dear list,

There has been some discussion on koha@lists.katipo.co.nz about the LDAP authentication bit of Koha (mostly in December 2005). The outcome of that discussion was (as far as I understood it) that the actual checking of the password should be done by trying to connect (authenticate) to the LDAP server with a specific username/password and seeing if LDAP accepts the connection.

What Koha does: it tries to retrieve the password field from the LDAP server, and compares that to the password the user has typed, to check if they are the same.

There are some problems with this approach:

- most (if not all..?) LDAP servers will be configured NOT to provide a user's password to an anonymous connection, meaning Koha would have to log on with a rootdn (or use ACLs) to be able to 'read' the user's password.
- if the LDAP server uses a way to encrypt the password, comparing the (encrypted) password with the plain text (or otherwise encrypted) password will not give the desired result, as the two values will not match.

Anyway, a solution was provided on this list. To my surprise I noticed that in the new Koha 2.2.6RC2 the old method was still in place. Is there anything I missed? Are there reasons NOT to use the approach of trying to connect (authenticate) to the LDAP server with a specific username/password? Does it break other things?

The Auth.pm provided by KL Nasveschuk is quoted below, and works here.

Kind regards,
Mourik Jan

##################################################
### LOCAL ###
### Change the code below to match your own LDAP server.
##################################################
# These use lines belong at the top of Auth.pm.
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

# $userid and $password are the login form values handed in by the
# enclosing checkpw routine of C4::Auth; they are not defined here.

# An empty password would turn the bind below into an unauthenticated
# (anonymous) bind, which most servers accept: never treat that as a
# successful login.
unless ( defined $userid && length $userid && defined $password && length $password ) {
    warn "LDAP Auth failed: empty userid or password";
    return 0;
}

# LDAP connection parameters
# LDAP server (use an ldaps:// URI or start_tls so the user's password
# is not sent to the directory in clear text)
my $ldapserver = 'ldap.server.com';
# Base DN for users
my $name = "ou=users,dc=server,dc=com";
# Bind uses the user's full DN; if uid doesn't work try "cn".
# The login name is escaped so that characters such as ',' or '+'
# cannot alter the DN.
my $binddn = "uid=" . escape_dn_value($userid) . ",$name";

my $db = Net::LDAP->new($ldapserver);
unless ($db) {
    warn "LDAP Auth failed: server not responding ($@)";
    return 0;
}

# do bind: the directory checks the password for us
my $res = $db->bind( dn => $binddn, password => $password );
# check connection, any code other than LDAP_SUCCESS (0) is a problem
if ( $res->code != LDAP_SUCCESS ) {
    # auth refused
    warn "LDAP Auth failed: wrong user/password combination (" . $res->error . ")";
    return 0;
}

# search user (filter value escaped so '*', '(' or ')' in the login
# name cannot widen the search)
my $userdnsearch = $db->search(
    base   => $name,
    filter => "(cn=" . escape_filter_value($userid) . ")",
);
my $userldapentry = $userdnsearch->shift_entry;
unless ($userldapentry) {
    warn "LDAP Auth failed: no entry found for $userid under $name";
    return 0;
}

# build LDAP hash: attribute name => all values joined by spaces.
# Uses the Net::LDAP::Entry accessors instead of walking the internal
# {asn}{attributes} structure, whose hash key order is not guaranteed
# (the original loop could attach values to the previous attribute name).
my %memberhash;
foreach my $attr ( $userldapentry->attributes ) {
    $memberhash{$attr} = join( ' ', $userldapentry->get_value($attr) ) . ' ';
}

#
# BUILD %borrower to CREATE or MODIFY BORROWER
# change $memberhash{'xxx'} to fit your ldap structure.
# check twice that mandatory fields are correctly filled
#
my %borrower;
$borrower{cardnumber}    = $userid;
$borrower{firstname}     = $memberhash{givenName};                 # MANDATORY FIELD
$borrower{surname}       = $memberhash{sn};                        # MANDATORY FIELD
$borrower{initials}      = substr( $borrower{firstname}, 0, 1 ) . substr( $borrower{surname}, 0, 1 ) . " "; # MANDATORY FIELD
$borrower{streetaddress} = $memberhash{postalAddress} . " ";       # MANDATORY FIELD
$borrower{city}          = $memberhash{l} . " ";                   # MANDATORY FIELD
$borrower{phone}         = $memberhash{telephoneNumber} . " ";     # MANDATORY FIELD
$borrower{branchcode}    = "MERIT";                                # MANDATORY FIELD
$borrower{emailaddress}  = $memberhash{mail};
$borrower{categorycode}  = $memberhash{employeeType};
##################################################
### /LOCAL ###
### No change needed after this line (unless there's a bug ;-) )
##################################################
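As an added illustration (not from the post and not Koha code), the two places where the quoted Auth.pm interpolates the login name, the bind DN and the `(cn=...)` search filter, together with the empty-password guard that the bind-based check needs, in Python. The RFC 4514/4515 escaping is written out because the standard library has no LDAP module; the base DN and the `uid`/`cn` attributes are the ones from the snippet.

```python
# Added example (not Koha code): preparing the login name for the bind DN
# and the lookup filter used in the quoted Auth.pm, and rejecting empty
# credentials before anything is sent to the directory.
from typing import Optional

# RFC 4515: characters that change a filter's structure, written as \hh.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be backslash-escaped inside a DN value.
_DN_SPECIALS = set('",+;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value placed inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)      # leading '#', leading/trailing space, specials
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)


def credentials_usable(userid: str, password: str) -> bool:
    """A simple bind with an empty password is an *unauthenticated* bind, which
    most directories answer with LDAP_SUCCESS without checking anything, so the
    bind-based check is only meaningful when both values are non-empty."""
    return bool(userid) and bool(password)


def prepare_bind(userid: str, password: str,
                 base_dn: str = "ou=users,dc=server,dc=com") -> Optional[dict]:
    """Return the bind DN and lookup filter the Auth.pm snippet needs, or None
    when the credentials must not be sent to the directory at all."""
    if not credentials_usable(userid, password):
        return None
    return {
        "bind_dn": f"uid={escape_dn_value(userid)},{base_dn}",
        "filter": f"(cn={escape_filter_value(userid)})",
    }


if __name__ == "__main__":
    # constructed sample login names, not real accounts
    print(prepare_bind("heupink, mourik jan", "s3cret"))
    print(prepare_bind("jan", ""))
```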
participants (1)
- mourik jan heupink