[Koha] Koha authentication against existing LDAP directory

Ben Finney ben+koha at benfinney.id.au
Tue Jun 9 01:06:10 NZST 2009


Galen Charlton <galen.charlton at liblime.com> writes:

> See the auth_by_bind configuration option description on the wiki page
> <http://wiki.koha.org/doku.php?id=en:development:ldap>. Note that this
> option is currently available in HEAD, but would be a candidate for
> backporting into 3.0.x.

Thanks for this. Okay, I have installed Koha from Git HEAD as of a few
days ago (rev ID a8bfa5ffc0695089669478817cc443cc6e009764) over the top
of the existing installation (which was Koha 3.0) and re-configured it.

The config file now contains the following relevant for LDAP:

=====
<config>
 …
 <useldapserver>1</useldapserver><!-- see C4::Auth_with_ldap for extra
 configs you must add if you want to turn this on -->
    <!-- LDAP SERVER (optional) -->
    <ldapserver id="ldapserver"  listenref="ldapserver">
        <hostname>trimserver-admin.lan</hostname>
        <base>ou=People,dc=lan</base>
        <replicate>1</replicate>       <!-- add new users from LDAP to Koha database -->
        <update>1</update>             <!-- update existing users in Koha database -->
        <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of
                                            password comparison, e.g., to use Active Directory -->
        <mapping>             <!-- match koha SQL field names to your LDAP record field names -->
            <firstname    is="givenname"      ></firstname>
            <surname      is="sn"             ></surname>
            <!-- <address      is="postaladdress"  ></address> -->
            <!-- <city         is="l"              >Athens, OH</city> -->
            <!-- <zipcode      is="postalcode"     ></zipcode> -->
            <branchcode   is="branch"         >MAIN</branchcode>
            <userid       is="uid"            ></userid>
            <password     is="userpassword"   ></password>
            <!-- <email        is="mail"           ></email> -->
            <categorycode is="employeetype"   >PT</categorycode>
            <!-- <phone        is="telephonenumber"></phone> -->
        </mapping>
    </ldapserver>
</config>
=====

When I connect from this machine using the following command, I get the
connection fine:

=====
$ ldapsearch -LLL "(uid=percy)" -x -D "uid=percy,ou=People,dc=lan" -W
dn: uid=percy,ou=People,dc=lan
cn: Percy
uid: percy
uidNumber: 1006
loginShell: /bin/sh
homeDirectory: /home/percy
gidNumber: 100
userPassword:: <omitted>
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
shadowLastChange: 14355
gecos: Percy
sn: Percy
=====

Yet when I try to give the same credentials via Koha, I get the message
“Error: Unauthorized user”. (This is at least different from before,
which tells me it actually is using the LDAP server for authentication
this time.)

How can I diagnose this further to see why correct LDAP account
credentials are not granting access via Koha?

-- 
 \     “No matter how far down the wrong road you've gone, turn back.” |
  `\                                                  —Turkish proverb |
_o__)                                                                  |
Ben Finney
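As an added diagnostic example (not part of the post or of Koha's own C4::Auth_with_ldap code): it parses the <mapping> from the config quoted above and the LDIF that ldapsearch returned, then reports which Koha fields the mapping can fill from this entry, which fall back to the default text in the config, which stay empty, and whether the entry DN has the uid=<uid>,<base> shape a bind by uid would use. It assumes that auth_by_bind forms the bind DN that way (the DN in the ldapsearch output has that shape); the userPassword value is a constructed placeholder, and only the Python standard library is used so it runs offline.

```python
import base64
import xml.etree.ElementTree as ET

# Copy of the <ldapserver> section of the koha-conf.xml quoted in the post (comments dropped).
LDAP_CONF = """<ldapserver><base>ou=People,dc=lan</base><mapping>
  <firstname    is="givenname"   ></firstname>
  <surname      is="sn"          ></surname>
  <branchcode   is="branch"      >MAIN</branchcode>
  <userid       is="uid"         ></userid>
  <password     is="userpassword"></password>
  <categorycode is="employeetype">PT</categorycode>
</mapping></ldapserver>"""

# Trimmed ldapsearch output from the post; the base64 userPassword is a constructed placeholder.
LDIF = """dn: uid=percy,ou=People,dc=lan
cn: Percy
uid: percy
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
objectClass: inetOrgPerson
sn: Percy"""

def parse_ldif(text):
    """Return {attribute (lowercased): [values]}; 'attr:: value' is LDIF's base64 form."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace") if rest.startswith(":") else rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry

def check_mapping(conf_xml, ldif):
    """Which Koha fields get a value from the entry, which use the config default, which stay empty."""
    root = ET.fromstring(conf_xml)
    entry = parse_ldif(ldif)
    # Assumption: a bind by uid uses uid=<uid>,<base>; check the entry's DN really has that shape.
    expected_dn = f"uid={entry.get('uid', [''])[0]},{root.findtext('base')}"
    report = {"dn_ok": entry.get("dn", [""])[0].lower() == expected_dn.lower(),
              "from_ldap": {}, "defaulted": {}, "empty": []}
    for field in root.find("mapping"):
        attr = field.get("is", "").lower()
        if attr in entry:  # never echo password material in a diagnostic report
            report["from_ldap"][field.tag] = "<present>" if field.tag == "password" else entry[attr][0]
        elif (field.text or "").strip():
            report["defaulted"][field.tag] = field.text.strip()
        else:
            report["empty"].append(field.tag)
    return report
```

Run `check_mapping(LDAP_CONF, LDIF)` against the LDIF of the account that fails to log in; fields listed under "empty" or "defaulted" are the ones the LDAP entry does not supply.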
