Commit graph

45 commits

Author SHA1 Message Date
Robin Sheat
4cbeeedbe8 Bug 6296: allow users to be authenticated by SSL client certs
This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress

If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.

The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.

This is an example of what might go in the Apache configuration for the
virtual host:

    #SSLVerifyClient require # only allow PKI authentication
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
    SSLOptions +StdEnvVars

The last line ensures that the required details are
passed to Koha.

To test the PKI authentication, use the following curl command:
    curl -k --cert client.crt --key client.key  https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)

To create the certificates needed for the above command, the following series
of commands will work:
    # Create the CA Key and Certificate for signing Client Certs
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # This is the ca.crt file that the Apache config needs to know about,
    # so put the file at /etc/apache2/ssl/test/ca.crt

    # Create the Server Key, CSR, and Certificate
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr

    # We're self signing our own server cert here.  This is a no-no in
    # production.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt

    # Create the Client Key and CSR
    openssl genrsa -des3 -out client.key 1024
    openssl req -new -key client.key -out client.csr

    # Sign the client certificate with our CA cert. Unlike signing our own
    # server cert, this is what we want to do.
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    # In theory we can install this client.p12 file in Firefox or Chrome, but
    # the exact steps for doing so are unclear, and outside the scope of this
    # patch

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.

Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
2012-03-19 17:02:44 +01:00
7fcff602f5 Bug 7113: Standardize vendor id name in templates and scripts
New revision updates for current master and cleans up new
instances introduced by recent commits.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
2 problems found, fixing those in follow-up patches:
- late orders don't allow more than 1 order to be selected
- basketgroups: 'Edit vendor' does the same as 'Manage orders'
2012-02-17 19:04:00 +01:00
Paul Poulain
f961638465 Bug 5473 follow-up : removed warn & replace some tabs by 4 spaces 2012-01-20 16:30:48 +01:00
Srdjan Jankovic
92ca5a13e5 bug_5473: Update items when receiving shipments
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>

Tested by receiving multiple items with the AcqCreateItem
preference set to 'placing an order' and 'receiving an item'
In both cases the pricing and vendor is brought over to the
item record so I'm signing off.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-01-20 15:43:11 +01:00
Lars Wirzenius
5f69c342de Fix FSF address in directory acqui/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:51 -04:00
Paul Poulain
452c0ab719 MT2716: fixing finishreceive.pl Software Error
finishreceive.pl was buggy when AcqCreateItem was set to receive (wrong API)

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-02-17 07:49:08 -05:00
Henri-Damien LAURENT
a9ae673ba1 followup finishreceive.pl 2009-11-19 17:34:27 +01:00
Henri-Damien LAURENT
1ec6e3df73 Change in API : ordnum becomes ordernumber 2009-10-30 00:30:47 +01:00
Paul Poulain
9308599dee merge fix : receiving 2009-09-30 11:30:26 +02:00
Paul Poulain
1247509b2a finishreceive
* deal with granular perms
* deal with AddItem syspref
* fix a little bit API & variable names
2009-09-30 11:30:19 +02:00
Joe Atzberger
403e96c69b perltidy finishreceive.pl and two comments added
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-04-08 12:30:57 -05:00
Paul POULAIN
0f568a8aff fix for #2440 : acquisition receive & item creation
It has to be reintroduced, as some (most in France) libraries don't create
items on receive, but after "equipment" step.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-08-08 15:09:22 -05:00
Ryan Higgins
0d7265bd73 Populate items.cn_source in acq receive. However, items.cn_sort is not calculated. See bug 2403.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-07-27 06:05:22 -05:00
Ryan Higgins
fa28afba18 BUG 2351 : Add duplicate barcode check prior to receiving multiple items. This patch adds a javascript form check for duplicates in-form, and returns an error if there are duplicates in the catalog.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-07-27 06:05:18 -05:00
Ryan Higgins
0bb91c1624 Bug 2351 : Receive acqui order was not incrementing loop counter when saving multiple items.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-07-15 09:58:36 -05:00
Paul POULAIN
f0deb12b78 (bugfix, CRI) Permission needed is acquisition, not acquisitionS
+ I've added 'intranet' to reach intranet error page, not OPAC one (which is the default when no type specified)

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-05-13 17:40:26 -05:00
Galen Charlton
c6c8e80a73 start of BIB change -- introduce C4::Items
Introduced C4::Items module to separate items API
from biblio API.  Details on changes will be
put in later commit messages.

Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-03 16:23:12 -06:00
Ryan Higgins
97b907216b fix for bug 1723. no auth on finishreceive.pl
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-01 20:11:49 -06:00
Ryan Higgins
31ddb16fa2 Fix bug in ModReceiveOrder call
had been losing datereceived and replacementprice on modorder.

Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-01 18:42:48 -06:00
Ryan Higgins
52e1a15e5a Specify datereceived when receiving a new parcel.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-01 18:42:47 -06:00
Ryan Higgins
b2f5cf3ad2 Further updates to acq, merging in dev_week mods.
Splitting orders now on receipt.
Many tmpl updates to pass correct values btwn scripts.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-01 15:07:08 -06:00
tipaul
eba2552086 Code cleaning of Biblio.pm (continued)
All subs have been cleaned :
- removed useless
- merged some
- reordering Biblio.pm completely
- using only naming conventions

Seems to have broken nothing, but it still has to be heavily tested.
Note that Biblio.pm is now much more efficient than previously & probably more reliable as well.
2007-03-29 16:45:53 +00:00
tipaul
a481fad4b7 Code cleaning :
== Biblio.pm cleaning (useless) ==
* some sub declaration dropped
* removed modbiblio sub
* removed moditem sub
* removed newitems. It was used only in finishrecieve. Replaced by a Koha2Marc+AddItem, that is better.
* removed MARCkoha2marcItem
* removed MARCdelsubfield declaration
* removed MARCkoha2marcBiblio

== Biblio.pm cleaning (naming conventions) ==
* MARCgettagslib renamed to GetMarcStructure
* MARCgetitems renamed to GetMarcItem
* MARCfind_frameworkcode renamed to GetFrameworkCode
* MARCmarc2koha renamed to TransformMarcToKoha
* MARChtml2marc renamed to TransformHtmlToMarc
* MARChtml2xml renamed to TranformeHtmlToXml
* zebraop renamed to ModZebra

== MARC=OFF ==
* removing MARC=OFF related scripts (in cataloguing directory)
* removed checkitems (function related to MARC=off feature, that is completely broken in head. If someone wants to reintroduce it, hard work coming...)
* removed getitemsbybiblioitem (used only by MARC=OFF scripts, that is removed as well)
2007-03-29 13:30:31 +00:00
tipaul
2ffd5b7228 rel_3_0 moved to HEAD 2007-03-09 14:28:54 +00:00
tgarip1957
3818a8dc38 A new acquisition to handle different tax values to each item, receiving multiple baskets as one parcel, stricter rules for biblio and item creation 2006-09-20 21:44:36 +00:00
toins
0554a91421 Some SQL code moved into Acquisition.pm 2006-08-01 15:04:33 +00:00
toins
7181726db0 Fix some broken links & renamed some function.
FIXME : Where is finishreceive.tmpl ?
2006-08-01 08:33:11 +00:00
sushi
7bd1980eca Merging Katipo changes.
call to receiveorder() now takes $bookfund as arg.
Mason's ACQ fixes from HLT-DEV , work in progress
Added regex to convert & to %26 before redirect to receive.pl.
Now has error alert for blank barcode field, and little tidyup.
finishreceive.pl now updates aqorder table's order record with latest added biblioitem for that order, so ordersearch() now returns the acq-orders most recently created bibitem info, instead of the initially created biblioitem info.
Now redirects back to acquire.pl if barcode exists or newitems() fails.
Now allows user to create a new biblioitem/item using a checkbox.
Adding option so magazines make new biblioitems as well as items - in testing stage
adding in the update for the replacement cost on the item table when editing a received order via
adding a bit to allow hlt to edit received order bit and not fail on duplicate barcode
added elsif to handle dup barcode error.
Fix to handle dup barcodes for newitem(), displays error then goes back to acquire.pl.
Now checks to see if newly created item is currently reserved.
Fix for the receive periodicals bit
Catching any errors when making items
More bugfixing this time a bug not saving volume info
Fix for bug 3529, allow freight to be distributed among the items
Now saves modified fields.
2006-06-07 03:47:50 +00:00
tipaul
92b914b394 fix to calculate item cost (the / was buggy : everywhere else there is the price is the unit price) 2004-09-14 12:32:13 +00:00
tipaul
cfa9223cd1 * updates to make acquisition compatible with suggestions & serials
* changes to use supplierid instead of id, that's easier to read.
2004-08-12 14:35:22 +00:00
tipaul
6376aa4326 catalogue.pm deals only with acquisitions.
so, renaming it...
catalogue management is done in Biblio.pm package
2004-07-13 12:52:13 +00:00
tipaul
323642f5a1 all those fixes are related to translation improvement.
A few minor bugfixes too in perl code.

