Commit graph

51 commits

Author SHA1 Message Date
Robin Sheat
c61d2d7011 Bug 10908: restore docs on principal_name LDAP option
Signed-off-by: Ulrich Kleiber <ulrich.kleiber@bsz-bw.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-21 15:28:11 +00:00
Robin Sheat
5bd8df784e Bug 10908: restore non-anonymous auth_by_bind LDAP options
Recent changes to LDAP broke auth_by_bind in many situations. This bug
resets the behaviour to what it used to be, however also allows the new
behaviour by adding the 'anonymous_bind' parameter to the LDAP config.

Testing:
    1) Find an LDAP configuration that was broken recently that uses
       auth_by_bind
    2) Apply this patch
    3) See if it works again.
Additionally, testing the original path in the case of 'anonymous_bind'
being set should probably be done too, but I have no idea about the LDAP
server config for that.

Signed-off-by: Ulrich Kleiber <ulrich.kleiber@bsz-bw.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-21 15:27:21 +00:00
Galen Charlton
547c6d2949 Bug 9611: (follow-up) move new password hashing routines to separate module
The move avoids a problem where many modules would gain
a dependency on C4::Auth just because C4::Members needs access
to hash_password().

This patch also adds a couple unit tests for the new password
hashing code.

To test:

[1] Verify that there are no regressions on the test plan for bug
    9611.
[2] Verify that t/AuthUtils.t and t/db_dependent/Auth.t pass.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-09 03:29:22 +00:00
Srdjan
328a285575 bug 9611: use hash_password() and checkpw_* for LDAP logins instead of md5 hash
Test:

* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to 1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be ble to log in with the new password

I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap; C4::Auth_with_ldap::_do_changepassword("srdjan", 1000022259, "srdjan");'
and was able to change the password.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described.

Test
1) change <useldapserver> to 1
2) copy/paste sample <ldapserver> config from perldoc C4/Auth_with_ldap
3) using sample script was able to change password,
use (userid, borrowernumber, newpass) as arguments
4) checked with OPAC and in database

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-03 23:01:46 +00:00
Jonathan Druart
561107bb5b Bug 10925: fix LDAP auth failing if DEBUG is enabled
To reproduce:
1/ Edit your apache virtual host and set the DEBUG environment variable
(SetEnv DEBUG 1).
2/ Try to login with an ldap user
3/ You will be redirected to the 500 error page.
The Koha logs contains:
malformed header from script. Bad header=------------------------------: mainpage.pl

The hashdump routine directly prints to STDOUT (!) and breaks the
headers.
It appears Net::LDAP::?->dump does the same thing.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Maybe we can kill C4::Utils after getting rid of this

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-02 14:26:03 +00:00
Srdjan
4d75243e27 Bug 9299: fix LDAP login breakage when ExtendedPatronAttributes is on
To test:
- Configure an LDAP server and $KOHA_CONF, etc.
- Make sure ExtendedPatronAttributes is defined and that
  there is no attribute defined that is specified to be
  a unique ID.
- Try to log in using an account originating from the
  LDAP directory.
- You will got a software error:
  Can't use an undefined value as an ARRAY reference at
  /home/koha/src/C4/Auth_with_ldap.pm line 183.
- Apply the patch.
- Try to log in again; this time it should work.

Signed-off-by: Nuño López Ansótegui <nunyo@masmedios.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-09-27 16:19:56 +00:00
Fridolyn SOMERS
96ac578960 Bug 10384: fall back to normal authentication if LDAP server is not available
This fixes a bug where, assuming LDAP authentication is enabled, if a user
tries to log in while the LDAP server is down, the following fatal error
is displayed:

Can't call method "bind" on an undefined value at C4/Auth_with_ldap.pm line 134, <DATA> line 558.

This patch catches this error to allow normal authentication when LDAP connexion fails.

