[Koha] Koha authentication against existing LDAP directory

Ben Finney ben+koha at benfinney.id.au
Fri Jun 5 11:22:16 NZST 2009


Joe Atzberger <ohiocore at gmail.com> writes:

> The HEAD version of Koha suggests the functionality you want with
> "auth_by_bind" lines in C4::Auth_with_LDAP. I'm not vouching for their
> operation because I haven't tested it firsthand, but Active Directory
> is specifically what the code has in mind.

Thank you.

Who here *has* tested this functionality first-hand? (I'm unconcerned
with Active Directory, at present, only with OpenLDAP servers.)

> Looking at the implementation, I don't like how it was done though. It
> seems to require anonymous binding to work first, then ignores that
> and goes for a separate user bind.

Hmm. An anonymous bind attempt could succeed, but then such a binding
isn't likely to work for login as a specific user. Is that what you
don't like about it? Or is there something further that is objectionable
about this implementation?

> As for the non-auth_by_bind implementation being "naive", it isn't. It
> anticipates batch import/update functionality that would be very
> desirable.

I refer to the import-entire-user-account-via-privileged-account as
“naive” because it requires multiple otherwise-unnecessary security
holes that could have been avoided by considering possible failure
modes.

Having an account in the directory privileged to read all account
password fields isn't necessary at all for LDAP authentication and is
unnecessary exposure, yet as described so far this implementation won't
work without it.

Having such a privileged account's credentials stored in a configuration
file where the web-server user can read it is a further security hole,
one that again seems necessary for operation of the current
authentication system.

These statements aren't intended to raise anyone's hackles, only to
support my claim that the Koha 3.0 authentication against an LDAP
directory is implemented naively.

If there's an implementation that uses the standard LDAP authentication
mechanism I'd like to try it out. Are there specific instructions I
should follow beyond those for Koha 3.0?

-- 
 \        “Somebody told me how frightening it was how much topsoil we |
  `\   are losing each year, but I told that story around the campfire |
_o__)                             and nobody got scared.” —Jack Handey |
Ben Finney
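For readers following the thread, the "auth by bind" flow under discussion, written here as an added illustration rather than code from Koha's C4::Auth_with_LDAP: an anonymous bind is used only to look up the user's DN, and the supplied password is then verified by binding as that DN, so no account with read access to password attributes and no privileged credentials in a web-readable config file are needed. The hostname, base DN and login attribute are placeholder assumptions.

```perl
#!/usr/bin/perl
# Added example (not Koha's own code): LDAP "auth by bind".
# Step 1 binds anonymously only to find the user's DN; step 2 binds as
# that DN with the supplied password and lets the directory verify it.
# userPassword is never read, so no privileged directory account is needed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed settings (placeholders); adjust to your directory.
my %cfg = (
    host => 'ldaps://ldap.example.org',
    base => 'ou=people,dc=example,dc=org',
    attr => 'uid',
);

# Returns the user's DN on success, undef on failure.
sub ldap_check_password {
    my ($user, $password) = @_;

    # Refuse empty passwords: many servers treat a bind with an empty
    # password as an anonymous bind, which would "succeed" for any user.
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{host}, version => 3) or return undef;

    # Step 1: anonymous bind, used only to locate the entry's DN.
    my $mesg = $ldap->bind;
    return undef if $mesg->code;

    $mesg = $ldap->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => sprintf('(%s=%s)', $cfg{attr}, escape_filter_value($user)),
        attrs  => ['1.1'],    # RFC 4511: request no attributes, DN only
    );
    # Exactly one match is required; ambiguity is treated as failure.
    return undef if $mesg->code || $mesg->count != 1;
    my $dn = $mesg->entry(0)->dn;

    # Step 2: bind as the user; the server compares the password itself.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = !$mesg->code;
    $ldap->unbind;
    return $ok ? $dn : undef;
}

my ($u, $p) = @ARGV;
print ldap_check_password($u, $p) ? "authenticated\n" : "rejected\n";
```

The only directory permission this requires is anonymous (or a read-only, low-privilege) search on the user subtree, which is the exposure the message above contrasts with an account able to read every password field.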