[Koha] Koha and LDAP: Password comparison fails

mourik jan heupink heupink at merit.unu.edu
Fri Aug 21 20:36:05 NZST 2015


Hi,

I have no other clues, no. Must say I'm rather surprised to read that
auth by bind is no option for you. Are you sure? Why not?

MJ


On 08/20/2015 03:02 PM, uwe wrote:
> Hello,
> 
> On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
>> I'm not sure if it will help you, but we have never had much luck
>> with the password compare routine, which koha seems to like.
>>
>> I don't know any other ldap client that works like that. The usual
>> way (and this one works perfectly here, using openldap and also
>> samba4/AD) is: use <auth_by_bind>1</auth_by_bind>
>>
>> Your principal_name would then be something like:
>>
>> <principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
> 
> Thank you for your answer and hints, but unfortunately auth_by_bind seems
> to be no option for us.
> 
> Is there another way to solve the issue? 
> 
> Thanks in advance
> Uwe
> 
>> Hopefully this helps you as well.
>>
>> MJ
>>
>> On 8/18/2015 14:35, uwe wrote:
>>> Hello,
>>>
>>> we have a Koha installation and would like to connect it to our
>>> OpenLDAP server, but I can't get it to work.
>>>
>>> First our Koha setup:
>>>
>>>> OS: debian wheezy
>>>> Koha: 3.20.02
>>>
>>> Connecting to the LDAP server works fine, but the password comparison
>>> fails with the following error (tested in the console, but it also
>>> fails in the web GUI; the given password is correct):
>>>
>>>> root@biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl /usr/share/koha/opac/cgi-bin/opac/opac-user.pl userid=MY_MAIL_NAME@MY_ORG.org password=MY_PASSWORD. | head -5
>>>
>>>> Got 2 ldap mapkeys (  total  ): userid
>>>> Got 2 ldap mapkeys (populated): userid
>>>> Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
>>>> kohaversion : 3.2002000
>>>> ## checkpw - checking LDAP
>>>> LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME@MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
>>>> # This code is returned when a compare request completes and the attribute value given is not in the entry specified
>>>>
>>>> Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.
>>>
>>> Configuration in koha-conf.xml, see below. Our LDAP server uses
>>> SSHA as the password scheme. Could this be the problem?
>>>
>>> How can I solve it? I can't find much that is useful when searching
>>> the internet for the problem.
>>>
>>> Thanks and best wishes
>>> Uwe
>>>
>>>> <useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
>>>>
>>>> <!-- LDAP SERVER (optional) -->
>>>>
>>>> <ldapserver id="ldapserver"  listenref="ldapserver">
>>>>         <hostname>MY_LDAP_SERVER</hostname>
>>>>         <base>ou=id,dc=MY_ORG,dc=org</base>
>>>>         <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
>>>>         <pass>MY_SECRET_PASSWORD</pass>  <!-- password, if not anonymous -->
>>>>         <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
>>>>         <update>0</update>  <!-- update existing users in Koha database -->
>>>>         <anonymous_bind>0</anonymous_bind>
>>>>         <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
>>>>         <!--<principal_name>%s@MY_ORG.org</principal_name>-->
>>>>         <mapping> <!-- match koha SQL field names to your LDAP record field names -->
>>>>                 <!--<firstname is="firstname"></firstname>
>>>>                 <surname is="surname"></surname>
>>>>                 <address is="postaladdress">hier</address>
>>>>                 <city is="l">Berlin</city>
>>>>                 <zipcode is="postalcode">1000</zipcode>
>>>>                 <branchcode is="businesscategory"></branchcode> -->
>>>>                 <userid is="uid"></userid>
>>>>                 <!--<password is="USER_PASSWORD"></password>
>>>>                 <email is="mail"></email>
>>>>                 <categorycode is="employeetype">PT</categorycode>
>>>>                 <phone is="telephonenumber">11111</phone>
>>>>                 <flags is="flags">2</flags> -->
>>>>         </mapping>
>>>> </ldapserver>
>>>
>>>
>>> (hint: some private data is anonymized with capital letters)
>>>
>> _______________________________________________
>> Koha mailing list  http://koha-community.org
>> Koha at lists.katipo.co.nz
>> https://lists.katipo.co.nz/mailman/listinfo/koha
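As an added illustration of the point under discussion (this is not Koha's code and was not posted by anyone in the thread), the Python below models the two Koha settings. With auth_by_bind=0 Koha asks the directory to Compare the userPassword attribute against the plaintext the user typed; with auth_by_bind=1 it binds as the user's DN and lets the server do the credential check. The {SSHA} layout used here is the RFC 2307 convention, base64(SHA-1(password || salt) || salt). It is an assumption of this example, consistent with the LDAP_COMPARE_FALSE reported above, that the server's Compare on userPassword is a literal octet-string equality and does not re-hash the asserted value. The directory entry, DN template, password and salt are constructed sample data, and the userid guard in principal_dn is an added safeguard, not something Koha does.

```python
"""Why an LDAP Compare against an {SSHA} userPassword returns compareFalse
while a bind with the same password succeeds.

Added example, not Koha code. Assumption: the server's Compare on
userPassword is a plain octet-string match (no hash-aware comparison).
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; in {SSHA} the digest comes first, the salt after it


def ssha_hash(password, salt=None):
    """Build an RFC 2307 style {SSHA} value, as `slappasswd -h {SSHA}` does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """What the server does on a simple bind: re-hash with the stored salt."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time equality


def octet_string_match(stored, asserted):
    """Assumed Compare semantics for userPassword: byte-for-byte equality."""
    return stored.encode("utf-8") == asserted.encode("utf-8")


# Constructed sample directory: one entry with an {SSHA} password, fixed salt
# so the stored value is reproducible.
ALICE_DN = "uid=alice,ou=id,dc=example,dc=org"
DIRECTORY = {
    ALICE_DN: {
        "uid": "alice",
        "userPassword": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04"),
    },
}

# DN special characters (RFC 4514); a userid containing them must not be
# spliced into a DN template. Added safeguard, not part of Koha.
_DN_SPECIALS = set(',+"\\<>;=')


def principal_dn(userid, template="uid=%s,ou=id,dc=example,dc=org"):
    """Koha's principal_name substitution: %s is replaced by the userid."""
    if not userid or userid != userid.strip() or _DN_SPECIALS & set(userid):
        return None
    return template % userid


def compare_auth(dn, password):
    """auth_by_bind=0: Compare userPassword against the typed plaintext."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return "noSuchObject"       # LDAP result code 32
    if octet_string_match(entry["userPassword"], password):
        return "compareTrue"        # LDAP result code 6
    return "compareFalse"           # LDAP result code 5, as in the thread


def bind_auth(dn, password):
    """auth_by_bind=1: the server verifies the hash during the bind."""
    entry = DIRECTORY.get(dn)
    # A real server returns the same code for unknown DN and wrong password,
    # so it does not leak which DNs exist.
    if entry is None or not ssha_verify(entry["userPassword"], password):
        return "invalidCredentials"  # LDAP result code 49
    return "success"                 # LDAP result code 0


if __name__ == "__main__":
    dn = principal_dn("alice")
    print("stored:", DIRECTORY[dn]["userPassword"])
    print("compare, correct password:", compare_auth(dn, "correct horse"))
    print("bind,    correct password:", bind_auth(dn, "correct horse"))
    print("bind,    wrong password:  ", bind_auth(dn, "wrong"))
    print("principal_dn for a DN-injecting userid:",
          principal_dn("alice,ou=daemons,dc=example,dc=org"))
```

Two practical caveats follow from this. Either mode sends the user's plaintext password to the directory (in the Compare assertion or in the bind), so the Koha-to-LDAP connection should be LDAPS or StartTLS. Compare-based authentication additionally requires the service account in `<user>` (cn=biblio above) to hold compare rights on userPassword for every user, a privilege that bind-based authentication does not need.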