[Koha] Koha Ldap Auth

Hector Gonzalez cacho at genac.org
Wed Jun 26 10:44:03 NZST 2019



> On Jun 25, 2019, at 8:28 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
> 
> Il 24/06/19 21:30, Hector Gonzalez ha scritto:
>> Hi Daniele
> 
> Hi
> 
>>> On Jun 24, 2019, at 4:22 AM, Daniele Piccoli <daniele.piccoli at riseup.net> wrote:
>>> 
>>> Software error:
>>> Error reading file /etc/koha/sites/biblioname/koha-conf.xml.
>>> Try running this again as the koha instance user (or use the koha-shell
>>> command in debian)
>> 
>> 
>> Is the file readable by koha?  Permissions should be 640, with user root and biblioname-koha as the group (if that is the group that owns koha).
> 
> The file is readable by Koha and in fact it has the correct permission
> as you said.

Ok, then try making these changes:

<ldapserver id="ldapserver" listenref="ldapserver">
 <hostname>ldaps://*IP-OF-DC*</hostname>
 <base>ou=Users,dc=*sub*,dc=*domain*,dc=*tld*</base>
 <replicate>1</replicate>
 <update>1</update>
 <auth_by_bind>1</auth_by_bind>
 <anonymous_bind>0</anonymous_bind>
 <principal_name>%s@*sub*.*domain*.*tld*</principal_name>
 <mapping> <!-- record field names -->
  <userid       is="uid"></userid>
  <password     is="userpassword"></password>
  <email        is="mail"></email>
  <branchcode   is="">YOURLIBRARYCODEinKoha</branchcode>
  <categorycode is="">STUDENT</categorycode>
 </mapping>
</ldapserver>

1. Change the hostname to the actual hostname of the LDAP server; if it is using ldaps, it might want to check the certificate, and that check is based on the name.
2. Remove the <user> and <pass> tags, as you are using auth_by_bind. (I don't know if they are needed for <update>, so you might want to leave those there.)
3. Add a line that says <anonymous_bind>0</anonymous_bind>, which is needed with AD logins when you are using auth_by_bind (sounds weird, but it works that way).
4. Change principal_name; the format is <principal_name>%s@*your.domain.name*</principal_name>, which is needed with AD too. It looks like an email address.
5. Add a mapping for "categorycode" with the text of the main user category (staff, students, faculty...). It IS required for login, and is assigned to the user automatically.
6. Add the branchcode for the library.

Also, I would change the userid mapping to <userid is="sAMAccountName"></userid>, which is a unique name for every user with AD.
If it still gives you trouble, check the tags above and below your LDAP configuration, and be sure those were not affected by editing the file.

>> 
> 
> Daniele
> _______________________________________________
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> https://lists.katipo.co.nz/mailman/listinfo/koha

--
Héctor González
cacho at genac.org
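The checklist in the reply above (scheme and hostname, auth_by_bind versus user/pass, anonymous_bind, principal_name form, categorycode and branchcode mappings) can be turned into a small lint pass over the <ldapserver> block of koha-conf.xml. The script below is an added example and is not part of the thread or of Koha itself; the two embedded configurations are constructed samples using example.org placeholders, and the checks encode only the points made in the mail, not Koha's own validation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the corrected shape suggested in the mail, with
# example.org placeholders instead of a real domain.
GOOD_CONF = """<ldapserver id="ldapserver" listenref="ldapserver">
 <hostname>ldaps://dc1.sub.example.org</hostname>
 <base>ou=Users,dc=sub,dc=example,dc=org</base>
 <replicate>1</replicate>
 <update>1</update>
 <auth_by_bind>1</auth_by_bind>
 <anonymous_bind>0</anonymous_bind>
 <principal_name>%s@sub.example.org</principal_name>
 <mapping>
  <userid       is="sAMAccountName"></userid>
  <password     is="userpassword"></password>
  <email        is="mail"></email>
  <branchcode   is="">MAIN</branchcode>
  <categorycode is="">STUDENT</categorycode>
 </mapping>
</ldapserver>
"""

# Constructed sample showing the problems the mail tells the poster to fix
# (IP literal with ldaps, leftover bind account, no anonymous_bind,
# principal_name not in user@domain form, no categorycode/branchcode).
BAD_CONF = """<ldapserver id="ldapserver" listenref="ldapserver">
 <hostname>ldaps://192.0.2.10</hostname>
 <base>ou=Users,dc=sub,dc=example,dc=org</base>
 <user>cn=Manager,dc=sub,dc=example,dc=org</user>
 <pass>placeholder-password</pass>
 <auth_by_bind>1</auth_by_bind>
 <principal_name>uid=%s</principal_name>
 <mapping>
  <userid   is="uid"></userid>
  <password is="userpassword"></password>
 </mapping>
</ldapserver>
"""


def lint_ldapserver(xml_text):
    """Check an <ldapserver> block against the points raised in the mail.
    Returns a list of finding strings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    srv = root if root.tag == "ldapserver" else root.find(".//ldapserver")
    if srv is None:
        return ["no <ldapserver> element found"]

    def value(tag):
        el = srv.find(tag)
        return (el.text or "").strip() if el is not None else None

    findings = []

    # 1. hostname needs a scheme; ldaps:// against an IP literal will not
    #    match a certificate issued for the server's DNS name.
    hostname = value("hostname") or ""
    if not hostname.startswith(("ldap://", "ldaps://")):
        findings.append("hostname has no ldap:// or ldaps:// scheme")
    else:
        scheme, _, rest = hostname.partition("://")
        host = rest.split("/", 1)[0].rsplit(":", 1)[0]  # host[:port], no IPv6 brackets
        try:
            ipaddress.ip_address(host)
            if scheme == "ldaps":
                findings.append("ldaps:// with an IP address: certificate name check will fail")
        except ValueError:
            pass  # a DNS name, as the mail recommends
        if scheme == "ldap":
            findings.append("ldap:// sends bind credentials in clear unless STARTTLS is used")

    # 2. With auth_by_bind the service account in <user>/<pass> is not needed for login.
    auth_by_bind = value("auth_by_bind") == "1"
    if auth_by_bind and (value("user") is not None or value("pass") is not None):
        findings.append("auth_by_bind=1 but <user>/<pass> still present")

    # 3. AD logins with auth_by_bind need anonymous_bind explicitly set to 0.
    if auth_by_bind and value("anonymous_bind") != "0":
        findings.append("auth_by_bind=1 without <anonymous_bind>0</anonymous_bind>")

    # 4. principal_name must be a %s template in user@domain (UPN) form.
    principal = value("principal_name") or ""
    if "%s" not in principal or "@" not in principal:
        findings.append("principal_name is not of the form %s@your.domain.name")

    # 5./6. categorycode and branchcode must be mapped from LDAP or given a fixed value.
    mapping = srv.find("mapping")
    for tag in ("categorycode", "branchcode"):
        el = mapping.find(tag) if mapping is not None else None
        if el is None or not (el.get("is") or (el.text or "").strip()):
            findings.append(f"mapping lacks a {tag} (LDAP attribute or fixed value)")

    return findings


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, lint_ldapserver(conf) or "ok")
```

To run it against a live instance, read the file as the instance user (koha-shell on Debian, matching the permissions discussed earlier in the thread) and pass the file contents to lint_ldapserver; the parser accepts either the whole koha-conf.xml or just the <ldapserver> fragment.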


