When importing users from LDAP, Auth_with_ldap.pm doesn't check if value for
categorycode is present in categories table in Koha resulting in referential
integrity error instead of using default value from koha-conf.xml
Test scenario:
1. enable LDAP in koha-conf.xml using <useldapserver>1</useldapserver>
and add <ldapserver> configuration with
<categorycode is="SomeLDAPField">DefaultCategoryCode</categorycode>
2. select/create LDAP user with category in SomeLDAPField which isn't in
Koha
3. try logging in and ensure that assigned category to new user is
DefaultCategoryCode
Signed-off-by: Marijana Glavica <mglavica@ffzg.hr>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
* correctly indenting with tab the debarrcomment field
* setdebar.pl is called without status parameter, thus it is not working anymore. It's fixed & some dead code has been removed. To test : debar someone, then go to patron detail page and click "lift debarment"
* the test function had not been updated. The fix define a debarment date of 2099-12-31 (no limit)
* fixed documentation in C4/Auth_with_ldap.pm
* updated ILSDI/Utility.pm to work with debarred being a date
* updated Members.pm/patronflags to work with debarred being a date (copy/paste of BibLibre code that had not been backported)
* fixed opac-reserve to check correctly for debarred status
I also have removed a duplicate line on circulation.pl when the patron was restricted = the information was displayed twice
In the case of LDAP, checkpw was returning the cardnumber of there user, but it was being treated as the
userid. This patch updates checkpw_ldap to return the cardnumber AND the userid, and updates checkpw to
uniformly return cardnumber and userid in all instances, so that whoever is authenticating can use the
desired value in the right way.
This requires us to specify all LDAP mappings in koha-conf.xml in lowercase,
instead of original case used withing LDAP.
Compare readability of
<userid is="hrEduPersonUniqueID" ></userid>
(which doesn't work) with required (and non-intuitive)
<userid is="hredupersonuniqueid" ></userid>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
When using
<replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
<update>0</update> <!-- update existing users in Koha database ->
<auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by
binding instead of password comparison, e.g., to use Active Directory -->
Auth_with_ldap attempts to lookup the userid in the LDAP directory to
fill $userldapentry despite it being unneeded in this case. The information
retrieved will be thrown away, thus there is no need to retrieve it.
This can cause authentication to fail overall even if the initial bind with the
user's credentials succeeded
Signed-off-by: Joe Atzberger <ohiocore@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
When using auth_by_bind, search was always done as anonymous user.
This is a problem if we want to fetch LDAP values which have ACL
permissions only for users.
This change moves bind from search_method back into checkpw_ldap,
making code cleaner and easier to understand
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Patch compiled from diffs created by Dobrica Pavlinušić <dpavlin@rot13.org> to:
* enable patron replication when using LDAP with auth_by_bind
* not scribble over extended patron attributes
* fix failure logging in to OPAC if patron has no extended attributes
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Allow replicate and update to be zero.
Break out logic into separate subs.
Do only one bind attempt depending on setting, instead of
necessarily failing first before trying auth_by_bind.
POD added for active directory and to document permutations of
behavior given different conditions. Fixed mistaken debug lines
that called "print STDERR printf ...", i.e. printed the line to output
and "1" to the error log. Added principal_name feature for generating
bind user from Koha userid.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This changes the checkpw code in Auth_with_ldap. Along with comparing
the user entered password against the directory attibute userPassword
you can try to bind with the users dn and password.
This is controlled by the option auth_by_bind, which, if set, causes
this code to try binding instead of comparing.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This doesn't insert the large and typically unused <ldapserver> block,
just the switch with a comment pointing to C4::Auth_with_ldap. This otherwise
was undocumented requirement, making LDAP config a bit of a shot in the dark.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
The section in KOHA_CONF was moved inside <config> and renamed
<ldapserver>. Perldoc updated to correspond. Tested with local
LDAP and existing test (t/db_dependent/Auth_with_ldap.t).
Patch can be applied with confidence based on comparison of 2 dumps:
perl -e 'use C4::Context; use Data::Dumper; my $context=C4::Context->new("./old_config.xml"); print Dumper ($context->{server}->{ldapserver}),"\n";'
and
perl -e 'use C4::Context; use Data::Dumper; my $context=C4::Context->new("./new_config.xml"); print Dumper (C4::Context->config("ldapserver")),"\n";'
These dumps reflect the way Auth_with_ldap accesses configuration info before and after.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Seems not to break too many things, but i'm probably wrong here.
at least, new features/bugfixes from 2.2.5 are here (tested on some features on my head local copy)
- removing useless directories (koha-html and koha-plucene)