Hello,

I'm still trying to get LDAP authentication to work on Koha. I've modified Auth.pm with the following:

##################################################
### LOCAL
### Change the code below to match your own LDAP server.
##################################################
# LDAP connexion parameters
my $ldapserver = '172.16.0.24';
# Infos to do an anonymous bind
my $ldapinfos = 'ou=users,dc=tow,dc=net ';
my $name = "ou=users,dc=tow,dc=net";
my $db = Net::LDAP->new( $ldapserver );
# do an anonymous bind
my $res = $db->bind();
# check connexion
if ( $res->code ) {
    # auth refused
    warn "LDAP Auth impossible : server not responding";
    return 0;
# search user
} else {
    my $userdnsearch = $db->search( base => "$name", filter => "(uid=$userid)", );
    if ( $userdnsearch->code || ! ( $userdnsearch->count eq 1 ) ) {
        warn "LDAP Auth impossible : user unknown in LDAP";
        return 0;
    };
    # compare a-weak with $password.
    # The a-weak LDAP field contains the password
    my $userldapentry = $userdnsearch->shift_entry;
    my $cmpmesg = $db->compare( $userldapentry, attr => 'userPassword', value => $password );
    if ( $cmpmesg->code != 6 ) {
        warn "LDAP Auth impossible : wrong password $userldapentry";
        return 0;
    };
    # build LDAP hash
    my %memberhash;
    my $x = $userldapentry->{asn}{attributes};
    my $key;
    foreach my $k ( @$x ) {
        foreach my $k2 ( keys %$k ) {
            if ( $k2 eq 'type' ) {
                $key = $$k{$k2};
            } else {
                my $a = @$k{$k2};
                foreach my $k3 ( @$a ) {
                    $memberhash{$key} .= $k3 . " ";
                }
            }
        }
    }
    #
    # BUILD %borrower to CREATE or MODIFY BORROWER
    # change $memberhash{'xxx'} to fit your ldap structure.
    # check twice that mandatory fields are correctly filled
    #
    my %borrower;
    $borrower{cardnumber}    = $userid;
    $borrower{firstname}     = $memberhash{givenName}; # MANDATORY FIELD
    $borrower{surname}       = $memberhash{sn}; # MANDATORY FIELD
    $borrower{initials}      = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)." "; # MANDATORY FIELD
    $borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
    $borrower{city}          = $memberhash{l}." "; # MANDATORY FIELD
    $borrower{phone}         = $memberhash{homePhone}." "; # MANDATORY FIELD
    $borrower{branchcode}    = $memberhash{businessCategory}; # MANDATORY FIELD
    $borrower{emailaddress}  = $memberhash{mail};
    $borrower{categorycode}  = $memberhash{employeeType};
##################################################
### /LOCAL
### No change needed after this line (unless there's a bug ;-) )
##################################################

The error message I get in opac-err_log is:

[Mon Dec 12 12:04:36 2005] [error] [client 172.16.60.186] LDAP Auth impossible : user unknown in LDAP at /usr/local/koha/intranet/modules/C4/Auth.pm line 464.

Is there any way to modify this to get error messages printed to opac-error_log, or use a specific user to search the directory? I'm not very good at Perl unfortunately, better at PHP.

Kent N
hello all!

Sorry... I have no solution, but just wanted to let you and the list know that I am following this thread with great interest, as I also want to use ldap with koha, and was unable to get it to work...

Kind regards,
Mourik Jan

KL Nasveschuk wrote:
_______________________________________________ Koha mailing list Koha@lists.katipo.co.nz http://lists.katipo.co.nz/mailman/listinfo/koha
KL Nasveschuk wrote:
this log
[Mon Dec 12 12:04:36 2005] [error] [client 172.16.60.186] LDAP Auth impossible : user unknown in LDAP at /usr/local/koha/intranet/modules/C4/Auth.pm line 464.
means you have an error in the following code :
my $userdnsearch = $db->search( base => "$name", filter => "(uid=$userid)", );
if ( $userdnsearch->code || ! ( $userdnsearch->count eq 1 ) ) {
    warn "LDAP Auth impossible : user unknown in LDAP";
    return 0;
};
That means:
* the connection was successful (otherwise, you would have "LDAP Auth impossible : server not responding"). Good news ;-)
* the LDAP search failed. Meaning: uid=$userid is probably not what you had to do. The query you have to do depends on your LDAP structure, I can't help you more.

Just another hint. Change to:

warn "LDAP Auth impossible : user unknown in LDAP for $userid";

to see which value is in $userid! That could help you.

HTH

Anyway, I can assure you I have 1 (and soon 2) libraries using LDAP auth. Quite tricky to tune, but works fine when it's done!

Just one reminder: the member record is created in Koha when the user logs in to the OPAC. So you MUST request all your users to log in at least once. That's a good solution to show you now "have the great free ILS called Koha" & show what it can do.

--
Paul POULAIN
Independent consultant in free software
French-speaking Koha coordinator (free ILS, http://www.koha-fr.org)
Hello,

The query to LDAP works correctly. I put the ldap server in debug (slapd -d 3) and watch what transpires. In debug mode ldap returns all attributes for a user on search (error and output goes to screen).

If I put in a bogus uid it returns: bdb_search: no candidates

Cn or uid works, I guess it just matters what is being indexed in LDAP.

I can't determine what is happening on the Koha side. Any suggestions on how to better debug the Perl side (from anyone)? Just wondering if Perl is using one password hashing algorithm which is not the same as what is in LDAP.

Ex. of LDAP attribute stored in userPassword:
SMD5}ox3RAPB79VIHB+KZZw+dpxKIx3A

Kent N

On Mon, 2005-12-12 at 16:46 +0100, Paul POULAIN wrote:
Dear Kent,

I am no ldap expert at all, but I did notice in your Auth.pm:

my $userdnsearch = $db->search( base => "$name", filter => "(uid=$userid)", );

maybe instead of "$name" it should say $name (without ") (that's what it says in my version of the file, and I don't think we are meant to change that...?)

And a question to Paul Poulain: which ldap server are you using? I'm on openldap, and things don't work... Koha says the user's password is wrong, where I am pretty sure that it *IS* the right password. Could there be differences with password encryption between various ldap servers..?

Kind regards!
Mourik Jan

KL Nasveschuk wrote:
On Tue, 2005-12-13 at 12:33 +0100, mourik jan c heupink wrote:
Dear Kent,
I am no ldap expert at all, but I did notice in your Auth.pm:
This works though. I also used cn instead of uid. When I put the LDAP server in debug it returns the correct user and all attributes.
my $userdnsearch = $db->search(base => "$name", filter =>"(uid=$userid)", );
maybe instead of "$name" it should say $name (without ") (that's what it says in my version of the file, and I don't think we are meant to change that...?)
I'm using OpenLDAP 2.2.29 on Fedora Core 4.
And a question to Paul Poulain: which ldap server are you using? I'm on openldap, and things don't work... Koha says the users's password is wrong, where I am pretty sure that it *IS* the right password.
Password encryption is where I think Auth.pm falls down. This entry

my $cmpmesg = $db->compare( $userldapentry, attr => 'userPassword', value => $password );

seems to compare a password encrypted by another method to what is in LDAP. In my case passwords are encrypted using a couple of different methods. Here's a typical password entry in LDAP as attribute userPassword:

{SMD5}KjuP+wOsUoBqpDSv3zOeH/+1XmY=
{MD5}tNsHZEz+OsGo5TKotec1Hg==
Mjg2Ymx1ZTZn

These are all the same password. The SMD5 and MD5 ones don't work in Koha; the bottom one does. The bottom password was uploaded to LDAP using ldapmodify, as clear text. OpenLDAP must have a default method for encryption. I (we) have to figure a way for the code to try other methods. I'm not very well versed in Perl and will have to seek help to get this to work.
Could there be differences with passwords encryption between various ldap servers..?
You can store an encrypted password in any form in LDAP. LDAP doesn't care.

Kent N
Kind regards!
Mourik Jan
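The three userPassword values quoted in the message above are in the {SCHEME}base64 form OpenLDAP uses: {MD5} is the bare digest, {SMD5} is md5(password + salt) with the salt appended, and a value with no prefix is whatever cleartext ldapmodify was given. The following is an added example, not Koha code and not from anyone on the list, that builds and verifies such values with the core Digest::MD5, Digest::SHA and MIME::Base64 modules. It goes slightly beyond the thread by also covering {SHA}/{SSHA}, OpenLDAP's default scheme. The password and salts are constructed for the demo; they are not real directory data.

```perl
#!/usr/bin/perl
# Added example, not Koha code: how {SCHEME}base64 userPassword values are
# built and verified, and why comparing the cleartext to the stored value
# can only ever match the cleartext entry.
use strict;
use warnings;
use Digest::MD5  qw(md5);
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Build a stored value the way slapd's password-hash setting would:
# {MD5}/{SHA} are plain digests, {SMD5}/{SSHA} digest password.salt and
# store the salt after the digest so it can be recovered on verification.
sub make_userpassword {
    my ($scheme, $plain, $salt) = @_;
    $salt = '' unless defined $salt;
    my %digest_of = (
        MD5  => sub { md5($_[0]) },
        SMD5 => sub { md5($_[0] . $salt) . $salt },
        SHA  => sub { sha1($_[0]) },
        SSHA => sub { sha1($_[0] . $salt) . $salt },
    );
    my $fn = $digest_of{$scheme} or die "unsupported scheme $scheme";
    return "{$scheme}" . encode_base64($fn->($plain), '');
}

# Verify a candidate the way the server does on a bind: strip the prefix,
# decode, take the salt from the tail of a salted digest, recompute, compare.
# A value with no {SCHEME} prefix is cleartext and is compared directly.
sub check_userpassword {
    my ($stored, $candidate) = @_;
    return ($stored eq $candidate ? 1 : 0) unless $stored =~ /^\{(\w+)\}(.*)$/s;
    my ($scheme, $raw) = (uc $1, decode_base64($2));
    my ($len, $hashfn);
    if    ($scheme eq 'MD5' || $scheme eq 'SMD5') { ($len, $hashfn) = (16, \&md5);  }
    elsif ($scheme eq 'SHA' || $scheme eq 'SSHA') { ($len, $hashfn) = (20, \&sha1); }
    else  { return 0; }                  # unknown scheme ({CRYPT}, ...): fail closed
    return 0 if length($raw) < $len;
    my $salt = $scheme =~ /^S/ ? substr($raw, $len) : '';
    return ($hashfn->($candidate . $salt) . $salt) eq $raw ? 1 : 0;
}

# Constructed demo: one password stored four ways, as in the message above.
my $plain  = 'library-demo-pw';
my @stored = (
    make_userpassword('SMD5', $plain, 'abcd'),
    make_userpassword('MD5',  $plain),
    make_userpassword('SSHA', $plain, 'wxyz'),   # OpenLDAP's default scheme
    $plain,                                      # stored as cleartext
);
printf "%-50s %-8s %-8s %s\n", 'stored value', 'correct', 'wrong', 'raw compare';
for my $s (@stored) {
    printf "%-50s %-8d %-8d %d\n", $s,
        check_userpassword($s, $plain),
        check_userpassword($s, 'not-the-password'),
        ($s eq $plain ? 1 : 0);   # what matching the cleartext against the raw value gives
}
```

The last column reproduces Kent's observation: a byte-for-byte match of the supplied password against the stored value succeeds only for the cleartext entry, while the scheme-aware check passes for all four. That is the check the directory performs itself on a simple bind, which is why binding as the user (rather than fetching and comparing userPassword) works regardless of the scheme in use.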
mourik jan c heupink wrote:
Dear Kent and list,
I'm using OpenLDAP 2.2.29 on Fedora Core 4.
I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
And a question to Paul Poulain: which ldap server are you using? I'm on openldap, and things don't work... Koha says the users's password is wrong, where I am pretty sure that it *IS* the right password.
Password encryption is where I think Auth.pm falls down. This entry
These are all the same password. The SMD5,MD5 doesn't work in Koha the bottom one does. The bottom password was uploaded to LDAP using ldapmodify, as clear text. OpenLDAP must have a default method for encryption.
I, (we) have to figure a way for the code to try other methods. I'm not very well versed in Perl and will have to seek help to get this to work.
I'm quite good in Perl, but a dummy in LDAP. I just can say that Auth_with_ldap.pm works for sure at Ecole des Mines de Nantes, as I've set it up with the code I've committed. I think, but am not sure, that it's LDAP too, on Solaris. I don't know the structure of the directory, I just used the query the system admin gave me.

Sorry, but you'll have to investigate...

--
Paul POULAIN
Independent consultant in free software
French-speaking Koha coordinator (free ILS, http://www.koha-fr.org)
Hi,

I believe I have a solution that will make this work. An anonymous bind to LDAP requires us to compare passwords by retrieving the password then comparing to what the user has supplied. If passwords stored in LDAP are hashed using different mechanisms, the burden of determining what mechanism is used is on the Koha application. I changed the code in Auth.pm a little so that bind() uses the person's DN and password. The burden of what password hash is used is on LDAP and not Koha.

Between local in Auth.pm:

##################################################
### LOCAL
### Change the code below to match your own LDAP server.
##################################################
# LDAP connexion parameters

# LDAP server
my $ldapserver = '172.16.0.24';

# Base DN for users
my $name = "ou=users,dc=tow,dc=net";

# Bind uses the users full DN, if uid doesn't work try "cn"
# my $binddn = "cn=$userid,$name";
my $binddn = "uid=$userid,$name";

my $db = Net::LDAP->new( $ldapserver );

# do bind
my $res = $db->bind( dn => $binddn, password => $password );

# check connexion, anything other code than LDAP_SUCCESS (0)
# is a problem
if ( $res->code != 0 ) {
    # auth refused
    warn "LDAP Auth failed server not responding or wrong user password combination";
    return 0;
# search user
} else {
    my $userdnsearch = $db->search( base => "$name", filter => "(cn=$userid)", );
    my $userldapentry = $userdnsearch->shift_entry;
    # build LDAP hash
    my %memberhash;
    my $x = $userldapentry->{asn}{attributes};
    my $key;
    foreach my $k ( @$x ) {
        foreach my $k2 ( keys %$k ) {
            if ( $k2 eq 'type' ) {
                $key = $$k{$k2};
            } else {
                my $a = @$k{$k2};
                foreach my $k3 ( @$a ) {
                    $memberhash{$key} .= $k3 . " ";
                }
            }
        }
    }
    #
    # BUILD %borrower to CREATE or MODIFY BORROWER
    # change $memberhash{'xxx'} to fit your ldap structure.
    # check twice that mandatory fields are correctly filled
    #
    my %borrower;
    $borrower{cardnumber}    = $userid;
    $borrower{firstname}     = $memberhash{givenName}; # MANDATORY FIELD
    $borrower{surname}       = $memberhash{sn}; # MANDATORY FIELD
    $borrower{initials}      = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)." "; # MANDATORY FIELD
    $borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
    $borrower{city}          = $memberhash{l}." "; # MANDATORY FIELD
    $borrower{phone}         = $memberhash{homePhone}." "; # MANDATORY FIELD
    $borrower{branchcode}    = $memberhash{businessCategory}; # MANDATORY FIELD
    $borrower{emailaddress}  = $memberhash{mail};
    $borrower{categorycode}  = $memberhash{employeeType};
##################################################
### /LOCAL
### No change needed after this line (unless there's a bug ;-) )
##################################################

This works for passwords stored in LDAP that use MD5 or SMD5. I imagine it will work for other hashing mechanisms also.

Kent N

On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
I will try it tomorrow, and give feedback to the list. This solution looks better to me, because also, as far as I understand things, the old solution will not work when your slapd.conf contains:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read

Anyway, kind regards!
Mourik Jan

KL Nasveschuk wrote:
KL Nasveschuk <klnasveschuk@klnconsulting.net> writes:
# do an anonymous bind
my $res = $db->bind();
For testing the ldap passwd here, I need to patch this code not to do an anonymous bind. I don't use the compare() function. I just do:

my $res = $db->bind( "uid=$userid,$name", password => $password );
# check connexion
if ( $res->code ) {
    # auth refused
    #warn "LDAP Auth: not binded";
    return 0;
}

--
Bruno Marmol.
Engineer at the Scientific Information and Communication Directorate
Email: Bruno.Marmol@Inrialpes.Fr - Tel: 04 76 61 53 04 - Fax: 04 76 61 52 52
Inria Rhône Alpes. ZIRST - 655 Av de l'Europe. - Montbonnot St Martin
38334 St Ismier Cedex - France
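Kent's rewrite, Bruno's patch and Mourik's slapd.conf question all come down to the same technique: bind to the directory as the user's own DN and let the server verify the password. The following is an added example, written for this thread and not taken from Koha's Auth.pm or from any of the posters, that does the same with Net::LDAP plus the checks a production login path wants: it refuses an empty password (with an empty password many servers treat the bind as anonymous and still report success, the "unauthenticated" bind of RFC 4513 section 5.1.2), escapes the RDN value so a user id containing ',' or '=' cannot name a different entry, can require STARTTLS before the password leaves the host, and reads the entry back by its DN over the authenticated session instead of running a second filter on $userid. The host name, base DN and %cfg hash are placeholders I assumed; the only functions used are Net::LDAP's own (new, start_tls, bind, search, unbind, get_value, escape_dn_value).

```perl
#!/usr/bin/perl
# Added example, not Koha's Auth.pm: authenticate by binding as the user's
# own DN so the directory verifies the password whatever hash scheme it
# stores, then read the entry over that authenticated session.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Util     qw(escape_dn_value);

# Assumed site settings (placeholders, not any list member's server).
my %cfg = (
    server => 'ldap.example.org',
    base   => 'ou=users,dc=example,dc=org',
    rdn    => 'uid',   # use 'cn' if entries are named cn=..., as Kent's were
    cafile => undef,   # path to a CA bundle to require STARTTLS before binding
);

# Returns a borrower hashref on success; warns to the Apache error log
# (as Auth.pm does) and returns nothing on failure.
sub ldap_authenticate {
    my ($userid, $password) = @_;

    # Refuse empty credentials before talking to the server: an empty
    # password can turn the bind into an anonymous one that "succeeds".
    unless (defined $userid && length $userid && defined $password && length $password) {
        warn "LDAP auth refused: empty user id or password";
        return;
    }

    my $ldap = Net::LDAP->new($cfg{server}, timeout => 10)
        or do { warn "LDAP auth failed: cannot reach $cfg{server}: $@"; return };

    # Optional STARTTLS so the password is not sent in clear over ldap://.
    if (defined $cfg{cafile}) {
        my $tls = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
        if ($tls->code != LDAP_SUCCESS) {
            warn "LDAP auth failed: STARTTLS refused: " . $tls->error;
            return;
        }
    }

    # Escape the RDN value so the user id cannot change which entry we bind as.
    my $dn  = "$cfg{rdn}=" . escape_dn_value($userid) . ",$cfg{base}";
    my $res = $ldap->bind($dn, password => $password);
    if ($res->code != LDAP_SUCCESS) {
        # Log the detail server-side; the caller gets the same empty return
        # for "no such entry" and "wrong password".
        warn $res->code == LDAP_INVALID_CREDENTIALS
            ? "LDAP auth failed: invalid credentials for $dn"
            : "LDAP auth failed: " . $res->error;
        $ldap->unbind;
        return;
    }

    # Read the entry by DN (base scope) as the user. No filter is built from
    # $userid, so nothing else needs escaping, and a "by self" ACL suffices.
    my $search = $ldap->search(base => $dn, scope => 'base', filter => '(objectClass=*)');
    my $entry  = $search->count == 1 ? $search->entry(0) : undef;
    $ldap->unbind;
    unless ($entry) {
        warn "LDAP auth failed: bound as $dn but could not read the entry";
        return;
    }

    # get_value returns undef for a missing attribute, which is easier to
    # check than walking ->{asn}{attributes} as Auth.pm does.
    return {
        cardnumber => $userid,
        firstname  => $entry->get_value('givenName'),
        surname    => $entry->get_value('sn'),
        email      => $entry->get_value('mail'),
        branchcode => $entry->get_value('businessCategory'),
    };
}

# Usage (runs only against a real directory):
# my $borrower = ldap_authenticate('jdoe', 'secret') or die "login failed\n";
```

On Mourik's ACL: OpenLDAP's access levels are ordered none < disclose < auth < compare < search < read < write, so "by anonymous auth" on userPassword allows an anonymous session to bind but not to compare against the attribute. That is exactly why the original compare() path fails under that configuration while the bind-as-user path works, and why the ACL should stay as Mourik has it rather than being loosened to let the compare through.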
Yesterday at 8:59am -0500 KL Nasveschuk wrote:
I'm still trying to get LDAP authentication to work on Koha. I've modified Auth.pm with the following:
<snip>
LDAP Auth impossible : user unknown in LDAP
If user exists, then are you able to get it authenticated?

--
H. S. Rai
http://www.grex.org/~hsrai | Alternate E-mail: hsrai@gndec.ac.in
participants (5)
- Bruno Marmol
- H S Rai
- KL Nasveschuk
- mourik jan c heupink
- Paul POULAIN