[Koha] Koha authentication against existing LDAP directory

Ben Finney ben+koha at benfinney.id.au
Wed May 27 18:21:28 NZST 2009


Mason James <mason.loves.sushi at gmail.com> writes:

> On 2009/05/26, at 12:19 AM, Ben Finney wrote:
> 
> > Ben Finney <ben+koha at benfinney.id.au> writes:
> >> When I use the same username and password that worked in the direct
> >> LDAP query, and enter those into the Koha login form, the return
> >> page simply shows the same form with “Error: Invalid username or
> >> password”.
> >>
> >> How can I get authentication working with Koha like with other LDAP
> >> clients?
> 
> >> In particular, without duplicating or storing privileged user
> >> credentials in the Koha configuration.
> 
> Well, this specifically is tricky - as Koha expects some basic user
> records, as Joe stated...

This doesn't follow. Koha can get access to any user's record by
authenticating as that user when they log in. Shouldn't Koha be using
whatever credentials a user attempts to authenticate with at the login
form, and querying against the LDAP server to see whether they're valid?

In fact, this is what I was told Koha actually does, by requiring a user
to log in before retrieving that user's record from the LDAP directory.

> Why not try to get a basic Koha+LDAP system first, then aim for this
> advanced setup?

I don't think “avoid storing the plain-text password of a privileged
user for the LDAP directory” is a particularly advanced request. Surely
that's the whole point of having a centralised authentication service
with a secure query protocol: to avoid duplication and insecure storage
of credentials?

> > Is LDAP authentication something I should expect to be working? The
> > documentation leads me to believe it should work, but the lack of
> > responses here concerns me that it might not actually be in common
> > use.
> 
> I got it going recently with no previous experience with LDAP, and
> people attempting and succeeding LDAP setup is quite frequent, I think.

Well, if the only way to get LDAP authentication working is to avoid
using it as intended, that doesn't seem to me to qualify as “working”.
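
Added example, not part of the original message and not Koha's code: a sketch of the bind-as-user login discussed in this thread, where the application holds no privileged LDAP credentials and checks a login by binding as the user. The DN template, the example.org suffix, the function names and the FakeDirectory stand-in (used so the sketch runs offline) are all assumptions.

```python
# Added example: bind-as-user authentication with no stored service account.
BIND_DN_TEMPLATE = "uid={uid},ou=people,dc=example,dc=org"  # assumed layout


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def authenticate(username, password, simple_bind):
    """Return the bound DN on success, None if the login is rejected.

    simple_bind(dn, password) -> bool performs one LDAP simple bind.
    """
    # RFC 4513 section 5.1.2: a simple bind with a DN and an empty password
    # is an "unauthenticated" bind that a server may accept, so an empty
    # password must be rejected before the directory is ever contacted.
    if not username or not password:
        return None
    dn = BIND_DN_TEMPLATE.format(uid=escape_dn_value(username))
    return dn if simple_bind(dn, password) else None


class FakeDirectory:
    """Constructed stand-in for an LDAP server (sample data, not real)."""

    def __init__(self, entries):
        self.entries = entries  # maps DN -> password

    def simple_bind(self, dn, password):
        if password == "":
            return True  # mimics a server that allows unauthenticated binds
        return self.entries.get(dn) == password


DIRECTORY = FakeDirectory({"uid=alice,ou=people,dc=example,dc=org": "s3cret"})
```

With a real directory, simple_bind would wrap the LDAP client library's bind call over a TLS-protected connection; the empty-password check and the DN escaping stay the same.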
