[Koha] adding second ldap server

Mohamad F Barham mbarham at birzeit.edu
Thu Feb 20 21:10:06 NZDT 2020


Dear Coehoorn,

Thanks for all your notes and advice, especially the Microsoft update.

I highly appreciate your efforts and help.

Mohamad Barham

System Engineer | Information Technology Department

Birzeit University

P.O.Box. 14, Birzeit, Palestine

Tel: + 970 22982012 | Mob: +970 597 861929 | Ext: 5616

mbarham at birzeit.edu | www.birzeit.edu<http://www.birzeit.edu/>
________________________________
From: Koha <koha-bounces at lists.katipo.co.nz> on behalf of Coehoorn, Joel <jcoehoorn at york.edu>
Sent: Wednesday, February 19, 2020 12:04 AM
To: Katrin Fischer <katrin.fischer.83 at web.de>; koha <koha at lists.katipo.co.nz>
Subject: Re: [Koha] adding second ldap server

If that ldap server happens to be Active Directory, you can take
advantage of features inside of AD to accomplish your goal here in a way
that's invisible to Koha.

But before I get into that, there is an issue coming for Active Directory
sites that I haven't seen pushed out to this list yet:

*BEGINNING IN MARCH, MICROSOFT WILL NO LONGER ALLOW UNSECURED LDAP
CONNECTIONS TO ACTIVE DIRECTORY.*

That is, after applying Windows Updates next month, if you have Koha
configured to authenticate users against Active Directory via a normal LDAP
connection over port 389, your connection will be broken!
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows


To avoid a broken system, or fix this afterwards, you *MUST* set up the
connection to use LDAP+TLS over port 636.

I manage two Koha servers which authenticate via Active Directory. I'm not
impacted by this personally: one already uses LDAP+S and will retire soon,
the other uses SAML SSO. But I may start a separate thread just to get more
attention in the community... I feel like a *lot* of people will get caught
by this and end up broken next month unless it's publicized a lot more, and
at least it would be nice to have an existing list thread dedicated to resolving
the issue.

That out of the way, let's move on to the question at hand. There are two
scenarios here.

First, if you want the second ldap connection only for redundancy. I don't
have the docs in front of me, but you basically add a special DNS
record for your domain with a low TTL. If one domain controller is unavailable, the
record will automatically point to the alternate, even for ldap
connections. This assumes Active Directory is also running your DNS (which
is best practice for AD sites). Again, this is for redundancy, not for
separate sources.

If you want separate ldap sources, where different ldap connections would
have different sets of users, you can set up a trust relationship to link
the two servers into a single Active Directory forest, and then point the
single ldap connection at the forest instead of either individual server.

In both cases, Koha just sees the single ldap connection, but you get the
intended results.

Joel Coehoorn
Director of Information Technology
402.363.5603
*jcoehoorn at york.edu <jcoehoorn at york.edu>*

*Please contact helpdesk at york.edu <helpdesk at york.edu> for technical
assistance.*


The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong service to
God, family, and society
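As an added example (not code from this thread, nor Koha's own), a small Python audit of koha-conf.xml `<ldapserver>` blocks that flags hostnames still using plain LDAP on port 389, the connections that break once Active Directory enforces signing, and that also notes when auth_by_bind would send user passwords over that unencrypted channel. It assumes a scheme-less hostname means plain LDAP on 389 (Net::LDAP's default); the sample config and hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample shaped like Koha's koha-conf.xml <ldapserver> blocks
# (placeholder hosts, not the poster's real configuration).
SAMPLE_CONF = """<config>
<ldapserver id="students">
<hostname>ldap://dc1.example.edu</hostname>
<auth_by_bind>1</auth_by_bind>
</ldapserver>
<ldapserver id="staff">
<hostname>ldaps://dc2.example.edu:636</hostname>
<auth_by_bind>1</auth_by_bind>
</ldapserver>
</config>"""


def audit_ldapservers(xml_text):
    """Return one finding dict per <ldapserver> in the XML text.

    A hostname without a scheme is assumed to mean plain LDAP on 389
    (Net::LDAP's default). Plain ldap:// to Active Directory breaks once
    LDAP signing is enforced, and auth_by_bind sends the user's password
    over that unencrypted connection.
    """
    findings = []
    for srv in ET.fromstring(xml_text).iter("ldapserver"):
        raw = (srv.findtext("hostname") or "").strip()
        parts = urlsplit(raw if "://" in raw else "ldap://" + raw)
        scheme = parts.scheme.lower()
        port = parts.port or (636 if scheme == "ldaps" else 389)
        secure = scheme == "ldaps"
        by_bind = (srv.findtext("auth_by_bind") or "0").strip() == "1"
        issues = []
        if not secure:
            issues.append("plain LDAP on port %d: fails once AD requires signing" % port)
            if by_bind:
                issues.append("auth_by_bind=1 sends passwords in the clear")
        findings.append({"id": srv.get("id"), "host": parts.hostname,
                         "port": port, "secure": secure, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ldapservers(SAMPLE_CONF):
        print(f["id"], f["host"], f["port"], "OK" if f["secure"] else "; ".join(f["issues"]))
```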


On Tue, Feb 18, 2020 at 3:40 PM Katrin Fischer <katrin.fischer.83 at web.de>
wrote:

> Hi,
>
> to my understanding it's currently not possible to connect more than one
> LDAP server to Koha. I found an open bug for adding this feature:
>
> *Bug 20735*
> <https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20735> -
> Multiple LDAP servers
>
> Katrin
>
> On 18.02.20 13:36, Mohamad F Barham wrote:
> > Dears,
> >
> > I am trying to add a second ldap server but it fails. Is there a
> restriction to only one server? How do I solve that?
> >
> > notice:
> >   koha 19.11
> > debian 9
> > The first ldap server works correctly. We have two ldap servers, one for
> students and one for staff, both with different mappings.
> >
> > <ldapserver id="ldapserver">
> > <hostname>ldaps://172.16.2.101</hostname>
> > <base>DC=STBZU,DC=EDU</base>
> > <user>CN=Mohamad F. Barham,OU=CCsupport,DC=STBZU,DC=EDU</user> <!-- DN, if not anonymous -->
> > <pass>PASSWORD</pass> <!-- password, if not anonymous -->
> > <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
> > <update>0</update> <!-- update existing users in Koha database; left at 0 so Koha edits (e.g. category type) are not overridden -->
> > <anonymous_bind>0</anonymous_bind>
> > <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
> > <principal_name>%s at STBZU.EDU</principal_name> <!-- optional, for auth_by_bind: a printf format to make userPrincipalName from koha userid -->
> > <mapping> <!-- match koha SQL field names to your LDAP record field names -->
> > <firstname is="givenname"></firstname>
> > <surname is="sn"></surname>
> > <userid is="samaccountname"></userid>
> > <email is="mail"></email>
> > <othernames is="cn"></othernames>
> > <branchcode is="">MAIN</branchcode>
> > <categorycode is="">ST</categorycode>
> > </mapping>
> > </ldapserver>
_______________________________________________
Koha mailing list  http://koha-community.org
Koha at lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha