[Koha-devel] Re: [Koha] ldap in 2.2.6RC2

mourik jan c heupink heupink at merit.unu.edu
Sun Oct 15 17:44:47 CEST 2006 

Dear koha developers,

Did anyone ever check out this ldap-authentication patch that I sent to 
this mailinglist in september? I received no replies, and just checked 
cvs which still has the original file.

If there are problems with this patch, could anyone tell me what they are?

Kind regards,
Mourik Jan

MJ Ray wrote:
> Mourik Jan
> 
> I am resending your message to the koha-devel list, so that hopefully
> a developer can test and commit the improved LDAP authenticator to the
> next versions.  I may be offline for some of next week and hesitate to
> commit something I won't have enought time to test and support.  Thank 
> you for chasing up this useful upgrade.
> 
> Forwarded message:
>> From koha-bounces at lists.katipo.co.nz Fri Sep 15 15:17:17 2006
>> Date: Fri, 15 Sep 2006 12:31:06 +0200
>> From: mourik jan heupink <heupink at merit.unu.edu>
>> To: Koha at lists.katipo.co.nz
>> Cc: paul.poulain at free.fr
>> Subject: [Koha] ldap in 2.2.6RC2
>> List-Id: Discussion list for the Koha Library system <koha.lists.katipo.co.nz>
>>
>> dear list,
>>
>> There has been some discussion on koha at lists.katipo.co.nz about the ldap 
>> authentication bit of koha. (mostly in december 2005) The outcome of 
>> that discussion was (as far as I understood it) that the actual checking 
>> of the password should be done by trying to connect (authenticate) to 
>> the ldap server with a specific username/password and see if ldap 
>> accepts the connection.
>>
>> What koha does: It tries to receive the password field from the ldap 
>> server, and compares that to the password the user has typed, to check 
>> if they are the same.
>>
>> There are some problems with this approach:
>> - most (if not all..?) ldap servers will be configured NOT to provide a 
>> user's password to an anonymous connection. Meaning koha would have to 
>> logon with a rootdn (or use acl's) to be able to 'read' the users password.
>> - if the ldap server uses a a way to encrypt the password, comparing the 
>> (encrypted) password with the plain text (or otherwise encrypted) 
>> plassword two values will not give the desired result.
>>
>> Anyway, a solution was provided on this list. To my surprise I noticed 
>> that in the new koha 2.2.6RC2 the old method was still in place.
>>
>> Is there anything I missed? Are there reasons NOT to use the trying to 
>> connect (authenticate) to the ldap server with a specific 
>> username/password approach? Does it break other things?
>>
>> The Auth.pm provided by KL Nasveschuk is quoted below, and works here.
>>
>> Kind regards,
>> Mourik Jan
>>
>>     ##################################################
>>     ### LOCAL
>>     ### Change the code below to match your own LDAP server.
>>     ##################################################
>>
>>     # LDAP connection parameters
>>
>>     # LDAP server
>>     my $ldapserver = 'ldap.server.com';
>>
>>     # Base DN for users
>>     my $name  = "ou=users,dc=server,dc=com";
>>
>>     # Bind uses the users full DN, if uid doesn't work try "cn"
>>     my $binddn = "uid=$userid,$name";
>>
>>     my $db = Net::LDAP->new( $ldapserver );
>>    
>>     # do bind
>>     my $res =$db->bind(
>>             dn    =>$binddn,
>>             password =>$password);
>>    
>>     # check connexion, anything other code than LDAP_SUCCESS (0)
>>     # is a problem
>>     if($res->code != 0 ) {
>>         # auth refused
>>         warn "LDAP Auth failed server not responding or wrong user 
>> password combination";
>>         return 0;
>>     # search user
>>     }else {
>>    
>>         my $userdnsearch = $db->search(base => "$name",
>>                 filter =>"(cn=$userid)",
>>                 );
>>         my $userldapentry=$userdnsearch -> shift_entry;
>>        
>>         # build LDAP hash
>>         my %memberhash;
>>         my $x =$userldapentry->{asn}{attributes};
>>         my $key;
>>         foreach my $k ( @$x) {
>>             foreach my $k2 (keys %$k) {
>>                 if ($k2 eq 'type') {
>>                     $key = $$k{$k2};
>>                 } else {
>>                     my $a = @$k{$k2};
>>                     foreach my $k3 (@$a) {
>>                         $memberhash{$key} .= $k3." ";
>>                     }
>>                 }
>>             }
>>         }
>>         #
>>         # BUILD %borrower to CREATE or MODIFY BORROWER
>>         # change $memberhash{'xxx'} to fit your ldap structure.
>>         # check twice that mandatory fields are correctly filled
>>         #
>>         my %borrower;
>>         $borrower{cardnumber} = $userid;
>>         $borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
>>         $borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
>>         $borrower{initials} = 
>> substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; # 
>> MANDATORY FIELD
>>         $borrower{streetaddress} = $memberhash{postalAddress}." "; # 
>> MANDATORY FIELD
>>         $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
>>         $borrower{phone} = $memberhash{telephoneNumber}." "; # MANDATORY 
>> FIELD
>>         $borrower{branchcode} = "MERIT"; # MANDATORY FIELD
>>         $borrower{emailaddress} = $memberhash{mail};
>>         $borrower{categorycode} = $memberhash{employeeType};
>>
>>     ##################################################
>>     ### /LOCAL
>>     ### No change needed after this line (unless there's a bug ;-) )
>>     ##################################################
>>
>> _______________________________________________
>> Koha mailing list
>> Koha at lists.katipo.co.nz
>> http://lists.katipo.co.nz/mailman/listinfo/koha
>>
> 
> Thanks,

More information about the Koha-devel mailing list