[Koha] LDAP authentication
KL Nasveschuk
klnasveschuk at klnconsulting.net
Fri Dec 16 01:25:11 NZDT 2005
Mourik,
That's why I asked if anyone could shed some light on it. The errors come
from the scripts that say "use strict;".
Below is a typical error message where "use strict;" is not commented
out:
[Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use string ("0") as a HASH ref while "strict refs" in use
at /usr/local/koha/intranet/modules/C4/Auth.pm line 143., referer: http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
When I run into the problem I check either the opac-error_log or
koha-error_log and comment out "use strict;".
Kent N
On Thu, 2005-12-15 at 13:01 +0100, mourik jan c heupink wrote:
> Hi all,
>
> I DO see the problem now...
>
> Cheered too early...
>
> Mourik Jan
>
> mourik jan heupink wrote:
> > Dear Kent and list,
> >
> > I'm not sure if this last mail was only meant to go to me
> > personally... (as you say: Can ANYONE shed some light on this)
> >
> > Anyway, I have tried your code, and it works beautifully.
> >
> > Could you indicate the required steps to generate the errors you talk
> > about? (I've clicked my way through various menus, and no errors so
> > far..)
> >
> > Kind regards,
> > Mourik Jan
> >
> > KL Nasveschuk wrote:
> >> This works but fixed one problem and created another problem. Modifying
> >> "Auth.pm" for LDAP has caused some of the scripts to fail with the error:
> >>
> >> [Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use string ("0") as a HASH ref while "strict refs" in use
> >> at /usr/local/koha/intranet/modules/C4/Auth.pm line 143., referer: http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
> >>
> >> So if I go to opac-main.pl and comment out "use strict;" the script runs.
> >>
> >> Can anyone shed some light on this? I've been up and down Auth.pm and I
> >> think I only changed what was between ##LOCAL /LOCAL## to get LDAP to work.
> >>
> >>
> >>
> >> Kent N
> >>
> >> On Wed, 2005-12-14 at 19:54 +0100, mourik jan c heupink wrote:
> >>
> >>> I will try it tomorrow, and give feedback to the list.
> >>>
> >>> This solution looks better to me, because, as far as I understand
> >>> things, the old solution will also not work when your slapd.conf contains:
> >>>
> >>> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >>>     by self write
> >>>     by anonymous auth
> >>>     by * none
> >>> access to *
> >>>     by * read
> >>>
> >>> Anyway, kind regards!
> >>>
> >>> Mourik Jan
> >>>
> >>> KL Nasveschuk wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I believe I have a solution that will make this work. An anonymous bind
> >>>> to LDAP requires us to compare passwords by retrieving the password then
> >>>> comparing to what the user has supplied. If passwords stored in LDAP are
> >>>> hashed using different mechanisms, the burden of determining what
> >>>> mechanism is used is on the Koha application. I changed the code in
> >>>> Auth.pm a little so that bind() uses the person's DN and password. The
> >>>> burden of what password hash is used is on LDAP and not Koha.
> >>>>
> >>>> Between local in Auth.pm
> >>>> ##################################################
> >>>> ### LOCAL
> >>>> ### Change the code below to match your own LDAP server.
> >>>> ##################################################
> >>>> # LDAP connexion parameters
> >>>>
> >>>> # LDAP server
> >>>> my $ldapserver = '172.16.0.24';
> >>>>
> >>>> # Base DN for users
> >>>> my $name = "ou=users,dc=tow,dc=net";
> >>>>
> >>>> # Bind uses the user's full DN; if uid doesn't work, try "cn"
> >>>> # my $binddn = "cn=$userid,$name";
> >>>> my $binddn = "uid=$userid,$name";
> >>>>
> >>>> my $db = Net::LDAP->new( $ldapserver );
> >>>>
> >>>> # do bind
> >>>> my $res = $db->bind( dn => $binddn, password => $password );
> >>>>
> >>>> # check connexion: any code other than LDAP_SUCCESS (0) is a problem
> >>>> if ( $res->code != 0 ) {
> >>>>     # auth refused
> >>>>     warn "LDAP Auth failed server not responding or wrong user password combination";
> >>>>     return 0;
> >>>> } else {
> >>>>     # search user
> >>>>     my $userdnsearch = $db->search( base => "$name", filter => "(cn=$userid)" );
> >>>>     my $userldapentry = $userdnsearch->shift_entry;
> >>>>
> >>>>     # build LDAP hash
> >>>>     my %memberhash;
> >>>>     my $x = $userldapentry->{asn}{attributes};
> >>>>     my $key;
> >>>>     foreach my $k (@$x) {
> >>>>         foreach my $k2 ( keys %$k ) {
> >>>>             if ( $k2 eq 'type' ) {
> >>>>                 $key = $$k{$k2};
> >>>>             } else {
> >>>>                 my $a = $$k{$k2};    # arrayref of values for this attribute
> >>>>                 foreach my $k3 (@$a) {
> >>>>                     $memberhash{$key} .= $k3 . " ";
> >>>>                 }
> >>>>             }
> >>>>         }
> >>>>     }
> >>>>     #
> >>>>     # BUILD %borrower to CREATE or MODIFY BORROWER
> >>>>     # change $memberhash{'xxx'} to fit your ldap structure.
> >>>>     # check twice that mandatory fields are correctly filled
> >>>>     #
> >>>>     my %borrower;
> >>>>     $borrower{cardnumber}    = $userid;
> >>>>     $borrower{firstname}     = $memberhash{givenName};    # MANDATORY FIELD
> >>>>     $borrower{surname}       = $memberhash{sn};           # MANDATORY FIELD
> >>>>     $borrower{initials}      = substr( $borrower{firstname}, 0, 1 ) . substr( $borrower{surname}, 0, 1 ) . " ";    # MANDATORY FIELD
> >>>>     $borrower{streetaddress} = $memberhash{homePostalAddress} . " ";    # MANDATORY FIELD
> >>>>     $borrower{city}          = $memberhash{l} . " ";                    # MANDATORY FIELD
> >>>>     $borrower{phone}         = $memberhash{homePhone} . " ";            # MANDATORY FIELD
> >>>>     $borrower{branchcode}    = $memberhash{businessCategory};           # MANDATORY FIELD
> >>>>     $borrower{emailaddress}  = $memberhash{mail};
> >>>>     $borrower{categorycode}  = $memberhash{employeeType};
> >>>> ##################################################
> >>>> ### /LOCAL
> >>>> ### No change needed after this line (unless there's a bug ;-) )
> >>>> ##################################################
> >>>>
> >>>> This works for passwords stored in LDAP that use MD5 or SMD5. I imagine
> >>>> it will work for other hashing mechanisms also.
> >>>>
> >>>> Kent N
> >>>> On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
> >>>>
> >>>>> mourik jan c heupink wrote:
> >>>>>
> >>>>>> Dear Kent and list,
> >>>>>>
> >>>>>>
> >>>>>>> I'm using OpenLDAP 2.2.29 on Fedora Core 4.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
> >>>>>>
> >>>>>>
> >>>>>>>> And a question to Paul Poulain: which ldap server are you
> >>>>>>>> using? I'm on openldap, and things don't work... Koha says the
> >>>>>>>> user's password is wrong, where I am pretty sure that it *IS*
> >>>>>>>> the right password.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Password encryption is where I think Auth.pm falls down. This entry
> >>>>>>>
> >>>>>>> These are all the same password. The SMD5 and MD5 ones don't work in
> >>>>>>> Koha; the bottom one does. The bottom password was uploaded to LDAP using
> >>>>>>> ldapmodify, as clear text. OpenLDAP must have a default method for
> >>>>>>> encryption.
> >>>>>>>
> >>>>>>> I, (we) have to figure a way for the code to try other methods. I'm not
> >>>>>>> very well versed in Perl and will have to seek help to get this to
> >>>>>>> work.
> >>>>> I'm quite good in Perl, but a dummy in LDAP.
> >>>>> I just can say that Auth_with_ldap.pm works for sure in Ecole des
> >>>>> Mines de Nantes, as I've set it up with the code I've committed.
> >>>>> I think, but am not sure, that it's LDAP too, on Solaris.
> >>>>>
> >>>>> I don't know the structure of the directory, I just used the query
> >>>>> the system admin gave me.
> >>>>>
> >>>>> Sorry, but you'll have to investigate...
> >>>>>
> >>>> _______________________________________________
> >>>> Koha mailing list
> >>>> Koha at lists.katipo.co.nz
> >>>> http://lists.katipo.co.nz/mailman/listinfo/koha
> >>>>
> >>>
> >>>
> >>
> >>
>
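The bind-as-user check discussed in this thread, rewritten as an added example (not Koha's Auth.pm and not Kent's code) to show why the "0" return value trips "use strict": the function returns a hashref or undef, the caller tests for that instead of disabling strict, and the uid is escaped and an empty password refused before binding. Server address and base DN are the hypothetical values from the thread; the caller at the bottom is only for running it from the command line.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

# Hypothetical server and base DN, taken from the values in the thread.
my $ldapserver = '172.16.0.24';
my $basedn     = 'ou=users,dc=tow,dc=net';

# Returns a hashref of borrower fields on success and undef on failure.
# It never returns 0: a "0" is what the caller was dereferencing when
# "use strict" raised the HASH ref error.
sub ldap_check_pw {
    my ($userid, $password) = @_;

    # Reject an empty password before binding: RFC 4513 treats a DN with an
    # empty password as an unauthenticated bind, and some directories answer
    # that with LDAP_SUCCESS, which would log the user in.
    return undef unless defined $password && length $password;
    return undef unless defined $userid && $userid =~ /^[\w.@-]+\z/;

    my $db = Net::LDAP->new($ldapserver) or return undef;
    # Escape the uid so a crafted userid cannot change the DN structure.
    my $binddn = 'uid=' . escape_dn_value($userid) . ",$basedn";
    my $res    = $db->bind($binddn, password => $password);
    if ($res->code != 0) {    # anything but LDAP_SUCCESS
        warn "LDAP bind failed for $binddn: " . $res->error;
        $db->unbind;
        return undef;
    }
    # Read the bound user's own entry (scope base) instead of searching on cn,
    # so the attributes come from the same DN the password was verified against.
    my $search = $db->search(
        base   => $binddn,
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => [qw(givenName sn mail)],
    );
    my $entry = $search->shift_entry;
    $db->unbind;
    return undef unless $entry;
    return {
        cardnumber   => $userid,
        firstname    => scalar $entry->get_value('givenName'),
        surname      => scalar $entry->get_value('sn'),
        emailaddress => scalar $entry->get_value('mail'),
    };
}

# Caller: test the contract rather than commenting out "use strict;".
my $borrower = ldap_check_pw(@ARGV);
die "authentication failed\n" unless ref $borrower eq 'HASH';
print "welcome $borrower->{firstname} $borrower->{surname}\n";
```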