[Koha] Koha and LDAP: Password comparison fails

Ahmad Amanullah Khan ahmadamanullahkhan at gmail.com
Sat Sep 12 17:00:45 NZST 2015


Thank you for the reply.

We tried it, but it is not working and we are getting an exception:

koha_opac_error_log:

/cgi-bin/koha/opac-user.pl
[Fri Sep 11 17:11:44 2015] [error] [client 10.15.0.200] [Fri Sep 11
17:11:44 2015] opac-user.pl: LDAP Auth rejected :
(sAMAccountName=xxxx.xxxx) gets 0 hits, referer:
https://librarydemo.abc.edu/cgi-bin/koha/opac-user.pl
[Fri Sep 11 17:11:44 2015] [error] [client 10.15.0.200] [Fri Sep 11
17:11:44 2015] opac-user.pl: Use of uninitialized value $retuserid in
string ne at

koha_error_log:

LDAP error #32: LDAP_NO_SUCH_OBJECT, referer:
https://stafflibrarydemo.abc.edu/
[Thu Sep 10 17:02:22 2015] [error] [client 10.15.2.17] [Thu Sep 10 17:02:22
2015] mainpage.pl: # The server cannot find an object specified in the
request, referer: https://stafflibrarydemo.abc.edu/
[Thu Sep 10 17:02:22 2015] [error] [client 10.15.2.17] [Thu Sep 10 17:02:22
2015] mainpage.pl: , referer: https://stafflibrarydemo.habib.edu.pk/


Our KOHA version: 3.12.04.000

It seems that KOHA is unable to search for the user in LDAP.

Any suggestion as to what the reason could be? Your support is highly
appreciated.


Thanks
Ahmad Amanullah Khan

On Thu, Sep 10, 2015 at 1:07 PM, mourik jan heupink <heupink at merit.unu.edu>
wrote:

> Here is the AD bit from our koha-conf.xml:
>
>   <ldapserver id="DC">
>     <hostname>samba.domain.com</hostname>
>     <base>CN=Users,DC=samba,DC=domain,DC=com</base>
>     <replicate>1</replicate>
>     <update>1</update>
>     <auth_by_bind>1</auth_by_bind>
>     <principal_name>%s at samba.domain.com</principal_name>
>     <mapping>                   <!-- match koha SQL field names to your LDAP record field names -->
>       <firstname    is="givenName"      ></firstname>
>       <surname      is="sn"             ></surname>
>       <address      is="streetAddress"  ></address>
>       <city         is="l"              ></city>
>       <zipcode      is="postalCode"     ></zipcode>
>       <branchcode   is="branch"         >our_branch</branchcode>
>       <userid       is="uid"              ></userid>
>       <password     is="userPassword"   ></password>
>       <email        is="mail"           ></email>
>       <categorycode is="employeeType"   >A</categorycode>
>       <phone        is="telephoneNumber"></phone>
>     </mapping>
>   </ldapserver>
>
>
> Explained:
> samba.domain.com is the name of our active directory. If you specify that
> as the hostname to bind to, koha will use (round robin) DNS to connect to all
> DCs. That gives you a nice load spread, plus if one DC happens to be down, only
> some logons will fail.
>
> (Verify with "host samba.domain.com" several times in a row; it should
> normally return different IPs, depending on your number of DCs.)
>
> Base should be your users container.
>
> Principal took me some time to understand: <principal_name>%s at samba.domain.com</principal_name>
>
> %s is replaced with a username, so in my example koha tries to bind as
> username at samba.domain.com
>
> I think the above explains it all?
>
> MJ
>
>
>
>
> On 09/10/2015 09:18 AM, Ahmad Amanullah Khan wrote:
>
>> Dear All
>>
>> I would appreciate it if you could guide us on how you integrated KOHA with AD. Any
>> guide will be highly appreciated.
>>
>> Thanks
>>
>> On Thu, Sep 10, 2015, 3:45 AM uwe <singlespeedfahrer at yandex.com> wrote:
>>
>>> On Friday, 21.08.2015, 10:36 +0200, mourik jan heupink wrote:
>>>
>>>> I have no other clues, no. Must say I'm rather surprised to read that
>>>> auth by bind is no option for you. Are you sure? Why not
>>>>
>>>
>>> It seems that I misunderstood the auth-by-bind function. Finally
>>> someone who has more ldap knowledge helped out to connect the ldap to
>>> our koha installation. Now it works with auth-by-bind as you suggested.
>>> Thank you very much. Your hint guided us into the right way to get it
>>> to work.
>>>
>>> Best wishes
>>> Uwe
>>>
>>>
>>>>
>>>> On 08/20/2015 03:02 PM, uwe wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
>>>>>
>>>>>> I'm not sure if it will help you, but we have never had much luck
>>>>>> with the password compare routine, which koha seems to like.
>>>>>>
>>>>>> I don't know any other ldap client that works like that. The usual way
>>>>>> (and this one works perfectly here, using openldap and also samba4/AD)
>>>>>> is: use <auth_by_bind>1</auth_by_bind>
>>>>>>
>>>>>> Your principal_name would then be something like:
>>>>>>
>>>>>> <principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
>>>>>>
>>>>>
>>>>> Thank you for your answer and hints, but unfortunately auth_by_bind
>>>>> seems to be no option for us.
>>>>>
>>>>> Is there another way to solve the issue?
>>>>>
>>>>> Thanks in advance
>>>>> Uwe
>>>>>
>>>>>> Hopefully this helps you as well.
>>>>>>
>>>>>> MJ
>>>>>>
>>>>>> On 8/18/2015 14:35, uwe wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> We have a Koha installation and would like to connect it to our OpenLDAP
>>>>>>> server, but I can't get it to work.
>>>>>>>
>>>>>>> First our Koha setup:
>>>>>>>
>>>>>>> OS: debian wheezy
>>>>>>> Koha: 3.20.02
>>>>>>>
>>>>>>> Connecting to the ldap-server works fine, but the password comparison
>>>>>>> fails with the following error (tested in the console, but it also fails
>>>>>>> in the web gui; also, the given password is correct):
>>>>>>>
>>>>>>> root at biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib
>>>>>>> KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl
>>>>>>> /usr/share/koha/opac/cgi-bin/opac/opac-user.pl
>>>>>>> userid=MY_MAIL_NAME at MY_ORG.org password=MY_PASSWORD. | head -5
>>>>>>>
>>>>>>> Got 2 ldap mapkeys (  total  ): userid
>>>>>>> Got 2 ldap mapkeys (populated): userid
>>>>>>> Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
>>>>>>> kohaversion : 3.2002000
>>>>>>> ## checkpw - checking LDAP
>>>>>>> LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME at MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
>>>>>>> # This code is returned when a compare request completes and the attribute value given is not in the entry specified
>>>>>>>
>>>>>>> Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.
>>>>>>>
>>>>>>> Configuration in koha-conf.xml, see below. Our ldap-server uses SSHA as
>>>>>>> password scheme. Could this be the problem?
>>>>>>>
>>>>>>> How can I solve it? I can't find much that is useful when searching the
>>>>>>> internet for the problem.
>>>>>>>
>>>>>>> Thanks and best wishes
>>>>>>> Uwe
>>>>>>>
>>>>>>> <useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
>>>>>>>
>>>>>>> <!-- LDAP SERVER (optional) -->
>>>>>>>
>>>>>>> <ldapserver id="ldapserver"  listenref="ldapserver">
>>>>>>>         <hostname>MY_LDAP_SERVER</hostname>
>>>>>>>           <base>ou=id,dc=MY_ORG,dc=org</base>
>>>>>>>           <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
>>>>>>>           <pass>MY_SECRET_PASSWORD</pass>  <!-- password, if not anonymous -->
>>>>>>>          <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
>>>>>>>           <update>0</update>  <!-- update existing users in Koha database -->
>>>>>>>           <anonymous_bind>0</anonymous_bind>
>>>>>>>           <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
>>>>>>>          <!--<principal_name>%s at MY_ORG.org</principal_name>-->
>>>>>>>           <mapping> <!-- match koha SQL field names to your LDAP record field names -->
>>>>>>>                   <!--<firstname is="firstname"></firstname>
>>>>>>>                   <surname is="surname"></surname>
>>>>>>>                   <address is="postaladdress">hier</address>
>>>>>>>                   <city is="l">Berlin</city>
>>>>>>>                   <zipcode is="postalcode">1000</zipcode>
>>>>>>>                   <branchcode is="businesscategory"></branchcode>
>>>>>>> -->
>>>>>>>                   <userid is="uid"></userid>
>>>>>>>                   <!--<password is="USER_PASSWORD"></password>
>>>>>>>                   <email is="mail"></email>
>>>>>>>                   <categorycode is="employeetype">PT</categorycode>
>>>>>>>                   <phone is="telephonenumber">11111</phone>
>>>>>>>                   <flags is="flags">2</flags> -->
>>>>>>>           </mapping>
>>>>>>> </ldapserver>
>>>>>>>
>>>>>>> (hint: some private data is anonymized with large letters)
>>>>>>>
>>>>>>> _______________________________________________
>>>>>> Koha mailing list  http://koha-community.org
>>>>>> Koha at lists.katipo.co.nz
>>>>>> https://lists.katipo.co.nz/mailman/listinfo/koha
>>>>>>
>>>>
>>> --
>>> Q:      What is green and lives in the ocean?
>>> A:      Moby Pickle.
>>>
>>>
>



-- 


“Testing is an infinite process of comparing the invisible to the
ambiguous in order to avoid the unthinkable happening to the anonymous.” -
James Bach


Best Regards,

Ahmad Amanullah Khan
------------------------------------------------------------------------------------------------------
Gmail : ahmadamanullahkhan at gmail.com <ahmadamanullah at gmail.com>
Skype: ahmad.khan922
LinkedIn: http://linkedin.com/in/aaukhan
Cell: +92 314 2042060
-------------------------------------------------------------------------------------------------------
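An added diagnostic script, not Koha's code and not from any poster in this thread, that reproduces outside Koha the two steps MJ's auth_by_bind advice relies on: expand the %s in principal_name with the userid and bind as that principal, then run the same kind of (sAMAccountName=...) search whose "gets 0 hits" result appears in the opac error log above. It assumes Net::LDAP is installed; the host, base, principal template, userid attribute and CA bundle path are placeholders mirroring the quoted koha-conf.xml elements (the list archive prints @ as " at ").

```perl
#!/usr/bin/perl
# Stand-alone LDAP check for a Koha auth_by_bind setup (added example; not
# Koha's code). The placeholders below mirror the koha-conf.xml elements
# quoted in this thread; replace them with your own values.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_filter_value);

my $host      = 'samba.domain.com';                   # <hostname>       (placeholder)
my $base      = 'CN=Users,DC=samba,DC=domain,DC=com'; # <base>           (placeholder)
my $principal = '%s@samba.domain.com';                # <principal_name> (placeholder; %s = userid)
my $attr      = 'sAMAccountName';                     # <userid is="...">, the attribute Koha searches on
my $cafile    = '/etc/ssl/certs/ca-certificates.crt'; # CA bundle for StartTLS (placeholder)

my ($userid, $password) = @ARGV;
die "usage: $0 userid password\n" unless defined $password;

my $ldap = Net::LDAP->new($host, version => 3) or die "connect to $host failed: $@\n";

# A simple bind sends the password in clear, so upgrade the connection first
# and refuse a server whose certificate does not verify against the CA bundle.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "StartTLS failed: " . $mesg->error . "\n" if $mesg->code;

# Step 1 (auth_by_bind): substitute the userid into principal_name and bind as
# that principal. The directory verifies the password itself, so the stored
# hash scheme (SSHA etc.) never reaches the client; this is the path MJ
# recommends instead of a compare against userPassword.
(my $bind_as = $principal) =~ s/%s/$userid/;
$mesg = $ldap->bind($bind_as, password => $password);
printf "bind as %s: LDAP code %d (%s)\n", $bind_as, $mesg->code, $mesg->error;
exit 1 if $mesg->code != LDAP_SUCCESS;

# Step 2: the lookup behind "(sAMAccountName=...) gets 0 hits" in the opac log.
# Zero hits with a successful bind means the base or the userid attribute is
# wrong, not the password. The value is escaped so a crafted userid cannot
# alter the filter.
my $filter = sprintf '(%s=%s)', $attr, escape_filter_value($userid);
$mesg = $ldap->search(base => $base, scope => 'sub', filter => $filter);
die sprintf("search failed: LDAP code %d (%s)\n", $mesg->code, $mesg->error) if $mesg->code;
printf "search %s under %s: %d hits\n", $filter, $base, $mesg->count;
printf "  %s\n", $_->dn for $mesg->entries;
$ldap->unbind;
```

Run it as the library's own user account (perl check_ldap.pl xxxx.xxxx 'password'); a successful bind followed by 0 hits points at <base> or the mapped userid attribute rather than at authentication.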

