[Koha] Active Directory LDAP integration

Christopher Curry ccurry at amphilsoc.org
Fri May 22 07:10:29 NZST 2009


So,

I sorted this out after seeing this post: 
http://lists.koha.org/pipermail/koha-devel/2008-October/008493.html

Active Directory users can log in (and their data in the borrowers table 
is updated) after replacing
"

        my $cmpmesg = $db->compare( $userldapentry, attr => 'userpassword', value => $password );
        if ($cmpmesg->code != 6) {    # 6 = LDAP_COMPARE_TRUE
                warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
                return 0;
        }
"
with
"
        my $user_ldapname = $userldapentry->dn();
        my $user_db = Net::LDAP->new( [$prefhost] );
        # bind as the user's own DN; the directory, not Koha, checks the password
        $res = $user_db->bind( $user_ldapname, password => $password );
        if ( $res->code ) {
            $debug and warn "Bind as user failed: " . description( $res );
            return 0;
        }
"
on line 103 of /usr/share/koha3/lib/C4/Auth_with_ldap.pm

After looking at the rest of the thread, I discovered that this bug was reported in the past and a patch was created in Oct 2008:
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=2726

According to this record, "This is controlled by the option auth_by_bind, which, if set, causes
this code to try binding instead of comparing." http://bugs.koha.org/cgi-bin/bugzilla3/attachment.cgi?id=494

Unfortunately, it is not clear to me by looking at this record where this option is set.  Is this a patch that is bundled with Koha 3.0.1?

Or has it not been folded into the base code yet?  Is there an easy way to tell whether or not bugs like this have been resolved?

I'm all set for now, but if I could configure this in /etc/koha3/koha-conf.xml in the future, that'd be good to know.

Cheers,

Christopher Curry
Assistant Technical Librarian / Assistant IT Officer

American Philosophical Society
105 South Fifth Street
Philadelphia, PA 19106-3386
Tel. (215) 599-4299

ccurry at amphilsoc.org <mailto:ccurry at amphilsoc.org>

*For technical support, please use helpdesk at amphilsoc.org 
<mailto:helpdesk at amphilsoc.org>*
Main Library number: (215)440-3400
APS website: http://www.amphilsoc.org
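
The bind-as-user check described above, written out as a complete added example (this is not Koha's own Auth_with_ldap.pm code); the host, base DN and service account below are assumed placeholders, and a reachable directory is required to run it:

```perl
#!/usr/bin/perl
# Added example (not Koha's Auth_with_ldap.pm): verify an Active Directory
# user by binding as that user instead of comparing userPassword, which AD
# does not expose (hence the LDAP_NO_SUCH_ATTRIBUTE seen in the log).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values; replace with your own directory details.
my %cfg = (
    host => 'ldap.example.org',                       # assumption
    base => 'CN=Users,DC=example,DC=org',             # assumption
    user => 'CN=kohasvc,CN=Users,DC=example,DC=org',  # assumed service DN
    pass => 'SERVICE_PASSWORD',                       # assumed placeholder
);

# Returns the user's DN on success, undef on any failure.
sub checkpw_ad_bind {
    my ($userid, $password) = @_;

    # An empty password would turn the second bind into an unauthenticated
    # bind, which directories may answer with success; never accept it.
    return undef unless defined $password && length $password;

    # 1. Bind with the service account and look the user up by sAMAccountName.
    #    escape_filter_value keeps a crafted userid from changing the filter.
    my $db = Net::LDAP->new($cfg{host}) or return undef;
    return undef if $db->bind($cfg{user}, password => $cfg{pass})->code;
    my $search = $db->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => '(sAMAccountName=' . escape_filter_value($userid) . ')',
        attrs  => ['1.1'],   # RFC 4511: return no attributes, DN only
    );
    my $user_dn = ($search->code || $search->count != 1)
        ? undef : $search->entry(0)->dn;
    $db->unbind;
    return undef unless defined $user_dn;

    # 2. Bind on a fresh connection as the user's own DN; the directory,
    #    not Koha, checks the password (this is what auth_by_bind does).
    my $user_db = Net::LDAP->new($cfg{host}) or return undef;
    my $res = $user_db->bind($user_dn, password => $password);
    $user_db->unbind;
    if ($res->code) { warn "Bind as $user_dn failed: " . $res->error; return undef }
    return $user_dn;
}

my ($userid, $password) = @ARGV;
print checkpw_ad_bind($userid, $password) ? "ok\n" : "rejected\n";
```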



Christopher Curry wrote:
> Joe,
>
> Thanks for the quick reply.
>
> That's good to know, but something is still not working right because 
> I haven't been able to log in with any of my AD user accounts (whether 
> or not I have an existing borrower in the Koha database with the same 
> username).  I get this error in the logs:
>
> opac-user.pl: LDAP Auth rejected : invalid password for user 
> '[USERNAME]'. LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE, referer: 
> http://avocado/cgi-bin/koha/opac-user.pl
> opac-user.pl: # The request referenced an attribute that does not 
> exist, referer: http://avocado/cgi-bin/koha/opac-user.pl
>
> Cheers,
>
> Christopher Curry
>
>
>
> Joe Atzberger wrote:
>> Christopher --
>>
>> You seem to be expecting Koha to extract the entire LDAP directory at 
>> once.  It doesn't.  Instead, it updates the user account when they go 
>> to login.  So you should try to login as one of the users that isn't 
>> yet in your Koha DB, or that has outdated info.  If you want the mass 
>> upload, you should export from LDAP to CSV and use the normal patron 
>> import tool.
>>
>> Having some kind of batch LDAP update mode is desirable, but nobody 
>> has sponsored or worked on such functionality.
>>
>> -- 
>> Joe Atzberger
>> LibLime - Open Source Library Solutions
>>
>>
>> 2009/5/20 Christopher Curry <ccurry at amphilsoc.org 
>> <mailto:ccurry at amphilsoc.org>>
>>
>>     Hello all,
>>
>>     I'm trying to configure Koha to access my Active Directory
>>     LDAP server.  I don't get errors when I browse to the catalog, so
>>     it seems that the configuration is being accepted, but my
>>     borrowers database has not been updated.  I tried restarting the
>>     server (which should cover restarting apache, as well --
>>     right?).  I used the following documentation:
>>     http://wiki.koha.org/doku.php?id=en:development:ldap.
>>
>>     My configuration is copied below; the ALL-CAPS areas are of
>>     course replaced with the relevant data.
>>
>>     Any thoughts?
>>
>>     I've pasted this into /etc/koha3/koha-conf.xml inside <config>,
>>     inside of <yazgfs>:
>>
>>      <useldapserver>1</useldapserver>
>>
>>     <!-- LDAP SERVER (optional) -->
>>     <ldapserver id="LDAP_IPADDRESS"  listenref="LDAP_IPADDRESS">
>>      <hostname>LDAP_IPADDRESS</hostname>
>>      <base>CN=USERS_FOLDER_NAME,DC=DOMAIN,DC=TOP_LEVEL_DOMAIN</base>
>>      <user>CN=USERNAME,CN=USERS_FOLDER_NAME,DC=DOMAIN,DC=TOP_LEVEL_DOMAIN</user>
>>      <pass>PASSWORD</pass>
>>      <replicate>1</replicate>
>>      <update>1</update>
>>      <mapping>
>>                     <firstname is="givenName"></firstname>
>>                     <surname is="sn"></surname>
>>                     <address is="">ADDRESS</address>
>>                     <city is="">CITY</city>
>>                     <zipcode is="">19106</zipcode>
>>                     <branchcode is="">BRANCHCODE</branchcode>
>>                     <userid is="sAMAccountName"></userid>
>>                     <password is="userPassword"></password>
>>                     <categorycode is="">S</categorycode>
>>                     <email is="">manuscripts at amphilsoc.org</email>
>>                     <phone is="">215-440-3400</phone>
>>      </mapping>
>>     </ldapserver>
>>
>>     Cheers,
>>
>>     Christopher Curry
>>
>>
>>     _______________________________________________
>>     Koha mailing list
>>     Koha at lists.katipo.co.nz <mailto:Koha at lists.katipo.co.nz>
>>     http://lists.katipo.co.nz/mailman/listinfo/koha
>>
>>