Koha authentication against existing LDAP directory
Howdy all,

I am trying to get a Koha server to authenticate against an existing LDAP directory. I've followed what appears to be the appropriate documentation, but haven't succeeded in authenticating.

Proving that LDAP authentication and query is working:

=====
$ user_uid=percy
$ ldapsearch -LLL -x -D uid=${user_uid},ou=People,dc=lan -W "(uid=${user_uid})"
Enter LDAP Password:
dn: uid=percy,ou=People,dc=lan
cn: Percy
uid: percy
uidNumber: 1006
loginShell: /bin/sh
homeDirectory: /home/percy
gidNumber: 100
userPassword:: [blabla password hash]
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
shadowLastChange: 14355
gecos: Percy
sn: Percy
=====

The ‘/etc/koha/koha-conf.xml’ contains, in part:

=====
…
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>example.lan</hostname>
  <base>dc=lan</base>
  <replicate>1</replicate>
  <update>1</update>
  <mapping>
    <surname is="sn" ></surname>
    <branchcode is="branch" >MAIN</branchcode>
    <userid is="uid" ></userid>
    <password is="userpassword" ></password>
    <categorycode is="employeetype" >PT</categorycode>
  </mapping>
</ldapserver>
=====

There's also a suggestion in the docs of two other elements, ‘user’ and ‘pass’. But shouldn't the LDAP connection be made as the user who's trying to authenticate, with the password they used? I hope I don't need to record some administrative user's authentication information in a configuration file.

How can I get authentication working with Koha like with other LDAP clients?

--
“I used to be a proofreader for a skywriting company.” —Steven Wright
Ben Finney
Ben Finney <ben+koha@benfinney.id.au> writes:
Proving that LDAP authentication and query is working:
Sorry, I forgot to describe the failure. When I use the same username and password that worked in the direct LDAP query, and enter those into the Koha login form, the return page simply shows the same form with “Error: Invalid username or password”.
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.

--
“Computers are useless. They can only give you answers.” —Pablo Picasso
Ben Finney
Ben Finney <ben+koha@benfinney.id.au> writes:
When I use the same username and password that worked in the direct LDAP query, and enter those into the Koha login form, the return page simply shows the same form with “Error: Invalid username or password”.
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
Is LDAP authentication something I should expect to be working? The documentation leads me to believe it should work, but the lack of responses here concerns me that it might not actually be in common use.

--
“Isn't it enough to see that a garden is beautiful without having to believe that there are fairies at the bottom of it too?” —Douglas Adams
Ben Finney
Hi Ben

On 2009/05/26, at 12:19 AM, Ben Finney wrote:
Ben Finney <ben+koha@benfinney.id.au> writes:
When I use the same username and password that worked in the direct LDAP query, and enter those into the Koha login form, the return page simply shows the same form with “Error: Invalid username or password”.
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
well, this specifically is tricky - as koha expects some basic user records, as Joe stated... why not try to get a basic koha+LDAP system first, then aim for this advanced setup
Is LDAP authentication something I should expect to be working? The documentation leads me to believe it should work, but the lack of responses here concerns me that it might not actually be in common use.
I got it going recently with no previous experience with LDAP, and people attempting and succeeding at LDAP setup is quite frequent, I think.

Mason.
Mason James <mason.loves.sushi@gmail.com> writes:
On 2009/05/26, at 12:19 AM, Ben Finney wrote:
Ben Finney <ben+koha@benfinney.id.au> writes:
When I use the same username and password that worked in the direct LDAP query, and enter those into the Koha login form, the return page simply shows the same form with “Error: Invalid username or password”.
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
well, this specifically is tricky - as koha expects some basic user records, as Joe stated...
This doesn't follow. Koha can get access to any user's record by authenticating as that user when they log in. Shouldn't Koha be using whatever credentials a user attempts to authenticate with at the login form, and querying against the LDAP server to see whether they're valid? In fact, this is what I was told Koha actually does, by requiring a user to log in before retrieving that user's record from the LDAP directory.
why not try to get a basic koha+LDAP system first, then aim for this advanced setup
I don't think “avoid storing the plain-text password of a privileged user for the LDAP directory” is a particularly advanced request. Surely that's the whole point of having a centralised authentication service with a secure query protocol: to avoid duplication and insecure storage of credentials?
Is LDAP authentication something I should expect to be working? The documentation leads me to believe it should work, but the lack of responses here concerns me that it might not actually be in common use.
I got it going recently with no previous experience with LDAP. and people attempting and succeeding LDAP setup is quite frequent, i think
Well, if the only way to get LDAP authentication working is to avoid using it as intended, that doesn't seem to me to qualify as “working”.

From what I can see of other LDAP clients, it's perfectly normal to do the following when attempting to query the directory non-anonymously:

* client application requests credentials at runtime
* client application computes appropriate hash for credentials
* client application binds (authenticates for the purpose of the query) to the LDAP server using the hashed credentials
* server responds with appropriate status and query result
* client application proceeds on that basis

What documentation is there for getting Koha working as a normal LDAP authentication client?

--
“Free thought is a necessary, but not a sufficient, condition for democracy.” —Carl Sagan
Ben Finney
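The two authentication models argued over in this thread, as an added example that is not Koha's code nor any project's: an in-memory stand-in for the directory (MockDirectory, auth_by_bind, auth_by_compare, ssha_hash, ssha_verify and parse_ldif_line are all names assumed here) shows what each model requires the web application to hold. In the bind model the application passes the credentials the user typed to the server, which does the verification itself; in the compare model the application binds with a service credential kept in its configuration, reads the user's userPassword attribute (which the ACL must therefore expose to that account) and verifies the hash locally. The {SSHA} format is the OpenLDAP one (base64 of a SHA-1 digest followed by the salt), and the LDIF parser handles the `attr:: base64` lines that appear in the ldapsearch output above.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PEOPLE_BASE = "ou=People,dc=lan"   # base DN used in the thread


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: bytes) -> bool:
    """Check a password against an {SSHA} value using a constant-time comparison."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def parse_ldif_line(line: str) -> Tuple[str, str]:
    """Parse one 'attr: value' or 'attr:: base64value' line as printed by ldapsearch -LLL."""
    if ":: " in line:                          # double colon marks a base64-encoded value
        attr, b64 = line.split(":: ", 1)
        return attr, base64.b64decode(b64).decode("utf-8")
    attr, value = line.split(": ", 1)
    return attr, value


class MockDirectory:
    """Stand-in for the LDAP server (constructed): entries keyed by DN, passwords stored hashed."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}
        self.password_readers = set()          # DNs whose ACL allows reading userPassword

    def add_user(self, uid: str, password: str, **attrs: str) -> str:
        dn = "uid=%s,%s" % (uid, PEOPLE_BASE)
        self.entries[dn] = dict(uid=uid, userPassword=ssha_hash(password.encode()), **attrs)
        return dn

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server verifies the password; the client never sees the hash."""
        entry = self.entries.get(dn)
        return entry is not None and ssha_verify(entry["userPassword"], password.encode())

    def search(self, bound_as: str, uid: str) -> Optional[Dict[str, str]]:
        """Return the entry for uid, exposing userPassword only to authorised readers."""
        entry = self.entries.get("uid=%s,%s" % (uid, PEOPLE_BASE))
        if entry is None:
            return None
        visible = dict(entry)
        if bound_as not in self.password_readers:
            visible.pop("userPassword")
        return visible


def auth_by_bind(directory: MockDirectory, uid: str, password: str) -> bool:
    """Bind model: bind as the user with the credentials they typed.
    The application holds nothing privileged and never sees the stored hash."""
    return directory.bind("uid=%s,%s" % (uid, PEOPLE_BASE), password)


def auth_by_compare(directory: MockDirectory, service_dn: str, service_pw: str,
                    uid: str, password: str) -> bool:
    """Compare model: bind with a service credential kept in the config, read the
    user's hash, verify it locally. Needs a stored password and a read ACL on userPassword."""
    if not directory.bind(service_dn, service_pw):
        return False
    entry = directory.search(service_dn, uid)
    if entry is None or "userPassword" not in entry:
        return False                           # the ACL hid the hash: nothing to compare
    return ssha_verify(entry["userPassword"], password.encode())


def demo() -> Dict[str, bool]:
    """Constructed scenario: user 'percy' plus a service account; returns each outcome."""
    d = MockDirectory()
    d.add_user("percy", "correct horse", cn="Percy", sn="Percy")
    svc = d.add_user("koha-svc", "service-secret")
    results = {
        "bind_ok": auth_by_bind(d, "percy", "correct horse"),
        "bind_bad": auth_by_bind(d, "percy", "wrong"),
        # Service account exists but has no ACL on userPassword: compare cannot work.
        "compare_without_acl": auth_by_compare(d, svc, "service-secret", "percy", "correct horse"),
    }
    d.password_readers.add(svc)                # grant the ACL the compare model depends on
    results["compare_with_acl"] = auth_by_compare(d, svc, "service-secret", "percy", "correct horse")
    return results


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one argued in this thread: the bind model works with only the user's own credentials at runtime, while the compare model only works once the service account can read every user's password attribute, and that account's password must be readable by the web server process.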
On 2009/05/27, at 6:21 PM, Ben Finney wrote:
Mason James <mason.loves.sushi@gmail.com> writes:
On 2009/05/26, at 12:19 AM, Ben Finney wrote:
Ben Finney <ben+koha@benfinney.id.au> writes:
When I use the same username and password that worked in the direct LDAP query, and enter those into the Koha login form, the return page simply shows the same form with “Error: Invalid username or password”.
FYI: turn your debug up and check yr logs too this was helpful to me for configuring LDAP successfully
What documentation is there for getting Koha working as a normal LDAP authentication client?
this is the doco http://wiki.koha.org/doku.php?id=en:development:ldap&s[]=ldap
Mason James <mason.loves.sushi@gmail.com> writes:
FYI: turn your debug up and check yr logs too this was helpful to me for configuring LDAP successfully
I haven't found a configuration option for this in ‘koha-conf.xml’, and the Koha wiki doesn't return anything useful when I search about this. What do I need to do to “turn up debug” in the log output?

--
“The flattening of underwear with pleasure is the job of the chambermaid.” —hotel, Yugoslavia
Ben Finney
Hi,

On Wed, May 27, 2009 at 2:21 AM, Ben Finney <ben+koha@benfinney.id.au> wrote:
What documentation is there for getting Koha working as a normal LDAP authentication client?
See the auth_by_bind configuration option description on the wiki page <http://wiki.koha.org/doku.php?id=en:development:ldap>. Note that this option is currently available in HEAD, but would be a candidate for backporting into 3.0.x.

Regards,

Galen
--
Galen Charlton
VP, Research & Development, LibLime
galen.charlton@liblime.com
p: 1-888-564-2457 x709
skype: gmcharlt
Galen Charlton <galen.charlton@liblime.com> writes:
See the auth_by_bind configuration option description on the wiki page <http://wiki.koha.org/doku.php?id=en:development:ldap>. Note that this option is currently available in HEAD, but would be a candidate for backporting into 3.0.x.
Thanks for this.

Okay, I have installed Koha from Git HEAD as of a few days ago (rev ID a8bfa5ffc0695089669478817cc443cc6e009764) over the top of the existing installation (which was Koha 3.0) and re-configured it.

The config file now contains the following relevant for LDAP:

=====
<config>
…
<useldapserver>1</useldapserver><!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->

<!-- LDAP SERVER (optional) -->
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>trimserver-admin.lan</hostname>
  <base>ou=People,dc=lan</base>
  <replicate>1</replicate>       <!-- add new users from LDAP to Koha database -->
  <update>1</update>             <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
  <mapping>                      <!-- match koha SQL field names to your LDAP record field names -->
    <firstname is="givenname" ></firstname>
    <surname is="sn" ></surname>
    <!-- <address is="postaladdress" ></address> -->
    <!-- <city is="l" >Athens, OH</city> -->
    <!-- <zipcode is="postalcode" ></zipcode> -->
    <branchcode is="branch" >MAIN</branchcode>
    <userid is="uid" ></userid>
    <password is="userpassword" ></password>
    <!-- <email is="mail" ></email> -->
    <categorycode is="employeetype" >PT</categorycode>
    <!-- <phone is="telephonenumber"></phone> -->
  </mapping>
</ldapserver>
</config>
=====

When I connect from this machine using the following command, I get the connection fine:

=====
$ ldapsearch -LLL "(uid=percy)" -x -D "uid=percy,ou=People,dc=lan" -W
dn: uid=percy,ou=People,dc=lan
cn: Percy
uid: percy
uidNumber: 1006
loginShell: /bin/sh
homeDirectory: /home/percy
gidNumber: 100
userPassword:: <omitted>
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
shadowLastChange: 14355
gecos: Percy
sn: Percy
=====

Yet when I try to give the same credentials via Koha, I get the message “Error: Unauthorized user”.

(This is at least different from before, which tells me it actually is using the LDAP server for authentication this time.)

How can I diagnose this further to see why correct LDAP account credentials are not granting access via Koha?

--
“No matter how far down the wrong road you've gone, turn back.” —Turkish proverb
Ben Finney
Ben Finney <ben+koha@benfinney.id.au> writes:
When I connect from this machine using the following command, I get the connection fine:
It occurred to me, discussing with Chris, that perhaps what I'm seeing from Koha is that the *authentication* worked, but the user has no permission. If true, that would be a step forward.

Please tell me where I'm going wrong here, or how I can verify whether this is true:

The message “Unauthorized user” appears to be coming from ‘intranet/htdocs/intranet-tmpl/prog/en/modules/auth.tmpl’, which shows the message if ‘nopermission’ is set. That appears to be set in ‘lib/C4/Auth.pm’ in the ‘info’ hash.

Now, my understanding was that since my configuration has:

=====
<config>
…
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver" listenref="ldapserver">
  …
  <replicate>1</replicate> <!-- add new users from LDAP to Koha database -->
  <update>1</update>       <!-- update existing users in Koha database -->
  …
</ldapserver>
…
</config>
=====

The ‘replicate’ setting should cause Koha to create a new account when a user first authenticates against LDAP, and the ‘update’ setting should cause their account to be updated from LDAP each subsequent time they log in.

But this doesn't happen: after getting the above “Unauthorized user” message, the ‘borrowers’ and ‘user_permissions’ tables still have no records:

=====
mysql> select count(borrowernumber) from borrowers;
+-----------------------+
| count(borrowernumber) |
+-----------------------+
|                     0 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select count(borrowernumber) from user_permissions;
+-----------------------+
| count(borrowernumber) |
+-----------------------+
|                     0 |
+-----------------------+
1 row in set (0.00 sec)
=====

So where am I going wrong? Is this user not authenticating? Or (as I suspect) is the authentication successful, but the account not getting created in Koha's database?

Should I be expecting all this to work as expected above? How can I troubleshoot further?

--
“Every sentence I utter must be understood not as an affirmation, but as a question.” —Niels Bohr
Ben Finney
So where am I going wrong? Is this user not authenticating? Or (as I suspect) is the authentication successful, but the account not getting created in Koha's database?
Should I be expecting all this to work as expected above? How can I troubleshoot further?
1) take a look here to set your debug level, there's a bunch of ways...
http://git.koha.org/cgi-bin/gitweb.cgi?p=Koha;a=blob;f=C4/Debug.pm

2) look in your apache-config for your path to your errorlog, usually /var/log/apache2/error.log

3) tail your errorlog, and look for LDAP debug info

fyi: here's my ldap config

<useldapserver>1</useldapserver>
<!-- LDAP SERVER (optional) -->
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>ldaps://ldaps.foo.com:636</hostname>
  <base>ou=People,dc=foo,dc=internal</base>
  <user>ou=People,dc=foo,dc=internal</user> <!-- DN, if not anonymous -->
  <pass></pass>                             <!-- password, if not anonymous -->
  <replicate>1</replicate>                  <!-- add new users from LDAP to Koha database -->
  <update>1</update>                        <!-- update existing users in Koha database -->
  <mapping>                                 <!-- match koha SQL field names to your LDAP record field names -->
    <firstname is="givenname" ></firstname>
    <surname is="sn" ></surname>
    <address is="postaladdress" ></address>
    <city is="l" >foo</city>
    <zipcode is="postalcode" ></zipcode>
    <branchcode is="branch" >foo</branchcode>
    <userid is="uid" ></userid>
    <password is="userpassword" ></password>
    <email is="mail" ></email>
    <phone is="telephonenumber"></phone>
    <cardnumber is="uid" ></cardnumber>
  </mapping>
</ldapserver>
Ben Finney <ben+koha@benfinney.id.au> writes:
It occurred to me, discussing with Chris, that perhaps what I'm seeing from Koha is that the *authentication* worked, but the user has no permission. If true, that would be a step forward.
A discussion on IRC with Galen Charlton confirmed that indeed, the authentication was working. The creation of the borrower record failed due to confusion over the MySQL schema and the mapping from LDAP-to-MySQL fields.

I have now imported the “optional data” from the SQL files in ‘installer/data/mysql/en/optional/’.

I now have the following Koha config for the LDAP section:

=====
<config>
…
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>trimserver-admin.lan</hostname>
  <base>ou=People,dc=lan</base>
  <replicate>1</replicate>       <!-- add new users from LDAP to Koha database -->
  <update>1</update>             <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
  <mapping>                      <!-- match koha SQL field names to your LDAP record field names -->
    <firstname is="givenname" ></firstname>
    <surname is="sn" ></surname>
    <address is="postaladdress" >Unknown address</address>
    <city is="l" >Unknown city</city>
    <!-- <zipcode is="postalcode" ></zipcode> -->
    <branchcode is="branch" >CPL</branchcode>
    <userid is="uid" ></userid>
    <password is="userpassword" ></password>
    <!-- <email is="mail" ></email> -->
    <categorycode is="employeetype" >PT</categorycode>
    <!-- <phone is="telephonenumber"></phone> -->
  </mapping>
</ldapserver>
</config>
=====

(Side note: isn't one of the main points of a NULL in a database to indicate “the value for this column is currently unknown”? It would be better, I'd think, for the Koha code to use a NULL field to indicate that state, rather than setting the schema NOT NULL for those columns.)

Now, when successfully authenticating against LDAP in the admin interface, a new borrower record is created in the ‘borrowers’ table, if the user was previously unknown.

I'm getting errors still, but it appears that authentication has succeeded. Thanks for everyone's help so far.

--
“The apparent lesson of the Inquisition is that insistence on uniformity of belief is fatal to intellectual, moral, and spiritual health.” —_The Uses Of The Past_, Herbert J. Muller
Ben Finney
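A review check for the `<ldapserver>` sections posted in this thread, as an added example and not part of Koha or of any poster's setup: it parses a koha-conf.xml-style document with the standard library and reports the settings the thread argues about (auth_by_bind absent, a bind password kept in the file, a bind DN with an empty password, a hostname without the ldaps:// scheme, and the password attribute included in the field mapping). The two embedded configs are constructed from the ones above with placeholder hostnames, DNs and password; the finding names (`lint_ldap_config` and the codes it returns) are assumptions of this example, and the last finding rests on the posted comments that mapped LDAP attributes are copied into Koha's borrower records when replicate/update are on.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples modelled on the <ldapserver> sections posted in the thread.
# Hostnames, DNs and the password are placeholders, not values from any real system.
BIND_CONFIG = """<config>
  <useldapserver>1</useldapserver>
  <ldapserver id="ldapserver" listenref="ldapserver">
    <hostname>ldap.example.invalid</hostname>
    <base>ou=People,dc=example</base>
    <replicate>1</replicate>
    <update>1</update>
    <auth_by_bind>1</auth_by_bind>
    <mapping>
      <surname is="sn"></surname>
      <userid is="uid"></userid>
      <password is="userpassword"></password>
    </mapping>
  </ldapserver>
</config>"""

COMPARE_CONFIG = """<config>
  <useldapserver>1</useldapserver>
  <ldapserver id="ldapserver" listenref="ldapserver">
    <hostname>ldaps://ldap.example.invalid:636</hostname>
    <base>ou=People,dc=example</base>
    <user>cn=koha-service,ou=People,dc=example</user>
    <pass>PLACEHOLDER-SERVICE-PASSWORD</pass>
    <replicate>1</replicate>
    <update>1</update>
    <mapping>
      <surname is="sn"></surname>
      <userid is="uid"></userid>
      <password is="userpassword"></password>
    </mapping>
  </ldapserver>
</config>"""


def lint_ldap_config(xml_text: str) -> List[str]:
    """Return finding codes for the <ldapserver> section of a koha-conf.xml-style document."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    if (root.findtext("useldapserver") or "").strip() != "1":
        return ["ldap-disabled"]               # nothing else applies
    srv = root.find("ldapserver")
    if srv is None:
        return ["no-ldapserver-section"]

    def text(tag: str) -> str:
        return (srv.findtext(tag) or "").strip()

    # Without auth_by_bind the application has to fetch the password attribute and
    # compare it itself, so the directory is not the component verifying passwords.
    if text("auth_by_bind") != "1":
        findings.append("no-auth-by-bind")
    # A non-empty <pass> is a privileged credential readable by anyone who can read the file.
    if text("pass"):
        findings.append("stored-bind-password")
    # A DN with an empty password is an unauthenticated simple bind; servers treat it
    # as anonymous or reject it, so it grants the application no privilege at all.
    if text("user") and not text("pass"):
        findings.append("bind-dn-without-password")
    # Only the ldaps:// scheme is recognisable here; anything else needs TLS confirmed separately.
    if not text("hostname").startswith("ldaps://"):
        findings.append("no-ldaps-scheme")
    # Mapped attributes are copied into the borrowers table on replicate/update;
    # a mapped password attribute copies password material into Koha's database.
    mapping = srv.find("mapping")
    if mapping is not None and mapping.find("password") is not None:
        findings.append("password-attribute-mapped")
    return findings


if __name__ == "__main__":
    for name, cfg in (("bind", BIND_CONFIG), ("compare", COMPARE_CONFIG)):
        print(name, lint_ldap_config(cfg))
```

Run against the two samples, the bind-style config is flagged only for its plain hostname and the mapped password attribute, while the compare-style config is flagged for lacking auth_by_bind and for the service password it stores; the `bind-dn-without-password` case corresponds to a `<user>` with an empty `<pass>`, as in the config posted a few messages up.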
Mason James <mason.loves.sushi@gmail.com> writes:
Ben Finney <ben+koha@benfinney.id.au> writes:
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
well, this specifically is tricky - as koha expects some basic user records, as Joe stated... why not try to get a basic koha+LDAP system first, then aim for this advanced setup
Just to clarify, what is it you mean by “a basic Koha+LDAP system”? Does it or does it not require use of a privileged LDAP user?

To me, “a basic Koha+LDAP system” would be one that uses the basic LDAP authentication method (i.e. no privileged LDAP user required). But I don't know if that's what you mean.

--
“It is difficult to get a man to understand something when his salary depends upon his not understanding it.” —Upton Sinclair, 1935
Ben Finney
On 2009/06/3, at 3:31 PM, Ben Finney wrote:
Mason James <mason.loves.sushi@gmail.com> writes:
Ben Finney <ben+koha@benfinney.id.au> writes:
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
well, this specifically is tricky - as koha expects some basic user records, as Joe stated... why not try to get a basic koha+LDAP system first, then aim for this advanced setup
Just to clarify, what is it you mean by “a basic Koha+LDAP system”? Does it or does it not require use of a privileged LDAP user?
to my knowledge, no it doesn't
To me, “a basic Koha+LDAP system” would be one that uses the basic LDAP authentication method (i.e. no privileged LDAP user required). But I don't know if that's what you mean.
yep, that's what I mean
Mason James <mason.loves.sushi@gmail.com> writes:
On 2009/06/3, at 3:31 PM, Ben Finney wrote:
Mason James <mason.loves.sushi@gmail.com> writes:
well, this specifically is tricky - as koha expects some basic user records, as Joe stated... why not try to get a basic koha+LDAP system first, then aim for this advanced setup
Just to clarify, what is it you mean by “a basic Koha+LDAP system”? Does it or does it not require use of a privileged LDAP user?
to my knowledge, no it doesn't
Thanks for your response. I'm confused over an apparent contradiction, then. When I asked:
Ben Finney <ben+koha@benfinney.id.au> writes:
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
You (Mason) replied:
well, this specifically is tricky - as koha expects some basic user records, as Joe stated...
So, asking again: How can I get authentication working with Koha, without requiring the duplication or storage of privileged LDAP user credentials in the Koha configuration?

I ask because the instructions assume the existence of such a privileged account and instruct me to use those credentials in the configuration <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.

So, since you say that's not necessary, how do I get it working without that?

--
“I took it easy today. I just pretty much layed around in my underwear all day. … Got kicked out of quite a few places, though.” —Bug-Eyed Earl, _Red Meat_
Ben Finney
Ben Finney <ben+koha@benfinney.id.au> writes:
I ask because the instructions assume the existence of such a privileged account and instruct me to use those credentials in the configuration <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.
If I try omitting the values for the username and password:

<ldapserver …>
  …
  <user></user>
  <pass></pass>
  …
</ldapserver>

I still get “Invalid username or password” when trying to log in. The same happens if I omit the ‘user’ and ‘pass’ elements from that section entirely.
So, since you say that's not necessary, how do I get it working without that?
The question remains.

--
“Ladies, leave your clothes here and spend the afternoon having a good time.” —laundry, Rome
Ben Finney
On 2009/06/3, at 3:51 PM, Ben Finney wrote:
Mason James <mason.loves.sushi@gmail.com> writes:
On 2009/06/3, at 3:31 PM, Ben Finney wrote:
Mason James <mason.loves.sushi@gmail.com> writes:
well, this specifically is tricky - as koha expects some basic user records, as Joe stated... why not try to get a basic koha+LDAP system first, then aim for this advanced setup
Just to clarify, what is it you mean by “a basic Koha+LDAP system”? Does it or does it not require use of a privileged LDAP user?
to my knowledge, no it doesnt
Thanks for your response.
I'm confused over an apparent contradiction, then. When I asked:
Ben Finney <ben+koha@benfinney.id.au> writes:
How can I get authentication working with Koha like with other LDAP clients?
In particular, without duplicating or storing privileged user credentials in the Koha configuration.
You (Mason) replied:
well, this specifically is tricky - as koha expects some basic user records, as Joe stated...
So, asking again: How can I get authentication working with Koha, without requiring the duplication or storage of privileged LDAP user credentials in the Koha configuration?
AFAIK, currently you can't, without some hacking.

Sorry, I'm not an LDAP expert, I'm an LDAP newbie. The *only* time I've used LDAP was to set up a Koha 3 months ago.

I don't understand what a "privileged" LDAP user really is ;) or what "privileged user credentials" are, so I may not be the person to give you the expect info you need.

From memory, I used the Auth_with_ldap.pm from HEAD:
http://git.koha.org/cgi-bin/gitweb.cgi?p=Koha;a=blob;f=C4/Auth_with_ldap.pm;h=cbe0b51ab76135b9df1b499c9486abc4674283da;hb=HEAD
I haven't been following this or the other recent LDAP threads very closely, but the volume of LDAP-related messages has made me wonder what I'm missing.

Can someone provide a newbie summary of what functionality LDAP + Koha is supposed to provide? I gather it has something to do with authentication, but who's being authenticated for what?

Thanks,

Cab Vinton, Director
Sanbornton Public Library
Sanbornton, NH
Hi,

On Wed, Jun 3, 2009 at 7:27 AM, Cab Vinton <bibliwho@gmail.com> wrote:
Can someone provide a newbie summary of what functionality LDAP + Koha is supposed to provide? I gather it has something to do with authentication, but who's being authenticated for what?
LDAP stands for the Lightweight Directory Access Protocol, and LDAP directories are often used to store directories of people, including login information. Many academic and corporate libraries, and some public libraries, configure Koha to query an LDAP directory run by the host institution to authenticate a user to the OPAC rather than having Koha's patron database be an entirely separate pool of records describing the same people.

Regards,

Galen
--
Galen Charlton
VP, Research & Development, LibLime
galen.charlton@liblime.com
p: 1-888-564-2457 x709
skype: gmcharlt
Cab Vinton <bibliwho@gmail.com> writes:
Can someone provide a newbie summary of what functionality LDAP + Koha is supposed to provide?
LDAP (Lightweight Directory Access Protocol) is a standard query protocol into “directories” of information, where a directory is a hierarchical organisation of information optimised for fast and flexible query. Such directories can, of course, be directories of people: they are often used for providing a directory of people for various purposes, including authentication.
I gather it has something to do with authentication, but who's being authenticated for what?
LDAP authentication is normally done at login time by querying the LDAP server and asking it to authenticate the user based on the login credentials, in order to grant further access to the information in the directory (this process is termed “binding to” the directory).

Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP directory for the user account details when a user attempts to log in.

My messages have led to the conclusion that this is currently done in a rather naive and insecure way: not using the standard LDAP-server-based authentication, but instead using an access-all-accounts privileged directory account to pull all the details across the connection and perform authentication on the webserver <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.

Future (currently-in-development) Koha code may, I'm told, have the ability to use the correct authentication on the LDAP server, without a need for insecure access to the LDAP accounts.

--
“Only the educated are free.” —Epictetus
Ben Finney
On Wed, Jun 3, 2009 at 8:15 PM, Ben Finney <ben+koha@benfinney.id.au> wrote:
Cab Vinton <bibliwho@gmail.com> writes:
Can someone provide a newbie summary of what functionality LDAP + Koha is supposed to provide?
LDAP (Lightweight Directory Access Protocol) is a standard query protocol into “directories” of information, where a directory is a hierarchical organisation of information optimised for fast and flexible query.
Such directories can, of course, be directories of people: they are often used for providing a directory of people for various purposes, including authentication.
I gather it has something to do with authentication, but who's being authenticated for what?
LDAP authentication is normally done at login time by querying the LDAP server and asking it to authenticate the user based on the login credentials, in order to grant further access to the information in the directory (this process is termed “binding to” the directory).
Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP directory for the user account details when a user attempts to log in.
My messages have led to the conclusion that this is currently done in a rather naive and insecure way: not using the standard LDAP-server-based authentication, but instead using an access-all-accounts privileged directory account to pull all the details across the connection and perform authentication on the webserver <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.
Future (currently-in-development) Koha code may, I'm told, have the ability to use the correct authentication on the LDAP server, without a need for insecure access to the LDAP accounts.
The HEAD version of Koha suggests the functionality you want with "auth_by_bind" lines in C4::Auth_with_LDAP. I'm not vouching for their operation because I haven't tested it firsthand, but Active Directory is specifically what the code has in mind.

Looking at the implementation, I don't like how it was done though. It seems to require anonymous binding to work first, then ignores that and goes for a separate user bind.

As for the non-auth_by_bind implementation being "naive", it isn't. It anticipates batch import/update functionality that would be very desirable. Obviously, importing a whole directory of unspecified users would require the privileged account info.

--
Joe Atzberger
LibLime - Open Source Library Solutions
Joe Atzberger <ohiocore@gmail.com> writes:
The HEAD version of Koha suggests the functionality you want with "auth_by_bind" lines in C4::Auth_with_LDAP. I'm not vouching for their operation because I haven't tested it firsthand, but Active Directory is specifically what the code has in mind.
Thank you. Who here *has* tested this functionality first-hand? (I'm unconcerned with Active Directory, at present, only with OpenLDAP servers.)
Looking at the implementation, I don't like how it was done though. It seems to require anonymous binding to work first, then ignores that and goes for a separate user bind.
Hmm. An anonymous bind attempt could succeed, but then such a binding isn't likely to work for login as a specific user. Is that what you don't like about it? Or is there something further that is objectionable about this implementation?
As for the non-auth_by_bind implementation being "naive", it isn't. It anticipates batch import/update functionality that would be very desirable.
I refer to the import-entire-user-account-via-privileged-account as “naive” because it requires multiple otherwise-unnecessary security holes that could have been avoided by considering possible failure modes.

Having an account in the directory privileged to read all account password fields isn't necessary at all for LDAP authentication and is unnecessary exposure, yet as described so far this implementation won't work without it.

Having such a privileged account's credentials stored in a configuration file where the web-server user can read it is a further security hole, one that again seems necessary for operation of the current authentication system.

These statements aren't intended to raise anyone's hackles, only to support my claim that the Koha 3.0 authentication against an LDAP directory is implemented naively.

If there's an implementation that uses the standard LDAP authentication mechanism I'd like to try it out. Are there specific instructions I should follow beyond those for Koha 3.0?

--
“Somebody told me how frightening it was how much topsoil we are losing each year, but I told that story around the campfire and nobody got scared.” —Jack Handey
Ben Finney
participants (5)
- Ben Finney
- Cab Vinton
- Galen Charlton
- Joe Atzberger
- Mason James