>
> On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
> >* that Active Directory does not have the attribute auth_with_ldap.pm is
> *>* looking for to compare to the user entered password.
> *
> this can be set with xpath /ldapserver/mapping/password at is <http://lists.koha.org/mailman/listinfo/koha-devel> but it will
> fail because you can't compare a clear text with an AD encrypted passwd!
>
> >* problem is that auth_with_ldap.pm expects an attribute with password
> *>* stored in the plain,
> *
> i don't think so! can you imagine a password stored in plain in a modern
>
> and secure system? i think that the current code expect that the plain
> text used for comparaison will be encrypted by the server.
>
> >* $db->unbind;
> *>* $db->disconnect();
> *>* $db = Net::LDAP->new( [$prefhost] );
> *
> why unbind ? you'll loose the benefit of mod_ldap cached data.
>
> $dbuser = Net::LDAP->new( [$prefhost] );
>
> >* $res = $db->bind( $userldapentry, password = $password );
> *
> password = $password will fail as perl vars begins with $ sigil!
>
> $res = $db->bind( $userldapentry, password => $password );
>
> works better
>
>
> regards
>
> marc
>
>
so what would the suggested final mod look like if the current auth section
of Auth_with_ldap.pm is:
sub checkpw_ldap {
my ($dbh, $userid, $password) = @_;
my $db = Net::LDAP->new([$prefhost]);
#$debug and $db->debug(5);
my $uid_field = $mapping{userid}->{is} or die
ldapserver_error("mapping for 'userid'");
my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die
"Failed to create new Net::LDAP::Filter";
my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname,
password=>$ldappassword);
if ($res->code) { # connection refused
warn "LDAP bind failed as $ldapname: " . description($res);
return 0;
}
Reply below. On Wed, 2008-10-22 at 14:45 -0500, Library Guy wrote:
On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote: > that Active Directory does not have the attribute auth_with_ldap.pm is
> looking for to compare to the user entered password.
this can be set with xpath /ldapserver/mapping/password at is but it will
fail because you can't compare a clear text with an AD encrypted passwd!
> problem is that auth_with_ldap.pm expects an attribute with password > stored in the plain,
i don't think so! can you imagine a password stored in plain in a modern
and secure system? i think that the current code expect that the plain text used for comparaison will be encrypted by the server.
> $db->unbind; > $db->disconnect(); > $db = Net::LDAP->new( [$prefhost] );
why unbind ? you'll loose the benefit of mod_ldap cached data.
$dbuser = Net::LDAP->new( [$prefhost] );
> $res = $db->bind( $userldapentry, password = $password );
password = $password will fail as perl vars begins with $ sigil!
$res = $db->bind( $userldapentry, password => $password );
works better
regards
marc
so what would the suggested final mod look like if the current auth section of Auth_with_ldap.pm is:
sub checkpw_ldap { my ($dbh, $userid, $password) = @_; my $db = Net::LDAP->new([$prefhost]); #$debug and $db->debug(5); my $uid_field = $mapping{userid}->{is} or die ldapserver_error("mapping for 'userid'"); my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die "Failed to create new Net::LDAP::Filter"; my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword); if ($res->code) { # connection refused warn "LDAP bind failed as $ldapname: " . description($res); return 0; }
That bit would stay the same. The bit of code that needs to change is further down: my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password ); if ($cmpmesg->code != 6) { warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg); return 0; } Would become more like: my $user_ldapname = $userldapentry->dn(); my $user_db = Net::LDAP->new( [$prefhost] ); $res = $user_db->bind( $user_ldapname, password => $password ); if ( $res->code ) { $debug and warn "Bind as user failed". description( $res ); return 0; }
Michael, this mod resolved the AD/LDAP problem for me. Thank you very much. Devs, somehow incorporate this to 3.2? On Thu, Oct 23, 2008 at 10:41 AM, Michael Hafen <mdhafen@tech.washk12.org>wrote:
Reply below.
On Wed, 2008-10-22 at 14:45 -0500, Library Guy wrote:
On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote: > that Active Directory does not have the attribute
auth_with_ldap.pm is
> looking for to compare to the user entered password.
this can be set with xpath /ldapserver/mapping/password at is but
it will
fail because you can't compare a clear text with an AD encrypted
passwd!
> problem is that auth_with_ldap.pm expects an attribute with
password
> stored in the plain,
i don't think so! can you imagine a password stored in plain in a
modern
and secure system? i think that the current code expect that the
plain
text used for comparaison will be encrypted by the server.
> $db->unbind; > $db->disconnect(); > $db = Net::LDAP->new( [$prefhost] );
why unbind ? you'll loose the benefit of mod_ldap cached data.
$dbuser = Net::LDAP->new( [$prefhost] );
> $res = $db->bind( $userldapentry, password = $password );
password = $password will fail as perl vars begins with $ sigil!
$res = $db->bind( $userldapentry, password => $password );
works better
regards
marc
so what would the suggested final mod look like if the current auth section of Auth_with_ldap.pm is:
sub checkpw_ldap { my ($dbh, $userid, $password) = @_; my $db = Net::LDAP->new([$prefhost]); #$debug and $db->debug(5); my $uid_field = $mapping{userid}->{is} or die ldapserver_error("mapping for 'userid'"); my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die "Failed to create new Net::LDAP::Filter"; my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword); if ($res->code) { # connection refused warn "LDAP bind failed as $ldapname: " . description($res); return 0; }
That bit would stay the same. The bit of code that needs to change is further down: my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password ); if ($cmpmesg->code != 6) { warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg); return 0; }
Would become more like: my $user_ldapname = $userldapentry->dn(); my $user_db = Net::LDAP->new( [$prefhost] ); $res = $user_db->bind( $user_ldapname, password => $password ); if ( $res->code ) { $debug and warn "Bind as user failed". description( $res ); return 0; }
Hi, On Mon, Oct 27, 2008 at 11:33 AM, Library Guy <library.guy.zero@gmail.com> wrote:
Michael, this mod resolved the AD/LDAP problem for me. Thank you very much. Devs, somehow incorporate this to 3.2?
Please file a bug report in bugs.koha.org so that we don't lose track of this. Regards, Galen -- Galen Charlton VP, Research & Development, LibLime galen.charlton@liblime.com p: 1-888-564-2457 x709 skype: gmcharlt
Filed bug 2726 for this. Working on patch now. On Mon, 2008-10-27 at 13:42 -0400, Galen Charlton wrote:
Hi,
On Mon, Oct 27, 2008 at 11:33 AM, Library Guy <library.guy.zero@gmail.com> wrote:
Michael, this mod resolved the AD/LDAP problem for me. Thank you very much. Devs, somehow incorporate this to 3.2?
Please file a bug report in bugs.koha.org so that we don't lose track of this.
Regards,
Galen
participants (3)
-
Galen Charlton -
Library Guy -
Michael Hafen