[Koha] Koha Ldap Auth
Mason James
mtj at kohaaloha.com
Thu Jun 27 03:12:32 NZST 2019
On 27/06/19 1:13 AM, Daniele Piccoli wrote:
> Il 26/06/19 00:44, Hector Gonzalez ha scritto:
>>> On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>>
>>> Il 24/06/19 21:30, Hector Gonzalez ha scritto:
>>>> Hi Daniele
>>> Hi
>>>
>>>>> On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>>>>
>>>>> Software error:
>>>>> Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
>>>>> Try running this again as the koha instance user (or use the koha-shell
>>>>> command in debian)
>>>> Is the file readable by koha? Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
>>> The file is readable by Koha and in fact it has the correct permission
>>> as you said.
> I missed an end tag in a comment before, and so it gave me the error
> about reading
>
> Now, the error disappeared
>
>> Ok, then try making these changes:
>>
>> <ldapserver id="ldapserver" listenref="ldapserver">
>> <hostname>*IP-OF-DC*</hostname> <!-- or ldaps://*IP-OF-DC* when the server uses LDAPS -->
>> <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
>> <replicate>1</replicate>
>> <update>1</update>
>> <auth_by_bind>1</auth_by_bind>
>> <anonymous_bind>0</anonymous_bind>
>> <principal_name>uid=%s@*sub*.*domain*.*tld*</principal_name>
>> <mapping> <!-- record field names -->
>> <userid is="uid"></userid>
>> <password is="userpassword"></password>
>> <email is="mail"></email>
>> <branchcode is="">YOURLIBRARYCODEinKoha</branchcode>
>> <categorycode is="">STUDENT</categorycode>
>> </mapping>
>> </ldapserver>
>>
>> 1. change the hostname to the actual hostname of the ldap server, if it is using ldaps, it might want to check the certificate, and that is based on the name.
>> 2. remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update> so you might want to leave that there).
>> 3. Add a line that says: <anonymous_bind>0</anonymous_bind> which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way)
>> 4. Change principal_name, the format is <principal_name>%s@*your.domain.name*</principal_name> which is needed with AD too. It looks like an email address.
>> 5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...) It IS required for login, and is assigned to the user automatically.
>> 6. Add the branchcode for the library.
>>
>> Also, I would change the userid mapping to <userid is="sAMAccountName"></userid> which is a unique name for every user with AD.
>> If it still gives you trouble, check the tags above and below your ldap configuration, and be sure those were not affected by editing the file.
> I've been trying to adapt the configuration according to my DC server
> but, for the moment, ldap auth doesn't work.
>
> I'm monitoring the traffic on port 389 on the DC and no traffic comes from
> the Koha server...that's quite strange.
>
hi Daniele
here is a working config example of a Koha (v18.05.05) talking to an AD server
hope that helps...
--------------------------
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
<hostname>ldaps://1.2.3.4:30040</hostname>
<base>DC=aaa,DC=bbb,DC=gov,DC=au</base>
<replicate>1</replicate>
<update>1</update>
<auth_by_bind>1</auth_by_bind>
<anonymous_bind>0</anonymous_bind>
<update_password>0</update_password>
<principal_name>%s@aaa.bbb.gov.au</principal_name>
<mapping>
<userid is="sAMAccountName" />
<firstname is="givenname" ></firstname>
<surname is="sn" ></surname>
<email is="userPrincipalName" />
<categorycode is="employeetype" >S</categorycode>
<branchcode is="branch" >AAA</branchcode>
<phone is="telephoneNumber" />
</mapping>
</ldapserver>
--------------------------
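The checks the thread keeps coming back to (LDAPS hostname, anonymous_bind 0 with auth_by_bind, no leftover <user>/<pass>, a %s in principal_name, mappings for userid/categorycode/branchcode) can be run mechanically before restarting Koha. The script below is an added example written for this page; it is not Koha's own code and not part of the list thread. It assumes the <ldapserver> block lives directly under the document root (in a real koha-conf.xml it sits under <config>), that Koha builds the bind identity by substituting the login name for %s in principal_name (this matches its sprintf-based behaviour, stated here as an assumption), and it uses a constructed config modelled on the working one above with placeholder values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the working config in the thread.
# Placeholder host, base DN and realm; not a real deployment.
SAMPLE_CONF = """<config>
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
<hostname>ldaps://1.2.3.4:30040</hostname>
<base>DC=aaa,DC=bbb,DC=gov,DC=au</base>
<replicate>1</replicate>
<update>1</update>
<auth_by_bind>1</auth_by_bind>
<anonymous_bind>0</anonymous_bind>
<update_password>0</update_password>
<principal_name>%s@aaa.bbb.gov.au</principal_name>
<mapping>
<userid is="sAMAccountName" />
<firstname is="givenname" ></firstname>
<surname is="sn" ></surname>
<email is="userPrincipalName" />
<categorycode is="employeetype" >S</categorycode>
<branchcode is="branch" >AAA</branchcode>
<phone is="telephoneNumber" />
</mapping>
</ldapserver>
</config>
"""

# Mappings the thread says Koha needs to create/log in a patron.
REQUIRED_MAPPINGS = ("userid", "categorycode", "branchcode")

# Conservative allow-list for the login name we substitute into principal_name
# (assumption of this example, not a Koha rule).
SAFE_LOGIN = re.compile(r"^[A-Za-z0-9._-]+$")


def lint_ldapserver(xml_text):
    """Return a list of findings for the <ldapserver> block; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A stray comment or missing end tag gives Koha's "Error reading file" message.
        return ["XML not well-formed: %s" % err]
    srv = root.find("ldapserver")
    if srv is None:
        return ["no <ldapserver> element found"]

    def text(tag):
        el = srv.find(tag)
        return (el.text or "").strip() if el is not None else None

    hostname = text("hostname") or ""
    if not hostname.startswith("ldaps://"):
        findings.append("hostname %r is not ldaps://; a simple bind would send the "
                        "password in clear over port 389 unless STARTTLS is used" % hostname)
    if text("auth_by_bind") == "1":
        if text("anonymous_bind") != "0":
            findings.append("auth_by_bind=1 but anonymous_bind is not 0 (needed for AD)")
        if srv.find("user") is not None or srv.find("pass") is not None:
            findings.append("<user>/<pass> present although auth_by_bind=1; "
                            "remove the static bind credential")
    principal = text("principal_name") or ""
    if "%s" not in principal:
        findings.append("principal_name has no %s placeholder for the login name")
    mapping = srv.find("mapping")
    if mapping is None:
        findings.append("no <mapping> element")
    else:
        for name in REQUIRED_MAPPINGS:
            el = mapping.find(name)
            if el is None:
                findings.append("mapping for %s is missing" % name)
            elif not (el.get("is") or "").strip() and not (el.text or "").strip():
                findings.append("mapping for %s has neither an LDAP attribute "
                                "nor a default value" % name)
    return findings


def bind_identity(principal_name, login):
    """Build the identity Koha would bind with: %s replaced by the login name."""
    if not SAFE_LOGIN.match(login):
        raise ValueError("login name contains characters outside the allow-list")
    return principal_name.replace("%s", login, 1)


if __name__ == "__main__":
    for finding in lint_ldapserver(SAMPLE_CONF) or ["config looks consistent"]:
        print(finding)
    print(bind_identity("%s@aaa.bbb.gov.au", "jsmith"))
```

Run it against the <ldapserver> block cut out of your koha-conf.xml (wrap it in a dummy root element first); a plain hostname or anonymous_bind left at 1 shows up as a finding, and bind_identity lets you see the exact UPN the server will receive when no packets are reaching port 389.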