Michael, this mod resolved the AD/LDAP problem for me. Thank you very much. Devs, somehow incorporate this into 3.2?
On Thu, Oct 23, 2008 at 10:41 AM, Michael Hafen <[EMAIL PROTECTED]> wrote:
> Reply below.
>
> On Wed, 2008-10-22 at 14:45 -0500, Library Guy wrote:
> > On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
> > > > that Active Directory does not have the attribute auth_with_ldap.pm is
> > > > looking for to compare to the user entered password.
> > >
> > > this can be set with xpath /ldapserver/mapping/password at is but it will
> > > fail because you can't compare a clear text with an AD encrypted passwd!
> > >
> > > > problem is that auth_with_ldap.pm expects an attribute with password
> > > > stored in the plain,
> > >
> > > i don't think so! can you imagine a password stored in plain in a modern
> > > and secure system? i think that the current code expect that the plain
> > > text used for comparaison will be encrypted by the server.
> > >
> > > >     $db->unbind;
> > > >     $db->disconnect();
> > > >     $db = Net::LDAP->new( [$prefhost] );
> > >
> > > why unbind ? you'll loose the benefit of mod_ldap cached data.
> > >
> > >     $dbuser = Net::LDAP->new( [$prefhost] );
> > >
> > > >     $res = $db->bind( $userldapentry, password = $password );
> > >
> > > password = $password will fail as perl vars begins with $ sigil!
> > >
> > >     $res = $db->bind( $userldapentry, password => $password );
> > >
> > > works better
> > >
> > > regards
> > > marc
> >
> > so what would the suggested final mod look like if the current auth
> > section of Auth_with_ldap.pm is:
> >
> >     sub checkpw_ldap {
> >         my ($dbh, $userid, $password) = @_;
> >         my $db = Net::LDAP->new([$prefhost]);
> >         #$debug and $db->debug(5);
> >         my $uid_field = $mapping{userid}->{is} or die ldapserver_error("mapping for 'userid'");
> >         my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die "Failed to create new Net::LDAP::Filter";
> >         my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword);
> >         if ($res->code) { # connection refused
> >             warn "LDAP bind failed as $ldapname: " . description($res);
> >             return 0;
> >         }
>
> That bit would stay the same. The bit of code that needs to change is
> further down:
>
>     my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
>     if ($cmpmesg->code != 6) {
>         warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
>         return 0;
>     }
>
> Would become more like:
>
>     my $user_ldapname = $userldapentry->dn();
>     my $user_db = Net::LDAP->new( [$prefhost] );
>     $res = $user_db->bind( $user_ldapname, password => $password );
>     if ( $res->code ) {
>         $debug and warn "Bind as user failed". description( $res );
>         return 0;
>     }
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha.org
http://lists.koha.org/mailman/listinfo/koha-devel
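The pieces of the thread assembled into one routine, as an added example that is neither Koha's Auth_with_ldap.pm nor code posted by Michael or marc: look the user up with the service bind, then verify the password with a second connection bound as the user's own DN, so no readable password attribute is needed. Two safeguards are assumptions added here and not discussed in the thread: the userid is escaped before it goes into the search filter, and an empty password is rejected before the bind, because a simple bind with an empty password is an unauthenticated bind that most directories, Active Directory included, answer with success. The names $prefhost, $ldapname, $ldappassword and %mapping follow the snippet quoted above; their values, $base and the hostname are placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Settings named as in the thread's snippet; the values are placeholders.
my $prefhost     = 'ldap://ad.example.invalid';                    # placeholder host
my $ldapname     = 'cn=koha-svc,ou=Service,dc=example,dc=invalid'; # service bind DN
my $ldappassword = 'SERVICE-PASSWORD-PLACEHOLDER';
my $base         = 'dc=example,dc=invalid';
my %mapping      = ( userid => { is => 'sAMAccountName' } );       # AD login attribute

# Returns 1 when $userid/$password verify against the directory, else 0.
sub checkpw_ldap_bind {
    my ($userid, $password) = @_;
    # Added safeguard (not in the thread): an empty password would make the
    # second bind an unauthenticated bind, which servers answer with success.
    return 0 unless defined $password && length $password;

    my $db  = Net::LDAP->new([$prefhost]) or return 0;
    my $res = $db->bind($ldapname, password => $ldappassword);
    if ($res->code) {
        warn "LDAP service bind failed as $ldapname: " . $res->error;
        return 0;
    }

    # Added safeguard: escape the user-supplied id so it cannot change the
    # structure of the filter the service account searches with.
    my $uid_field = $mapping{userid}->{is};
    my $filter    = sprintf '(%s=%s)', $uid_field, escape_filter_value($userid);
    my $search    = $db->search(base => $base, scope => 'sub',
                                filter => $filter, attrs => ['1.1']); # DN only
    if ($search->code || $search->count != 1) {
        warn "LDAP Auth rejected: no unique entry for '$userid'";
        return 0;
    }
    my $user_dn = $search->entry(0)->dn;

    # Second connection bound as the user: the server verifies the password,
    # which is why this works against AD where compare on userPassword cannot.
    my $user_db = Net::LDAP->new([$prefhost]) or return 0;
    my $auth    = $user_db->bind($user_dn, password => $password);
    $user_db->unbind;
    $db->unbind;
    if ($auth->code) {
        warn "LDAP Auth rejected: invalid password for '$userid'";
        return 0;
    }
    return 1;
}
```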