[Koha] Koha and LDAP: Password comparison fails

mourik jan heupink heupink at merit.unu.edu
Thu Aug 20 08:24:41 NZST 2015


Hi Uwe,

I'm not sure if it will help you, but we have never had much luck with 
the password compare routine, which koha seems to like.

I don't know any other ldap client that works like that. The usual way 
(and this one works perfectly here, using openldap and also samba4/AD) 
is: use <auth_by_bind>1</auth_by_bind>

Your principal_name would then be something like:

<principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>

Hopefully this helps you as well.

MJ

On 8/18/2015 14:35, uwe wrote:
> Hello,
>
> we have a Koha-Installation and would like to connect to our OpenLDAP
> -server, but I can't get it to work.
>
> First our Koha setup:
>
>> OS: debian wheezy
>> Koha: 3.20.02
>
> Connecting to ldap-server works fine but the password comparison fails
> with the following error (tested in the console but also fails in the
> web gui; also given password is correct):
>
>> root@biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl /usr/share/koha/opac/cgi-bin/opac/opac-user.pl userid=MY_MAIL_NAME@MY_ORG.org password=MY_PASSWORD. | head -5
>
>> Got 2 ldap mapkeys (  total  ): userid
>> Got 2 ldap mapkeys (populated): userid
>> Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
>> kohaversion : 3.2002000
>> ## checkpw - checking LDAP
>> LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME@MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
>> # This code is returned when a compare request completes and the attribute value given is not in the entry specified
>>
>> Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.
>
> Configuration in koha-conf.xml, see below. Our ldap-server uses SSHA as
> password scheme. Could this be the problem?
>
> How can I solve it? Can't find much useful when searching the internet for
> the problem.
>
> Thanks and best wishes
> Uwe
>
>> <useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
>>
>> <!-- LDAP SERVER (optional) -->
>>
>> <ldapserver id="ldapserver"  listenref="ldapserver">
>>          <hostname>MY_LDAP_SERVER</hostname>
>>          <base>ou=id,dc=MY_ORG,dc=org</base>
>>          <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
>>          <pass>MY_SECRET_PASSWORD</pass>  <!-- password, if not anonymous -->
>>          <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
>>          <update>0</update>  <!-- update existing users in Koha database -->
>>          <anonymous_bind>0</anonymous_bind>
>>          <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
>>          <!--<principal_name>%s@MY_ORG.org</principal_name>-->
>>          <mapping> <!-- match koha SQL field names to your LDAP record field names -->
>>                  <!--<firstname is="firstname"></firstname>
>>                  <surname is="surname"></surname>
>>                  <address is="postaladdress">hier</address>
>>                  <city is="l">Berlin</city>
>>                  <zipcode is="postalcode">1000</zipcode>
>>                  <branchcode is="businesscategory"></branchcode> -->
>>                  <userid is="uid"></userid>
>>                  <!--<password is="USER_PASSWORD"></password>
>>                  <email is="mail"></email>
>>                  <categorycode is="employeetype">PT</categorycode>
>>                  <phone is="telephonenumber">11111</phone>
>>                  <flags is="flags">2</flags> -->
>>          </mapping>
>> </ldapserver>
>
>
> (hint: some private data is anonymized with large letters)
>
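An added example (my own code, not Koha's and not from either mail) putting the two settings discussed in this thread side by side: it reads constructed koha-conf.xml fragments modelled on the one posted above, reports whether Koha would compare the password attribute or bind as the user, and builds the bind DN from the principal_name template with %s standing for the userid (uid=%s as the RDN is an assumption taken from the userid mapping). It also builds and verifies an OpenLDAP-style {SSHA} userPassword value, which makes visible why a plain equality test between the typed password and the stored hash can never succeed.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed koha-conf.xml fragments: the compare-mode block as posted in the
# thread, and the bind-mode variant the reply recommends (uid=%s is an assumption).
COMPARE_MODE_XML = """<ldapserver id="ldapserver">
  <hostname>MY_LDAP_SERVER</hostname>
  <base>ou=id,dc=MY_ORG,dc=org</base>
  <auth_by_bind>0</auth_by_bind>
  <mapping><userid is="uid"></userid></mapping>
</ldapserver>"""

BIND_MODE_XML = """<ldapserver id="ldapserver">
  <hostname>MY_LDAP_SERVER</hostname>
  <base>ou=id,dc=MY_ORG,dc=org</base>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>uid=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
</ldapserver>"""


def auth_plan(xml_text, userid):
    """Return ('bind', dn) or ('compare', search_base) for this ldapserver block."""
    cfg = ET.fromstring(xml_text)
    if cfg.findtext("auth_by_bind", "0").strip() == "1":
        template = cfg.findtext("principal_name") or "%s"
        # %s in principal_name is replaced by the userid; the directory then
        # verifies the password itself when Koha binds with this DN.
        return ("bind", template % userid)
    # compare mode: Koha looks the user up under <base> and asks the server
    # whether the password attribute holds the value that was typed.
    return ("compare", cfg.findtext("base"))


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Verify a plaintext against a stored {SSHA} value by re-hashing with its salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
```

In compare mode the service account also needs compare access to userPassword in the directory's ACLs, whereas in bind mode the user's own credentials are checked by the server and Koha never handles the stored value.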