

I have an instance of Koha in a lab test and I'm trying to enable LDAP auth towards our Active Directory server (a Samba4 instance), but I'm experiencing some issues.

Koha is correctly installed on an Ubuntu 16.04.6 LTS, fully updated. I read and followed this page [0], step by step, without any problems. Now, I've followed these steps:

1. Open /etc/koha/sites/*biblioname*/koha-conf.xml
2. Enable LDAP: <useldapserver>1</useldapserver>
3. Insert settings as follows:

   <ldapserver id="ldapserver" listenref="ldapserver">
     <hostname>ldaps://*IP-OF-DC*</hostname>
     <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
     <user>cn=*user*,dc=*sub*,dc=*domain*,dc=*tld*</user>
     <pass>*password*</pass>
     <replicate>1</replicate>
     <update>1</update>
     <auth_by_bind>1</auth_by_bind>
     <principal_name>uid=%s,ou=*User*,dc=*sub*,dc=*domain*,dc=*tld*</principal_name>
     <mapping> <!-- record field names -->
       <userid is="uid"></userid>
       <password is="userpassword"></password>
       <email is="mail"></email>
     </mapping>
   </ldapserver>

4. Reload the apache service

After that, when I try to open the OPAC interface as well as the staff interface, the following errors appear:

OPAC URL:

Software error:
Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
Try running this again as the koha instance user (or use the koha-shell command in debian)
Compilation failed in require at /usr/share/koha/lib/C4/Auth.pm line 30.
BEGIN failed--compilation aborted at /usr/share/koha/lib/C4/Auth.pm line 30.
Compilation failed in require at /usr/share/koha/opac/cgi-bin/opac/opac-main.pl line 23.
BEGIN failed--compilation aborted at /usr/share/koha/opac/cgi-bin/opac/opac-main.pl line 23.
For help, please send mail to the webmaster ([no address given]), giving this error message and the time and date of the error.

STAFF URL:

Software error:
Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
Try running this again as the koha instance user (or use the koha-shell command in debian)
Compilation failed in require at /usr/share/koha/lib/C4/Output.pm line 34.
BEGIN failed--compilation aborted at /usr/share/koha/lib/C4/Output.pm line 34.
Compilation failed in require at /usr/share/koha/intranet/cgi-bin/mainpage.pl line 24.
BEGIN failed--compilation aborted at /usr/share/koha/intranet/cgi-bin/mainpage.pl line 24.
For help, please send mail to the webmaster ([no address given]), giving this error message and the time and date of the error.

On the server side, the logs say:

[Mon Jun 24 10:55:57.310730 2019] [cgi:error] [pid 7006] [client 192.168.199.28:54800] AH01215: [Mon Jun 24 10:55:57 2019] mainpage.pl: Compilation failed in require at /usr/share/koha/intranet/cgi-bin/mainpage.pl line 24.: /usr/share/koha/intranet/cgi-bin/mainpage.pl
[Mon Jun 24 10:55:57.310901 2019] [cgi:error] [pid 7006] [client 192.168.199.28:54800] AH01215: [Mon Jun 24 10:55:57 2019] mainpage.pl: BEGIN failed--compilation aborted at /usr/share/koha/intranet/cgi-bin/mainpage.pl line 24.: /usr/share/koha/intranet/cgi-bin/mainpage.pl
[Mon Jun 24 10:55:57.826379 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: : /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.826605 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: Error reading file /etc/koha/sites/biblioname/koha-conf.xml.: /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.826778 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: Try running this again as the koha instance user (or use the koha-shell command in debian): /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.826827 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: : /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.826956 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: Compilation failed in require at /usr/share/koha/lib/C4/Auth.pm line 30.: /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.827094 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: BEGIN failed--compilation aborted at /usr/share/koha/lib/C4/Auth.pm line 30.: /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.827243 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: Compilation failed in require at /usr/share/koha/intranet/cgi-bin/errors/404.pl line 21.: /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/
[Mon Jun 24 10:55:57.827397 2019] [cgi:error] [pid 7009] [client 192.168.199.28:54802] AH01215: [Mon Jun 24 10:55:57 2019] 404.pl: BEGIN failed--compilation aborted at /usr/share/koha/intranet/cgi-bin/errors/404.pl line 21.: /usr/share/koha/intranet/cgi-bin/errors/404.pl, referer: http://URL-OPAC/

Any hints?

Thanks,
Daniele

[0] https://wiki.koha-community.org/wiki/Koha_on_ubuntu_-_packages
Hi Daniele
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha). -- Héctor González cacho@genac.org
On 24/06/19 21:30, Hector Gonzalez wrote:
Hi Daniele
Hi
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
The file is readable by Koha and in fact it has the correct permission as you said.
-- Héctor González cacho@genac.org
_______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz https://lists.katipo.co.nz/mailman/listinfo/koha
Daniele
On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
On 24/06/19 21:30, Hector Gonzalez wrote:
Hi Daniele
Hi
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
The file is readable by Koha and in fact it has the correct permission as you said.
Ok, then try making these changes:

<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>*IP-OF-DC*</hostname>
  <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
  <mapping> <!-- record field names -->
    <userid is="uid"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
    <categorycode is="">STUDENT</categorycode>
  </mapping>
</ldapserver>

1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave them there.)
3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
6. Add the branchcode for the library.

Also, I would change the userid mapping to <userid is="sAMAccountName"></userid>, which is a unique name for every user with AD.

If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.
Daniele
-- Héctor González cacho@genac.org
On 26/06/19 00:44, Hector Gonzalez wrote:
On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
On 24/06/19 21:30, Hector Gonzalez wrote:
Hi Daniele
Hi
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
The file is readable by Koha and in fact it has the correct permission as you said.
I missed an end tag in a comment before, and so it gave me the error about reading.
Now the error disappeared.
Ok, then try making these changes:
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>*IP-OF-DC*</hostname>
  <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
  <mapping> <!-- record field names -->
    <userid is="uid"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
    <categorycode is="">STUDENT</categorycode>
  </mapping>
</ldapserver>

1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave them there.)
3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
6. Add the branchcode for the library.

Also, I would change the userid mapping to <userid is="sAMAccountName"></userid>, which is a unique name for every user with AD.

If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.
I've been trying to adapt the configuration according to my DC server but, for the moment, LDAP auth doesn't work.
I'm monitoring the traffic on port 389 on the DC and no traffic comes from the Koha server... that's quite strange.
Daniele
-- Héctor González cacho@genac.org
Bye Daniele
On 27/06/19 1:13 AM, Daniele Piccoli wrote:
On 26/06/19 00:44, Hector Gonzalez wrote:
On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
On 24/06/19 21:30, Hector Gonzalez wrote:
Hi Daniele
Hi
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
The file is readable by Koha and in fact it has the correct permission as you said.
I missed an end tag in a comment before, and so it gave me the error about reading.
Now the error disappeared.
Ok, then try making these changes:
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>*IP-OF-DC*</hostname>
  <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
  <mapping> <!-- record field names -->
    <userid is="uid"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
    <categorycode is="">STUDENT</categorycode>
  </mapping>
</ldapserver>

1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave them there.)
3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
6. Add the branchcode for the library.

Also, I would change the userid mapping to <userid is="sAMAccountName"></userid>, which is a unique name for every user with AD.

If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.

I've been trying to adapt the configuration according to my DC server but, for the moment, LDAP auth doesn't work.
I'm monitoring the traffic on port 389 on the DC and no traffic comes from the Koha server... that's quite strange.
hi Daniele

here is a working config example of a Koha (v18.05.05) talking to an AD server

hope that helps...

--------------------------
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
  <hostname>ldaps://1.2.3.4:30040</hostname>
  <base>DC=aaa,DC=bbb,DC=gov,DC=au</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <update_password>0</update_password>
  <principal_name>%s@aaa.bbb.gov.au</principal_name>
  <mapping>
    <userid is="sAMAccountName" />
    <firstname is="givenname" ></firstname>
    <surname is="sn" ></surname>
    <email is="userPrincipalName" />
    <categorycode is="employeetype" >S</categorycode>
    <branchcode is="branch" >AAA</branchcode>
    <phone is="telephoneNumber" />
  </mapping>
</ldapserver>
--------------------------
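Hector's six-step checklist and Mason's snippet above describe the same AD-specific shape for the <ldapserver> block, and the error that started this thread came from a comment in that block that was never closed. What follows is an added example written for this page; it is not Koha code and not from anyone in the thread. It is a small Python linter that parses the block and reports exactly those things: XML that does not parse, an ldaps:// URL that points at a bare IP (a certificate name check needs the DC's DNS name, and a capture on port 389 sees nothing because ldaps goes to 636 unless a port is given), a service-account <pass> left in the file while auth_by_bind is on, a missing <anonymous_bind>0</anonymous_bind>, a principal_name that is not the plain %s@domain form, and a mapping without categorycode or branchcode. The sample configs, the host dc1.lab.example.test, the domain lab.example.test and the Koha codes S and MAIN are constructed placeholders. Mason's own ldaps://1.2.3.4:30040 would draw the bare-IP warning; that is a note about certificate verification, not a claim that his setup fails.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def effective_endpoint(hostname):
    """(scheme, host, port) for a Koha <hostname>; a bare host means ldap on 389."""
    url = hostname.strip()
    if "://" not in url:
        url = "ldap://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme)

def _is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else None

def lint_ldap_config(xml_text):
    """Return 'ERROR:'/'WARN:' strings for the <ldapserver> block; [] if clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unterminated <!-- comment is enough for Koha to fail with
        # "Error reading file .../koha-conf.xml" on every page.
        return [f"ERROR: koha-conf.xml is not well-formed XML ({exc})"]
    findings = []
    if _text(root, "useldapserver") != "1":
        findings.append("WARN: useldapserver is not 1, LDAP auth is disabled")
    srv = root.find("ldapserver")
    if srv is None:
        return findings + ["ERROR: no <ldapserver> element"]

    hostname = _text(srv, "hostname") or ""
    scheme, host, port = effective_endpoint(hostname) if hostname else (None, None, None)
    if not hostname:
        findings.append("ERROR: <hostname> is empty")
    elif scheme == "ldap":
        findings.append(f"WARN: ldap:// to {host}:{port} sends the bind password in clear; use ldaps://")
    elif scheme == "ldaps" and _is_ip(host):
        findings.append(f"WARN: ldaps:// with a bare IP ({host}); certificate name checks need the "
                        f"DC's DNS name, and the traffic goes to port {port}, not 389")

    auth_by_bind = _text(srv, "auth_by_bind") == "1"
    if auth_by_bind and _text(srv, "anonymous_bind") != "0":
        findings.append("WARN: auth_by_bind=1 without <anonymous_bind>0</anonymous_bind>; AD logins need it")
    if auth_by_bind and _text(srv, "pass"):
        findings.append("WARN: service-account password kept in koha-conf.xml although auth_by_bind "
                        "binds as the user; drop <user>/<pass> unless replicate/update needs them")

    principal = _text(srv, "principal_name") or ""
    if "%s" not in principal:
        findings.append("ERROR: principal_name has no %s placeholder")
    elif auth_by_bind and "@" not in principal:
        findings.append("WARN: principal_name is a DN; AD expects the UPN form %s@domain")
    elif auth_by_bind and "=" in principal.split("@", 1)[0]:
        findings.append("WARN: principal_name has an attribute prefix before the UPN; AD expects plain %s@domain")

    mapping = srv.find("mapping")
    mapped = {m.tag: m.get("is") for m in mapping} if mapping is not None else {}
    for required in ("categorycode", "branchcode"):
        if required not in mapped:
            findings.append(f"ERROR: mapping lacks <{required}>; the borrower cannot be created without it")
    if mapped.get("userid") == "uid":
        findings.append("WARN: userid mapped to uid; AD accounts are keyed by sAMAccountName")
    return findings

# Constructed samples: WEAK_CONF mirrors the first config posted in the thread,
# GOOD_CONF the AD-ready shape (host, domain and Koha codes are placeholders).
WEAK_CONF = """<config><useldapserver>1</useldapserver><ldapserver id="ldapserver">
  <hostname>ldaps://10.0.0.5</hostname>
  <base>ou=Users,dc=lab,dc=example,dc=test</base>
  <user>cn=koha-svc,dc=lab,dc=example,dc=test</user><pass>hunter2</pass>
  <replicate>1</replicate><update>1</update><auth_by_bind>1</auth_by_bind>
  <principal_name>uid=%s,ou=Users,dc=lab,dc=example,dc=test</principal_name>
  <mapping> <!-- record field names -->
   <userid is="uid"></userid><password is="userpassword"></password><email is="mail"></email>
  </mapping></ldapserver></config>"""

GOOD_CONF = """<config><useldapserver>1</useldapserver><ldapserver id="ldapserver">
  <hostname>ldaps://dc1.lab.example.test:636</hostname>
  <base>DC=lab,DC=example,DC=test</base>
  <replicate>1</replicate><update>1</update><auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>%s@lab.example.test</principal_name>
  <mapping> <!-- record field names -->
   <userid is="sAMAccountName" /><email is="userPrincipalName" />
   <categorycode is="employeetype">S</categorycode><branchcode is="branch">MAIN</branchcode>
  </mapping></ldapserver></config>"""
```

To run it against a real instance, call lint_ldap_config(open("/etc/koha/sites/biblioname/koha-conf.xml").read()) from a koha-shell session, since the file is 640 root:biblioname-koha. lint_ldap_config(WEAK_CONF) returns seven findings and lint_ldap_config(GOOD_CONF) returns an empty list. The linter only reads the file; after any edit, restart memcached as well as koha-common, which is what finally made LDAP work at the end of this thread.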
On 26/06/19 17:12, Mason James wrote:
[cut]
hi Daniele here is a working config example of a Koha (v18.05.05) talking to an AD server
hope that helps... -------------------------- <useldapserver>1</useldapserver> <ldapserver id="ldapserver">
<hostname>ldaps://1.2.3.4:30040</hostname> <base>DC=aaa,DC=bbb,DC=gov,DC=au</base>
<replicate>1</replicate> <update>1</update>
<auth_by_bind>1</auth_by_bind>
<anonymous_bind>0</anonymous_bind> <update_password>0</update_password>
<principal_name>%s@aaa.bbb.gov.au</principal_name>
<mapping> <userid is="sAMAccountName" /> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <email is="userPrincipalName" />
<categorycode is="employeetype" >S</categorycode> <branchcode is="branch" >AAA</branchcode>
<phone is="telephoneNumber" /> </mapping>
</ldapserver> --------------------------
Thanks for the snippet :) Bye Daniele
Hello,

Have you tried to restart memcached and koha-common after configuration updates?

/etc/init.d/koha-common restart
/etc/init.d/memcached restart

Best Regards

On Wed, 26 Jun 2019, 9:14 pm Daniele Piccoli, <daniele.piccoli@riseup.net> wrote:
On 26/06/19 00:44, Hector Gonzalez wrote:
On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
On 24/06/19 21:30, Hector Gonzalez wrote:
Hi Daniele
Hi
On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli@riseup.net> wrote:
Software error: Error reading file /etc/koha/sites/biblioname/koha-conf.xml. Try running this again as the koha instance user (or use the koha-shell command in debian)
Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
The file is readable by Koha and in fact it has the correct permission as you said.
I missed an end tag in a comment before, and so it gave me the error about reading
Now, the error disappeared
Ok, then try making these changes:
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>*IP-OF-DC*</hostname>
  <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
  <mapping> <!-- record field names -->
    <userid is="uid"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
    <categorycode is="">STUDENT</categorycode>
  </mapping>
</ldapserver>

1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave them there.)
3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
6. Add the branchcode for the library.

Also, I would change the userid mapping to <userid is="sAMAccountName"></userid>, which is a unique name for every user with AD.

If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.
I've been trying to adapt the configuration according to my DC server but, for the moment, LDAP auth doesn't work.
I'm monitoring the traffic on port 389 on the DC and no traffic comes from the Koha server... that's quite strange.
Daniele
-- Héctor González cacho@genac.org
Bye
Daniele
On 26/06/19 19:12, Karam Qubsi wrote:
Hello,
Hi,
Have you tried to restart memcached and koha-common after configurations updates.
/etc/init.d/koha-common restart
I've already restarted it before
/etc/init.d/memcached restart
This is the point: I restarted it and LDAP started to work perfectly. Thank you so much!
Best Regards
Daniele