NOTE TO ENGLISH "TEMPLATORS" : you should look at this commit, as some ideas are really nice.  Thanks to Carole, Wesford School, new Koha user in France :-)
2003-09-18 10:19:28 +00:00
tipaul
05e5034932 bugfixes + adding buttons to switch between normal and MARC view of a record 2003-03-07 16:34:04 +00:00
tipaul
8dd5bb69de bugfixes. seems to work better.
NOTES to 1.2 managers : the 1.2 seems to have problems too :
* when finishrecieve is called, the booksellerid is lost, and you arrive to the "recieve.pl" again, it's with the 1st bookseller from the DB.
* under certain circumstances, the invoice # is lost, and ALL lines from the bookseller are shown. this strange behaviour is fixed too in this commit
2003-03-03 17:35:29 +00:00
tipaul
dc1cf5f163 road to 1.9.2 :
* finishing templating acquisition
* first step to acquisition/cataloguing merging.

show no errors, but seems a little buggy (order counter wrong, problem at end of acquisition process...)
2003-02-27 16:54:10 +00:00
arensb
eff606ba56 Replaced expressions of the form "$x = $x <op> $y" with "$x <op>= $y".
Thus, $x = $x+2 becomes $x += 2, and so forth.
2002-10-13 11:32:14 +00:00
arensb
a9e5b8bb76 Added a FIXME comment. 2002-10-13 06:30:01 +00:00
tipaul
5daa177422 long is the road to 1.4.0
* MARCadditem and MARCmoditem now works
* various bugfixes in MARC management
!!! 1.3.0 should be released very soon now. Be careful !!!
2002-09-20 13:01:50 +00:00
tonnesen
1e67687742 Added copyright statement to all .pl and .pm files 2002-08-14 18:12:50 +00:00
tipaul
528f1b2b80 Long is the road to MARC..
Not related to MARC :
* removed HLT- empty link when no basket for a supplier (should be useful to copy this into rel-1-2 I think)
* fixed some "use of uninitialized value"
related to MARC
* changed use Acquisition to use Catalogue, new package for MARC management

For instance, nothing is done to MARC DB, but structure is modified (see Biblio.pm for details), and everything seems to work : it's still possible to use acqui, and it fills old-DB pretty good.

WARNING : if you work on main trunk, please note Acquisition.pm is NO MORE USED in /acqui/ system. Every sub in Acquisition.pm has been moved to Biblio.pm or Catalogue.pm.
2002-07-04 15:53:02 +00:00
truth_nz
7ae8f46a85 Patch to acqui system to use new newbiblioitem() parameters 2002-05-15 02:22:24 +00:00
truth_nz
0747fb1fbb Changes to allow modifications to the website biblioitems
Changes to way that website biblioitems are shown on the details page
2002-05-12 18:08:17 +00:00
truth_nz
cec2db30ea Update to catalogue to allow change of biblio abstracts.
Related modifications to acqui system to match changes in Acquisition.pm
detail.pm changed to show abstract - still working on how to show url's
2002-05-09 03:01:40 +00:00
truth_nz
47c18cfcdc Modifications for new acqui.simple
Database includes new biblio abstract field and biblioitem url field
acqui/finishreceive.pl modified to use changed C4/Acquisitions.pm
2002-04-29 05:25:41 +00:00
rangi
d0374d0037 Initial revision 2000-12-19 23:45:51 +00:00