[Koha-bugs] [Bug 7973] Allow for new type of LDAP authentication

bugzilla-daemon at bugs.koha-community.org
Wed Jul 3 16:18:07 CEST 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7973

--- Comment #33 from acowell at daviscollege.edu ---
Those steps are exactly how I believe it should be handled. However, I notice
this line.

- The <principal_name> setting in koha-conf.xml isn't used anymore;

That appears to be the problem with AD LDAP. I wish I could upload a picture of
my Wireshark results. On the bindRequest(1) "<ROOT>" packet coming from the Koha
login attempt, it says that the authentication is simple, but the authentication
name is missing. I'm wondering if it's missing because the principal_name is
not passed to AD/LDAP now? With ldapsearch in Ubuntu, when I capture those
packets, the authentication is simple, but it has the binding account username
& password filled in, in the bindRequest.

I'm not sure if this site might help you at all, but I just stumbled across
it and thought I'd share.

http://www.netid.washington.edu/documentation/ldapAuth.aspx

Basically, passwords are passed to LDAP to verify that an account can connect.
If it can, then success and then grab attributes. Now AD LDAP doesn't store
passwords in readable formats in attributes; instead I believe it utilizes some
type of tokens. Koha should not store the password for the user that
authenticated or tokens. I don't know how Koha actually looks at
authentication, like if it always attempts LDAP before local auth lookups if
use ldap is set to 1 or not. But LDAP auth should be prioritized over local
auth and the locally stored record of the user's account should be created with
a field or tagged somehow indicating that it's an LDAP user, so whenever the
system tries to verify the account it always checks against LDAP. Maybe I'm
just babbling and Koha already does this in some sort.

Aaron
