To test:
Ideally tested on a working ldap server with bind by auth and no
anonymous bind
1 - Define an LDAP config with bind by auth
2 - Don't define user/pass
3 - Define anonymous_bind = 0
4 - Attempt bind by auth
5 - Error is something like:
LDAP search failed to return object : XXXXXXXXX: LdapErr: XXXX-XXXXXX,
comment: In order to perform this operation a successful bind must
be completed on the connection., data 0, v2580 at
/usr/share/koha/lib/C4/Auth_with_ldap.pm line 102.
6 - Define user/pass
7 - Now bind by auth should work
8 - remove user/pass
9 - Apply patch
10 - Attempt again
11 - Bind by auth shoudl succeed
prove -v t/db_dependent/Auth_with_ldap.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: John Doe <you@example.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
* Any extended patron attributes will cause the update to fail as those attributes don't exist in the 'borrowers' table
* The update of the extended patron attributes is already dealt with in checkpw_ldap()
* Ergo: just skip those attributes here
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
I did not test this patch but code looks good
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
I removed several lines of code in the checkpw_ldap subroutine where
LDAP authentication takes place, in the "else" part of the conditional
that checks for the auth_by_bind config parameter. I added several lines
to check whether the user can log in to LDAP using their DN and the
password supplied in the login form. If they are able to bind, login
contiues as normal and the LDAP attributes can be harvested as normal if
the update options are turned on. The routine that was in place was
failing because it was trying to check against a non-existent LDAP entry
attribute called 'userpassword'. Instead of checking against a
'userpassword' attribute, the routine really should be checking to make
sure the user can actually bind to LDAP. That's what I set up, and it is
a safer way to test authentication against LDAP.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch fixes internal server error:
Undefined subroutine &C4::Auth_with_ldap::AddMember called at /srv/koha_ffzg/C4/Auth_with_ldap.pm line 213.
It occurs only under plack, and it's strange since C4::Members
does EXPORT AddMember and we are importing it into Auth_with_ldap.pm
(and it does work under CGI).
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I did not test but trust author and signoffer. The change cannot hurt.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Oliver Bock <oliver.bock@aei.mpg.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch moves the code from C4::Members::changepassword to
Koha::Patron->update_password
Test plan:
Change your password at the OPAC and the staff interface
This should work as before
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I rebased this on top of 16849 because they were conflicting.
Tests pass, code looks good (as usual) and I checked both OPAC
and staff password change work as expected.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test
1/ Apply both patches
2/ This patch lets you easily configure mappings for categorycode values.
These mapping will be used when updating the user's account after a successful LDAP login.
Here is an example configuration :
<config>
<ldapserver id="ldapserver>
<mapping>
<categorycode is="usertype">STU</categorycode>
...
</mapping>
<categorycode_mapping>
<categorycode value="STU">STUDENT</categorycode>
<categorycode value="EMP">EMPLOYEE</categorycode>
</categorycode_mapping>
</ldapserver>
</config>
3/ With this configuration, LDAP users with the usertype value "EMP" on the LDAP server should have the "EMPLOYEE" categorycode in Koha.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
To test
1/ Apply both patches
2/ This patch lets you easily configure mappings for categorycode values.
These mapping will be used when updating the user's account after a successful LDAP login.
Here is an example configuration :
<config>
<ldapserver id="ldapserver>
<mapping>
<categorycode is="usertype">STU</categorycode>
...
</mapping>
<categorycode_mapping>
<categorycode value="STU">STUDENT</categorycode>
<categorycode value="EMP">EMPLOYEE</categorycode>
</categorycode_mapping>
</ldapserver>
</config>
3/ With this configuration, LDAP users with the usertype value "EMP" on the LDAP server should have the "EMPLOYEE" categorycode in Koha.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Test plan:
- Update your configuration file to use LDAP authentication and enable update
(<update>1</update>) option,
- login with an existing user with extended attrbitutes that are not in
LDAP mapping,
- check that all attributes are still here.
Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Philippe Blouin <philippe.blouin@inlibro.com>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Mainly a
perl -p -i -e 's/^.*3.07.00.049.*\n//' **/*.pm
Then some adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/^(use vars .*)\$VERSION\s?(.*)/$1$2/' **/*.pm
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
The patron attributes displayed on editing a patron are not displayed if
limited to another library.
C4::Members::Attributes::SetBorrowerAttributes will now only delete attributes
the librarian is editing.
SetBorrowerAttributes takes a new $no_branch_limit parameter. If set,
the branch limitations have not effect and all attributes are deleted
(same behavior as before this patch).
Test plan:
1/ Create 2 patron attributes, without branch limitations.
2/ Edit a patron and set a value for these attributes
3/ Limit a patron attributes to a library (one you are not logged in
with).
4/ Edit again the patron.
=> You should not see the limited attributes
5/ Edit the patron attributes and remove the branch limitation
=> Without this patch, it has been removed from the database and is not
displayed anymore.
=> With this patch, you should see it.