Test plan :
- Configure LDAP connexion with a host not having LDAP. ie :
 <useldapserver>1</useldapserver>
 <ldapserver id="ldapserver">
    <hostname>localhost</hostname>
    <base>dc=test,dc=com</base>
    <user>cn=Manager,dc=test,dc=com</user>
    <pass>passwd</pass>
    <replicate>0</replicate>
    <update>0</update>
    <auth_by_bind>0</auth_by_bind>
    <mapping>
      <firstname    is="givenname"      ></firstname>
      <surname      is="sn"             ></surname>
      <branchcode   is="branch"         >MAIN</branchcode>
      <userid       is="uid"            ></userid>
      <password     is="userpassword"   ></password>
      <email        is="mail"           ></email>
      <categorycode is="employeetype"   >PT</categorycode>
    </mapping>
 </ldapserver>
- Try to connect with mysql user (defined in koha-conf.xml)
- Try to connect with a user defined in borrowers
You may try to connect with working LDAP connexion

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-07-05 16:08:46 +00:00
Chris Cormack
961b9ef8c5 Bug 7973 : Follow up to remove an extraneous my
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Fixes problem found by QA scripts.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-22 22:01:22 -04:00
Rolando Isidoro
43e5b490e8 Bug 7973- Allow for new type of LDAP authentication
This patch aims to solve the LDAP bind authentication method. Here are
some considerations:

- This is a standalone patch, so all the previous submitted ones are
  rendered obsolete;
- LDAP bind authentication is now done in 3 steps:
  1 - LDAP anonymous bind;
  2 - LDAP search entry for the given username;
  3 - LDAP bind with the DN of the found entry + the given password.
- The process fails if none or more than 1 entries are found for the
  given username;
- The <principal_name> setting in koha-conf.xml isn't used anymore;
- The patch is backwards compatible, so users already using the
  previously implemented LDAP bind authentication should be able to use
  it the same.

http://bugs.koha-community.org/show_bug.cgi?id=7973

Signed-off-by: Vitor Fernandes
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script and has 2 solid sign offs.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-22 22:01:22 -04:00
Dobrica Pavlinusic
24125d4be3 Bug 8919 - ExtendedPatronAttributes not populated from LDAP
Current code is overly complex and assumes that
C4::Members::AttributeTypes::GetAttributeTypes
returns array of attribute codes which is not true.

Instead it return array of hashes so none of extended attributes
will be replicated from LDAP.

This code correctly extracts extended attributes from borrower data
provides simpler code which fills same structure.

It also skips empty values (" ") which are result of mapping without
any default value. This is needed to make unique extended patron values
work. If not handled it would insert empty value for first user and
fail for all others on uniqueness constraint.

Test scenario:

1. define Patron attribute types in administration
2. define mapping from LDAP fields to attributes in koha-conf.xml
3. login as new user with LDAP fields and verify that extended
   attributes are replicated from LDAP

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Passed-QA-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2012-11-08 12:42:52 -05:00
562335d1c4 Bug 6679 - [SIGNED-OFF] fix 12 perlcritic violations in C4/Auth_with_ldap.pm
Subroutine prototypes used at line 73, column 1.  See page 194 of PBP.  (Severity: 5)

"return" statement with explicit "undef" at line 74, column 24.  See page 199 of PBP.  (Severity: 5)

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-09-20 11:39:08 +02:00
Chris Cormack
509d673f10 Bug 7941 : Fix version numbers in modules
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-06-11 17:29:38 +02:00
Dobrica Pavlinusic
0352a8f24a Bug 6022: Auth_with_ldap check if categorycode is valid
When importing users from LDAP, Auth_with_ldap.pm doesn't check if value for
categorycode is present in categories table in Koha resulting in referential
integrity error instead of using default value from koha-conf.xml

Test scenario:
1. enable LDAP in koha-conf.xml using <useldapserver>1</useldapserver>
   and add <ldapserver> configuration with
   <categorycode is="SomeLDAPField">DefaultCategoryCode</categorycode>
2. select/create LDAP user with category in SomeLDAPField which isn't in
   Koha
3. try logging in and ensure that assigned category to new user is
   DefaultCategoryCode

Signed-off-by: Marijana Glavica <mglavica@ffzg.hr>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2011-12-06 19:51:15 +01:00
Paul Poulain
d019b4c63a Bug 6328 Fixes for comment 35
* correctly indenting with tab the debarrcomment field
* setdebar.pl is called without status parameter, thus it is not working anymore. It's fixed & some dead code has been removed. To test : debar someone, then go to patron detail page and click "lift debarment"
* the test function had not been updated. The fix define a debarment date of 2099-12-31 (no limit)
2011-11-25 14:00:47 +01:00
Paul Poulain
41b42dbe32 Bug 6328 follow-up for QA comments
* fixed documentation in C4/Auth_with_ldap.pm
* updated ILSDI/Utility.pm to work with debarred being a date
* updated Members.pm/patronflags to work with debarred being a date (copy/paste of BibLibre code that had not been backported)
* fixed opac-reserve to check correctly for debarred status

