[Koha-devel] Koha3.0 against Active Directory

Michael Hafen mdhafen at tech.washk12.org
Fri Sep 26 17:17:13 CEST 2008


On Fri, 2008-09-26 at 04:55 -0700, abdel514 wrote:
> thanks for your answer
> I have done what is required in the file auth_with_ldap.pm in C4.
> but it does not 
> why?
> because it goes simple auth in the Active Directory.
> and when he passes me the following error in the log:
> "opac-user.pl: LDAP Auth rejected : invalid password for user 'dmadmin' LDAP
> error #16: LDAP_NO_SUCH_ATTRIBUTE, referer:
> http://****************/cgi-bin/koha/opac-user.pl"
> thanks more.

This is a problem that is being discussed on this list, being whether to
use 'bind-auth' or 'comparison auth'.  The problem, specifically, is
that Active Directory does not have the attribute auth_with_ldap.pm is
looking for to compare to the user entered password.  This is, in my
opinion, a flaw in Microsoft's implementation as well.  The rest of the
problem is that auth_with_ldap.pm expects an attribute with password
stored in the plain, which Active Directory does not have.  So some
trickery will have to be used to get this to work.

What will have to be done is to figure out which attribute Active
Directory stores a password in, and how that password is changed before
being stored.  Then to change in the code $password variable, and the
attribute it is compared to in the function checkpw_ldap().

After looking at Active Directory a bit I don't think this will actually
be possible unless you have the Microsoft Services For Unix installed.
Then you get the msSFU30Password Attribute, which is probably an md5
with a certain seed by the looks of it.  This isn't the easy way, but is
possible.

I think it would be easier to switch to the 'bind-auth' method here.  It
will require some changes to the code in auth_with_ldap.pm around line
103, where the password is compared, through line 107.  Replace these
lines with something like:

$db->unbind;
$db->disconnect();
# Reconnect and bind as the user; the directory verifies the password.
$db = Net::LDAP->new( [$prefhost] );
unless ($db) {
	warn "LDAP Auth failed : could not connect to '$prefhost'";
	return 0;
}
# Net::LDAP's bind() takes the entry's DN (a Net::LDAP::Entry is accepted too).
$res = $db->bind( $userldapentry, password => $password );
if ( $res->code ) {
	warn "LDAP Auth rejected : invalid password for user '$userid'";
	return 0;
}

As long as $userldapentry isn't lost when unbind() and disconnect() are
called this should work.

Good luck.
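For readers following this thread, here is the complete 'bind-auth' flow as a stand-alone Perl routine. It is an added illustration, not code from Koha's auth_with_ldap.pm or from either poster: it looks the user up with a read-only service account, takes the DN of the matching entry, and then binds as that DN with the password the user typed, so no password attribute ever has to be read or compared. The hostname, base DN, service-account DN and password, and the use of sAMAccountName as the login attribute are all assumptions and placeholders. The guard against an empty password matters in practice: a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which Active Directory accepts, so without the check an empty password would "succeed".

```perl
#!/usr/bin/perl
# Added example (not Koha's auth_with_ldap.pm): authenticate a user against
# Active Directory with the 'bind-auth' method instead of a password compare.
# Assumptions (all placeholders): a read-only service account, logins stored
# in sAMAccountName, and an LDAPS endpoint so the password is not sent in clear.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $ldap_uri = 'ldaps://dc1.example.internal';                     # placeholder
my $base_dn  = 'DC=example,DC=internal';                           # placeholder
my $bind_dn  = 'CN=koha-ldap,OU=Service,DC=example,DC=internal';   # placeholder
my $bind_pw  = 'service-account-password';                         # placeholder

# Returns 1 when the directory accepts the user's password, 0 otherwise.
sub checkpw_ldap_bind {
    my ( $userid, $password ) = @_;

    # RFC 4513 5.1.2: DN + empty password is an *unauthenticated* bind, which
    # AD accepts.  Refuse it here, or an empty password would log anyone in.
    return 0 unless defined $userid   && length $userid;
    return 0 unless defined $password && length $password;

    my $db = Net::LDAP->new( $ldap_uri, timeout => 5 );
    unless ($db) {
        warn "LDAP Auth failed : cannot reach $ldap_uri: $@";
        return 0;
    }

    # Step 1: bind as the service account and look up the user's DN.
    my $res = $db->bind( $bind_dn, password => $bind_pw );
    if ( $res->code ) {
        warn "LDAP Auth failed : service bind: " . $res->error;
        return 0;
    }

    # Escape the user-supplied login (RFC 4515 special characters) so it
    # cannot alter the search filter.
    my $safe_id = escape_filter_value($userid);
    my $search  = $db->search(
        base   => $base_dn,
        scope  => 'sub',
        filter => "(&(objectClass=user)(sAMAccountName=$safe_id))",
        attrs  => ['1.1'],    # '1.1' = return no attributes, DN only
    );
    if ( $search->code || $search->count != 1 ) {
        warn "LDAP Auth rejected : no unique entry for user '$userid'";
        $db->unbind;
        return 0;
    }
    my $user_dn = $search->shift_entry->dn;

    # Step 2: rebind on the same connection as the user.  The directory does
    # the password check; nothing is read from a password attribute.
    $res = $db->bind( $user_dn, password => $password );
    my $ok = $res->code ? 0 : 1;
    warn "LDAP Auth rejected : invalid password for user '$userid'" unless $ok;
    $db->unbind;
    return $ok;
}

# Usage (needs a reachable directory; $entered_password is a placeholder):
# print checkpw_ldap_bind( 'dmadmin', $entered_password ) ? "ok\n" : "rejected\n";
```

The two-step shape (service bind, then user bind) is what lets the login be a plain account name rather than a full DN; the escape of the login before it goes into the filter and the empty-password guard are the two checks most often missing from first attempts at this.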