[Koha] ldap in 2.2.6RC2

mourik jan heupink heupink at merit.unu.edu
Fri Sep 15 22:31:06 NZST 2006


Dear list,

There has been some discussion on koha at lists.katipo.co.nz about the ldap 
authentication bit of koha (mostly in December 2005). The outcome of 
that discussion was (as far as I understood it) that the actual checking 
of the password should be done by trying to connect (authenticate) to 
the ldap server with a specific username/password and see if ldap 
accepts the connection.

What koha does: It tries to receive the password field from the ldap 
server, and compares that to the password the user has typed, to check 
if they are the same.

There are some problems with this approach:
- most (if not all..?) ldap servers will be configured NOT to provide a 
user's password to an anonymous connection. Meaning koha would have to 
log on with a rootdn (or use ACLs) to be able to 'read' the user's password.
- if the ldap server uses a way to encrypt the password, comparing the 
(encrypted) password with the plain text (or otherwise encrypted) 
password will not give the desired result.

Anyway, a solution was provided on this list. To my surprise I noticed 
that in the new koha 2.2.6RC2 the old method was still in place.

Is there anything I missed? Are there reasons NOT to use the approach of 
trying to connect (authenticate) to the ldap server with a specific 
username/password? Does it break other things?

The Auth.pm provided by KL Nasveschuk is quoted below, and works here.

Kind regards,
Mourik Jan

    ##################################################
    ### LOCAL
    ### Change the code below to match your own LDAP server.
    ##################################################

    use Net::LDAP;
    use Net::LDAP::Util qw(escape_filter_value);

    # LDAP connection parameters

    # LDAP server
    my $ldapserver = 'ldap.server.com';

    # Base DN for users
    my $name  = "ou=users,dc=server,dc=com";

    # Bind uses the user's full DN, if uid doesn't work try "cn"
    my $binddn = "uid=$userid,$name";

    # An empty password would make bind() perform an unauthenticated
    # (anonymous) bind, which most servers accept; refuse it up front.
    if ( !defined $password || $password eq '' ) {
        warn "LDAP Auth failed: empty password for $binddn";
        return 0;
    }

    my $db = Net::LDAP->new( $ldapserver );
    unless ( defined $db ) {
        warn "LDAP Auth failed: cannot connect to $ldapserver: $@";
        return 0;
    }

    # do bind
    my $res = $db->bind(
            dn       => $binddn,
            password => $password);

    # check connection, any result code other than LDAP_SUCCESS (0)
    # is a problem
    if ( $res->code != 0 ) {
        # auth refused
        warn "LDAP Auth failed server not responding or wrong user password combination";
        return 0;
    # search user
    } else {

        # $userid is user input: escape it so it cannot alter the filter.
        # The attribute used here must be the one holding the login name.
        my $userdnsearch = $db->search(base => "$name",
                filter => "(cn=" . escape_filter_value($userid) . ")",
                );
        my $userldapentry = $userdnsearch->shift_entry;
        unless ( defined $userldapentry ) {
            warn "LDAP Auth: bind succeeded but no entry found for $userid";
            return 0;
        }

        # build LDAP hash: attribute name => all values joined by spaces
        # (uses the public Net::LDAP::Entry methods instead of poking
        # into the entry's internal ASN structure)
        my %memberhash;
        foreach my $attr ( $userldapentry->attributes ) {
            $memberhash{$attr} = join( " ", $userldapentry->get_value($attr) ) . " ";
        }
        #
        # BUILD %borrower to CREATE or MODIFY BORROWER
        # change $memberhash{'xxx'} to fit your ldap structure.
        # check twice that mandatory fields are correctly filled
        #
        my %borrower;
        $borrower{cardnumber} = $userid;
        $borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
        $borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
        $borrower{initials} = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # MANDATORY FIELD
        $borrower{streetaddress} = $memberhash{postalAddress}." "; # MANDATORY FIELD
        $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
        $borrower{phone} = $memberhash{telephoneNumber}." "; # MANDATORY FIELD
        $borrower{branchcode} = "MERIT"; # MANDATORY FIELD
        $borrower{emailaddress} = $memberhash{mail};
        $borrower{categorycode} = $memberhash{employeeType};

    ##################################################
    ### /LOCAL
    ### No change needed after this line (unless there's a bug ;-) )
    ##################################################
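To illustrate the second problem listed above (why comparing a fetched userPassword with what the user typed fails, and what a compare-based check would have to know about the directory's storage scheme), here is an added example in Python; it is not code from this post or from Koha. It assumes the common {SSHA} storage form, base64(sha1(password + salt) + salt), and the sample value is constructed inline; every other scheme ({CRYPT}, {MD5}, {SASL}, ...) would need its own verifier, which is exactly what a bind delegates to the server.

```python
import base64
import hashlib
import hmac

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password: str, salt: bytes) -> str:
    """Build a userPassword value in the {SSHA} form many directories store:
    base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def naive_compare(stored: str, typed: str) -> bool:
    """The 'read userPassword and compare' approach: plain string equality.
    Always False for a hashed value, even when the typed password is right."""
    return stored == typed


def verify_ssha(stored: str, typed: str) -> bool:
    """Scheme-aware check: recover the salt from the stored value, re-hash the
    typed password with it and compare the digests in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value; other schemes need their own verifier")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt length is whatever follows
    candidate = hashlib.sha1(typed.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample: what an entry's userPassword could look like for "s3cret".
SAMPLE_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_STORED = make_ssha("s3cret", SAMPLE_SALT)

if __name__ == "__main__":
    print("stored value:                   ", SAMPLE_STORED)
    print("naive compare, correct password:", naive_compare(SAMPLE_STORED, "s3cret"))
    print("scheme-aware, correct password: ", verify_ssha(SAMPLE_STORED, "s3cret"))
    print("scheme-aware, wrong password:   ", verify_ssha(SAMPLE_STORED, "wrong"))
```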