[Koha] Koha authentication against existing LDAP directory

Ben Finney ben+koha at benfinney.id.au
Thu Jun 4 12:15:25 NZST 2009


Cab Vinton <bibliwho at gmail.com> writes:

> Can someone provide a newbie summary of what functionality LDAP + Koha
> is supposed to provide?

LDAP (Lightweight Directory Access Protocol) is a standard query
protocol into “directories” of information, where a directory is a
hierarchical organisation of information optimised for fast and flexible
query.

Such directories can, of course, be directories of people: they are
often used for providing a directory of people for various purposes,
including authentication.

> I gather it has something to do with authentication, but who's being
> authenticated for what?

LDAP authentication is normally done at login time by querying the LDAP
server and asking it to authenticate the user based on the login
credentials, in order to grant further access to the information in the
directory (this process is termed “binding to” the directory).

Koha 3.0 (and perhaps earlier) includes a feature for querying an LDAP
directory for the user account details when a user attempts to log in.

My messages have led to the conclusion that this is currently done in a
rather naive and insecure way: not using the standard LDAP-server-based
authentication, but instead using an access-all-accounts privileged
directory account to pull all the details across the connection and
perform authentication on the webserver
<URL:http://wiki.koha.org/doku.php?id=en:development:ldap>.

Future (currently-in-development) Koha code may, I'm told, have the
ability to use the correct authentication on the LDAP server, without a
need for insecure access to the LDAP accounts.

-- 
 \                            “Only the educated are free.” —Epictetus |
  `\                                                                   |
_o__)                                                                  |
Ben Finney
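The server-side authentication ("binding to" the directory as the user) that the reply above recommends, as an added example that is not part of the original post and not Koha's own code. It uses the standard Net::LDAP module; the directory URI, the base DN, the `uid`/`cn`/`mail` attribute names and the assumption that the directory allows an anonymous search for the user's DN are all placeholders for this illustration.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code: checking a login against an LDAP
# directory by binding as the user, so the directory server performs the
# authentication. Host, base DN and attribute names are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_URI = 'ldaps://ldap.example.org';        # placeholder host
my $BASE_DN  = 'ou=people,dc=example,dc=org';     # placeholder base DN

# Step 1: find the user's DN. This uses an anonymous bind, which many
# directories permit for a read-only search of public attributes; it is
# NOT an access-all-accounts service account.
sub find_user_dn {
    my ($ldap, $uid) = @_;
    my $mesg = $ldap->bind;                       # anonymous bind
    return undef if $mesg->code != LDAP_SUCCESS;
    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'one',
        # escape the login name so user input cannot alter the filter
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => ['1.1'],                        # DN only, no attributes
    );
    return undef if $mesg->code != LDAP_SUCCESS || $mesg->count != 1;
    return $mesg->entry(0)->dn;
}

# Step 2: bind as that DN with the password the user typed. Success means
# the directory itself verified the password; the webserver never sees
# stored password data and holds no privileged directory credential.
sub authenticate {
    my ($uid, $password) = @_;
    # Reject empty passwords up front: many servers treat a bind with an
    # empty password as an anonymous bind, which would "succeed".
    return 0 unless defined $password && length $password;

    my $ldap = Net::LDAP->new($LDAP_URI) or return 0;
    my $dn   = find_user_dn($ldap, $uid);
    unless (defined $dn) { $ldap->unbind; return 0; }

    my $mesg = $ldap->bind($dn, password => $password);
    my $ok   = ($mesg->code == LDAP_SUCCESS) ? 1 : 0;

    # While still bound as the user, read the attributes a borrower record
    # would need. Only what this user is allowed to see comes back, which
    # is exactly the access that binding to the directory grants.
    if ($ok) {
        my $me = $ldap->search(base   => $dn, scope => 'base',
                               filter => '(objectClass=*)',
                               attrs  => ['cn', 'mail']);
        if ($me->code == LDAP_SUCCESS && $me->count == 1) {
            my $e = $me->entry(0);
            printf "authenticated %s (%s)\n", $e->get_value('cn') // $uid,
                                              $e->get_value('mail') // '-';
        }
    }
    $ldap->unbind;
    return $ok;
}

# Usage: perl ldap_auth.pl <uid>   (the password is read from stdin)
if (!caller) {
    my $uid = shift @ARGV or die "usage: $0 <uid>\n";
    my $pw  = <STDIN>;
    chomp $pw if defined $pw;
    exit(authenticate($uid, $pw) ? 0 : 1);
}
```

The two-step shape (look up the DN, then bind as it) is the usual way to let the directory do the password check without the webserver ever holding a credential that can read every account; the contrast with the approach the reply criticises is that nothing but the user's own DN and password crosses the connection, and the only data fetched is what that user is entitled to read.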


