Here is the AD bit from our koha-conf.xml:

<ldapserver id="DC">
  <hostname>samba.domain.com</hostname>
  <base>CN=Users,DC=samba,DC=domain,DC=com</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>%s...@samba.domain.com</principal_name>
  <mapping> <!-- match koha SQL field names to your LDAP record field names -->
    <firstname    is="givenName"      ></firstname>
    <surname      is="sn"             ></surname>
    <address      is="streetAddress"  ></address>
    <city         is="l"              ></city>
    <zipcode      is="postalCode"     ></zipcode>
    <branchcode   is="branch"         >our_branch</branchcode>
    <userid       is="uid"            ></userid>
    <password     is="userPassword"   ></password>
    <email        is="mail"           ></email>
    <categorycode is="employeeType"   >A</categorycode>
    <phone        is="telephoneNumber"></phone>
  </mapping>
</ldapserver>

Explained:
samba.domain.com is the name of our Active Directory; if you specify that as the hostname to bind to, Koha will use (round robin) DNS to connect to all DCs. This gives you a nice load spread, plus if one DC happens to be down, only some logons will fail.

(verify with "host samba.domain.com" several times in a row; it should normally return different IPs, depending on your number of DCs)

Base should be your users container.

Principal took me some time to understand: <principal_name>%s...@samba.domain.com</principal_name>

%s is replaced with a username, so in my example Koha tries to bind as usern...@samba.domain.com

I think the above explains it all?

MJ
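As an added example (not from this thread and not Koha's own code), the Python below parses an <ldapserver> block like the one above and performs the %s substitution into principal_name that MJ describes, for both the UPN-style and the DN-style template from this thread. The metacharacter check on the userid is an assumed hardening step, and ad.example.org is a placeholder domain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the AD block above (not anyone's real config).
SAMPLE_LDAPSERVER = """
<ldapserver id="DC">
  <hostname>ad.example.org</hostname>
  <base>CN=Users,DC=ad,DC=example,DC=org</base>
  <replicate>1</replicate>
  <update>1</update>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>%s@ad.example.org</principal_name>
  <mapping>
    <userid is="uid"></userid>
    <branchcode is="branch">our_branch</branchcode>
    <categorycode is="employeeType">A</categorycode>
  </mapping>
</ldapserver>
"""

# Characters that carry meaning in a DN (RFC 4514) or an LDAP filter
# (RFC 4515); a userid containing them is refused before substitution.
# This check is an assumed hardening step, not something Koha itself does.
UNSAFE_USERID = re.compile(r'[,+"\\<>;=*()\x00]')


def parse_ldapserver(xml_text):
    """Return the scalar settings and the <mapping> of one <ldapserver> block."""
    root = ET.fromstring(xml_text.strip())
    conf = {el.tag: (el.text or "").strip() for el in root if el.tag != "mapping"}
    mapping = root.find("mapping")
    # mapping: koha field -> (LDAP attribute from is="...", fixed default or None)
    conf["mapping"] = {} if mapping is None else {
        m.tag: (m.get("is"), (m.text or "").strip() or None) for m in mapping
    }
    return conf


def bind_identity(conf, userid):
    """Build the identity Koha binds as under auth_by_bind=1, or raise."""
    if conf.get("auth_by_bind") != "1":
        raise ValueError("auth_by_bind is 0: Koha would compare passwords, not bind")
    template = conf.get("principal_name", "")
    if "%s" not in template:
        raise ValueError("principal_name needs a %s placeholder for the userid")
    if not userid or UNSAFE_USERID.search(userid):
        raise ValueError("userid contains DN/filter metacharacters; refusing to substitute")
    return template.replace("%s", userid, 1)


if __name__ == "__main__":
    print(bind_identity(parse_ldapserver(SAMPLE_LDAPSERVER), "jdoe"))
```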



On 09/10/2015 09:18 AM, Ahmad Amanullah Khan wrote:
Dear All

I would appreciate it if you could tell us how you integrated Koha with AD. Any
guide will be highly appreciated.

Thanks

On Thu, Sep 10, 2015, 3:45 AM uwe <singlespeedfah...@yandex.com> wrote:

On Friday, 21.08.2015, 10:36 +0200, mourik jan heupink wrote:
I have no other clues, no. Must say I'm rather surprised to read that
auth by bind is no option for you. Are you sure? Why not

It seems that I misunderstood the auth-by-bind function. Finally
someone with more LDAP knowledge helped us connect LDAP to
our Koha installation. Now it works with auth-by-bind as you suggested.
Thank you very much. Your hint guided us the right way to get it
to work.

Best wishes
Uwe



On 08/20/2015 03:02 PM, uwe wrote:
Hello,

On Wednesday, 19.08.2015, 22:24 +0200, mourik jan heupink wrote:
I'm not sure if it will help you, but we have never had much luck
with the password compare routine, which Koha seems to like.

I don't know any other LDAP client that works like that. The usual way
(and this one works perfectly here, using OpenLDAP and also samba4/AD)
is: use <auth_by_bind>1</auth_by_bind>

Your principal_name would then be something like:

<principal_name>dn=%s,ou=id,dc=MY_ORG,dc=org</principal_name>

Thank you for your answer and hints, but unfortunately auth_by_bind
seems to be no option for us.

Is there another way to solve the issue?

Thanks in advance
Uwe

Hopefully this helps you as well.

MJ

On 8/18/2015 14:35, uwe wrote:
Hello,

we have a Koha installation and would like to connect it to our
OpenLDAP server, but I can't get it to work.

First our Koha setup:

OS: debian wheezy
Koha: 3.20.02

Connecting to the LDAP server works fine, but the password comparison
fails with the following error (tested in the console, but it also fails
in the web GUI; the given password is correct):

root@biblio:/etc/koha/sites/MY_SITE# env PERL5LIB=/usr/share/koha/lib KOHA_CONF=/etc/koha/sites/MY_SITE/koha-conf.xml perl /usr/share/koha/opac/cgi-bin/opac/opac-user.pl userid=MY_MAIL_NAME@MY_ORG.org password=MY_PASSWORD. | head -5

Got 2 ldap mapkeys (  total  ): userid
Got 2 ldap mapkeys (populated): userid
Checking Auth at /usr/share/koha/lib/C4/Auth.pm line 703, <DATA> line 558.
kohaversion : 3.2002000
## checkpw - checking LDAP
LDAP Auth rejected : invalid password for user 'MY_MAIL_NAME@MY_ORG.org'. LDAP error #5: LDAP_COMPARE_FALSE
# This code is returned when a compare request completes and the attribute value given is not in the entry specified

Login failed, resetting anonymous session... at /usr/share/koha/lib/C4/Auth.pm line 1107, <DATA> line 595.

Configuration in koha-conf.xml, see below. Our LDAP server uses
SSHA as password scheme. Could this be the problem?

How can I solve it? I can't find much that is useful when searching
the internet for the problem.

Thanks and best wishes
Uwe

<useldapserver>1</useldapserver> <!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->

<!-- LDAP SERVER (optional) -->

<ldapserver id="ldapserver" listenref="ldapserver">
  <hostname>MY_LDAP_SERVER</hostname>
  <base>ou=id,dc=MY_ORG,dc=org</base>
  <user>cn=biblio,ou=daemons,dc=MY_ORG,dc=org</user> <!-- DN, if not anonymous -->
  <pass>MY_SECRET_PASSWORD</pass> <!-- password, if not anonymous -->
  <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
  <update>0</update> <!-- update existing users in Koha database -->
  <anonymous_bind>0</anonymous_bind>
  <auth_by_bind>0</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
  <!--<principal_name>%s@MY_ORG.org</principal_name>-->
  <mapping> <!-- match koha SQL field names to your LDAP record field names -->
    <!--<firstname is="firstname"></firstname>
    <surname is="surname"></surname>
    <address is="postaladdress">hier</address>
    <city is="l">Berlin</city>
    <zipcode is="postalcode">1000</zipcode>
    <branchcode is="businesscategory"></branchcode>
    -->
    <userid is="uid"></userid>
    <!--<password is="USER_PASSWORD"></password>
    <email is="mail"></email>
    <categorycode is="employeetype">PT</categorycode>
    <phone is="telephonenumber">11111</phone>
    <flags is="flags">2</flags> -->
  </mapping>
</ldapserver>


(hint: some private data is anonymized with capital letters)

_______________________________________________
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
--
Q:      What is green and lives in the ocean?
A:      Moby Pickle.

