[Koha] LDAP authentication

KL Nasveschuk klnasveschuk at klnconsulting.net
Wed Dec 14 04:26:10 NZDT 2005


On Tue, 2005-12-13 at 12:33 +0100, mourik jan c heupink wrote:
> Dear Kent,
> 
> I am no ldap expert at all, but I did notice in your Auth.pm:
> 
This works though. I also used cn instead of uid. When I put the LDAP
server in debug it returns the correct user and all attributes.

>                 my $userdnsearch = $db->search(base => "$name",
>                                 filter =>"(uid=$userid)",
>                                 );
> 
> maybe instead of "$name" it should say $name (without ") (that's what it 
> says in my version of the file, and I don't think we are meant to change 
> that...?)
> 

I'm using OpenLDAP 2.2.29 on Fedora Core 4.
 
> And a question to Paul Poulain: which ldap server are you using? I'm on 
> openldap, and things don't work... Koha says the users's password is 
> wrong, where I am pretty sure that it *IS* the right password.
> 
Password encryption is where I think Auth.pm falls down. This entry

my $cmpmesg = $db->compare($userldapentry, attr => 'userPassword',
                           value => $password);

seems to compare a password encrypted by another method to what is in
LDAP. In my case passwords are encrypted using a couple different
methods. Here's a typical password entry in LDAP as attribute
userPassword:

{SMD5}KjuP+wOsUoBqpDSv3zOeH/+1XmY=
{MD5}tNsHZEz+OsGo5TKotec1Hg==

Mjg2Ymx1ZTZn

These are all the same password. The SMD5 and MD5 ones don't work in
Koha; the bottom one does. The bottom password was uploaded to LDAP using
ldapmodify, as clear text. OpenLDAP must have a default method for
encryption.

I (we) have to figure out a way for the code to try other methods. I'm
not very well versed in Perl and will have to seek help to get this to
work.


> Could there be differences in password encryption between various 
> ldap servers..?

You can store an encrypted password in any form in LDAP. LDAP doesn't
care.

Kent N
  
> 
> Kind regards!
> 
> Mourik Jan
> 
> 
> 
> KL Nasveschuk wrote:
> > Hello,
> > The query to LDAP works correctly. I put the ldap server in debug (slapd
> > -d 3) and watch what transpires. In debug mode ldap returns all
> > attributes for a user on search (error and output goes to screen).
> >
> > If I put in a bogus uid it returns:
> > bdb_search: no candidates
> >  
> > Cn or uid works, I guess it just matters what is being indexed in LDAP.
> >
> > I can't determine what is happening on the Koha side. Any suggestions on
> > how to better debug the Perl side (from anyone)? Just wondering if
> > Perl is using one password hashing algorithm which is not the same as
> > what is in LDAP.
> >
> > Ex. of LDAP attribute stored in userPassword:
> >
> > SMD5}ox3RAPB79VIHB+KZZw+dpxKIx3A
> >
> > Kent N
> >
> >
> > On Mon, 2005-12-12 at 16:46 +0100, Paul POULAIN wrote:
> >   
> >> KL Nasveschuk wrote:
> >>     
> >>> Hello,
> >>>
> >>> I'm still trying to get LDAP authentication to work on Koha. I've
> >>> modified Auth.pm with the following:
> >>>
> >>>  ##################################################
> >>>         ### LOCAL
> >>>         ### Change the code below to match your own LDAP server.
> >>>         ##################################################
> >>>         # LDAP connection parameters
> >>>         my $ldapserver = '172.16.0.24';
> >>>         # Info for an anonymous bind
> >>>         my $ldapinfos = 'ou=users,dc=tow,dc=net ';
> >>>         my $name  = "ou=users,dc=tow,dc=net";
> >>>         my $db = Net::LDAP->new( $ldapserver );
> >>>
> >>>         # do an anonymous bind
> >>>         my $res =$db->bind();
> >>>         # check connection
> >>>         if($res->code) {
> >>>                 # auth refused
> >>>                 warn "LDAP Auth impossible : server not responding";
> >>>                 return 0;
> >>>         # search user
> >>>         } else {
> >>>       
> >> this log
> >>  > [Mon Dec 12 12:04:36 2005] [error] [client 172.16.60.186] LDAP Auth
> >>  > impossible : user unknown in LDAP
> >>  > at /usr/local/koha/intranet/modules/C4/Auth.pm line 464.
> >>
> >> means you have an error in the following code:
> >>
> >>     
> >>>                 my $userdnsearch = $db->search(base => "$name",
> >>>                                 filter =>"(uid=$userid)",
> >>>                                 );
> >>>                 if($userdnsearch->code || ! ( $userdnsearch-> count eq
> >>> 1 ) ) {
> >>>                         warn "LDAP Auth impossible : user unknown in
> >>> LDAP";
> >>>                         return 0;
> >>>                 };
> >>>       
> >> That means:
> >> * connection was successful (otherwise, you would have LDAP Auth 
> >> impossible : server not responding). Good news ;-)
> >> * the LDAP search failed. Meaning: uid=$userid is probably not what you 
> >> had to do. The query you have to do depends on your LDAP structure, I 
> >> can't help you more.
> >>
> >> just another hint. Change to :
> >>   warn "LDAP Auth impossible : user unknown in LDAP for $userid";
> >> to see which value is in $userid!
> >>
> >> That could help you.
> >>
> >> HTH
> >>
> >> Anyway, I can assure you I have 1 (and soon 2) libraries using LDAP 
> >> auth. Quite tricky to tune, but works fine when it's done!
> >>
> >> Just one reminder: the member record is created in Koha when the user 
> >> logs in to the OPAC. So you MUST request all your users to log in at least 
> >> once. That's a good solution to show you now "have the great free ILS 
> >> called Koha" & show what it can do.
> >>
> >>     
> >
> > _______________________________________________
> > Koha mailing list
> > Koha at lists.katipo.co.nz
> > http://lists.katipo.co.nz/mailman/listinfo/koha
> 
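An added example, not code from this thread or from Koha: a Python verifier for the userPassword formats discussed above ({MD5}, {SMD5}, {SHA}, {SSHA} and unprefixed clear text), which shows why a plain string compare only succeeds for the clear-text entry. The `check_password` and `make_entry` names are hypothetical, and the entries built in the test are constructed data, not the thread's values.

```python
import base64
import binascii
import hashlib
import hmac
import os

# RFC 2307 style schemes as slapd stores them: "{SCHEME}base64(digest[+salt])".
HASHERS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
           "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}


def check_password(password: str, stored: str) -> bool:
    """Return True if the clear-text password matches a userPassword value."""
    if not stored.startswith("{"):
        # No scheme prefix: the value is clear text, the only case in which
        # a naive string equality against the typed password succeeds.
        return hmac.compare_digest(stored.encode(), password.encode())
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in HASHERS:
        return False  # e.g. {CRYPT}: not handled by this helper
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed value; treat as no match
    digest_len = HASHERS[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (scheme not in SALTED and salt):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    # Salted schemes hash password||salt and append the salt to the digest.
    computed = HASHERS[scheme](password.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_entry(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build a userPassword value in the given scheme (constructed test data)."""
    scheme = scheme.upper()
    if scheme in SALTED and not salt:
        salt = os.urandom(4)
    digest = HASHERS[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
```

In a deployment the simpler route is to bind to the directory as the DN found by the search, using the password the user typed, so slapd performs this comparison with whatever scheme it stored. Note also that LDIF tools print userPassword base64-encoded after `::`, which is what the unprefixed third value above is.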