[Koha] Koha Ldap Auth

Mason James mtj at kohaaloha.com
Thu Jun 27 03:12:32 NZST 2019



On 27/06/19 1:13 AM, Daniele Piccoli wrote:
> Il 26/06/19 00:44, Hector Gonzalez ha scritto:
>>> On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>>
>>> Il 24/06/19 21:30, Hector Gonzalez ha scritto:
>>>> Hi Daniele
>>> Hi
>>>
>>>>> On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>>>>
>>>>> Software error:
>>>>> Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
>>>>> Try running this again as the koha instance user (or use the koha-shell
>>>>> command in debian)
>>>> Is the file readable by koha?  Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
>>> The file is readable by Koha and in fact it has the correct permission
>>> as you said.
> I missed an end tag in a comment before, and so it gave me the error
> about reading
>
> Now, the error disappeared
>
>> Ok, then try making these changes:
>>
>> <ldapserver id="ldapserver"  listenref="ldapserver">
>> <hostname>ldaps://*IP-OF-DC*</hostname>
>> <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
>> <replicate>1</replicate>
>> <update>1</update>
>> <auth_by_bind>1</auth_by_bind>
>> <anonymous_bind>0</anonymous_bind>
>> <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
>>  <mapping> <!-- record field names -->
>>   <userid       is="uid"></userid>
>>   <password     is="userpassword"></password>
>>   <email        is="mail"></email>
>>   <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
>>     <categorycode is="">STUDENT</categorycode>
>>  </mapping>
>> </ldapserver>
>>
>> 1. change the hostname to the actual hostname of the ldap server; if it is using ldaps, it might want to check the certificate, and that is based on the name.
>> 2. remove the <user> and <pass> tags, as you are using auth_by_bind.  (I don't know if they are needed for <update> so you might want to leave that there).
>> 3. Add a line that says: <anonymous_bind>0</anonymous_bind>  which is needed with AD logins when you are using auth_by_bind  (sounds weird, but it works that way)
>> 4. Change principal_name, the format is <principal_name>%s@*your.domain.name*</principal_name> which is needed with AD too.  It looks like an email address.
>> 5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...)  It IS required for login, and is assigned to the user automatically.
>> 6. Add the branchcode for the library.
>>
>> Also, I would change the userid mapping to <userid       is="sAMAccountName"></userid>  which is a unique name for every user with AD.
>> If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.
> I've been trying to adapt the configuration according to my DC server
> but, for the moment, ldap auth doesn't work.
>
> I'm monitoring the traffic on port 389 on the DC and no traffic comes from
> the Koha server...that's quite strange.
>


hi Daniele
here is a working config example of a Koha (v18.05.05) talking to an AD server

hope that helps...
--------------------------
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">

    <hostname>ldaps://1.2.3.4:30040</hostname>
    <base>DC=aaa,DC=bbb,DC=gov,DC=au</base>

    <replicate>1</replicate>
    <update>1</update>

    <auth_by_bind>1</auth_by_bind>

    <anonymous_bind>0</anonymous_bind>
    <update_password>0</update_password>

    <principal_name>%s@aaa.bbb.gov.au</principal_name>

    <mapping>
        <userid       is="sAMAccountName" />
        <firstname    is="givenname"      ></firstname>
        <surname      is="sn"             ></surname>
        <email        is="userPrincipalName" />

        <categorycode is="employeetype"   >S</categorycode>
        <branchcode   is="branch"         >AAA</branchcode>

        <phone        is="telephoneNumber" />
    </mapping>

</ldapserver>
--------------------------
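The thread turns on two things: a koha-conf.xml that stopped parsing because of an unclosed comment (reported by Koha as "Error reading file"), and the AD-specific settings in Hector's six-step checklist that Mason's working config also shows (auth_by_bind with an explicit anonymous_bind of 0, a UPN-style principal_name, and categorycode/branchcode mappings). The pre-flight checker below is an added example written for this page; it is not part of Koha and the function name, the wrapping `<config>` root and the sample values (example.invalid hosts and domains) are constructed for illustration. It parses an `<ldapserver>` block and reports the problems discussed above before the file is put in place.

```python
# Added pre-flight checker for the <ldapserver> block of a Koha koha-conf.xml.
# Hypothetical helper written for this example; it is not part of Koha.
import xml.etree.ElementTree as ET

REQUIRED_MAPPINGS = ("userid", "categorycode", "branchcode")


def _text(elem, tag):
    """Return the stripped text of child <tag>, or None when absent or empty."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def check_ldap_config(xml_text):
    """Return a list of problems found in an LDAP configuration fragment.

    An empty list means every check passed. The first check covers the
    failure seen in the thread: an unclosed comment or tag makes the whole
    file unparsable, which Koha reports as 'Error reading file'.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"koha-conf.xml does not parse (unclosed comment or tag?): {err}"]

    problems = []
    ldap = root if root.tag == "ldapserver" else root.find(".//ldapserver")
    if ldap is None:
        return ["no <ldapserver> element found"]

    use = root.find(".//useldapserver")
    if use is None or (use.text or "").strip() != "1":
        problems.append("<useldapserver> is missing or not 1; Koha will ignore the LDAP block")

    host = _text(ldap, "hostname")
    if host is None:
        problems.append("<hostname> is missing")
    elif not host.startswith(("ldap://", "ldaps://")):
        problems.append(f"<hostname> '{host}' lacks an ldap:// or ldaps:// scheme")
    elif host.startswith("ldap://"):
        # With auth_by_bind the user's password is sent in the bind itself.
        problems.append("<hostname> uses plaintext ldap://; bind credentials cross the network unencrypted")

    if _text(ldap, "base") is None:
        problems.append("<base> is missing")

    if _text(ldap, "auth_by_bind") == "1":
        if _text(ldap, "anonymous_bind") != "0":
            problems.append("auth_by_bind=1 needs an explicit <anonymous_bind>0</anonymous_bind> for AD")
        principal = _text(ldap, "principal_name")
        if principal is None:
            problems.append("auth_by_bind=1 needs <principal_name>")
        elif "%s" not in principal:
            problems.append("<principal_name> must contain %s, the placeholder for the login name")
        elif "@" not in principal:
            problems.append("for AD, <principal_name> should be a UPN such as %s@your.domain.name")
        for tag in ("user", "pass"):
            if ldap.find(tag) is not None:
                problems.append(f"<{tag}> is not used with auth_by_bind; remove it unless <update> needs it")

    mapping = ldap.find("mapping")
    if mapping is None:
        problems.append("<mapping> is missing")
    else:
        for tag in REQUIRED_MAPPINGS:
            field = mapping.find(tag)
            if field is None:
                problems.append(f"<mapping> lacks <{tag}>, which Koha needs to create the borrower")
                continue
            has_attr = bool(field.get("is", "").strip())     # LDAP attribute to copy
            has_default = bool((field.text or "").strip())   # fixed default value
            if tag == "userid" and not has_attr:
                problems.append("<userid> needs is=\"sAMAccountName\" (or another unique AD attribute)")
            if tag != "userid" and not (has_attr or has_default):
                problems.append(f"<{tag}> needs either is=\"ldapAttribute\" or a default value as element text")
    return problems


# Constructed sample modelled on the working AD config in this thread
# (placeholder host, base and domain; not a real deployment).
GOOD_CONFIG = """<config>
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
    <hostname>ldaps://ldap.example.invalid:636</hostname>
    <base>DC=example,DC=invalid</base>
    <replicate>1</replicate>
    <update>1</update>
    <auth_by_bind>1</auth_by_bind>
    <anonymous_bind>0</anonymous_bind>
    <update_password>0</update_password>
    <principal_name>%s@example.invalid</principal_name>
    <mapping>
        <userid is="sAMAccountName" />
        <firstname is="givenname"></firstname>
        <surname is="sn"></surname>
        <email is="userPrincipalName" />
        <categorycode is="employeetype">S</categorycode>
        <branchcode is="branch">AAA</branchcode>
    </mapping>
</ldapserver>
</config>
"""

# Constructed sample reproducing the first failure in the thread: a comment
# that never gets its closing '-->' makes the whole file unreadable.
UNCLOSED_COMMENT = GOOD_CONFIG.replace("<mapping>", "<mapping> <!-- record field names")

# Constructed sample with the AD-specific settings and mappings left out.
MISSING_AD_SETTINGS = """<config>
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
    <hostname>ldap://ldap.example.invalid</hostname>
    <base>DC=example,DC=invalid</base>
    <auth_by_bind>1</auth_by_bind>
    <principal_name>uid=%s,DC=example,DC=invalid</principal_name>
    <mapping>
        <userid is="uid" />
        <password is="userpassword"></password>
    </mapping>
</ldapserver>
</config>
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG),
                      ("unclosed comment", UNCLOSED_COMMENT),
                      ("missing AD settings", MISSING_AD_SETTINGS)):
        print(name, "->", check_ldap_config(cfg) or "OK")
```

Run it against the real `<ldapserver>` block (wrapped in any root element) before restarting Koha; an unclosed comment shows up as a single parse error, while a block that parses but lacks `anonymous_bind`, `categorycode` or `branchcode` gets one line per missing setting. The checker only inspects the file; it does not contact the directory, so it cannot tell you whether the bind itself succeeds.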