I also have removed a duplicate line on circulation.pl when the patron was restricted = the information was displayed twice
2011-11-25 14:00:47 +01:00
Chris Cormack
a118102d4e Merge remote-tracking branch 'kc/new/bug_5995' into kcmaster 2011-10-15 12:59:34 +13:00
Ian Walls
dcb4ac77fb Bug 5995 Followup: checkpw was returning inconsistent values
In the case of LDAP, checkpw was returning the cardnumber of there user, but it was being treated as the
userid.  This patch updates checkpw_ldap to return the cardnumber AND the userid, and updates checkpw to
uniformly return cardnumber and userid in all instances, so that whoever is authenticating can use the
desired value in the right way.
2011-10-15 12:58:10 +13:00
Colin Campbell
306dc79217 Bug 5453 : Move declarations out of conditionals
Patched for C4 Modules

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-07-15 15:50:24 +12:00
Dobrica Pavlinusic
b79c4c88a9 Bug 4994 - Net::LDAP returns lowercase names
This requires us to specify all LDAP mappings in koha-conf.xml in lowercase,
instead of original case used withing LDAP.

Compare readability of

<userid      is="hrEduPersonUniqueID"  ></userid>

(which doesn't work) with required (and non-intuitive)

<userid      is="hredupersonuniqueid"  ></userid>

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
2011-07-14 10:36:33 +12:00
Jeremy Crabtree
7bb178e30b Bug 5094 auth_by_bind authentication can fail even if given a correct password and userid
When using

<replicate>0</replicate> <!-- add new users from LDAP to Koha database -->
<update>0</update> <!-- update existing users in Koha database ->
<auth_by_bind>1</auth_by_bind> <!-- set to 1 to authenticate by
binding instead of password comparison, e.g., to use Active Directory -->

Auth_with_ldap attempts to lookup the userid in the LDAP directory to
fill $userldapentry despite it being unneeded in this case.  The information
retrieved will be thrown away, thus there is no need to retrieve it.
This can cause authentication to fail overall even if the initial bind with the
user's credentials succeeded

Signed-off-by: Joe Atzberger <ohiocore@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-06-17 15:05:59 +12:00
Dobrica Pavlinusic
322a5ef481 Bug 4993 checkpw_ldap - do bind just once
When using auth_by_bind, search was always done as anonymous user.
This is a problem if we want to fetch LDAP values which have ACL
permissions only for users.

This change moves bind from search_method back into checkpw_ldap,
making code cleaner and easier to understand

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-06-17 14:32:47 +12:00
Katrin Fischer
21727e00f5 Bug 5422: Separate state field for patron's addresses
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-09 11:52:07 +12:00
d114ebe80a bug 4256: fix patron replication when using LDAP with auth_by_bind
Patch compiled from diffs created by Dobrica Pavlinušić <dpavlin@rot13.org> to:

* enable patron replication when using LDAP with auth_by_bind
* not scribble over extended patron attributes
* fix failure logging in to OPAC if patron has no extended attributes

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-04-30 17:05:38 -04:00
Donovan Jones
593a7d8e6a Bug 2505 - Add commented use warnings where missing in *.pm 2010-04-21 20:28:51 +12:00
Lars Wirzenius
7279f55b60 Fix FSF address in directory C4/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:56 -04:00
Henri-Damien LAURENT
f3868bf6fe Adding Extended Attributes management to Auth_with_LDAP 2010-01-20 22:29:10 +01:00
Joe Atzberger
7c2e7ad410 LDAP overhaul
Allow replicate and update to be zero.
Break out logic into separate subs.
Do only one bind attempt depending on setting, instead of
necessarily failing first before trying auth_by_bind.

POD added for active directory and to document permutations of
behavior given different conditions.  Fixed mistaken debug lines
that called "print STDERR printf ...", i.e. printed the line to output
and "1" to the error log.  Added principal_name feature for generating
bind user from Koha userid.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-07-14 21:28:16 -04:00
Galen Charlton
ca0b430068 bug 2726: updated doc to explain auth_by_bind option
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-05-21 14:27:27 -05:00
Michael Hafen
083ad362e1 in Auth_with_ldap.pm try binding with user password or compare
This changes the checkpw code in Auth_with_ldap.  Along with comparing
the user entered password against the directory attibute userPassword
you can try to bind with the users dn and password.

