[Koha] Koha authentication against existing LDAP directory

Ben Finney ben+koha at benfinney.id.au
Wed May 27 06:21:28 UTC 2009


Mason James <mason.loves.sushi at gmail.com>
writes:

> On 2009/05/26, at 12:19 AM, Ben Finney wrote:
> 
> > Ben Finney <ben+koha at benfinney.id.au> writes:
> >> When I use the same username and password that worked in the direct
> >> LDAP query, and enter those into the Koha login form, the return
> >> page simply shows the same form with “Error: Invalid username or
> >> password”.
> >>
> >> How can I get authentication working with Koha like with other LDAP
> >> clients?
> 
> >> In particular, without duplicating or storing privileged user
> >> credentials in the Koha configuration.
> 
> well, this specifically is tricky - as koha expects some basic user
> records, as Joe stated...

This doesn't follow. Koha can get access to any user's record by
authenticating as that user when they log in. Shouldn't Koha be using
whatever credentials a user attempts to authenticate with at the login
form, and querying against the LDAP server to see whether they're valid?

In fact, this is what I was told Koha actually does, by requiring a user
to log in before retrieving that user's record from the LDAP directory.

> why not try to get a basic koha+LDAP system first, then aim for this  
> advanced setup

I don't think “avoid storing the plain-text password of a privileged
user for the LDAP directory” is a particularly advanced request. Surely
that's the whole point of having a centralised authentication service
with a secure query protocol: to avoid duplication and insecure storage
of credentials?

> > Is LDAP authentication something I should expect to be working? The
> > documentation leads me to believe it should work, but the lack of
> > responses here concerns me that it might not actually be in common
> > use.
> 
> I got it going recently with no previous experience with LDAP. and
> people attempting and succeeding LDAP setup is quite frequent, i think

Well, if the only way to get LDAP authentication working is to avoid
using it as intended, that doesn't seem to me to qualify as “working”.

From what I can see of other LDAP clients, it's perfectly normal to do
the following when attempting to query the directory non-anonymously:

* client application requests credentials at runtime

* client application computes appropriate hash for credentials

* client application binds (authenticates for the purpose of the query)
  to the LDAP server using the hashed credentials

* server responds with appropriate status and query result

* client application proceeds on that basis

What documentation is there for getting Koha working as a normal LDAP
authentication client?

-- 
 \       “Free thought is a necessary, but not a sufficient, condition |
  `\                                       for democracy.” —Carl Sagan |
_o__)                                                                  |
Ben Finney
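The bind-as-the-user flow discussed in the message above, written out as an added example (it is not Koha's code and not part of the original thread; Perl is chosen because Koha is a Perl application). It uses Net::LDAP and assumes a hypothetical server name, CA bundle path, DN pattern and attribute names, and that the directory lets a user read their own entry. No service-account password is stored anywhere: the credentials typed into the login form are used for the bind, the server's result code is the authentication decision, and the user's own record is then read with the user's own rights. With a simple bind the client sends the password to the server, which checks it against the hash it holds for that DN, so the connection is LDAPS with certificate verification. One pitfall the code guards against: a simple bind with an empty password is treated as an anonymous bind (RFC 4513 section 5.1.2), so a login form that forwards a blank password would be "accepted" by the server without any check.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

# Hypothetical settings; adjust to your own directory.
my %cfg = (
    server     => 'ldaps://ldap.example.org',            # LDAPS so the password is not sent in the clear
    cafile     => '/etc/ssl/certs/ca-certificates.crt',  # CA bundle used to verify the server certificate
    dn_pattern => 'uid=%s,ou=people,dc=example,dc=org',  # how a login name maps to the user's DN
    attrs      => [qw(uid cn mail)],                     # attributes to copy into the application
);

# Authenticate by binding as the user; no privileged credentials are stored.
# Returns a hashref of the user's attributes on success, undef on failure.
sub authenticate_by_bind {
    my ($username, $password) = @_;

    # An empty password turns a simple bind into an anonymous bind (RFC 4513 s.5.1.2),
    # and the server would answer "success" without verifying anything.
    return undef unless defined $username && length $username;
    return undef unless defined $password && length $password;

    # Escape the login name so it cannot alter the structure of the DN.
    my $dn = sprintf $cfg{dn_pattern}, escape_dn_value($username);

    my $ldap = Net::LDAP->new($cfg{server}, verify => 'require', cafile => $cfg{cafile})
        or do { warn "LDAP connect failed: $@\n"; return undef };

    # The bind is the authentication step: the server checks the password it
    # holds for this DN and returns a result code.
    my $res = $ldap->bind($dn, password => $password);
    if ($res->code) {
        warn sprintf "bind as %s failed: %s\n", $dn, $res->error;
        $ldap->unbind;
        return undef;
    }

    # Read the user's own entry, with the rights the directory grants that user.
    my $search = $ldap->search(
        base   => $dn,
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => $cfg{attrs},
    );
    my $entry = $search->code ? undef : $search->entry(0);
    $ldap->unbind;
    return undef unless $entry;

    # First value of each requested attribute.
    return { map { $_ => scalar $entry->get_value($_) } @{ $cfg{attrs} } };
}

# Example use; in a web application these two values come from the login form.
my $user = authenticate_by_bind($ARGV[0] // '', $ARGV[1] // '');
print $user
    ? "logged in as $user->{cn} <$user->{mail}>\n"
    : "Error: Invalid username or password\n";
```

Run it as `perl ldap_bind_login.pl USERNAME PASSWORD` against a test directory. A failed bind is logged with the server's error text (which is what to look at when the login form only says "Invalid username or password"), while the caller just gets undef, so the form never reveals whether the DN existed or the password was wrong.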