[Koha] LDAP authentication

mourik jan c heupink heupink at intech.unu.edu
Thu Dec 15 07:54:22 NZDT 2005


I will try it tomorrow, and give feedback to the list.

This solution looks better to me, because also, as far as I understand
things, the old solution will not work when your slapd.conf contains:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
      by self write
      by anonymous auth
      by * none
access to *
      by * read

Anyway, kind regards!

Mourik Jan

 KL Nasveschuk wrote:
> Hi,
>
> I believe I have a solution that will make this work. An anonymous bind
> to LDAP requires us to compare passwords by retrieving the password then
> comparing to what the user has supplied. If passwords stored in LDAP are
> hashed using different mechanisms, the burden of determining what
> mechanism is used is on the Koha application. I changed the code in
> Auth.pm a little so that bind() uses the person's DN and password. The
> burden of what password hash is used is on LDAP and not Koha.
>
> Between local in Auth.pm 
> 	##################################################
> 	### LOCAL
> 	### Change the code below to match your own LDAP server.
> 	##################################################
> 	# LDAP connection parameters
>
> 	# escape_dn_value/escape_filter_value keep a user id containing
> 	# ',' '(' ')' '*' or '\' from being read as DN or filter syntax
> 	use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
>
> 	# LDAP server
> 	my $ldapserver = '172.16.0.24';
>
> 	# Base DN for users
> 	my $name  = "ou=users,dc=tow,dc=net";
>
> 	# Bind uses the user's full DN, if uid doesn't work try "cn"
> #	my $binddn = "cn=" . escape_dn_value($userid) . ",$name";
> 	my $binddn = "uid=" . escape_dn_value($userid) . ",$name";
>
> 	# an empty password must never reach bind(): a DN with no
> 	# credentials is an unauthenticated bind, which some servers accept
> 	return 0 unless defined $password && length $password;
>
> 	my $db = Net::LDAP->new( $ldapserver );
> 	unless ($db) {
> 		warn "LDAP Auth failed: cannot connect to $ldapserver: $@";
> 		return 0;
> 	}
>
> 	# do bind
> 	my $res = $db->bind(
> 			dn       => $binddn,
> 			password => $password);
>
> 	# check connection, any code other than LDAP_SUCCESS (0)
> 	# is a problem
> 	if ($res->code != 0) {
> 		# auth refused
> 		warn "LDAP Auth failed: wrong user/password combination (" . $res->error . ")";
> 		return 0;
> 	# search user
> 	} else {
>
> 		my $userdnsearch = $db->search(base   => $name,
> 				filter => "(cn=" . escape_filter_value($userid) . ")",
> 				);
> 		my $userldapentry = $userdnsearch->shift_entry;
> 		unless ($userldapentry) {
> 			warn "LDAP Auth: bind succeeded but no entry for $userid under $name";
> 			return 0;
> 		}
>
> 		# build LDAP hash: attribute name => its values, each followed by a space
> 		my %memberhash;
> 		foreach my $attr ($userldapentry->attributes) {
> 			foreach my $val ($userldapentry->get_value($attr)) {
> 				$memberhash{$attr} .= $val . " ";
> 			}
> 		}
> 		#
> 		# BUILD %borrower to CREATE or MODIFY BORROWER
> 		# change $memberhash{'xxx'} to fit your ldap structure.
> 		# check twice that mandatory fields are correctly filled
> 		#
> 		my %borrower;
> 		$borrower{cardnumber}    = $userid;
> 		$borrower{firstname}     = $memberhash{givenName}; # MANDATORY FIELD
> 		$borrower{surname}       = $memberhash{sn}; # MANDATORY FIELD
> 		$borrower{initials}      = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # MANDATORY FIELD
> 		$borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
> 		$borrower{city}          = $memberhash{l}." "; # MANDATORY FIELD
> 		$borrower{phone}         = $memberhash{homePhone}." "; # MANDATORY FIELD
> 		$borrower{branchcode}    = $memberhash{businessCategory}; # MANDATORY FIELD
> 		$borrower{emailaddress}  = $memberhash{mail};
> 		$borrower{categorycode}  = $memberhash{employeeType};
> 	##################################################
> 	### /LOCAL
> 	### No change needed after this line (unless there's a bug ;-) )
> 	##################################################
>
> This works for passwords stored in LDAP that use MD5 or SMD5. I imagine
> it will work for other hashing mechanisms also.
>
> Kent N
>   
> On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
>
>> mourik jan c heupink wrote:
>>
>>> Dear Kent and list,
>>>
>>>> I'm using OpenLDAP 2.2.29 on Fedora Core 4.
>>>
>>> I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
>>>
>>>>> And a question to Paul Poulain: which ldap server are you using? I'm on
>>>>> openldap, and things don't work... Koha says the user's password is
>>>>> wrong, where I am pretty sure that it *IS* the right password.
>>>>
>>>> Password encryption is where I think Auth.pm falls down. This entry
>>>>
>>>> These are all the same password. The SMD5, MD5 don't work in Koha; the
>>>> bottom one does. The bottom password was uploaded to LDAP using
>>>> ldapmodify, as clear text. OpenLDAP must have a default method for
>>>> encryption.
>>>>
>>>> I, (we) have to figure a way for the code to try other methods. I'm not
>>>> very well versed in Perl and will have to seek help to get this to
>>>> work.
>>
>> I'm quite good in Perl, but a dummy in LDAP.
>> I just can say that Auth_with_ldap.pm works for sure in Ecole des Mines
>> de Nantes, as I've set it up with the code I've committed.
>> I think, but am not sure, that it's LDAP too, on Solaris.
>>
>> I don't know the structure of the directory, I just used the query the
>> system admin gave me.
>>
>> Sorry, but you'll have to investigate...
>
>
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
>   

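What Kent's message describes, the application pulling userPassword out of the directory and doing the comparison itself, with the hash scheme as its problem, can be made concrete offline. The block below is an added example written for this page; it is not Koha code and not Kent's or Paul's. It implements the comparison for the {MD5}, {SMD5}, {SHA}, {SSHA} and cleartext forms that slappasswd and a bare ldapmodify produce, which is exactly the work a bind as the user's own DN hands back to slapd, and it adds the RFC 4515 escaping that the "(cn=$userid)" filter in the quoted code lacks. The stored values, the salts and the user id "jan)(uid=*" are constructed for the example; {CRYPT} is left out on purpose because it needs the platform crypt(3).

```python
"""Added example (not Koha's, Kent's or Paul's code): what the "retrieve
userPassword and compare" approach must implement scheme by scheme, versus
what a simple bind as the user's DN hands off to slapd.  Also shows RFC 4515
escaping for a user id that is interpolated into a search filter."""
import base64
import hashlib
import hmac

# Raw digest length per scheme; for the salted variants the salt follows the digest.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def parse_userpassword(stored):
    """Split an OpenLDAP userPassword value into (SCHEME, payload).

    A value with no '{scheme}' prefix is stored and compared as cleartext,
    which is what an ldapmodify of a bare string produces."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def check_userpassword(stored, candidate):
    """True if candidate matches stored; ValueError on a scheme not implemented.

    This is the branch the application carries when it does the comparison
    itself.  {CRYPT} is deliberately left out: it needs the platform crypt(3)."""
    scheme, payload = parse_userpassword(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    raw = base64.b64decode(payload)
    n = DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]          # salt is empty for {MD5} and {SHA}
    algo = hashlib.md5 if scheme in ("MD5", "SMD5") else hashlib.sha1
    return hmac.compare_digest(algo(cand + salt).digest(), digest)


def make_userpassword(scheme, password, salt=b""):
    """Build a stored value in slappasswd's format, e.g. '{SSHA}<base64(digest+salt)>'."""
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported scheme {%s}" % scheme)
    if scheme in ("MD5", "SHA") and salt:
        raise ValueError("unsalted scheme given a salt")
    algo = hashlib.md5 if scheme in ("MD5", "SMD5") else hashlib.sha1
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def escape_filter_value(value):
    """RFC 4515 escaping so a user id cannot add filter syntax of its own."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search_filter(userid, attr="cn"):
    """The '(cn=$userid)' search from the quoted code, with the value escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(userid))


# Constructed sample values (not from any real directory): one password
# stored four ways, as in the LDIF the thread talks about.
SAMPLE_PASSWORD = "secret"
SAMPLE_ENTRIES = {
    "md5":   "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",
    "smd5":  make_userpassword("SMD5", SAMPLE_PASSWORD, salt=b"\x01\x02\x03\x04"),
    "ssha":  make_userpassword("SSHA", SAMPLE_PASSWORD, salt=b"saltsalt"),
    "clear": SAMPLE_PASSWORD,
}


def demo():
    """Check every stored form against the right and a wrong password."""
    return {name: (check_userpassword(stored, SAMPLE_PASSWORD),
                   check_userpassword(stored, "wrong"))
            for name, stored in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print("%-5s correct=%s wrong=%s" % (name, ok, bad))
    print(user_search_filter("jan)(uid=*"))   # → (cn=jan\29\28uid=\2a)
```

Run it and each stored form of the same password verifies, the wrong password does not, and the hostile user id comes back as (cn=jan\29\28uid=\2a) instead of a second filter term. Against the slapd.conf ACL quoted at the top of this message the compare path does not even get this far: "by anonymous auth" lets an anonymous client use userPassword for a bind but not read it, so the search returns the entry without that attribute and there is nothing to compare, while the simple bind in Kent's code needs exactly that auth privilege and nothing more.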
