[Koha-devel] Koha3.0 against Active Directory

Michael Hafen mdhafen at tech.washk12.org
Thu Oct 23 17:41:25 CEST 2008


Reply below.

On Wed, 2008-10-22 at 14:45 -0500, Library Guy wrote:
>         On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
>         > that Active Directory does not have the attribute auth_with_ldap.pm is
>         > looking for to compare to the user entered password.
>         
>         this can be set with xpath /ldapserver/mapping/password@is but it will
>         fail because you can't compare a clear text with an AD encrypted passwd! 
>         
>         > problem is that auth_with_ldap.pm expects an attribute with password
>         > stored in the plain,
>         
>         i don't think so! can you imagine a password stored in plain in a modern
>         and secure system? i think that the current code expects that the plain
>         text used for comparison will be encrypted by the server.
>         
>         > $db->unbind;
>         > $db->disconnect();
>         > $db = Net::LDAP->new( [$prefhost] );
>         
>         why unbind ? you'll lose the benefit of mod_ldap cached data.
>         
>         $dbuser = Net::LDAP->new( [$prefhost] );
>         
>         > $res = $db->bind( $userldapentry, password = $password );
>         
>         password = $password will fail as perl vars begin with $ sigil! 
>         
>         $res = $db->bind( $userldapentry, password => $password );
>         
>         works better
>         
>         regards
>         
>         marc
> 
> so what would the suggested final mod look like if the current auth
> section of Auth_with_ldap.pm is:
> 
> sub checkpw_ldap {
>     my ($dbh, $userid, $password) = @_;
>     my $db = Net::LDAP->new([$prefhost]);
>     #$debug and $db->debug(5);
>     my $uid_field = $mapping{userid}->{is} or die ldapserver_error("mapping for 'userid'");
>     my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die "Failed to create new Net::LDAP::Filter";
>     my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password => $ldappassword);
>     if ($res->code) {           # connection refused
>         warn "LDAP bind failed as $ldapname: " . description($res);
>         return 0;
>     }
> 

That bit would stay the same.  The bit of code that needs to change is
further down:

        my $cmpmesg = $db->compare( $userldapentry, attr => 'userpassword', value => $password );
        if ($cmpmesg->code != 6) {      # 6 = compareTrue
                warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
                return 0;
        }

Would become more like:

        # bind a second connection as the user; the server checks the password
        my $user_ldapname = $userldapentry->dn();
        my $user_db = Net::LDAP->new( [$prefhost] );
        $res = $user_db->bind( $user_ldapname, password => $password );
        if ( $res->code ) {
            $debug and warn "Bind as user failed: " . description( $res );
            return 0;
        }
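
As an added example, not code from this thread or from Koha's Auth_with_ldap.pm, here is the complete bind-as-user flow that Michael's fragment sketches, written as a stand-alone Net::LDAP script. The host, base DN, service account, and attribute name in the %cfg hash are placeholders. Beyond the thread's own code it adds three checks a deployment against Active Directory should have: an empty password is refused before binding (RFC 4513 section 5.1.2 defines a DN with an empty password as an unauthenticated bind, which many servers accept, so without this check a blank password would log anyone in), the userid is escaped before it goes into the search filter, and the search must return exactly one entry before its DN is used.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): authenticate against Active Directory by
# binding as the user, instead of comparing the userpassword attribute.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# All values below are placeholders, not settings from the thread.
my %cfg = (
    host     => 'ldaps://ad.example.invalid',                      # ldaps: the user's password crosses the wire inside TLS
    base     => 'DC=example,DC=invalid',                           # search base for user accounts
    bind_dn  => 'CN=koha-svc,OU=Service,DC=example,DC=invalid',    # read-only service account used to find the user's DN
    bind_pw  => 'service-account-password',
    uid_attr => 'sAMAccountName',                                  # AD login-name attribute (the thread's 'userid' mapping)
);

# Returns 1 if the user/password pair is valid, 0 otherwise.
sub checkpw_ldap_bind {
    my ($userid, $password) = @_;

    # RFC 4513 s5.1.2: DN + empty password is an *unauthenticated* bind and
    # succeeds on many servers, so it must never reach the bind call.
    return 0 unless defined $userid && length $userid;
    return 0 unless defined $password && length $password;

    # Connection 1: service account, used only to look up the user's DN.
    my $db = Net::LDAP->new($cfg{host})
        or do { warn "LDAP connect failed: $@"; return 0 };
    my $res = $db->bind($cfg{bind_dn}, password => $cfg{bind_pw});
    if ($res->code) {
        warn "LDAP service bind failed as $cfg{bind_dn}: " . $res->error;
        return 0;
    }

    # Escape the userid so special characters cannot change the filter.
    my $filter = sprintf('(%s=%s)', $cfg{uid_attr}, escape_filter_value($userid));
    my $search = $db->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],          # OID 1.1 = return no attributes, only DNs
    );
    if ($search->code) {
        warn "LDAP search failed: " . $search->error;
        $db->unbind;
        return 0;
    }
    # Exactly one match, otherwise we cannot know whose DN to bind with.
    if ($search->count != 1) {
        warn "LDAP auth rejected: " . $search->count . " entries match '$userid'";
        $db->unbind;
        return 0;
    }
    my $user_dn = $search->entry(0)->dn;
    $db->unbind;

    # Connection 2: bind as the user. The directory verifies the password,
    # so no password hash or attribute is ever read by this code.
    my $user_db = Net::LDAP->new($cfg{host})
        or do { warn "LDAP connect failed: $@"; return 0 };
    my $bind = $user_db->bind($user_dn, password => $password);
    $user_db->unbind;
    if ($bind->code) {
        warn "LDAP auth rejected: invalid password for user '$userid': " . $bind->error;
        return 0;
    }
    return 1;
}

# Usage: perl this_script.pl <userid> <password>
unless (caller) {
    my ($u, $p) = @ARGV;
    print checkpw_ldap_bind($u, $p) ? "authenticated\n" : "rejected\n";
}
```

The two connections are deliberate, as marc's reply suggests: the service-account connection stays usable for lookups, and the bind as the user happens on its own connection, so a failed or successful user bind never changes what identity the lookup connection holds.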