This is controlled by the option auth_by_bind, which, if set, causes
this code to try binding instead of comparing.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-05-21 14:19:49 -05:00
Joe Atzberger
cfc3f6471f Re-insert useldapserver into koha-conf.xml
This doesn't insert the large and typically unused <ldapserver> block,
just the switch with a comment pointing to C4::Auth_with_ldap.  This otherwise
was undocumented requirement, making LDAP config a bit of a shot in the dark.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-04-18 08:21:01 -05:00
Mason James
cd230c2a72 Resubmitting: fixes print statements with missing 'STDERR' in Auth_with_ldap.pm,
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-03-11 08:37:03 -05:00
Henri-Damien LAURENT
8b9af2775e bug fix : 2805
deleting die on lack of user/password in config file.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-11-18 16:46:32 -06:00
Joe Atzberger
ac9c6f004d Bugfix LDAP config to play nice with Zebra.
The section in KOHA_CONF was moved inside <config> and renamed
<ldapserver>.  Perldoc updated to correspond.  Tested with local
LDAP and existing test (t/db_dependent/Auth_with_ldap.t).
Patch can be applied with confidence based on comparison of 2 dumps:
perl -e 'use C4::Context; use Data::Dumper; my $context=C4::Context->new("./old_config.xml"); print Dumper ($context->{server}->{ldapserver}),"\n";'
 and
perl -e 'use C4::Context; use Data::Dumper; my $context=C4::Context->new("./new_config.xml"); print Dumper (C4::Context->config("ldapserver")),"\n";'
These dumps reflect the way Auth_with_ldap accesses configuration info before and after.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-06-16 15:37:13 -05:00
Joe Atzberger
cd980afbf3 Perldoc fixes - Auth_with_ldap.pm and Log.pm
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-13 19:00:35 -06:00
Joe Atzberger
37172b5148 Auth_with_ldap: support non-RFC#2798 user IDs.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-13 19:00:33 -06:00
Joe Atzberger
cac0e44fdb Auth_with_ldap.pm -- Silly spelling errors in perldoc
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-13 17:42:37 -06:00
Joe Atzberger
94c4c7c1f7 Auth_with_ldap : module and test final touches.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-04 17:28:21 -06:00
Joe Atzberger
a462c8939e LDAP - further integration
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-04 17:28:19 -06:00
Joe Atzberger
d88ecc0751 Big LDAP changes, module test for Context.pm, still more yet to come.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-04 17:27:06 -06:00
Joe Atzberger
d8237895cd Auth_with_ldap.pm - Expanded comments and field mappings.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-11-16 13:24:41 -06:00
Joe Atzberger
bdf0bd9ecf LDAP: more of the same
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-11-16 13:24:38 -06:00
Joe Atzberger
aef91e8b05 Auth_with_ldap - further revisions, better modularity.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-11-04 16:37:23 -06:00
Joe Atzberger
0863af97a6 Auth_with_ldap: work in progress.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-11-04 16:21:32 -06:00
tipaul
6f276facc8 removing guessencoding, hard-coding utf-8 2007-06-05 08:53:19 +00:00
tipaul
c596d55374 HUGE COMMIT : code cleaning circulation.
some stuff to do, i'll write a mail on koha-devel NOW !
2007-04-04 16:46:22 +00:00
tipaul
2ffd5b7228 rel_3_0 moved to HEAD 2007-03-09 14:28:54 +00:00
tipaul
d5938493d7 synch'ing head and rel_2_2 (from 2.2.5, including npl templates)
Seems not to break too many things, but i'm probably wrong here.
at least, new features/bugfixes from 2.2.5 are here (tested on some features on my head local copy)

- removing useless directories (koha-html and koha-plucene)
2006-01-06 16:39:37 +00:00
tipaul
6b0ee5525b synch'ing 2.2 and head 2005-06-20 14:10:00 +00:00
tipaul
369527637b synch'ing 2.2 and head 2005-05-04 15:39:07 +00:00
doxulting
b9a8342843 New param for the template in order to show only allowed links to user (In parameters screen only right now) 2005-03-23 09:25:20 +00:00