Hi all, I have succeed to get a stable system in our production server . However i have always a little problem to set authentication using an Active Directory ! Witch file have I to configure and how do that ? Any helps are welcome and many thanks at advance . Kind Regards Abdel -- View this message in context: http://www.nabble.com/Koha3.0-against-Active-Directory-tp19549558p19549558.h... Sent from the Koha - Dev mailing list archive at Nabble.com.
In the POD of C4/Auth_with_ldap.pm, near the bottom, there is an example of what has to be added to koha_conf.xml to get ldap auth to work. Have a look at that, and send another message up here if you want more help. Good luck. On Thu, 2008-09-18 at 03:00 -0700, abdel514 wrote:
Hi all, I have succeed to get a stable system in our production server . However i have always a little problem to set authentication using an Active Directory ! Witch file have I to configure and how do that ? Any helps are welcome and many thanks at advance . Kind Regards Abdel
Michael Hafen-3 wrote:
In the POD of C4/Auth_with_ldap.pm, near the bottom, there is an example of what has to be added to koha_conf.xml to get ldap auth to work. Have a look at that, and send another message up here if you want more help.
Good luck.
On Thu, 2008-09-18 at 03:00 -0700, abdel514 wrote:
Hi all, I have succeed to get a stable system in our production server . However i have always a little problem to set authentication using an Active Directory ! Witch file have I to configure and how do that ? Any helps are welcome and many thanks at advance . Kind Regards Abdel
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha.org http://lists.koha.org/mailman/listinfo/koha-devel
thnks for your answer I have done what is required in the file auth_with_ldap.pm in C4. but it does not why? because it goes simple auth in the Active Directory. and when he passes me the following error in the log: "opac-user.pl: LDAP Auth rejected : invalid password for user 'dmadmin' LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE, referer: http://****************/cgi-bin/koha/opac-user.pl" thanks more. -- View this message in context: http://www.nabble.com/Koha3.0-against-Active-Directory-tp19549558p19687006.h... Sent from the Koha - Dev mailing list archive at Nabble.com.
On Fri, 2008-09-26 at 04:55 -0700, abdel514 wrote:
thnks for your answer
I have done what is required in the file auth_with_ldap.pm in C4. but it does not why? because it goes simple auth in the Active Directory. and when he passes me the following error in the log: "opac-user.pl: LDAP Auth rejected : invalid password for user 'dmadmin' LDAP error #16: LDAP_NO_SUCH_ATTRIBUTE, referer: http://****************/cgi-bin/koha/opac-user.pl" thanks more.
This is a problem that is being discussed on this list, being whether to use 'bind-auth' or 'comparison auth'. The problem, specifically, is that Active Directory does not have the attribute auth_with_ldap.pm is looking for to compare to the user entered password. This is, in my opinion, a flaw in Microsoft's implementation as well. The rest of the problem is that auth_with_ldap.pm expects an attribute with password stored in the plain, which Active Directory does not have. So some trickery will have to be used to get this to work. What will have to be done is to figure out which attribute Active Directory stores a password in, and how that password is changed before being stored. Then to change in the code $password variable, and the attribute it is compared to in the function checkpw_ldap(). After looking at Active Directory a bit I don't think this will actually be possible unless you have the Microsoft Services For Unix installed. Then you get the msSFU30Password Attribute, which is probably an md5 with a certain seed by the looks of it. This isn't the easy way, but is possible. I think it would be easier to switch to the 'bind-auth' method here. It will require some changes to the code in auth_with_ldap.pm around line 103, where the password is compared, through line 107. Replace these lines with something like: $db->unbind; $db->disconnect(); $db = Net::LDAP->new( [$prefhost] ); $res = $db->bind( $userldapentry, password = $password ); unless ( $db && ! $res->code ) { warn "LDAP Auth rejected : invalid password for user '$userid'"; return 0; } As long as $userldapentry isn't lost when unbind() and disconnect() are called this should work. Good luck.
On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
that Active Directory does not have the attribute auth_with_ldap.pm is looking for to compare to the user entered password.
this can be set with xpath /ldapserver/mapping/password@is but it will fail because you can't compare a clear text with an AD encrypted passwd!
problem is that auth_with_ldap.pm expects an attribute with password stored in the plain,
i don't think so! can you imagine a password stored in plain in a modern and secure system? i think that the current code expect that the plain text used for comparaison will be encrypted by the server.
$db->unbind; $db->disconnect(); $db = Net::LDAP->new( [$prefhost] );
why unbind ? you'll loose the benefit of mod_ldap cached data. $dbuser = Net::LDAP->new( [$prefhost] );
$res = $db->bind( $userldapentry, password = $password );
password = $password will fail as perl vars begins with $ sigil! $res = $db->bind( $userldapentry, password => $password ); works better regards marc
problem is that auth_with_ldap.pm expects an attribute with password stored in the plain,
i don't think so! can you imagine a password stored in plain in a modern and secure system? i think that the current code expect that the plain text used for comparaison will be encrypted by the server.
I read somewhere recently that having the password in the plain is actually part of the LDAP spec. I think it was because the open source LDAP server, slapd, was going to move to having a very secured attribute holding the clear text password. It's been long enough that I don't remember the specifics now.
$db->unbind; $db->disconnect(); $db = Net::LDAP->new( [$prefhost] );
why unbind ? you'll loose the benefit of mod_ldap cached data.
$dbuser = Net::LDAP->new( [$prefhost] );
Yes, this is a good point. That's a much better way to do it. Just replace $db with $dbuser in the code from my previous email and ignore the unbind/disconnect calls entirely. Thanks.
On Fri, Sep 26, 2008 at 09:51:13AM -0600, Michael Hafen wrote:
i don't think so! can you imagine a password stored in plain in a modern and secure system? i think that the current code expect that the plain text used for comparaison will be encrypted by the server.
I read somewhere recently that having the password in the plain is actually part of the LDAP spec.
you *can* have a clear text passwd with something like that userPassword: {cleartext}boohISmySECRET an ldap administrator can assume it with an acl that make this attribute readable and writable only by the admin and the self object but i seen it only one (to provide a kind of poor SSO). regards marc
participants (3)
-
abdel514 -
Marc Chantreux -
Michael Hafen