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Minor code tidy to clean up qa script warning.
http://bugs.koha-community.org/show_bug.cgi?id=9165
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
A small enhancement to clear existing synced passowrd should this
config option be enbled. This followup is related to bug 12831
http://bugs.koha-community.org/show_bug.cgi?id=9165
Signed-off-by: Robin Sheat <robin@catalyst.net.nz>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This adds a configuration option to LDAP that prevents it from storing
user's passwords in the local database. This is useful when users of
hosted Koha wish to prevent any form of offsite password storage for
security reasons.
Notes:
* if the option is not included in the koha-conf.xml file, then the
current default behaviour of saving the password locally is retained.
* this has no impact on passwords that are already in the database.
They will not be erased.
To use:
* edit the koha-conf.xml for a system that uses LDAP for
authentication.
* in the <ldapserver> configuration, add:
<update_password>0</update_password>
* feel a greater sense of security.
To test:
1) have a Koha system that authenticates using LDAP.
2) note that when a user logs in, their password is saved (hashed) in
the database.
2.5) it is important to note that, for whatever reason, a user's
password is not stored on a login where their account is created,
only when they log in after being created. Thus perhaps log in and
log out a couple of times to be sure.
3) add the <update_password>0</update_password> option to the
<ldapserver> section of koha-conf.xml.
4) login with a new user (or erase the password from the database for
an existing user) and note that the password field is not populated.
5) log out and log back in just to be sure, check the password field
again.
Sponsored-By: National Institute of Water and Atmospheric Research (NIWA)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Local only logins should continue to function when LDAP is enabled.
This was not the case after bug 8148 [LDAP Auth should FAIL when ldap
contains a NEW password]. For this case, we need to diferentiate
between local accounts and ldap accounts. This is somewhat challenging
and thus this patch is only part of the story.
The other half can be achieved with bug 9165
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch covers LDAP auth_by_bind configuration so that wrong
LDAP password will return -1 to C4::Auth so we can abort local auth
and prevent users logging in with stale database passwords.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
http://bugs.koha-community.org/show_bug.cgi?id=8148
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
http://bugs.koha-community.org/show_bug.cgi?id=8148
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
LDAP auto-provisioning should set default messaging preferences upon
creation of a user.
Signed-off-by: Ulrich Kleiber <ulrich.kleiber@bsz-bw.de>
Manually applied to 3.12.9 and it works beautifully in test and production.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Recent changes to LDAP broke auth_by_bind in many situations. This bug
resets the behaviour to what it used to be, however also allows the new
behaviour by adding the 'anonymous_bind' parameter to the LDAP config.
Testing:
1) Find an LDAP configuration that was broken recently that uses
auth_by_bind
2) Apply this patch
3) See if it works again.
Additionally, testing the original path in the case of 'anonymous_bind'
being set should probably be done too, but I have no idea about the LDAP
server config for that.
Signed-off-by: Ulrich Kleiber <ulrich.kleiber@bsz-bw.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The move avoids a problem where many modules would gain
a dependency on C4::Auth just because C4::Members needs access
to hash_password().
This patch also adds a couple unit tests for the new password
hashing code.
To test:
[1] Verify that there are no regressions on the test plan for bug
9611.
[2] Verify that t/AuthUtils.t and t/db_dependent/Auth.t pass.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Test:
* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to 1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be ble to log in with the new password
I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap; C4::Auth_with_ldap::_do_changepassword("srdjan", 1000022259, "srdjan");'
and was able to change the password.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described.
Test
1) change <useldapserver> to 1
2) copy/paste sample <ldapserver> config from perldoc C4/Auth_with_ldap
3) using sample script was able to change password,
use (userid, borrowernumber, newpass) as arguments
4) checked with OPAC and in database
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
To reproduce:
1/ Edit your apache virtual host and set the DEBUG environment variable
(SetEnv DEBUG 1).
2/ Try to login with an ldap user
3/ You will be redirected to the 500 error page.
The Koha logs contains:
malformed header from script. Bad header=------------------------------: mainpage.pl
The hashdump routine directly prints to STDOUT (!) and breaks the
headers.
It appears Net::LDAP::?->dump does the same thing.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Maybe we can kill C4::Utils after getting rid of this
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
To test:
- Configure an LDAP server and $KOHA_CONF, etc.
- Make sure ExtendedPatronAttributes is defined and that
there is no attribute defined that is specified to be
a unique ID.
- Try to log in using an account originating from the
LDAP directory.
- You will got a software error:
Can't use an undefined value as an ARRAY reference at
/home/koha/src/C4/Auth_with_ldap.pm line 183.
- Apply the patch.
- Try to log in again; this time it should work.
Signed-off-by: Nuño López Ansótegui <nunyo@masmedios.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This fixes a bug where, assuming LDAP authentication is enabled, if a user
tries to log in while the LDAP server is down, the following fatal error
is displayed:
Can't call method "bind" on an undefined value at C4/Auth_with_ldap.pm line 134, <DATA> line 558.
This patch catches this error to allow normal authentication when LDAP connexion fails.
