[Koha] Koha Ldap Auth

Daniele Piccoli daniele.piccoli at riseup.net
Thu Jun 27 01:13:33 NZST 2019


On 26/06/19 00:44, Hector Gonzalez wrote:
> 
> 
>> On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>
>> On 24/06/19 21:30, Hector Gonzalez wrote:
>>> Hi Daniele
>>
>> Hi
>>
>>>> On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>>>
>>>> Software error:
>>>> Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
>>>> Try running this again as the koha instance user (or use the koha-shell
>>>> command in debian)
>>>
>>>
>>> Is the file readable by koha?  Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
>>
>> The file is readable by Koha and in fact it has the correct permission
>> as you said.

I had missed an end tag in a comment, and that is what gave me the error
about reading the file.

Now the error has disappeared.

> Ok, then try making these changes:
> 
> <ldapserver id="ldapserver"  listenref="ldapserver">
> <hostname>*IP-OF-DC*</hostname> <!-- or ldaps://*IP-OF-DC* -->
> <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
> <replicate>1</replicate>
> <update>1</update>
> <auth_by_bind>1</auth_by_bind>
> <anonymous_bind>0</anonymous_bind>
> <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
>  <mapping> <!-- record field names -->
>   <userid       is="uid"></userid>
>   <password     is="userpassword"></password>
>   <email        is="mail"></email>
>   <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
>     <categorycode is="">STUDENT</categorycode>
>  </mapping>
> </ldapserver>
> 
> 1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
> 2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave them there.)
> 3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
> 4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
> 5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
> 6. Add the branchcode for the library.
> 
> Also, I would change the userid mapping to <userid       is="sAMAccountName"></userid>  which is a unique name for every user with AD.
> If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.

I've been trying to adapt the configuration according to my DC server,
but for the moment LDAP auth doesn't work.

I'm monitoring the traffic on port 389 on the DC and no traffic comes from
the Koha server... that's quite strange.


>>>
>>
>> Daniele
>> _______________________________________________
>> Koha mailing list  http://koha-community.org
>> Koha at lists.katipo.co.nz
>> https://lists.katipo.co.nz/mailman/listinfo/koha
> 
> --
> Héctor González
> cacho at genac.org
> 

Bye

Daniele
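Hector's checklist above, as an added example that is not part of the thread and not Koha's own code: a small Python linter that reads the <ldapserver> block of a koha-conf.xml and flags the items discussed (a plain ldap:// hostname, leftover <user>/<pass> when auth_by_bind is set, a missing anonymous_bind, a principal_name that is not of the form %s@domain, and missing categorycode/branchcode/sAMAccountName mappings). It also shows that an unterminated comment, like the missing end tag that produced the "Error reading file" earlier in the thread, is reported as a parse error before any setting is checked. The three sample documents are constructed, with placeholder hosts, domains and secrets.

```python
"""Lint the <ldapserver> block of a Koha koha-conf.xml against the checklist
from the thread. Added example, not Koha's code; every sample value below is a
constructed placeholder, not a real server."""
import re
import xml.etree.ElementTree as ET

# Constructed: the quoted configuration with placeholder host and domain values.
SAMPLE_OK = """<config>
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>ldaps://dc.example.test</hostname>
  <base>ou=Users,dc=sub,dc=example,dc=test</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>%s@sub.example.test</principal_name>
  <mapping> <!-- record field names -->
    <userid is="sAMAccountName"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">MAIN</branchcode>
    <categorycode is="">STUDENT</categorycode>
  </mapping>
</ldapserver>
</config>"""

# Constructed: the same block with the problems the thread talks about:
# plain ldap://, leftover <user>/<pass>, no anonymous_bind, a DN-style
# principal_name, a uid mapping and no categorycode.
SAMPLE_BAD = """<config>
<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>ldap://dc.example.test</hostname>
  <base>ou=Users,dc=sub,dc=example,dc=test</base>
  <user>cn=koha,ou=Users,dc=sub,dc=example,dc=test</user>
  <pass>PLACEHOLDER-SECRET</pass>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>uid=%s,ou=Users,dc=sub,dc=example,dc=test</principal_name>
  <mapping> <!-- record field names -->
    <userid is="uid"></userid>
    <password is="userpassword"></password>
    <email is="mail"></email>
    <branchcode is="">MAIN</branchcode>
  </mapping>
</ldapserver>
</config>"""

# Constructed: the comment's closing "-->" is missing, the kind of editing
# slip that makes Koha fail to read the whole file.
SAMPLE_BROKEN = SAMPLE_OK.replace("<!-- record field names -->", "<!-- record field names")


def lint_ldapserver(xml_text):
    """Return a list of problem descriptions; an empty list means the block passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Nothing else can be checked until the file is well-formed again.
        return [f"not well-formed XML: {exc}"]
    srv = root.find(".//ldapserver")
    if srv is None:
        return ["no <ldapserver> element found"]

    def text(tag):
        el = srv.find(tag)
        return (el.text or "").strip() if el is not None else None

    problems = []
    host = text("hostname") or ""
    if not host.startswith("ldaps://"):
        # A simple bind over plain ldap:// sends the user's password unencrypted.
        problems.append("hostname does not use ldaps://; binds would send passwords in the clear")
    if text("auth_by_bind") == "1":
        if text("anonymous_bind") != "0":
            problems.append("auth_by_bind=1 needs <anonymous_bind>0</anonymous_bind> for AD logins")
        for tag in ("user", "pass"):
            if srv.find(tag) is not None:
                problems.append(f"<{tag}> is present but unused with auth_by_bind")
    principal = text("principal_name") or ""
    if not re.fullmatch(r"%s@[^@\s]+", principal):
        problems.append("principal_name is not of the form %s@your.domain.name")
    mapping = srv.find("mapping")
    if mapping is None:
        problems.append("no <mapping> block")
    else:
        for tag in ("categorycode", "branchcode"):
            el = mapping.find(tag)
            if el is None or not (el.text or "").strip():
                problems.append(f"mapping lacks a {tag} value")
        userid = mapping.find("userid")
        if userid is not None and userid.get("is") != "sAMAccountName":
            problems.append("userid mapping is not sAMAccountName (unique per AD user)")
    return problems


if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("broken", SAMPLE_BROKEN)):
        print(name, lint_ldapserver(doc) or "passes")
```

To run it against a real instance, read the file as the instance user (the koha-shell route from the error message) and pass its contents to lint_ldapserver; the function never contacts the directory server, so a clean result only says the block is consistent with the checklist, not that the bind will succeed.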

