[Koha] Koha Digest, Vol 40, Issue 35
Library Guy
library.guy.zero at gmail.com
Tue Jul 14 09:03:04 NZST 2009
James, I'm running Koha 3.00.02 which includes the new
<auth_by_bind>1</auth_by_bind> for Active Directory, but I still cannot
authenticate against our M$ LDAP. The Koha OPAC reports "Error: Invalid
Username or Password." Specifically, I'm unsure what to do with the
<password></password> tag because our Microsoft AD LDAP schema has no
exposed "userpassword". Do I simply use <password = ""></password>? I
wish to create and update Koha user records when they log in to Koha, so I
have:
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>ldap://ldap.example.com:389</hostname>
  <base>dc=example,dc=com</base>
  <user>CN=KOHA_LDAP_USER</user>   <!-- DN, if not anonymous -->
  <pass>secretpasswd</pass>        <!-- password, if not anonymous -->
  <replicate>1</replicate>         <!-- add new users from LDAP to Koha database -->
  <update>1</update>               <!-- update existing users in Koha database -->
  <auth_by_bind>1</auth_by_bind>   <!-- set to 1 to authenticate by binding instead of
                                        password comparison, e.g., to use Active Directory -->
  <mapping>  <!-- match koha SQL field names to your LDAP record field names -->
    <firstname is="givenName" ></firstname>
    <surname is="sn" ></surname>
    <address is="streetAddress" ></address>
    <city is="l" ></city>
    <zipcode is="postalCode" ></zipcode>
    <userid is="sAMAccountName" ></userid>
    <password is="" ></password>
    <email is="mail" ></email>
    <phone is="telephoneNumber"></phone>
  </mapping>
</ldapserver>
After a failed login attempt, /var/log/koha/koha-error_log :
[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: LDAP Auth rejected : invalid password for user 'johndoe'. LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE, referer: http://koha.example.com:8080/cgi-bin/koha/mainpage.pl
[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: # The request referenced an attribute that does not exist, referer: http://koha.example.com:8080/cgi-bin/koha/mainpage.pl
[Mon Jul 13 15:56:11 2009] [error] [client] [Mon Jul 13 15:56:11 2009] mainpage.pl: , referer: http://koha.example.com:8080/cgi-bin/koha/mainpage.pl
thank you!
> 1. Re: FW: Koha 3.0 LDAP Question? (Winter, James)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 13 Feb 2009 09:52:45 -0500
> From: "Winter, James" <WinterJ at arcadia.edu>
> Subject: Re: [Koha] FW: Koha 3.0 LDAP Question?
> To: "Barry Cannon" <bc at interleaf.ie>
> Cc: koha at lists.katipo.co.nz
> Message-ID:
> <195366CE4CF91245936298EEA68FEA980AE3C41E at BISHOP.arcadia.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> Did you comment out the two lines in Auth_with_ldap.pm? If so, it won't
> update or replicate the data. If you didn't, I would make sure you have
> the property names correct. I would start with the required fields
> (surname, address, city, branchcode, categorycode).
>
>
>
> Try using default values by setting is="" for those properties and put
> text between the tags. <address is="">123 Test Street</address> for
> example. If a person is created successfully with default values then
> it's a property name problem. If not, it's a Koha problem.
>
>
>
> James Winter
>
> 215.517.2588
>
>
>
> From: Barry Cannon [mailto:bc at interleaf.ie]
> Sent: Friday, February 13, 2009 7:31 AM
> To: Winter, James
> Cc: koha at lists.katipo.co.nz
> Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?
>
>
>
> James,
>
> Thanks for this info...I can now authenticate against my
> LDAP server with no problems. However, when I start enabling <replicate>
> and <update> to try and add the AD users into Koha the replication
> doesn't occur. The authentication still works but the users' information,
> as per mappings, doesn't come across into Koha. There are no errors
> either?
>
>
>
> Does anyone have any suggestions?
>
>
>
> Thanks
>
> Bar
>
>
>
> From: Winter, James [mailto:WinterJ at arcadia.edu]
> Sent: 12 February 2009 17:35
> To: Barry Cannon
> Cc: koha at lists.katipo.co.nz
> Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?
>
>
>
> Sure, it took me a while to get it working, but we have it working now.
>
>
>
> In our koha-conf.xml, we have this section in the config section
> (between <config> and </config> near the end of the file):
>
> <useldapserver>1</useldapserver>
> <ldapserver id="ldapserver">
>   <hostname>LDAPSERVERNAMEHERE:389</hostname>
>   <base>dc=DOMAIN,dc=COM</base>
>   <user>CN=[USER THAT CAN BROWSE ACTIVE DIRECTORY],OU=[OU OF USER (MULTIPLE ENTRIES IF NESTED OU)],DC=DOMAIN,DC=COM</user> <!-- DN, if not anonymous -->
>   <pass>[PASSWORD OF USER]</pass> <!-- password, if not anonymous -->
>   <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
>   <update>0</update> <!-- update existing users in Koha database -->
>   <mapping> <!-- match koha SQL field names to your LDAP record field names -->
>     <!--<cardnumber is="" ></cardnumber>-->
>     <!--<firstname is="givenname" ></firstname>-->
>     <!--<surname is="sn" ></surname>-->
>     <!--<address is="" > </address>-->
>     <!--<city is="" > </city>-->
>     <!--<zipcode is="" ></zipcode>-->
>     <!--<branchcode is ="">MAIN</branchcode>-->
>     <userid is="samAccountName" ></userid>
>     <password is="" ></password>
>     <!--<email is="mail" ></email>-->
>     <!--<categorycode is="employeetype" > </categorycode>-->
>     <!--<phone is=""></phone>-->
>   </mapping>
> </ldapserver>
>
> Most of the attributes are commented out because we populate our users
> in Koha from a different system and they only log in using their AD
> password. We don't want to add new users or update existing users.
>
>
>
> Then in Auth_with_ldap.pm at line 102 (thanks to this thread
> http://lists.koha.org/pipermail/koha-devel/2008-September/008355.html)
>
> Change these lines:
>
>     my $userldapentry = $search->shift_entry;
>     my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
>     if ($cmpmesg->code != 6) {
>         warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
>         return 0;
>     }
>
> To this:
>
>     my $userldapentry = $search->shift_entry;
>
>     my $dbuser = Net::LDAP->new( [$prefhost] );
>     $res = $dbuser->bind( $userldapentry, password => $password );
>     unless ( $db && ! $res->code ) {
>         warn "LDAP Auth rejected : invalid password for user '$userid'";
>         return 0;
>     }
>
> We had an additional problem with the Auth_with_ldap.pm automatically
> updating the card number with the user's login. We have existing cards
> with specific numbers that we're importing, so I had to disable a couple
> of other lines (lines 116 and 117 in Auth_with_ldap.pm, before the first
> edit.)
>
>     #($config{update} ) and my $c2 = &update_local($userid,$password,$borrowernumber,\%borrower) || '';
>     #($cardnumber eq $c2) or warn "update_local returned cardnumber '$c2' instead of '$cardnumber'";
>
> Hopefully this helps.
>
>
>
> James Winter
>
> 215.517.2588
>
>
>
> From: Barry Cannon [mailto:bc at interleaf.ie]
> Sent: Thursday, February 12, 2009 12:06 PM
> To: Winter, James
> Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?
>
>
>
> Yes, I am using Active Directory. Do you have any tips?
>
>
>
> From: Winter, James [mailto:WinterJ at arcadia.edu]
> Sent: 12 February 2009 17:06
> To: Barry Cannon
> Subject: RE: [Koha] FW: Koha 3.0 LDAP Question?
>
>
>
> Are you using Active Directory?
>
>
>
> James Winter
>
> 215.517.2588
>
>
>
> From: koha-bounces at lists.katipo.co.nz
> [mailto:koha-bounces at lists.katipo.co.nz] On Behalf Of Barry Cannon
> Sent: Thursday, February 12, 2009 9:17 AM
> To: koha at lists.katipo.co.nz
> Subject: [Koha] FW: Koha 3.0 LDAP Question?
>
>
>
> I have been trying to configure LDAP and have a couple of questions:
>
>
>
> The Wiki says: There are two parts of the KOHA_CONF file (default
> location: /etc/koha.xml) relevant to LDAP authentication: the
> configuration stanza itself, and the "switch" line that enables or
> disables LDAP. The switch appears in the main <config> section, 0 for
> "off" and 1 for "on",....
>
>
>
> Should I take this to mean the koha-conf.xml file? There is no koha.xml
> file on our installed server. If it is this file, do I simply add the
> LDAP server options in the config file?
>
> I have assumed that is what is needed but I can't figure out where to go
> from there. Is there an Admin tool to configure/test the LDAP
> authentication?
>
>
>
> Thanks
>
> Barry
>
>
>
>
>
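As an added example, not code from Koha's Auth_with_ldap.pm or from anyone in this thread, the Perl below shows the auth_by_bind flow that James's compare-to-bind change is after, using the Net::LDAP module Koha itself relies on: bind with the lookup account, search for the user by sAMAccountName, then bind again as the entry's DN and treat that bind's result code as the password check. This sidesteps the compare on userPassword, which is what produces "LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE" against Active Directory in the log above, because AD never exposes that attribute. The hostname, base DN, lookup-account DN and password are placeholders (note that the lookup account is written as a full DN, which a bare CN is not), the mapping hash copies the poster's field names, and the refusal of empty passwords, the filter escaping and the separate connection for the user bind are additions of mine rather than anything the thread states.

```perl
#!/usr/bin/perl
# Added example, not Koha's Auth_with_ldap.pm: authenticate against Active
# Directory by binding as the user (the auth_by_bind approach) instead of
# comparing userPassword, which AD does not expose (LDAP error #16).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed settings, mirroring the <ldapserver> stanza in the thread. The
# lookup account must be a full DN; a bare CN will not bind.
my %ldap = (
    hostname => 'ldap://ldap.example.com:389',
    base     => 'dc=example,dc=com',
    user     => 'CN=KOHA_LDAP_USER,OU=Service Accounts,DC=example,DC=com',
    pass     => 'secretpasswd',
);

# Koha borrower field => AD attribute, as in the poster's <mapping>.
my %mapping = (
    firstname => 'givenName',
    surname   => 'sn',
    email     => 'mail',
    userid    => 'sAMAccountName',
);

# Returns (1, \%borrower) on success or (0, $reason) on failure.
sub ldap_auth_by_bind {
    my ($userid, $password) = @_;

    # An empty password turns the user bind into an unauthenticated bind,
    # which AD accepts by default, so refuse it before talking to LDAP.
    return (0, 'empty password') unless defined $password && length $password;

    my $db = Net::LDAP->new($ldap{hostname}, timeout => 10)
        or return (0, "cannot connect to $ldap{hostname}: $@");

    # Step 1: bind as the lookup account and find the user's DN.
    my $res = $db->bind($ldap{user}, password => $ldap{pass});
    return (0, 'lookup bind failed: ' . $res->error) if $res->code;

    # Escape the userid so it cannot alter the filter structure.
    my $filter = sprintf '(%s=%s)', $mapping{userid}, escape_filter_value($userid);
    my $search = $db->search(
        base   => $ldap{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => [ values %mapping ],
    );
    return (0, 'search failed: ' . $search->error) if $search->code;
    return (0, "no entry for '$userid'")           if $search->count == 0;
    return (0, "ambiguous userid '$userid'")       if $search->count > 1;

    my $entry = $search->shift_entry;
    my $dn    = $entry->dn;

    # Step 2: prove the password by binding as that DN on a separate
    # connection, leaving the lookup session untouched.
    my $userconn = Net::LDAP->new($ldap{hostname}, timeout => 10)
        or return (0, "cannot connect to $ldap{hostname}: $@");
    my $bind = $userconn->bind($dn, password => $password);
    $userconn->unbind;
    if ($bind->code) {
        # Report the LDAP code and text, never the password itself.
        return (0, sprintf("invalid password for user '%s' (LDAP error #%d: %s)",
                           $userid, $bind->code, $bind->error));
    }

    # Step 3: collect the mapped attributes for Koha's replicate/update step.
    my %borrower;
    for my $field (keys %mapping) {
        my $value = $entry->get_value($mapping{$field});
        $borrower{$field} = $value if defined $value;
    }
    $db->unbind;
    return (1, \%borrower);
}

# Usage: perl ldap_bind_auth.pl johndoe   (the password is read from STDIN)
if (@ARGV) {
    my ($userid) = @ARGV;
    print "Password: ";
    my $password = <STDIN>;
    chomp($password) if defined $password;
    my ($ok, $result) = ldap_auth_by_bind($userid, $password);
    if ($ok) {
        print "authenticated $userid: $_=$result->{$_}\n" for sort keys %$result;
    } else {
        print "rejected: $result\n";
    }
}
```

Run from a shell on the Koha host with a test account to confirm the bind path works before touching koha-conf.xml; a rejection that names a bind error code points at the DN or password, while a lookup-bind failure points at the <user>/<pass> pair. The user bind is done on its own connection so the lookup session keeps its original identity and can still be used for the attribute fetch, which is also why the result that matters is `$bind->code` on that connection rather than the state of the lookup handle.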