[Koha] Koha authentication against existing LDAP directory

Joe Atzberger ohiocore at gmail.com
Fri Jun 5 02:20:45 NZST 2009


On Wed, Jun 3, 2009 at 8:15 PM, Ben Finney <ben+koha at benfinney.id.au> wrote:

> Cab Vinton <bibliwho at gmail.com> writes:
>
> > Can someone provide a newbie summary of what functionality LDAP + Koha
> > is supposed to provide?
>
> LDAP (Lightweight Directory Access Protocol) is a standard query
> protocol into “directories” of information, where a directory is a
> hierarchical organisation of information optimised for fast and flexible
> query.
>
> Such directories can, of course, be directories of people: they are
> often used for providing a directory of people for various purposes,
> including authentication.
>
> > I gather it has something to do with authentication, but who's being
> > authenticated for what?
>
> LDAP authentication is normally done at login time by querying the LDAP
> server and asking it to authenticate the user based on the login
> credentials, in order to grant further access to the information in the
> directory (this process is termed “binding to” the directory).
>
> Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP
> directory for the user account details when a user attempts to log in.
>
> My messages have led to the conclusion that this is currently done in a
> rather naive and insecure way: not using the standard LDAP-server-based
> authentication, but instead using an access-all-accounts privileged
> directory account to pull all the details across the connection and
> perform authentication on the webserver
> <URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.
>
> Future (currently-in-development) Koha code may, I'm told, have the
> ability to use the correct authentication on the LDAP server, without a
> need for insecure access to the LDAP accounts.
>

The HEAD version of Koha suggests the functionality you want with
"auth_by_bind" lines in C4::Auth_with_LDAP.  I'm not vouching for their
operation because I haven't tested it firsthand, but Active Directory is
specifically what the code has in mind.

Looking at the implementation, I don't like how it was done though.  It
seems to require anonymous binding to work first, then ignores that and goes
for a separate user bind.

As for the non-auth_by_bind implementation being "naive", it isn't.  It
anticipates batch import/update functionality that would be very desirable.
Obviously, importing a whole directory of unspecified users would require
the privileged account info.
-- 
Joe Atzberger
LibLime - Open Source Library Solutions
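The two designs the thread contrasts, as an added Python example that is not Koha's own code (C4::Auth_with_LDAP is Perl and talks to a real server): approach A pulls the account with a privileged bind and compares on the web server, approach B resolves the DN and then binds as the user. The directory, its DNs and its passwords are all constructed stand-ins, and the example adds one caveat from the LDAP standard: a simple bind with a DN and an empty password succeeds as anonymous (RFC 4513, 5.1.2), so a bind-based login has to reject empty passwords before it ever talks to the server.

```python
import hmac

class MockDirectory:
    """Constructed stand-in for an LDAP server with one ACL rule: only the admin may read userPassword."""
    ADMIN_DN = "cn=koha-admin,dc=example,dc=org"        # constructed DNs
    BASE_DN = "ou=people,dc=example,dc=org"

    def __init__(self):
        self.entries = {self.ADMIN_DN: {"userPassword": "admin-secret"},
                        "uid=alice," + self.BASE_DN: {"uid": "alice", "userPassword": "s3cret"}}

    def bind(self, dn, password):
        """Simple bind; DN plus empty password is an unauthenticated bind that succeeds as anonymous (RFC 4513 5.1.2)."""
        if dn is None or password == "":
            return "anonymous", True
        entry = self.entries.get(dn)
        ok = entry is not None and hmac.compare_digest(entry["userPassword"].encode(), password.encode())
        return (dn if ok else None), ok

    def search_uid(self, uid):
        """Resolve a uid to its DN; the search is open to any bound client, anonymous included."""
        return [dn for dn, e in self.entries.items() if e.get("uid") == uid]

    def read(self, bound_as, dn):
        """Return the entry, hiding userPassword from everyone but the admin."""
        entry = dict(self.entries[dn])
        if bound_as != self.ADMIN_DN:
            entry.pop("userPassword", None)
        return entry

def login_privileged_lookup(directory, admin_pw, uid, password):
    """Approach A: bind as the privileged account, read the record, compare on the web server (admin secret lives in app config)."""
    bound_as, ok = directory.bind(directory.ADMIN_DN, admin_pw)
    dns = directory.search_uid(uid) if ok else []
    if len(dns) != 1:
        return False
    stored = directory.read(bound_as, dns[0]).get("userPassword")
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def login_auth_by_bind(directory, uid, password, reject_empty=True):
    """Approach B: anonymous bind to resolve the DN, then the directory itself checks the password by binding as the user."""
    if reject_empty and password == "":   # without this guard, '' logs in as anyone
        return False
    directory.bind(None, "")              # anonymous bind, needed only for the search
    dns = directory.search_uid(uid)
    if len(dns) != 1:
        return False
    _, ok = directory.bind(dns[0], password)   # the server does the comparing
    return ok
```

Approach A only works because the admin bind can read userPassword (and, against a real directory, would have to understand whatever hash scheme the server stores); approach B never sees the stored secret at all.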