[Koha] LDAP authentication
mourik jan c heupink
heupink at intech.unu.edu
Fri Dec 16 01:01:27 NZDT 2005
Hi all,
I DO see the problem now...
Cheered too early...
Mourik Jan
mourik jan heupink wrote:
> Dear Kent and list,
>
> I'm not sure if this last mail was only meant to go to me
> personally... (as you say: Can ANYONE shed some light on this)
>
> Anyway, I have tried your code, and it works beautifully.
>
> Could you indicate the required steps to generate the errors you talk
> about? (I've clicked my way through various menus, and no errors so
> far..)
>
> Kind regards,
> Mourik Jan
>
> KL Nasveschuk wrote:
>> This works but fixed one problem and created another problem. Modifying
>> "Auth.pm" for LDAP has caused some of the scripts to fail with the error:
>>
>> [Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use
>> string ("0") as a HASH ref while "strict refs" in use
>> at /usr/local/koha/intranet/modules/C4 /Auth.pm line 143., referer:
>> http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
>>
>> So if I go to opac-main.pl and comment out "use strict;" the script
>> runs.
>>
>> Can anyone shed some light on this? I've been up and down Auth.pm and I
>> think I only changed what was between ##LOCAL /LOCAL## to get LDAP to
>> work.
>>
>>
>>
>> Kent N
>>
>> On Wed, 2005-12-14 at 19:54 +0100, mourik jan c heupink wrote:
>>
>>> I will try it tomorrow, and give feedback to the list.
>>>
>>> This solution looks better to me, because also, as far as I understand
>>> things, the old solution will not work when your slapd.conf contains:
>>>
>>> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>>> by self write
>>> by anonymous auth
>>> by * none
>>> access to *
>>> by * read
>>>
>>> Anyway, kind regards!
>>>
>>> Mourik Jan
>>>
>>> KL Nasveschuk wrote:
>>>
>>>> Hi,
>>>>
>>>> I believe I have a solution that will make this work. An anonymous
>>>> bind to LDAP requires us to compare passwords by retrieving the password
>>>> then comparing to what the user has supplied. If passwords stored in
>>>> LDAP are hashed using different mechanisms, the burden of determining what
>>>> mechanism is used is on the Koha application. I changed the code in
>>>> Auth.pm a little so that bind() uses the person's DN and password. The
>>>> burden of what password hash is used is on LDAP and not Koha.
>>>>
>>>> Between local in Auth.pm
>>>> ##################################################
>>>> ### LOCAL
>>>> ### Change the code below to match your own LDAP server.
>>>> ##################################################
>>>> # LDAP connection parameters
>>>>
>>>> use Net::LDAP;
>>>> use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
>>>>
>>>> # LDAP server
>>>> my $ldapserver = '172.16.0.24';
>>>>
>>>> # Base DN for users
>>>> my $name = "ou=users,dc=tow,dc=net";
>>>>
>>>> # Escape the user-supplied id before building a DN or a filter from it,
>>>> # so special characters cannot change the meaning of either.
>>>> my $safeid = escape_dn_value($userid);
>>>>
>>>> # Bind uses the user's full DN; if uid doesn't work try "cn"
>>>> # my $binddn = "cn=$safeid,$name";
>>>> my $binddn = "uid=$safeid,$name";
>>>>
>>>> # An empty password makes most servers treat the bind as anonymous
>>>> # (unauthenticated bind) and "succeed"; never let that count as a login.
>>>> unless ( defined $password && length $password ) {
>>>>     warn "LDAP Auth failed: empty password";
>>>>     return 0;
>>>> }
>>>>
>>>> my $db = Net::LDAP->new( $ldapserver );
>>>> unless ($db) {
>>>>     # new() returns undef (and sets $@) when the server can't be reached
>>>>     warn "LDAP Auth failed: server not responding: $@";
>>>>     return 0;
>>>> }
>>>>
>>>> # do bind as the user: the directory checks the password, whatever
>>>> # hash scheme it is stored with
>>>> my $res = $db->bind( dn => $binddn, password => $password );
>>>>
>>>> # check result: any code other than LDAP_SUCCESS (0) is a problem
>>>> if ( $res->code != 0 ) {
>>>>     # auth refused
>>>>     warn "LDAP Auth failed: wrong user/password combination: " . $res->error;
>>>>     return 0;
>>>> }
>>>>
>>>> # search user
>>>> my $userdnsearch = $db->search(
>>>>     base   => $name,
>>>>     filter => "(cn=" . escape_filter_value($userid) . ")",
>>>> );
>>>> my $userldapentry = $userdnsearch->shift_entry;
>>>> unless ($userldapentry) {
>>>>     warn "LDAP Auth: bind succeeded but no entry found for $userid";
>>>>     return 0;
>>>> }
>>>>
>>>> # build LDAP hash: attribute name => space-separated values
>>>> # (uses the public Net::LDAP::Entry accessors instead of the
>>>> # internal {asn}{attributes} structure)
>>>> my %memberhash;
>>>> foreach my $attr ( $userldapentry->attributes ) {
>>>>     $memberhash{$attr} = join( ' ', $userldapentry->get_value($attr) ) . ' ';
>>>> }
>>>> #
>>>> # BUILD %borrower to CREATE or MODIFY BORROWER
>>>> # change $memberhash{'xxx'} to fit your ldap structure.
>>>> # check twice that mandatory fields are correctly filled
>>>> #
>>>> my %borrower;
>>>> $borrower{cardnumber}    = $userid;
>>>> $borrower{firstname}     = $memberhash{givenName};               # MANDATORY FIELD
>>>> $borrower{surname}       = $memberhash{sn};                      # MANDATORY FIELD
>>>> $borrower{initials}      = substr( $borrower{firstname}, 0, 1 )
>>>>                          . substr( $borrower{surname}, 0, 1 ) . " "; # MANDATORY FIELD
>>>> $borrower{streetaddress} = $memberhash{homePostalAddress} . " "; # MANDATORY FIELD
>>>> $borrower{city}          = $memberhash{l} . " ";                 # MANDATORY FIELD
>>>> $borrower{phone}         = $memberhash{homePhone} . " ";         # MANDATORY FIELD
>>>> $borrower{branchcode}    = $memberhash{businessCategory};        # MANDATORY FIELD
>>>> $borrower{emailaddress}  = $memberhash{mail};
>>>> $borrower{categorycode}  = $memberhash{employeeType};
>>>> ##################################################
>>>> ### /LOCAL
>>>> ### No change needed after this line (unless there's a bug ;-) )
>>>> ##################################################
>>>>
>>>> This works for passwords stored in LDAP that use MD5 or SMD5. I
>>>> imagine it will work for other hashing mechanisms also.
>>>>
>>>> Kent N
>>>> On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
>>>>
>>>>> mourik jan c heupink wrote:
>>>>>
>>>>>> Dear Kent and list,
>>>>>>
>>>>>>
>>>>>>> I'm using OpenLDAP 2.2.29 on Fedora Core 4.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
>>>>>>
>>>>>>
>>>>>>>> And a question to Paul Poulain: which ldap server are you
>>>>>>>> using? I'm on openldap, and things don't work... Koha says the
>>>>>>>> user's password is wrong, where I am pretty sure that it *IS*
>>>>>>>> the right password.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Password encryption is where I think Auth.pm falls down. This entry
>>>>>>>
>>>>>>> These are all the same password. The SMD5, MD5 doesn't work in
>>>>>>> Koha; the bottom one does. The bottom password was uploaded to LDAP using
>>>>>>> ldapmodify, as clear text. OpenLDAP must have a default method for
>>>>>>> encryption.
>>>>>>>
>>>>>>> I (we) have to figure a way for the code to try other methods.
>>>>>>> I'm not very well versed in Perl and will have to seek help to get this to
>>>>>>> work.
>>>>> I'm quite good in Perl, but a dummy in LDAP.
>>>>> I just can say that Auth_with_ldap.pm works for sure in Ecole des
>>>>> Mines de Nantes, as I've set it up with the code I've committed.
>>>>> I think, but am not sure, that it's LDAP too, on Solaris.
>>>>>
>>>>> I don't know the structure of the directory, I just used the query
>>>>> the system admin gave me.
>>>>>
>>>>> Sorry, but you'll have to investigate...
>>>>>
>>>> _______________________________________________
>>>> Koha mailing list
>>>> Koha at lists.katipo.co.nz
>>>> http://lists.katipo.co.nz/mailman/listinfo/koha
>>>>
>>
>>
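As an added example (not code from the thread, from Koha or from OpenLDAP), here is the job Kent's note says the anonymous-bind-plus-compare approach pushes onto the application: recognising the RFC 2307 userPassword schemes slapd commonly stores ({MD5}, {SMD5}, {SSHA}, {SHA}, cleartext) and verifying a candidate against them, using constructed sample values. Binding as the user's own DN leaves all of this to the directory, which is the point of his change; the verifier below also refuses schemes it does not know rather than guessing.

```python
import base64
import hashlib
import hmac

# Hash function and digest length per RFC 2307 scheme name; the salted
# variants ({SMD5}, {SSHA}) store digest followed by salt in the base64 payload.
_SCHEMES = {"MD5": (hashlib.md5, 16), "SHA": (hashlib.sha1, 20)}


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def encode_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value the way slapd stores it (used to construct samples)."""
    if scheme == "CLEARTEXT":
        return password
    salted = scheme in ("SMD5", "SSHA")
    fn, _ = _SCHEMES[scheme[1:] if salted else scheme]
    digest = fn(password.encode("utf-8") + (salt if salted else b"")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + (salt if salted else b"")).decode())


def verify_userpassword(stored: str, password: str) -> bool:
    """True only if password matches stored; unknown or malformed values are rejected."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    salted = scheme in ("SMD5", "SSHA")
    base = scheme[1:] if salted else scheme
    if base not in _SCHEMES:
        return False  # e.g. {CRYPT}: the application does not know this scheme
    fn, digest_len = _SCHEMES[base]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    if not salted and salt:
        return False  # trailing bytes after an unsalted digest: malformed
    return hmac.compare_digest(digest, fn(pw + salt).digest())


# Constructed samples (not the thread's entries): one password stored three ways,
# as in Kent's comparison of SMD5, MD5 and a cleartext upload.
SAMPLES = [
    encode_userpassword("SMD5", "koha-demo", b"\x9a\x1b\x2c\x3d"),
    encode_userpassword("MD5", "koha-demo"),
    encode_userpassword("CLEARTEXT", "koha-demo"),
]
```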