[Koha] LDAP authentication

mourik jan c heupink heupink at intech.unu.edu
Sat Dec 17 00:18:34 NZDT 2005


Dear Kent,

I just realised that there is a koha-developer list as well. Maybe you 
should ask there..?
Because this seems to be development related, and as there haven't been 
many responses to this thread...

Have a nice weekend!

Mourik Jan

KL Nasveschuk wrote:
> Mourik,
>
> That's why I asked if anyone could shed some light on it. The errors come
> from the scripts that say "use strict;".
>
> Below is a typical error message where "use strict;" is not commented
> out:
>
> [Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use
> string ("0") as a HASH ref while "strict refs" in use
> at /usr/local/koha/intranet/modules/C4/Auth.pm line 143., referer:
> http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
>
> When I run into the problem I check either the opac-error_log or
> koha-error_log and comment out "use strict;".
>
> Kent N
>
>
> On Thu, 2005-12-15 at 13:01 +0100, mourik jan c heupink wrote:
>> Hi all,
>>
>> I DO see the problem now...
>>
>> Cheered too early...
>>
>> Mourik Jan
>>
>> mourik jan heupink wrote:
>>> Dear Kent and list,
>>>
>>> I'm not sure if this last mail was only meant to go to me 
>>> personally... (as you say: Can ANYONE shed some light on this)
>>>
>>> Anyway, I have tried your code, and it works beautifully.
>>>
>>> Could you indicate the required steps to generate the errors you talk 
>>> about? (I've clicked my way through various menus, and no errors so 
>>> far..)
>>>
>>> Kind regards,
>>> Mourik Jan
>>>
>>> KL Nasveschuk wrote:
>>>> This works but fixed one problem and created another problem. Modifying
>>>> "Auth.pm" for LDAP has caused some of the scripts to fail with the error:
>>>>
>>>> [Wed Dec 14 14:37:45 2005] [error] [client 172.16.56.200] Can't use
>>>> string ("0") as a HASH ref while "strict refs" in use
>>>> at /usr/local/koha/intranet/modules/C4/Auth.pm line 143., referer:
>>>> http://172.16.60.186:8000/cgi-bin/koha/opac-main.pl
>>>>
>>>> So if I go to opac-main.pl and comment out "use strict;" the script
>>>> runs.
>>>>
>>>> Can anyone shed some light on this? I've been up and down Auth.pm and I
>>>> think I only changed what was between ##LOCAL /LOCAL## to get LDAP to
>>>> work.
>>>>
>>>>
>>>>
>>>> Kent N
>>>>
>>>> On Wed, 2005-12-14 at 19:54 +0100, mourik jan c heupink wrote:
>>>>> I will try it tomorrow, and give feedback to the list.
>>>>>
>>>>> This solution looks better to me, because, as far as I understand 
>>>>> things, the old solution will not work when your slapd.conf contains:
>>>>>
>>>>> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>>>>>       by self write
>>>>>       by anonymous auth
>>>>>       by * none
>>>>> access to *
>>>>>       by * read
>>>>>
>>>>> Anyway, kind regards!
>>>>>
>>>>> Mourik Jan
>>>>>
>>>>>  KL Nasveschuk wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I believe I have a solution that will make this work. An anonymous 
>>>>>> bind
>>>>>> to LDAP requires us to compare passwords by retrieving the password 
>>>>>> then
>>>>>> comparing to what the user has supplied. If passwords stored in 
>>>>>> LDAP are
>>>>>> hashed using different mechanisms, the burden of determining what
>>>>>> mechanism is used is on the Koha application. I changed the 
>>>>>> code in
>>>>>> Auth.pm a little so that bind() uses the person's DN and password. The
>>>>>> burden of what password hash is used is on LDAP and not Koha.
>>>>>>
>>>>>> Between local in Auth.pm 
>>>>>>     ##################################################
>>>>>>     ### LOCAL
>>>>>>     ### Change the code below to match your own LDAP server.
>>>>>>     ##################################################
>>>>>>     # LDAP connexion parameters
>>>>>>
>>>>>>     # LDAP server
>>>>>>     my $ldapserver = '172.16.0.24';
>>>>>>
>>>>>>     # Base DN for users
>>>>>>     my $name  = "ou=users,dc=tow,dc=net";
>>>>>>
>>>>>>     # Bind uses the users full DN, if uid doesn't work try "cn"
>>>>>> #    my $binddn = "cn=$userid,$name";
>>>>>>     my $binddn = "uid=$userid,$name";
>>>>>>
>>>>>>     my $db = Net::LDAP->new( $ldapserver );
>>>>>>     
>>>>>>     # do bind
>>>>>>     my $res =$db->bind(
>>>>>>             dn    =>$binddn,
>>>>>>             password =>$password);
>>>>>>     
>>>>>>     # check connexion, anything other code than LDAP_SUCCESS (0)
>>>>>>     # is a problem
>>>>>>     if($res->code != 0 ) {
>>>>>>         # auth refused
>>>>>>         warn "LDAP Auth failed server not responding or wrong user password combination";
>>>>>>         return 0;
>>>>>>     # search user
>>>>>>     }else {
>>>>>>     
>>>>>>         my $userdnsearch = $db->search(base => "$name",
>>>>>>                 filter =>"(cn=$userid)",
>>>>>>                 );
>>>>>>         my $userldapentry=$userdnsearch -> shift_entry;
>>>>>>        
>>>>>>         # build LDAP hash
>>>>>>         my %memberhash;
>>>>>>         my $x =$userldapentry->{asn}{attributes};
>>>>>>         my $key;
>>>>>>         foreach my $k ( @$x) {
>>>>>>             foreach my $k2 (keys %$k) {
>>>>>>                 if ($k2 eq 'type') {
>>>>>>                     $key = $$k{$k2};
>>>>>>                 } else {
>>>>>>                     my $a = @$k{$k2};
>>>>>>                     foreach my $k3 (@$a) {
>>>>>>                         $memberhash{$key} .= $k3." ";
>>>>>>                     }
>>>>>>                 }
>>>>>>             }
>>>>>>         }
>>>>>>         #
>>>>>>         # BUILD %borrower to CREATE or MODIFY BORROWER
>>>>>>         # change $memberhash{'xxx'} to fit your ldap structure.
>>>>>>         # check twice that mandatory fields are correctly filled
>>>>>>         #
>>>>>>         my %borrower;
>>>>>>         $borrower{cardnumber} = $userid;
>>>>>>         $borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
>>>>>>         $borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
>>>>>>         $borrower{initials} = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # MANDATORY FIELD
>>>>>>         $borrower{streetaddress} = $memberhash{homePostalAddress}." "; # MANDATORY FIELD
>>>>>>         $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
>>>>>>         $borrower{phone} = $memberhash{homePhone}." "; # MANDATORY FIELD
>>>>>>         $borrower{branchcode} = $memberhash{businessCategory}; # MANDATORY FIELD
>>>>>>         $borrower{emailaddress} = $memberhash{mail};
>>>>>>         $borrower{categorycode} = $memberhash{employeeType};
>>>>>>     ##################################################
>>>>>>     ### /LOCAL
>>>>>>     ### No change needed after this line (unless there's a bug ;-) )
>>>>>>     ##################################################
>>>>>>
>>>>>> This works for passwords stored in LDAP that use MD5 or SMD5. I 
>>>>>> imagine
>>>>>> it will work for other hashing mechanisms also.
>>>>>>
>>>>>> Kent N
>>>>>> On Tue, 2005-12-13 at 17:22 +0100, Paul POULAIN wrote:
>>>>>>> mourik jan c heupink wrote:
>>>>>>>> Dear Kent and list,
>>>>>>>>
>>>>>>>>> I'm using OpenLDAP 2.2.29 on Fedora Core 4.
>>>>>>>> I'm on SuSE Linux Enterprise server 9, with OpenLDAP 2.2.24
>>>>>>>>
>>>>>>>>>> And a question to Paul Poulain: which ldap server are you 
>>>>>>>>>> using? I'm on openldap, and things don't work... Koha says the 
>>>>>>>>>> user's password is wrong, where I am pretty sure that it *IS* 
>>>>>>>>>> the right password.
>>>>>>>>>>
>>>>>>>>> Password encryption is where I think Auth.pm falls down. This entry
>>>>>>>>>
>>>>>>>>> These are all the same password. The SMD5 and MD5 ones don't work in 
>>>>>>>>> Koha; the
>>>>>>>>> bottom one does. The bottom password was uploaded to LDAP using
>>>>>>>>> ldapmodify, as clear text. OpenLDAP must have a default method for
>>>>>>>>> encryption.
>>>>>>>>>
>>>>>>>>> I, (we) have to figure a way for the code to try other methods. 
>>>>>>>>> I'm not
>>>>>>>>> very well versed in Perl and will have to seek help to get this to
>>>>>>>>> work.
>>>>>>> I'm quite good in Perl, but a dummy in LDAP.
>>>>>>> I just can say that Auth_with_ldap.pm works for sure in Ecole des 
>>>>>>> Mines de Nantes, as I've set it up with the code I've committed.
>>>>>>> I think, but am not sure, that it's LDAP too, on Solaris.
>>>>>>>
>>>>>>> I don't know the structure of the directory, I just used the query 
>>>>>>> the system admin gave me.
>>>>>>>
>>>>>>> Sorry, but you'll have to investigate...
>>>>>> _______________________________________________
>>>>>> Koha mailing list
>>>>>> Koha at lists.katipo.co.nz
>>>>>> http://lists.katipo.co.nz/mailman/listinfo/koha
>

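The bind-as-the-user authentication Kent describes, written out here as an added example (it is not Kent's patch or Koha's own Auth.pm) so that the failure path returns undef instead of 0, the value the quoted 'Can't use string ("0") as a HASH ref' error shows being dereferenced, and so that the user id is escaped before it is spliced into a DN and a search filter. The host, base DN and the attribute-to-field mapping are assumptions.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Bind as the user so the directory, not Koha, checks the password hash
# (this is what an ACL of "by anonymous auth" on userPassword allows).
# Returns a borrower hashref, or undef on any failure, so a caller that
# writes $borrower->{surname} under "use strict" never dereferences 0.
# $host, $base and the attribute names below are assumed values.
sub ldap_authenticate {
    my ($host, $base, $userid, $password) = @_;
    # Many servers treat a simple bind with an empty password as an
    # anonymous bind that "succeeds" for any DN; refuse it up front.
    return undef unless defined $password && length $password;
    return undef unless defined $userid   && length $userid;

    my $ldap = Net::LDAP->new($host) or return undef;
    # Escape the user-supplied id before building a DN and a filter from it.
    my $binddn = 'uid=' . escape_dn_value($userid) . ",$base";
    my $res = $ldap->bind($binddn, password => $password);
    if ($res->code != LDAP_SUCCESS) {
        warn "LDAP bind failed for $binddn: " . $res->error;
        $ldap->unbind;
        return undef;
    }
    my $search = $ldap->search(
        base   => $base,
        scope  => 'one',
        filter => '(uid=' . escape_filter_value($userid) . ')',
    );
    my $entry = $search->shift_entry;
    $ldap->unbind;
    return undef unless $entry;

    # Read attributes through the public Net::LDAP::Entry API rather than
    # the internal {asn}{attributes} layout; missing values become ''.
    my %map = (firstname => 'givenName', surname => 'sn', city => 'l',
               phone => 'homePhone', emailaddress => 'mail');
    my %borrower = (cardnumber => $userid);
    for my $field (keys %map) {
        my $val = $entry->get_value($map{$field});
        $borrower{$field} = defined $val ? $val : '';
    }
    $borrower{initials} = substr($borrower{firstname}, 0, 1)
                        . substr($borrower{surname}, 0, 1);
    return \%borrower;
}
```

A caller then tests `defined` on the result before touching any field, which is the check the "use strict" failures in this thread are missing.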
