[Koha-devel] Koha ldap authentication problem

Dobrica Pavlinusic dpavlin at rot13.org
Wed Jun 12 17:24:54 CEST 2013


On Wed, Jun 12, 2013 at 10:00:48AM +0100, Bobby Adesuyan wrote:
> Hi guys, I am experiencing some erratic behavior getting koha to talk to
> our ldap server. I am trying a setup where koha updates existing user details
> (mainly passwords) but does not replicate. This way only users created on the
> koha server are able to authenticate, since the userid on koha is the same
> as on our ldap (openldap). However my experience has been very inconsistent.
> Users are not immediately authenticated until after numerous tries (and
> restarting koha-common), and when a user is eventually authenticated, changes
> to the user password on ldap are not immediately reflected. Here are my
> system details.

Restarting koha-common doesn't have any effect on authorization since
Koha calls LDAP directly from CGI.

> koha 3.12 using debian Squeeze Packages
> 
> here is my ldap configuration.
> 
> <useldapserver>1</useldapserver><!-- see C4::Auth_with_ldap for extra
> configs you must add if you want to turn this on -->
> <ldapserver id="ldapserver" listenref="ldapserver">
>     <hostname>192.168.0.1</hostname>
>     <base>ou=People,dc=example,dc=com</base>
>     <user>admin,ou=People,dc=example,dc=com</user>
>     <pass>password</pass>
>     <replicate>0</replicate>
>     <update>1</update>
>     <mapping>
>         <userid is="uid"></userid>
>         <surname is="sn"></surname>
>         <password is="userPassword"></password>
>     </mapping>
> </ldapserver>
> 
> I have been able to get other services like pam (library desktops
> running Linux), moodle, and alfresco to authenticate users against our
> ldap. If anyone could point me to what I am doing wrong

To create new users from LDAP in Koha you need to set replicate to 1.
With your configuration, users which don't exist in Koha won't be able
to login. This seems to be what you want, so I'm just attempting to
clarify options here.

Looking at your configuration and reading through C4/Auth_with_ldap.pm
code it seems that Koha uses LDAP compare to check LDAP password which
might fail if your admin account doesn't have sufficient privileges to do
so.

You might try using

<auth_by_bind>1</auth_by_bind>

which will check passwords by binding to LDAP as the user who just logged
into Koha, to see if that helps. In that case, you don't need <user>
and <pass> within your koha-conf.xml.

In any case, I would strongly suggest using

<hostname>ldaps://192.168.0.1</hostname>

to enable SSL on your connection to LDAP so that passwords don't travel
in clear over the network (in your configuration that's the admin
password, and with auth_by_bind it's all users' passwords).

> and if there is any other switch which needs to be flipped to get ldap
> working on Koha I would really appreciate it. Also any means of getting a
> more verbose log on what happens when koha tries to
> authenticate against ldap.. I have not been able to get any log on what's
> happening from opac.err or intranet.err.

You can set the DEBUG environment variable, see:

http://perldoc.koha-community.org/C4/Debug.html#How_to_Set_%24debug%3A

Even without DEBUG you should get at least some LDAP information in
intranet-error.log similar to:

mainpage.pl: LDAP Auth rejected : (hrEduPersonUniqueID=dpavlin) gets 0 hits

Hope this helps.

-- 
Dobrica Pavlinusic               2share!2flame            dpavlin at rot13.org
Unix addict. Internet consultant.             http://www.rot13.org/~dpavlin
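An added example, not from this thread or from Koha's own code: a small check that reads one <ldapserver> block in koha-conf.xml syntax and flags the three points raised in the reply (no ldaps:// scheme, compare-based password checking when auth_by_bind is not set, replicate=0 meaning unknown users cannot log in). Both sample blocks are constructed from the posted configuration; the hardened one applies the reply's suggestions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <ldapserver> block as posted in the thread
# (plain hostname, admin bind credentials, auth_by_bind absent).
POSTED_CONFIG = """<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>192.168.0.1</hostname>
  <base>ou=People,dc=example,dc=com</base>
  <user>admin,ou=People,dc=example,dc=com</user>
  <pass>password</pass>
  <replicate>0</replicate>
  <update>1</update>
  <mapping>
    <userid is="uid"></userid>
    <surname is="sn"></surname>
    <password is="userPassword"></password>
  </mapping>
</ldapserver>"""

# Constructed sample: same block with ldaps:// and auth_by_bind applied,
# and the now-unneeded <user>/<pass> removed.
HARDENED_CONFIG = """<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>ldaps://192.168.0.1</hostname>
  <base>ou=People,dc=example,dc=com</base>
  <auth_by_bind>1</auth_by_bind>
  <replicate>0</replicate>
  <update>1</update>
  <mapping>
    <userid is="uid"></userid>
    <password is="userPassword"></password>
  </mapping>
</ldapserver>"""

def check_ldapserver(xml_text):
    """Return a list of findings (strings) for one <ldapserver> block."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(tag) or "").strip()
    findings = []
    # Without ldaps:// the bind password (admin or, with auth_by_bind,
    # every user's) crosses the network in clear.
    if not text("hostname").startswith("ldaps://"):
        findings.append("hostname: no ldaps:// scheme, passwords travel in clear")
    by_bind = text("auth_by_bind") == "1"
    if not by_bind:
        findings.append("auth_by_bind unset: password checked by LDAP compare as "
                        "<user>, which may fail if that account lacks privileges")
    if by_bind and (text("user") or text("pass")):
        findings.append("auth_by_bind set: <user>/<pass> are not needed")
    if text("replicate") != "1":
        findings.append("info: replicate=0, users missing from Koha cannot log in")
    return findings
```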

