Dear Katrin,

Thanks for your info about the mentioned reported bug, will try to implement this feature soon to support multiple ldap connections with different mappings. For sure will try to push it to others.

Regards

Mohamad Barham
System Engineer | Information Technology Department
Birzeit University
P.O.Box. 14, Birzeit, Palestine
Tel: + 970 22982012 | Mob: +970 597 861929 | Ext: 5616
mbar...@birzeit.edu | www.birzeit.edu

________________________________
From: Koha <koha-boun...@lists.katipo.co.nz> on behalf of Coehoorn, Joel <jcoeho...@york.edu>
Sent: Wednesday, February 19, 2020 12:04 AM
To: Katrin Fischer <katrin.fischer...@web.de>; koha <koha@lists.katipo.co.nz>
Subject: Re: [Koha] adding second ldap server

If that ldap server happens to be Active Directory, you can take advantage of features inside of AD to accomplish your goal here in a way that's invisible to Koha.

But before I get into that, there is an issue coming for Active Directory sites that I haven't seen pushed out to this list yet:

*BEGINNING IN MARCH, MICROSOFT WILL NO LONGER ALLOW UNSECURED LDAP CONNECTIONS TO ACTIVE DIRECTORY.*

That is, after applying Windows Updates next month, if you have Koha configured to authenticate users against Active Directory via a normal LDAP connection over port 389, your connection will be broken!

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

To avoid a broken system, or fix this afterwards, you *MUST* set up the connection to use LDAP+TLS over port 636.

I manage two Koha servers which authenticate via Active Directory. I'm not impacted by this personally: one already uses LDAP+S and will retire soon, the other uses SAML SSO. But I may start a separate thread just to get more attention in the community... I feel like a *lot* of people will get caught by this and end up broken next month unless it's publicized a lot more, at least it would be nice to have an existing list thread dedicated to resolving the issue.

That out of the way, let's move on to the question at hand. There are two scenarios here.

First, if you want the second ldap connection only for redundancy. I don't have the docs in front of me, but you basically add a special DNS record for your domain with a low TTL. If one domain controller is the record will automatically point to the alternate, even for ldap connections. This assumes Active Directory is also running your DNS (which is best practice for AD sites). Again, this is for redundancy, not for separate sources.

If you want separate ldap sources, where different ldap connections would have different sets of users, you can set up a trust relationship to link the two servers into a single Active Directory forest, and then point the single ldap connection at the forest instead of either individual server.

In both cases, Koha just sees the single ldap connection, but you get the intended results.

Joel Coehoorn
Director of Information Technology
402.363.5603
*jcoeho...@york.edu*
*Please contact helpd...@york.edu for technical assistance.*
The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society

On Tue, Feb 18, 2020 at 3:40 PM Katrin Fischer <katrin.fischer...@web.de> wrote:
> Hi,
>
> to my understanding it's currently not possible to connect more than one LDAP server to Koha. I found an open bug for adding this feature:
>
> *Bug 20735* <https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20735> - Multiple LDAP servers
>
> Katrin
>
> On 18.02.20 13:36, Mohamad F Barham wrote:
> > Dears,
> >
> > I am trying to add a second ldap server but fails, is there a restriction for only one server? how to solve that?
> >
> > notice:
> > koha 19.11
> > debian 9
> > first ldap server work correctly, we have two ldap servers, one for students and one for staff, both have different mapping
> >
> > <ldapserver id="ldapserver">
> >   <hostname>ldaps://172.16.2.101</hostname>
> >   <base>DC=STBZU,DC=EDU</base>
> >   <user>CN=Mohamad F. Barham,OU=CCsupport,DC=STBZU,DC=EDU</user> <!-- DN, if not anonymous -->
> >   <pass>PASSWORD</pass> <!-- password, if not anonymous -->
> >   <replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
> >   <update>0</update> <!-- update existing users in Koha database; don't update, to not override koha edits, e.g. category type -->
> >   <anonymous_bind>0</anonymous_bind>
> >   <auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by binding instead of password comparison, e.g., to use Active Directory -->
> >   <principal_name>%s...@stbzu.edu</principal_name> <!-- optional, for auth_by_bind: a printf format to make userPrincipalName from koha userid -->
> >   <mapping> <!-- match koha SQL field names to your LDAP record field names -->
> >     <firstname is="givenname"></firstname>
> >     <surname is="sn"></surname>
> >     <userid is="samaccountname"></userid>
> >     <email is="mail"></email>
> >     <othernames is="cn"></othernames>
> >     <branchcode is="">MAIN</branchcode>
> >     <categorycode is="">ST</categorycode>
> >   </mapping>
> > </ldapserver>
> >
> > Mohamad Barham
> > System Engineer | Information Technology Department
> > Birzeit University
> > P.O.Box. 14, Birzeit, Palestine
> > Tel: + 970 22982012 | Mob: +970 597 861929 | Ext: 5616
> > mbar...@birzeit.edu | www.birzeit.edu
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~
> > The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The University is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > _______________________________________________
> > Koha mailing list http://koha-community.org
> > Koha@lists.katipo.co.nz
> > https://lists.katipo.co.nz/mailman/listinfo/koha
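The warning in Joel's message is that a Koha `<ldapserver>` block pointing at Active Directory over plain `ldap://` (port 389) stops working once the LDAP signing and channel binding change lands, and the fix is `ldaps://` on 636. The following is an added example, not Koha's own code or anything from the thread's authors: a small Python linter that reads an `<ldapserver>` block in the shape shown above (hostname, base, user, pass, anonymous_bind, auth_by_bind, mapping) and reports the settings that would break or weaken authentication against AD. The two configurations inside it are constructed for the example; `dc01.example.test`, `koha-bind` and `PLACEHOLDER` are not real values.

```python
"""Lint a Koha <ldapserver> block for plain-LDAP use and related weak settings.

Added example (not Koha's code). Parses the same XML shape Koha uses in
koha-conf.xml and flags:
  - hostname without ldaps:// (Active Directory rejects unsigned plain LDAP
    after the 2020 signing / channel binding update; use ldaps://host:636),
  - ldaps on a non-standard port (worth a second look),
  - a bind password that would travel in cleartext over ldap://,
  - anonymous_bind=1, which AD normally refuses anyway,
  - mapping entries that name no LDAP attribute and carry no default value.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed "before" config: unencrypted LDAP on the default port 389.
INSECURE_CONFIG = """
<ldapserver id="ldapserver">
  <hostname>ldap://dc01.example.test</hostname>
  <base>DC=EXAMPLE,DC=TEST</base>
  <user>CN=koha-bind,OU=Service,DC=EXAMPLE,DC=TEST</user>
  <pass>PLACEHOLDER</pass>
  <replicate>0</replicate>
  <update>0</update>
  <anonymous_bind>0</anonymous_bind>
  <auth_by_bind>1</auth_by_bind>
  <principal_name>%s@example.test</principal_name>
  <mapping>
    <firstname is="givenname"></firstname>
    <surname is="sn"></surname>
    <userid is="samaccountname"></userid>
    <email is="mail"></email>
    <branchcode is="">MAIN</branchcode>
    <categorycode is="">ST</categorycode>
  </mapping>
</ldapserver>
"""

# Constructed "after" config: the same block with the change the thread calls
# for, LDAPS on port 636.
SECURE_CONFIG = INSECURE_CONFIG.replace(
    "ldap://dc01.example.test", "ldaps://dc01.example.test:636"
)


def _text(root, tag, default=""):
    """Return the stripped text of a direct child element, or a default."""
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else default


def lint_ldapserver(xml_text):
    """Return a list of (level, message) findings for one <ldapserver> block."""
    root = ET.fromstring(xml_text)
    findings = []

    host = _text(root, "hostname")
    # Koha accepts a bare host; treat that as plain ldap:// for the check.
    parts = urlsplit(host if "://" in host else "ldap://" + host)
    scheme, port = parts.scheme.lower(), parts.port

    if scheme != "ldaps":
        findings.append(("error",
            f"hostname '{host}' uses plain LDAP (port {port or 389}); "
            "Active Directory will reject it once LDAP signing is enforced, "
            "use ldaps://<host>:636"))
    elif port not in (None, 636):
        findings.append(("warn",
            f"ldaps on non-standard port {port}; confirm this is intended"))

    if scheme != "ldaps" and _text(root, "pass"):
        findings.append(("error",
            "<pass> bind password would be sent in cleartext over ldap://"))

    if _text(root, "anonymous_bind") == "1":
        findings.append(("warn",
            "anonymous_bind=1: AD normally refuses anonymous searches; "
            "use a low-privilege bind account instead"))

    mapping = root.find("mapping")
    for entry in (list(mapping) if mapping is not None else []):
        # An entry with no 'is' attribute and no default text can never be filled.
        if entry.get("is") is None and not (entry.text or "").strip():
            findings.append(("warn",
                f"mapping <{entry.tag}> names no LDAP attribute and has no default"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("secure", SECURE_CONFIG)):
        print(f"== {label} ==")
        for level, msg in lint_ldapserver(cfg) or [("ok", "no findings")]:
            print(f"  [{level}] {msg}")
```

Run it against a copy of the `<ldapserver>` element cut from koha-conf.xml; an `error` finding means the server will fail once AD enforces signing, and the `pass` finding is the reason to fix it even on a domain controller that has not been updated yet. The check only looks at the URL, so a server that is reachable on 636 but presents a certificate Koha does not trust still needs the usual TLS verification on the Koha host.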