[Koha-devel] Re: [Koha] ldap in 2.2.6RC2

MJ Ray mjr at phonecoop.coop
Sat Sep 16 17:21:44 CEST 2006


Mourik Jan

I am resending your message to the koha-devel list, so that hopefully
a developer can test and commit the improved LDAP authenticator to the
next versions.  I may be offline for some of next week and hesitate to
commit something I won't have enough time to test and support.  Thank 
you for chasing up this useful upgrade.

Forwarded message:
> From koha-bounces at lists.katipo.co.nz Fri Sep 15 15:17:17 2006
> Date: Fri, 15 Sep 2006 12:31:06 +0200
> From: mourik jan heupink <heupink at merit.unu.edu>
> To: Koha at lists.katipo.co.nz
> Cc: paul.poulain at free.fr
> Subject: [Koha] ldap in 2.2.6RC2
> List-Id: Discussion list for the Koha Library system <koha.lists.katipo.co.nz>
>
> dear list,
>
> There has been some discussion on koha at lists.katipo.co.nz about the ldap 
> authentication bit of koha (mostly in December 2005). The outcome of 
> that discussion was (as far as I understood it) that the actual checking 
> of the password should be done by trying to connect (authenticate) to 
> the ldap server with a specific username/password and seeing if ldap 
> accepts the connection.
>
> What koha does: It tries to receive the password field from the ldap 
> server, and compares that to the password the user has typed, to check 
> if they are the same.
>
> There are some problems with this approach:
> - most (if not all..?) ldap servers will be configured NOT to provide a 
> user's password to an anonymous connection. Meaning koha would have to 
> logon with a rootdn (or use acl's) to be able to 'read' the users password.
> - if the ldap server uses a way to encrypt the password, comparing the 
> (encrypted) password with the plain text (or otherwise encrypted) 
> password will not give the desired result, because the two values differ.
>
> Anyway, a solution was provided on this list. To my surprise I noticed 
> that in the new koha 2.2.6RC2 the old method was still in place.
>
> Is there anything I missed? Are there reasons NOT to use the approach of 
> trying to connect (authenticate) to the ldap server with a specific 
> username/password? Does it break other things?
>
> The Auth.pm provided by KL Nasveschuk is quoted below, and works here.
>
> Kind regards,
> Mourik Jan
>
>     ##################################################
>     ### LOCAL
>     ### Change the code below to match your own LDAP server.
>     ##################################################
>
>     use Net::LDAP;
>     use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
>
>     # LDAP connection parameters
>
>     # LDAP server
>     my $ldapserver = 'ldap.server.com';
>
>     # Base DN for users
>     my $name = "ou=users,dc=server,dc=com";
>
>     # An empty password must never reach bind(): a bind that carries a DN
>     # but no password is an anonymous bind on most servers, and it succeeds.
>     if ( !defined $password || $password eq '' ) {
>         warn "LDAP Auth refused: empty password";
>         return 0;
>     }
>
>     # Bind uses the user's full DN, if uid doesn't work try "cn".
>     # The userid is escaped so it cannot add extra components to the DN.
>     my $binddn = "uid=" . escape_dn_value($userid) . ",$name";
>
>     my $db = Net::LDAP->new($ldapserver);
>     unless ($db) {
>         warn "LDAP Auth failed: cannot connect to $ldapserver: $@";
>         return 0;
>     }
>
>     # do bind
>     my $res = $db->bind(
>             dn       => $binddn,
>             password => $password );
>
>     # check connection: any code other than LDAP_SUCCESS (0) is a problem
>     if ( $res->code != 0 ) {
>         # auth refused
>         warn "LDAP Auth failed: wrong user/password combination: " . $res->error;
>         return 0;
>     # search user
>     } else {
>
>         # The filter attribute should be the one used in $binddn above
>         # (uid or cn); the userid is escaped so it cannot widen the filter.
>         my $userdnsearch = $db->search(
>                 base   => $name,
>                 filter => "(cn=" . escape_filter_value($userid) . ")",
>                 );
>         my $userldapentry = $userdnsearch->shift_entry;
>         unless ($userldapentry) {
>             warn "LDAP Auth failed: bind succeeded but no entry found for $userid";
>             return 0;
>         }
>
>         # build LDAP hash: attribute name => values joined with spaces
>         my %memberhash;
>         foreach my $attr ( $userldapentry->attributes ) {
>             $memberhash{$attr} = join ' ', $userldapentry->get_value($attr);
>         }
>         #
>         # BUILD %borrower to CREATE or MODIFY BORROWER
>         # change $memberhash{'xxx'} to fit your ldap structure.
>         # check twice that mandatory fields are correctly filled
>         #
>         my %borrower;
>         $borrower{cardnumber} = $userid;
>         $borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
>         $borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
>         $borrower{initials} = substr($borrower{firstname},0,1)
>                             . substr($borrower{surname},0,1) . "  "; # MANDATORY FIELD
>         $borrower{streetaddress} = $memberhash{postalAddress}." "; # MANDATORY FIELD
>         $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
>         $borrower{phone} = $memberhash{telephoneNumber}." "; # MANDATORY FIELD
>         $borrower{branchcode} = "MERIT"; # MANDATORY FIELD
>         $borrower{emailaddress} = $memberhash{mail};
>         $borrower{categorycode} = $memberhash{employeeType};
>
>     ##################################################
>     ### /LOCAL
>     ### No change needed after this line (unless there's a bug ;-) )
>     ##################################################
>
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
>

Thanks,
-- 
MJ Ray - see http://mjr.towers.org.uk/email.html
North End, Lynn, Norfolk, England
Work: http://www.ttllp.co.uk/
IRC/Jabber/SIP: on request
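The bind-based check discussed in the forwarded message, as an added example that is not Koha's code or KL Nasveschuk's Auth.pm. It is written in Python rather than Perl so it can run offline: FakeDirectory is a constructed stand-in for an LDAP server, the sample entry under ou=users,dc=server,dc=com is made up, and a real deployment would talk to the directory over TLS with python-ldap/ldap3 (or Net::LDAP in Koha). The point it shows is the caveat a bind-only authenticator needs: a bind with a DN and an empty password is an unauthenticated (anonymous) bind that still returns LDAP_SUCCESS, so the naive "bind succeeded, therefore the user is authentic" pattern lets anyone in with a blank password, and the userid must be escaped (RFC 4514 for the DN, RFC 4515 for the filter) before it is spliced into either.

```python
"""Bind-based LDAP authentication with the guards a bind-only check needs.

Added example, not Koha code.  FakeDirectory is a constructed stand-in for
an LDAP server so the example runs offline; a real deployment would use
python-ldap/ldap3 (or Net::LDAP in Koha) over TLS against the real server.
"""
import re

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
USERID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")   # assumed local userid policy


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


class FakeDirectory:
    """Constructed stand-in for an LDAP server.  It reproduces the RFC 4513
    rule that matters here: a bind with a DN and an *empty* password is an
    unauthenticated bind and returns LDAP_SUCCESS without proving anything."""

    def __init__(self, entries):
        self.entries = entries      # dn -> {attribute: [values]}

    def bind(self, dn, password):
        if password == "":
            return LDAP_SUCCESS     # anonymous bind, yet "success"
        entry = self.entries.get(dn)
        if entry is not None and entry.get("userPassword") == [password]:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS

    def search(self, base, filt):
        """Only '(uid=<RFC 4515-escaped value>)' equality filters are supported."""
        m = re.fullmatch(r"\(uid=((?:[^\\()*]|\\[0-9a-f]{2})*)\)", filt)
        if m is None:
            raise ValueError("unsupported filter: " + filt)
        wanted = re.sub(r"\\([0-9a-f]{2})",
                        lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith("," + base) and attrs.get("uid") == [wanted]]


def naive_authenticate(directory, base_dn, userid, password):
    """The bind-only pattern: bind returned success, so the user is authentic."""
    return directory.bind("uid=%s,%s" % (userid, base_dn), password) == LDAP_SUCCESS


def authenticate(directory, base_dn, userid, password):
    """Return the user's attributes on success, None on any failure."""
    # 1. Never send an empty password: it turns the bind into an anonymous one.
    if not password:
        return None
    # 2. Confine the userid to a strict character set before it touches a DN
    #    or a filter; the escaping below is defence in depth, not the only guard.
    if not USERID_RE.fullmatch(userid):
        return None
    bind_dn = "uid=%s,%s" % (escape_dn_value(userid), base_dn)
    if directory.bind(bind_dn, password) != LDAP_SUCCESS:
        return None
    # 3. Read attributes only after a successful bind, with the uid escaped.
    hits = directory.search(base_dn, "(uid=%s)" % escape_filter_value(userid))
    if len(hits) != 1:
        return None
    dn, attrs = hits[0]
    # The entry read back must be the one whose password was just verified
    # (a real server needs DN normalisation here; the fake compares strings).
    if dn != bind_dn:
        return None
    return attrs


BASE_DN = "ou=users,dc=server,dc=com"
SAMPLE_DIRECTORY = FakeDirectory({      # constructed sample entry
    "uid=jdoe," + BASE_DN: {
        "uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
        "mail": ["jdoe@server.com"], "userPassword": ["s3cret"],
    },
})

if __name__ == "__main__":
    print("naive, empty password:   ", naive_authenticate(SAMPLE_DIRECTORY, BASE_DN, "jdoe", ""))
    print("hardened, empty password:", authenticate(SAMPLE_DIRECTORY, BASE_DN, "jdoe", ""))
    print("hardened, right password:", authenticate(SAMPLE_DIRECTORY, BASE_DN, "jdoe", "s3cret"))
```

Running the block shows the naive check accepting "jdoe" with an empty password while the hardened one refuses it; with the right password the hardened path returns the entry's attributes, which is exactly the data the Auth.pm above copies into %borrower. The userid whitelist is stricter than the escaping alone requires; it is there so a userid like `jdoe)(uid=*` never gets as far as the directory at all.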