https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18947 Bug ID: 18947 Summary: Active Directory LDAP authentication broken Change sponsored?: --- Product: Koha Version: 17.05 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: helpdesk@neci.edu QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Commit 68c365ea8ab536a85d92d3769b0bbaa0e1691116 introduced the following line in Auth_with_ldap.pm: $ldap->{anonymous_bind} = 1 unless $ldapname && $ldappassword; There is no comment in the code or the Git commit log as to why. This change silently overrides the settings in koha-conf.xml and causes a previously functional setup with LDAP authentication against Active Directory to fail unless koha-conf.xml defines values for <user> and <pass>. As user and pass are only used if auth_by_bind and anonymous_bind are both false, their values should not come into play in the other cases. Prior to this change, KOHA would bind against AD with the user supplied credentials, as expected. With the change, KOHA attempts an anonymous bind and then tries to search for the supplied user name. As there was no valid bind in place, AD rejects the attempt. Workaround: enter some value for <user> and <pass> in the ldapserver configuration block. These do not have to be real credentials as KOHA will not attempt to use them now that auth_by_bind has priority again. Note: there is an apparent duplicate attempt to do the same further down, by setting $config{anonymous} to ($ldapname and $ldappassword) ? 0 : 1, although that key is not used anywhere in Auth_by_ldap.pm -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.