[Koha] LDAP authentication

KL Nasveschuk klnasveschuk at klnconsulting.net
Thu Dec 15 03:56:02 NZDT 2005


Hi,

I believe I have a solution that will make this work. An anonymous bind
to LDAP requires us to compare passwords by retrieving the password and then
comparing it to what the user has supplied. If passwords stored in LDAP are
hashed using different mechanisms, the burden of determining which
mechanism is used is on the Koha application. I changed the code in
Auth.pm a little so that bind() uses the person's DN and password. The
burden of which password hash is used is then on LDAP and not Koha.

Between the LOCAL markers in Auth.pm:

	##################################################
	### LOCAL
	### Change the code below to match your own LDAP server.
	##################################################
	# LDAP connection parameters
	# (Net::LDAP::Util supplies the escaping helpers used below)
	use Net::LDAP;
	use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

	# LDAP server
	my $ldapserver = '172.16.0.24';

	# Base DN for users
	my $name  = "ou=users,dc=tow,dc=net";

	# Never bind with an empty password: some directory servers treat
	# "DN + empty password" as an anonymous bind and return LDAP_SUCCESS,
	# which would log anyone in as $userid.
	return 0 unless defined $password && length $password;

	# Bind uses the user's full DN, if uid doesn't work try "cn".
	# The userid is escaped so it cannot alter the DN or the search filter.
	my $safeuserid = escape_dn_value($userid);
#	my $binddn = "cn=$safeuserid,$name";
	my $binddn = "uid=$safeuserid,$name";

	my $db = Net::LDAP->new( $ldapserver );
	unless ($db) {
		warn "LDAP Auth failed: cannot connect to $ldapserver ($@)";
		return 0;
	}

	# do bind as the user: the server checks the stored hash ({MD5},
	# {SMD5}, ...), so Koha never has to know which scheme is in use
	my $res = $db->bind(
			dn       => $binddn,
			password => $password);

	# check the result, any code other than LDAP_SUCCESS (0) is a problem
	if ($res->code != 0) {
		# auth refused
		warn "LDAP Auth failed: server not responding or wrong user/password combination (" . $res->error . ")";
		return 0;
	} else {
		# search user
		my $userdnsearch = $db->search(base   => $name,
				filter => "(cn=" . escape_filter_value($userid) . ")",
				);
		my $userldapentry = $userdnsearch->shift_entry;
		unless ($userldapentry) {
			warn "LDAP Auth: bind succeeded but no entry found for $userid under $name";
			return 0;
		}

		# build LDAP hash: attribute name => values joined with spaces
		# (Net::LDAP::Entry accessors instead of walking the raw ASN.1
		# structure, whose hash key order is not guaranteed)
		my %memberhash;
		foreach my $attr ($userldapentry->attributes) {
			$memberhash{$attr} = join(" ", $userldapentry->get_value($attr)) . " ";
		}
		#
		# BUILD %borrower to CREATE or MODIFY BORROWER
		# change $memberhash{'xxx'} to fit your ldap structure.
		# check twice that mandatory fields are correctly filled
		#
		my %borrower;
		$borrower{cardnumber} = $userid;
		$borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
		$borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
		$borrower{initials} = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # MANDATORY FIELD
		$borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
		$borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
		$borrower{phone} = $memberhash{homePhone}." "; # MANDATORY FIELD
		$borrower{branchcode} = $memberhash{businessCategory}; # MANDATORY FIELD
		$borrower{emailaddress} = $memberhash{mail};
		$borrower{categorycode} = $memberhash{employeeType};
	##################################################
	### /LOCAL
	### No change needed after this line (unless there's a bug ;-) )
	##################################################

This works for passwords stored in LDAP that use MD5 or SMD5. I imagine
it will work for other hashing mechanisms also.

Kent N
  
On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
> mourik jan c heupink wrote:
> > Dear Kent and list,
> > 
> >>I'm using OpenLDAP 2.2.29 on Fedora Core 4.
> >>  
> >>
> > I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
> > 
> >>>And a question to Paul Poulain: which ldap server are you using? I'm on 
> >>>openldap, and things don't work... Koha says the user's password is 
> >>>wrong, where I am pretty sure that it *IS* the right password.
> >>>
> >>>    
> >>>
> >>Password encryption is where I think Auth.pm falls down. This entry
> >>
> >>These are all the same password. The SMD5 and MD5 ones don't work in Koha;
> >>the bottom one does. The bottom password was uploaded to LDAP using
> >>ldapmodify, as clear text. OpenLDAP must have a default method for
> >>encryption.
> >>
> >>I, (we) have to figure a way for the code to try other methods. I'm not
> >>very well versed in Perl and will have to seek help to get this to
> >>work. 
> 
> I'm quite good in Perl, but a dummy in LDAP.
> I just can say that Auth_with_ldap.pm works for sure in Ecole des Mines 
> de Nantes, as I've set it up with the code I've committed.
> I think, but am not sure, that it's LDAP too, on Solaris.
> 
> I don't know the structure of the directory, I just used the query the 
> system admin gave me.
> 
> Sorry, but you'll have to investigate...
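The hashing burden the thread describes, Koha fetching a userPassword value and comparing it itself, shown in code as an added example that is not part of these messages or of Koha: a verifier for RFC 2307 userPassword values in the {MD5}, {SMD5}, {SHA}, {SSHA} and cleartext forms, written in Python rather than Perl. The stored sample values are constructed with make_userpassword (it mirrors the slappasswd output format); every further scheme a directory may use is one more branch the application has to carry, which is exactly what a bind() as the user hands back to the server.

```python
import base64
import binascii
import hashlib
import hmac

# Scheme name -> hashlib algorithm. Salted schemes store digest || salt.
UNSALTED = {"MD5": "md5", "SHA": "sha1"}
SALTED = {"SMD5": "md5", "SSHA": "sha1"}


def make_userpassword(scheme, password, salt=b""):
    """Build a stored value in the form slappasswd -h {SCHEME} emits.
    Used here only to construct sample directory data for the demo."""
    pw = password.encode()
    if scheme in UNSALTED:
        raw = hashlib.new(UNSALTED[scheme], pw).digest()
    elif scheme in SALTED:
        raw = hashlib.new(SALTED[scheme], pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def verify_userpassword(stored, candidate):
    """Compare candidate against an RFC 2307 userPassword value.
    True/False when the scheme is understood, None when it is not (e.g.
    {CRYPT}): the application cannot decide and must reject or grow
    yet another branch, the burden a bind() as the user removes."""
    pw = candidate.encode()
    if not stored.startswith("{"):
        # No scheme prefix: the directory stored exactly what ldapmodify sent
        # (cleartext), which is why only that entry matched a literal compare.
        return hmac.compare_digest(stored.encode(), pw)
    scheme, _, blob = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in UNSALTED and scheme not in SALTED:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False  # a malformed stored value can never match
    if scheme in UNSALTED:
        return hmac.compare_digest(raw, hashlib.new(UNSALTED[scheme], pw).digest())
    algo = SALTED[scheme]
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]  # the salt follows the digest
    return hmac.compare_digest(digest, hashlib.new(algo, pw + salt).digest())
```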