Test plan :
- Configure LDAP connexion with a host not having LDAP. ie :
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
<hostname>localhost</hostname>
<base>dc=test,dc=com</base>
<user>cn=Manager,dc=test,dc=com</user>
<pass>passwd</pass>
<replicate>0</replicate>
<update>0</update>
<auth_by_bind>0</auth_by_bind>
<mapping>
<firstname is="givenname" ></firstname>
<surname is="sn" ></surname>
<branchcode is="branch" >MAIN</branchcode>
<userid is="uid" ></userid>
<password is="userpassword" ></password>
<email is="mail" ></email>
<categorycode is="employeetype" >PT</categorycode>
</mapping>
</ldapserver>
- Try to connect with mysql user (defined in koha-conf.xml)
- Try to connect with a user defined in borrowers
You may try to connect with working LDAP connexion
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Fixes problem found by QA scripts.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
This patch aims to solve the LDAP bind authentication method. Here are
some considerations:
- This is a standalone patch, so all the previous submitted ones are
rendered obsolete;
- LDAP bind authentication is now done in 3 steps:
1 - LDAP anonymous bind;
2 - LDAP search entry for the given username;
3 - LDAP bind with the DN of the found entry + the given password.
- The process fails if none or more than 1 entries are found for the
given username;
- The <principal_name> setting in koha-conf.xml isn't used anymore;
- The patch is backwards compatible, so users already using the
previously implemented LDAP bind authentication should be able to use
it the same.
http://bugs.koha-community.org/show_bug.cgi?id=7973
Signed-off-by: Vitor Fernandes
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script and has 2 solid sign offs.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Current code is overly complex and assumes that
C4::Members::AttributeTypes::GetAttributeTypes
returns array of attribute codes which is not true.
Instead it return array of hashes so none of extended attributes
will be replicated from LDAP.
This code correctly extracts extended attributes from borrower data
provides simpler code which fills same structure.
It also skips empty values (" ") which are result of mapping without
any default value. This is needed to make unique extended patron values
work. If not handled it would insert empty value for first user and
fail for all others on uniqueness constraint.
Test scenario:
1. define Patron attribute types in administration
2. define mapping from LDAP fields to attributes in koha-conf.xml
3. login as new user with LDAP fields and verify that extended
attributes are replicated from LDAP
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Passed-QA-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Subroutine prototypes used at line 73, column 1. See page 194 of PBP. (Severity: 5)
"return" statement with explicit "undef" at line 74, column 24. See page 199 of PBP. (Severity: 5)
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
When importing users from LDAP, Auth_with_ldap.pm doesn't check if value for
categorycode is present in categories table in Koha resulting in referential
integrity error instead of using default value from koha-conf.xml
Test scenario:
1. enable LDAP in koha-conf.xml using <useldapserver>1</useldapserver>
and add <ldapserver> configuration with
<categorycode is="SomeLDAPField">DefaultCategoryCode</categorycode>
2. select/create LDAP user with category in SomeLDAPField which isn't in
Koha
3. try logging in and ensure that assigned category to new user is
DefaultCategoryCode
Signed-off-by: Marijana Glavica <mglavica@ffzg.hr>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
* correctly indenting with tab the debarrcomment field
* setdebar.pl is called without status parameter, thus it is not working anymore. It's fixed & some dead code has been removed. To test : debar someone, then go to patron detail page and click "lift debarment"
* the test function had not been updated. The fix define a debarment date of 2099-12-31 (no limit)
* fixed documentation in C4/Auth_with_ldap.pm
* updated ILSDI/Utility.pm to work with debarred being a date
* updated Members.pm/patronflags to work with debarred being a date (copy/paste of BibLibre code that had not been backported)
* fixed opac-reserve to check correctly for debarred status
I also have removed a duplicate line on circulation.pl when the patron was restricted = the information was displayed twice
In the case of LDAP, checkpw was returning the cardnumber of there user, but it was being treated as the
userid. This patch updates checkpw_ldap to return the cardnumber AND the userid, and updates checkpw to
uniformly return cardnumber and userid in all instances, so that whoever is authenticating can use the
desired value in the right way.
This requires us to specify all LDAP mappings in koha-conf.xml in lowercase,
instead of original case used withing LDAP.
Compare readability of
<userid is="hrEduPersonUniqueID" ></userid>
(which doesn't work) with required (and non-intuitive)
<userid is="hredupersonuniqueid" ></userid>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
When using
<replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
<update>0</update> <!-- update existing users in Koha database ->
<auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by
binding instead of password comparison, e.g., to use Active Directory -->
Auth_with_ldap attempts to lookup the userid in the LDAP directory to
fill $userldapentry despite it being unneeded in this case. The information
retrieved will be thrown away, thus there is no need to retrieve it.
This can cause authentication to fail overall even if the initial bind with the
user's credentials succeeded
Signed-off-by: Joe Atzberger <ohiocore@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
When using auth_by_bind, search was always done as anonymous user.
This is a problem if we want to fetch LDAP values which have ACL
permissions only for users.
This change moves bind from search_method back into checkpw_ldap,
making code cleaner and easier to understand
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Patch compiled from diffs created by Dobrica Pavlinušić <dpavlin@rot13.org> to:
* enable patron replication when using LDAP with auth_by_bind
* not scribble over extended patron attributes
* fix failure logging in to OPAC if patron has no extended attributes
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
