
[Koha-devel] Re: [Koha] ldap in 2.2.6RC2


From: mourik jan c heupink
Subject: [Koha-devel] Re: [Koha] ldap in 2.2.6RC2
Date: Sun, 15 Oct 2006 17:44:47 +0200
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

Dear koha developers,

Did anyone ever check out this ldap-authentication patch that I sent to this mailing list in September? I received no replies, and just checked CVS, which still has the original file.

If there are problems with this patch, could anyone tell me what they are?

Kind regards,
Mourik Jan

MJ Ray wrote:
Mourik Jan

I am resending your message to the koha-devel list, so that hopefully
a developer can test and commit the improved LDAP authenticator to the
next versions.  I may be offline for some of next week and hesitate to
commit something I won't have enough time to test and support. Thank you for chasing up this useful upgrade.

Forwarded message:
From address@hidden Fri Sep 15 15:17:17 2006
Date: Fri, 15 Sep 2006 12:31:06 +0200
From: mourik jan heupink <address@hidden>
To: address@hidden
Cc: address@hidden
Subject: [Koha] ldap in 2.2.6RC2
List-Id: Discussion list for the Koha Library system <koha.lists.katipo.co.nz>

Dear list,

There has been some discussion on address@hidden about the ldap authentication bit of koha (mostly in December 2005). The outcome of that discussion was (as far as I understood it) that the actual checking of the password should be done by trying to connect (authenticate) to the ldap server with a specific username/password and seeing if ldap accepts the connection.

What koha does: It tries to receive the password field from the ldap server, and compares that to the password the user has typed, to check if they are the same.

There are some problems with this approach:
- Most (if not all?) ldap servers will be configured NOT to provide a user's password to an anonymous connection, meaning koha would have to log on with a rootdn (or use ACLs) to be able to 'read' the user's password.
- If the ldap server uses a way to encrypt the password, comparing the (encrypted) password with the plain text (or otherwise encrypted) password, the two values will not give the desired result.

Anyway, a solution was provided on this list. To my surprise I noticed that in the new koha 2.2.6RC2 the old method was still in place.

Is there anything I missed? Are there reasons NOT to use the "try to connect (authenticate) to the ldap server with a specific username/password" approach? Does it break other things?

The Auth.pm provided by KL Nasveschuk is quoted below, and works here.

Kind regards,
Mourik Jan

    ##################################################
    ### LOCAL
    ### Change the code below to match your own LDAP server.
    ##################################################

    # This block sits inside the Auth.pm password check; $userid and
    # $password are the values the user typed into the login form, and the
    # else-branch opened below is closed by the code after the /LOCAL marker.
    # These modules are normally loaded at the top of Auth.pm.
    use Net::LDAP;
    use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
    use Net::LDAP::Constant qw(LDAP_SUCCESS);

    # LDAP connection parameters

    # LDAP server
    my $ldapserver = 'ldap.server.com';

    # Base DN for users
    my $name  = "ou=users,dc=server,dc=com";

    # Bind uses the user's full DN; if uid doesn't work, try "cn".
    # The user id is escaped so that characters such as ',' or '=' typed
    # into the login form cannot alter the DN.
    my $binddn = "uid=" . escape_dn_value($userid) . ",$name";

    my $db = Net::LDAP->new( $ldapserver );
    # Net::LDAP->new returns undef (and sets $@) when the server is unreachable
    unless ($db) {
        warn "LDAP Auth failed: cannot connect to $ldapserver: $@";
        return 0;
    }
    # do bind: the LDAP server checks the password for us
    my $res = $db->bind(
            dn       => $binddn,
            password => $password);
    # check connection: any code other than LDAP_SUCCESS (0) is a problem
    if ($res->code != LDAP_SUCCESS) {
        # auth refused
        warn "LDAP Auth failed: server not responding or wrong user/password combination";
        return 0;
    # search user
    } else {
        # the filter value is escaped for the same reason as the DN above
        my $userdnsearch = $db->search(
                base   => $name,
                filter => "(cn=" . escape_filter_value($userid) . ")",
                );
        my $userldapentry = $userdnsearch->shift_entry;
        unless ($userldapentry) {
            warn "LDAP Auth failed: no entry for $userid under $name";
            return 0;
        }
        # build LDAP hash: attribute name => all values joined by spaces.
        # The Net::LDAP::Entry API is used instead of walking the private
        # {asn}{attributes} structure, whose hash key order is not guaranteed.
        my %memberhash;
        foreach my $attr ($userldapentry->attributes) {
            $memberhash{$attr} = join(' ', $userldapentry->get_value($attr)) . ' ';
        }
        #
        # BUILD %borrower to CREATE or MODIFY BORROWER
        # change $memberhash{'xxx'} to fit your ldap structure.
        # check twice that mandatory fields are correctly filled
        #
        my %borrower;
        $borrower{cardnumber} = $userid;
        $borrower{firstname} = $memberhash{givenName}; # MANDATORY FIELD
        $borrower{surname} = $memberhash{sn}; # MANDATORY FIELD
        $borrower{initials} = substr($borrower{firstname},0,1).substr($borrower{surname},0,1)." "; # MANDATORY FIELD
        $borrower{streetaddress} = $memberhash{postalAddress}." "; # MANDATORY FIELD
        $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
        $borrower{phone} = $memberhash{telephoneNumber}." "; # MANDATORY FIELD
        $borrower{branchcode} = "MERIT"; # MANDATORY FIELD
        $borrower{emailaddress} = $memberhash{mail};
        $borrower{categorycode} = $memberhash{employeeType};

    ##################################################
    ### /LOCAL
    ### No change needed after this line (unless there's a bug ;-) )
    ##################################################



Thanks,
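The "bind as the user and let the server check the password" approach discussed in the thread, as an added stand-alone example. This is not Koha's Auth.pm and not the code KL Nasveschuk posted; the server name, base DN, naming attribute and the sub name ldap_check_password are assumptions for the example. It adds the checks a deployment of this approach needs: an empty password is refused before the bind (RFC 4513 treats a DN with an empty password as an anonymous bind, which many servers accept), the connection is upgraded with start_tls before the password is sent, user input is escaped before it is placed in a DN or filter, and a wrong password is reported separately from a server problem.

```perl
#!/usr/bin/perl
# Added example, not code from Koha or from the mailing list post.
# Verifies a login by binding to the LDAP server as the user, so the
# server checks the password and the password attribute is never read.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Assumed site settings (placeholders, not values from the post).
my %cfg = (
    server => 'ldap.example.org',
    base   => 'ou=users,dc=example,dc=org',
    attr   => 'uid',   # naming attribute of the user entries
    tls    => 1,       # run start_tls before the password leaves the host
);

# Returns a hash ref with status 'ok', 'invalid' or 'error', a message,
# and on success the user's Net::LDAP::Entry (fetched with the user's
# own bind, so the server's ACLs decide what is visible).
sub ldap_check_password {
    my ($userid, $password) = @_;

    # RFC 4513 "unauthenticated bind": a DN with an empty password is
    # treated as an anonymous bind and many servers answer LDAP_SUCCESS.
    # Without this check an empty password would log anyone in.
    return { status => 'invalid', message => 'empty user id or password' }
        unless defined $userid && length $userid
            && defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{server}, timeout => 10)
        or return { status => 'error', message => "cannot connect to $cfg{server}: $@" };

    if ($cfg{tls}) {
        my $tls = $ldap->start_tls(verify => 'require');
        if ($tls->code) {
            $ldap->unbind;
            return { status => 'error', message => 'start_tls failed: ' . $tls->error };
        }
    }

    # Escape the user-typed value before placing it in a DN and in a filter,
    # so that ',', '=', '(' or '*' in the login name cannot change either.
    my $dn = sprintf '%s=%s,%s', $cfg{attr}, escape_dn_value($userid), $cfg{base};

    my $bind = $ldap->bind($dn, password => $password);
    if ($bind->code == LDAP_INVALID_CREDENTIALS) {
        $ldap->unbind;
        return { status => 'invalid', message => 'wrong user id or password' };
    }
    if ($bind->code != LDAP_SUCCESS) {
        # Anything else (server down, TLS required, ...) is a server-side
        # problem and is logged separately from a bad password.
        my $msg = 'bind failed: ' . $bind->error;
        $ldap->unbind;
        return { status => 'error', message => $msg };
    }

    # Credentials are valid; fetch the entry to fill in borrower details.
    my $search = $ldap->search(
        base   => $cfg{base},
        scope  => 'one',
        filter => sprintf('(%s=%s)', $cfg{attr}, escape_filter_value($userid)),
        attrs  => [qw(givenName sn mail)],
    );
    my $entry = $search->code == LDAP_SUCCESS ? $search->shift_entry : undef;
    $ldap->unbind;

    return { status => 'ok', message => 'authenticated', entry => $entry };
}

# Command-line driver: user id as argument, password read from stdin so it
# does not show up in the process list.
if (!caller) {
    my $user = shift @ARGV or die "usage: $0 USERID < password-file\n";
    chomp(my $pass = <STDIN> // '');
    my $r = ldap_check_password($user, $pass);
    print "$r->{status}: $r->{message}\n";
    if ($r->{entry}) {
        printf "%s: %s\n", $_, $r->{entry}->get_value($_) // ''
            for qw(givenName sn mail);
    }
}
```

The three-way result matters operationally: 'invalid' is the user's problem and can be shown as a normal login failure, while 'error' means the directory or the TLS setup is broken and should go to the server log, not be mistaken for a wrong password as the single warn in the quoted Auth.pm does.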