[Koha] LDAP authentication

mourik jan c heupink heupink at intech.unu.edu
Fri Dec 16 00:56:45 NZDT 2005


Dear Kent and list,

I'm not sure if this last mail was only meant to go to me personally... 
(as you say: Can ANYONE shed some light on this)

Anyway, I have tried your code, and it works beautifully.

Could you indicate the required steps to generate the errors you talk
about? (I've clicked my way through various menus, and no errors so far...)

Kind regards,
Mourik Jan

KL Nasveschuk wrote:
> This works but fixed one problem and created another problem. Modifying
> "Auth.pm" for LDAP has caused some of the scripts to fail with the error:
>
> [Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use
> string ("0")  as a HASH ref while "strict refs" in use
> at /usr/local/koha/intranet/modules/C4/Auth.pm line 143., referer:
> http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
>
> So if I go to opac-main.pl and comment out "use strict;" the script
> runs.
>
> Can anyone shed some light on this? I've been up and down Auth.pm and I
> think I only changed what was between ##LOCAL /LOCAL## to get LDAP to
> work.
>
>
>
> Kent N
>
> On Wed, 2005-12-14 at 19:54 +0100, mourik jan c heupink wrote:
>   
>> I will try it tomorrow, and give feedback to the list.
>>
>> This solution looks better to me, because also, as far as I understand
>> things, the old solution will not work when your slapd.conf contains:
>>
>> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>>       by self write
>>       by anonymous auth
>>       by * none
>> access to *
>>       by * read
>>
>> Anyway, kind regards!
>>
>> Mourik Jan
>>
>>  KL Nasveschuk wrote:
>>     
>>> Hi,
>>>
>>> I believe I have a solution that will make this work. An anonymous bind
>>> to LDAP requires us to compare passwords by retrieving the password then
>>> comparing to what the user has supplied. If passwords stored in LDAP are
>>> hashed using different mechanisms, the burden of determining what
>>> mechanism is used is on the Koha application. I changed the code in
>>> Auth.pm a little so that bind() uses the person's DN and password. The
>>> burden of what password hash is used is on LDAP and not Koha.
>>>
>>> Between the LOCAL markers in Auth.pm:
>>> 	##################################################
>>> 	### LOCAL
>>> 	### Change the code below to match your own LDAP server.
>>> 	##################################################
>>> 	# LDAP connection parameters
>>>
>>> 	# LDAP server
>>> 	my $ldapserver = '172.16.0.24';
>>>
>>> 	# Base DN for users
>>> 	my $name  = "ou=users,dc=tow,dc=net";
>>>
>>> 	# Bind uses the user's full DN; if uid doesn't work, try "cn"
>>> #	my $binddn = "cn=$userid,$name";
>>> 	my $binddn = "uid=$userid,$name";
>>>
>>> 	my $db = Net::LDAP->new( $ldapserver );
>>>
>>> 	# do bind
>>> 	my $res = $db->bind(
>>> 			dn	=> $binddn,
>>> 			password => $password);
>>>
>>> 	# check the bind result; any code other than LDAP_SUCCESS (0)
>>> 	# is a problem
>>> 	if ($res->code != 0) {
>>> 		# auth refused
>>> 		warn "LDAP Auth failed: server not responding or wrong user/password combination";
>>> 		return 0;
>>> 	# search user
>>> 	} else {
>>>
>>> 		# the filter attribute must name the same entry as $binddn
>>> 		# (use uid here too if cn differs from uid in your directory)
>>> 		my $userdnsearch = $db->search(base => "$name",
>>> 				filter => "(cn=$userid)",
>>> 				);
>>> 		my $userldapentry = $userdnsearch->shift_entry;
>>>
>>> 		# build LDAP hash: attribute type => space-separated values
>>> 		# (walks the decoded ASN.1 of the entry; each element is
>>> 		#  { type => 'sn', vals => [ ... ] })
>>> 		my %memberhash;
>>> 		my $x = $userldapentry->{asn}{attributes};
>>> 		foreach my $attr ( @$x ) {
>>> 			my $key = $attr->{type};
>>> 			foreach my $v ( @{ $attr->{vals} } ) {
>>> 				$memberhash{$key} .= $v." ";
>>> 			}
>>> 		}
>>> 		#
>>> 		# BUILD %borrower to CREATE or MODIFY BORROWER
>>> 		# change $memberhash{'xxx'} to fit your ldap structure.
>>> 		# check twice that mandatory fields are correctly filled
>>> 		#
>>> 		my %borrower;
>>> 		$borrower{cardnumber} = $userid;
>>> 		$borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
>>> 		$borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
>>> 		$borrower{initials} = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # MANDATORY FIELD
>>> 		$borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
>>> 		$borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
>>> 		$borrower{phone} = $memberhash{homePhone}." "; # MANDATORY FIELD
>>> 		$borrower{branchcode} = $memberhash{businessCategory}; # MANDATORY FIELD
>>> 		$borrower{emailaddress} = $memberhash{mail};
>>> 		$borrower{categorycode} = $memberhash{employeeType};
>>> 	##################################################
>>> 	### /LOCAL
>>> 	### No change needed after this line (unless there's a bug ;-) )
>>> 	##################################################
>>>
>>> This works for passwords stored in LDAP that use MD5 or SMD5. I imagine
>>> it will work for other hashing mechanisms also.
>>>
>>> Kent N
>>>
>>> On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
>>>
>>>> mourik jan c heupink wrote:
>>>>
>>>>> Dear Kent and list,
>>>>>
>>>>>> I'm using OpenLDAP 2.2.29 on Fedora Core 4.
>>>>>>
>>>>> I'm on SuSE Linux Enterprise Server 9, with OpenLDAP 2.2.24
>>>>>
>>>>>>> And a question to Paul Poulain: which LDAP server are you using? I'm on
>>>>>>> OpenLDAP, and things don't work... Koha says the user's password is
>>>>>>> wrong, where I am pretty sure that it *IS* the right password.
>>>>>>>
>>>>>> Password encryption is where I think Auth.pm falls down. This entry
>>>>>>
>>>>>> These are all the same password. The SMD5 and MD5 ones don't work in
>>>>>> Koha; the bottom one does. The bottom password was uploaded to LDAP using
>>>>>> ldapmodify, as clear text. OpenLDAP must have a default method for
>>>>>> encryption.
>>>>>>
>>>>>> I (we) have to figure out a way for the code to try other methods. I'm not
>>>>>> very well versed in Perl and will have to seek help to get this to
>>>>>> work.
>>>>>>
>>>> I'm quite good at Perl, but a dummy at LDAP.
>>>> I can just say that Auth_with_ldap.pm works for sure at Ecole des Mines
>>>> de Nantes, as I've set it up with the code I've committed.
>>>> I think, but am not sure, that it's LDAP too, on Solaris.
>>>>
>>>> I don't know the structure of the directory, I just used the query the
>>>> system admin gave me.
>>>>
>>>> Sorry, but you'll have to investigate...
>>>>
>>> _______________________________________________
>>> Koha mailing list
>>> Koha at lists.katipo.co.nz
>>> http://lists.katipo.co.nz/mailman/listinfo/koha
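
A hardened version of the bind-as-user LOCAL block discussed in this thread, added here as an example; it is not code from the thread, from Kent, or from Koha's Auth.pm. It assumes the same server address, base DN and attribute names Kent used, and its function name, the TLS CA file path and its return convention (a borrower hash ref on success, nothing on failure) are this example's own choices, so whatever calls it in Auth.pm has to be adapted to that. Two points it adds to the posted code: an LDAP simple bind with an empty password is an unauthenticated bind under RFC 4513 and succeeds on many servers, so the password must be checked for emptiness before bind() is ever called; and the user id is escaped before it is placed in the DN or the search filter. The bind approach also explains why it works with Mourik Jan's slapd.conf: `by anonymous auth` lets an anonymous client use userPassword only for authentication, never read it, so retrieve-and-compare fails while a bind with the user's own DN succeeds.

```perl
#!/usr/bin/perl
# Added example, not Koha's Auth.pm: authenticate a user by binding to
# LDAP with the user's own DN and password, then load the borrower
# attributes. Server, base DN and attribute names follow the thread;
# the function name, the TLS CA file path and the return convention
# (borrower hash ref on success, empty/undef on failure) are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $ldapserver = '172.16.0.24';                 # from the thread
my $base       = 'ou=users,dc=tow,dc=net';      # from the thread
my $uid_attr   = 'uid';                         # 'cn' if entries are named that way
my $ca_file    = '/etc/ssl/certs/ldap-ca.pem';  # placeholder path

sub ldap_checkpw {
    my ($userid, $password) = @_;

    # A simple bind with an empty password is an *unauthenticated* bind
    # (RFC 4513 section 5.1.2) and succeeds on many servers, so an empty
    # password must never reach bind(); bound the user id length as well.
    return unless defined $userid && length($userid) && length($userid) <= 256;
    return unless defined $password && length($password);

    # Never interpolate raw user input into a DN or a search filter.
    my $binddn = sprintf '%s=%s,%s', $uid_attr, escape_dn_value($userid), $base;
    my $filter = sprintf '(%s=%s)', $uid_attr, escape_filter_value($userid);

    my $ldap = Net::LDAP->new($ldapserver, timeout => 10)
        or do { warn "LDAP: cannot connect to $ldapserver: $@"; return };

    # A simple bind sends the password in clear text, so upgrade the
    # connection to TLS (with server certificate checking) first.
    my $tls = $ldap->start_tls(verify => 'require', cafile => $ca_file);
    if ($tls->code != LDAP_SUCCESS) {
        warn "LDAP: start_tls failed: " . $tls->error;
        $ldap->unbind;
        return;
    }

    # The server checks the password against whatever hash it stores;
    # Koha never sees the hash.
    my $res = $ldap->bind($binddn, password => $password);
    if ($res->code != LDAP_SUCCESS) {
        warn "LDAP: bind failed for user '$userid': " . $res->error;  # no password in logs
        $ldap->unbind;
        return;
    }

    # Look the entry up with the same attribute used in the DN, one
    # level below the base, and insist on exactly one match.
    my $search = $ldap->search(
        base   => $base,
        scope  => 'one',
        filter => $filter,
        attrs  => [qw(givenName sn homePostalAddress l homePhone
                      businessCategory mail employeeType)],
    );
    if ($search->code != LDAP_SUCCESS || $search->count != 1) {
        warn "LDAP: expected one entry for '$userid', got " . $search->count;
        $ldap->unbind;
        return;
    }
    my $entry = $search->entry(0);
    $ldap->unbind;

    # get_value in scalar context returns the first value of an attribute
    # (undef if absent); this replaces walking $entry->{asn}{attributes}.
    my %borrower = (
        cardnumber    => $userid,
        firstname     => scalar $entry->get_value('givenName'),
        surname       => scalar $entry->get_value('sn'),
        streetaddress => scalar $entry->get_value('homePostalAddress'),
        city          => scalar $entry->get_value('l'),
        phone         => scalar $entry->get_value('homePhone'),
        branchcode    => scalar $entry->get_value('businessCategory'),
        emailaddress  => scalar $entry->get_value('mail'),
        categorycode  => scalar $entry->get_value('employeeType'),
    );
    # Refuse to create a half-filled borrower record.
    for my $f (qw(firstname surname branchcode)) {
        next if defined $borrower{$f} && length $borrower{$f};
        warn "LDAP: entry for '$userid' lacks mandatory field $f";
        return;
    }
    $borrower{initials} = substr($borrower{firstname}, 0, 1)
                        . substr($borrower{surname}, 0, 1);
    return \%borrower;
}

# Stand-alone use: perl ldap_checkpw.pl USERID PASSWORD
unless (caller) {
    my $b = ldap_checkpw(@ARGV[0, 1]);
    print $b ? "authenticated: $b->{firstname} $b->{surname}\n"
             : "authentication failed\n";
}
```

The `scope => 'one'` search assumes user entries sit directly under the base DN, as the `uid=...,ou=users,dc=tow,dc=net` DN in the thread implies; a directory that nests users in sub-OUs needs `scope => 'sub'` and a bind DN found by a prior search. Returning an empty list rather than `0` is deliberate: a caller that dereferences the result as a hash sees `undef` and can test for it, instead of dying with the "Can't use string ("0") as a HASH ref" error Kent reports.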

