[Koha] Koha and LDAP: Password comparison fails

mourik jan heupink heupink at merit.unu.edu
Thu Sep 10 20:07:03 NZST 2015


Here is the AD bit from our koha-conf.xml:

>  <ldapserver id="DC">
>     <hostname>samba.domain.com</hostname>
>     <base>CN=Users,DC=samba,DC=domain,DC=com</base>
>     <replicate>1</replicate>
>     <update>1</update>
>     <auth_by_bind>1</auth_by_bind>
>     <principal_name>%s@samba.domain.com</principal_name>
>     <mapping>      <!-- match koha SQL field names to your LDAP record field names -->
>       <firstname    is="givenName"      ></firstname>
>       <surname      is="sn"             ></surname>
>       <address      is="streetAddress"  ></address>
>       <city         is="l"              ></city>
>       <zipcode      is="postalCode"     ></zipcode>
>       <branchcode   is="branch"         >our_branch</branchcode>
>       <userid       is="uid"            ></userid>
>       <password     is="userPassword"   ></password>
>       <email        is="mail"           ></email>
>       <categorycode is="employeeType"   >A</categorycode>
>       <phone        is="telephoneNumber"></phone>
>     </mapping>
>   </ldapserver>

Explained:
samba.domain.com is the name of our Active Directory; if you specify 
that as the hostname to bind to, Koha will use (round-robin) DNS to connect 
to all DCs. This gives you a nice load spread, plus if one DC happens to be 
down, only some logons will fail.

(verify with "host samba.domain.com" several times in a row; it should 
normally return different IPs, depending on your number of DCs)

Base should be your users container.

Principal took me some time to understand: 
<principal_name>%s@samba.domain.com</principal_name>

%s is replaced with a username, so in my example Koha tries to bind as 
username@samba.domain.com

I think the above explains it all?

MJ
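The thread contrasts Koha's two LDAP checks: an LDAP compare of the typed password against the userPassword attribute (auth_by_bind 0) and a simple bind as the rendered principal_name (auth_by_bind 1). The following Python simulation is an added example, not part of the original mail or of Koha's own code. It models both checks against a constructed directory entry whose userPassword holds an {SSHA} value, the scheme Uwe mentions, and renders principal_name the way the message describes (%s replaced by the userid). It assumes the generic LDAP compare semantics (the assertion value is matched byte-for-byte under the attribute's equality rule); whether a given directory server applies hash-aware matching to userPassword is server-specific. The DN template `uid=%s,ou=id,dc=MY_ORG,dc=org`, the entry and the sample password are constructed; the archive renders "@" as " at ", so the UPN-style template is written with "@" here.

```python
import base64
import hashlib
import hmac
import os

# LDAP result codes used below (the thread quotes "LDAP error #5: LDAP_COMPARE_FALSE").
LDAP_SUCCESS = 0
LDAP_COMPARE_FALSE = 5
LDAP_COMPARE_TRUE = 6
LDAP_INVALID_CREDENTIALS = 49


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Hash-aware check of a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample directory (not real data); fixed salt keeps the hash reproducible.
SAMPLE_SALT = b"\x01\x02\x03\x04"
DIRECTORY = {
    "uid=uwe,ou=id,dc=MY_ORG,dc=org": {
        "uid": ["uwe"],
        "userPassword": [ssha_hash("correct horse", SAMPLE_SALT)],
    },
}


def render_principal(template: str, username: str) -> str:
    """Koha substitutes the typed userid for %s in <principal_name>."""
    return template.replace("%s", username)


def compare_attribute(dn: str, attr: str, value: str) -> int:
    """Generic LDAP compare: is `value` literally one of the stored values of `attr`?

    With a hashed userPassword the plaintext never equals the stored string,
    so the answer is LDAP_COMPARE_FALSE even when the password is right.
    """
    entry = DIRECTORY.get(dn, {})
    return LDAP_COMPARE_TRUE if value in entry.get(attr, []) else LDAP_COMPARE_FALSE


def simple_bind(dn: str, password: str) -> int:
    """Simulated simple bind: the server verifies the password against the stored hash."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return LDAP_INVALID_CREDENTIALS
    stored = entry.get("userPassword", [""])[0]
    return LDAP_SUCCESS if ssha_verify(password, stored) else LDAP_INVALID_CREDENTIALS


if __name__ == "__main__":
    # DN-style principal (OpenLDAP-like tree, constructed) and AD-style UPN principal
    dn = render_principal("uid=%s,ou=id,dc=MY_ORG,dc=org", "uwe")
    print("AD-style principal :", render_principal("%s@samba.domain.com", "mj"))
    print("compare plaintext  :", compare_attribute(dn, "userPassword", "correct horse"))
    print("bind as", dn, ":", simple_bind(dn, "correct horse"))
```

Running it shows the compare path answering LDAP_COMPARE_FALSE (5) for the correct password, while the bind path answers LDAP_SUCCESS (0) because the server, not the client, does the hash-aware check. That is the practical reason auth_by_bind is the usual choice against a directory that stores hashed passwords, and it also keeps the Koha service account from needing read or compare access to other users' password attributes.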



On 09/10/2015 09:18 AM, Ahmad Amanullah Khan wrote:
> Dear All
>
> I will appreciate if you guide us how you integrated KOHA with AD. Any
> guide will be highly appreciated.
>
> Thanks
>
> On Thu, Sep 10, 2015, 3:45 AM uwe <singlespeedfahrer at yandex.com> wrote:
>
>> On Friday, 21.08.2015, 10:36 +0200, mourik jan heupink wrote:
>>> I have no other clues, no. Must say I'm rather surprised to read that
>>> auth by bind is no option for you. Are you sure? Why not
>>
>> It seems that I misunderstood the auth-by-bind function. Finally
>> someone who has more ldap knowledge helped out to connect the ldap to
>> our koha installation. Now it works with auth-by-bind as you suggested.
>> Thank you very much. Your hint guided us into the right way to get it
>> to work.
>>
>> Best wishes
>> Uwe
>>
>>>
>>>
>>> On 08/20/2015 03:02 PM, uwe wrote:
>>>> Hello,
>>>>
>>>> On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
>>>>> I'm not sure if it will help you, but we have never had much luck
>>>>> with the password compare routine, which Koha seems to like.
>>>>>
>>>>> I don't know any other LDAP client that works like that. The usual
>>>>> way (and this one works perfectly here, using OpenLDAP and also
>>>>> samba4/AD) is: use <auth_by_bind>1</auth_by_bind>
>>>>>
>>>>> Your principal_name would then be something like:
>>>>>
>>>>> <principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>
>>>>
>>>> Thank you for your answer and hints, but unfortunately auth_by_bind
>>>> seems to be no option for us.
>>>>
>>>> Is there another way to solve the issue?
>>>>
>>>> Thanks in advance
>>>> Uwe
>>>>
>>>>> Hopefully this helps you as well.
>>>>>
>>>>> MJ
>>>>>
>>>>> On 8/18/2015 14:35, uwe wrote:
>>>>>> Hello,
>>>>>>
>>>>>> we have a Koha installation and would like to connect it to our
>>>>>> OpenLDAP server, but I can't get it to work.
>>>>>>
>>>>>> First our Koha setup:
>>>>>>
>>>>>>> OS: debian wheezy
>>>>>>> Koha: 3.20.02
>>>>>>
>>>>>> Connecting to the LDAP server works fine, but the password comparison
>>>>>> fails with the following error (tested in the console, but it also
>>>>>> fails in the web GUI; the given password is also correct):
>>>>>>
>>>>>>> root@biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl /usr/share/koha/opac/cgi-bin/opac/opac-user.pl userid=MY_MAIL_NAME@MY_ORG.org password=MY_PASSWORD. | head -5
>>>>>>
>>>>>>> Got 2 ldap mapkeys (  total  ): userid
>>>>>>> Got 2 ldap mapkeys (populated): userid
>>>>>>> Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
>>>>>>> kohaversion : 3.2002000
>>>>>>> ## checkpw - checking LDAP
>>>>>>> LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME@MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
>>>>>>> # This code is returned when a compare request completes and the attribute value given is not in the entry specified
>>>>>>>
>>>>>>> Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.
>>>>>>
>>>>>> Configuration in koha-conf.xml, see below. Our LDAP server uses
>>>>>> SSHA as the password scheme. Could this be the problem?
>>>>>>
>>>>>> How can I solve it? I can't find much useful when searching the
>>>>>> internet for the problem.
>>>>>>
>>>>>> Thanks and best wishes
>>>>>> Uwe
>>>>>>
>>>>>>> <useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
>>>>>>>
>>>>>>> <!-- LDAP SERVER (optional) -->
>>>>>>>
>>>>>>> <ldapserver id="ldapserver"  listenref="ldapserver">
>>>>>>>         <hostname>MY_LDAP_SERVER</hostname>
>>>>>>>         <base>ou=id,dc=MY_ORG,dc=org</base>
>>>>>>>         <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
>>>>>>>         <pass>MY_SECRET_PASSWORD</pass>  <!-- password, if not anonymous -->
>>>>>>>         <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
>>>>>>>         <update>0</update>  <!-- update existing users in Koha database -->
>>>>>>>         <anonymous_bind>0</anonymous_bind>
>>>>>>>         <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
>>>>>>>         <!--<principal_name>%s@MY_ORG.org</principal_name>-->
>>>>>>>         <mapping> <!-- match koha SQL field names to your LDAP record field names -->
>>>>>>>                 <!--<firstname is="firstname"></firstname>
>>>>>>>                 <surname is="surname"></surname>
>>>>>>>                 <address is="postaladdress">hier</address>
>>>>>>>                 <city is="l">Berlin</city>
>>>>>>>                 <zipcode is="postalcode">1000</zipcode>
>>>>>>>                 <branchcode is="businesscategory"></branchcode>
>>>>>>>                 -->
>>>>>>>                 <userid is="uid"></userid>
>>>>>>>                 <!--<password is="USER_PASSWORD"></password>
>>>>>>>                 <email is="mail"></email>
>>>>>>>                 <categorycode is="employeetype">PT</categorycode>
>>>>>>>                 <phone is="telephonenumber">11111</phone>
>>>>>>>                 <flags is="flags">2</flags> -->
>>>>>>>         </mapping>
>>>>>>> </ldapserver>
>>>>>>
>>>>>>
>>>>>> (hint: some private data is anonymized with large letters)
>>>>>>
>>>>> _______________________________________________
>>>>> Koha mailing list  http://koha-community.org
>>>>> Koha at lists.katipo.co.nz
>>>>> https://lists.katipo.co.nz/mailman/listinfo/koha
>> --
>> Q:      What is green and lives in the ocean?
>> A:      Moby Pickle.
>>
>>
>>
>

