Upload
ohiocore
View
4.836
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Do you want to keep your certain user information (like passwords!) automatically in sync with an external authentication server? LDAP is the answer here. - Joe Atzberger
Citation preview
LDAPJoe Atzberger, LibLime
KohaCon 2009: Plano, TX
Need LDAP Tools?• Apache Directory Server & Studio (client)
http://directory.apache.org/
• Open Source (Apache license)
• Newer than openldap and more stable.
• Runs on OSX, Win32 and linux.“We strive to increase LDAP awareness, comfort and adoption to bring
forth what we call the Modern LDAP Renaissance.”
Need LDAP Tools?
• OpenLDAP - http://www.openldap.org/
• includes command line tools: ldapsearch, ldapadd, etc.
• Net::LDAP - CPAN perl module
LDAP Timing
• Koha LDAP does not go grab all your users as a “dump”. That is what IMPORT is for. Instead it updates when they try to login.
• Implications: lightweight, happening in realtime. Somewhat literal, no XSL or other conditional processing.
<ldapserver> bind<hostname>ldap://auth.example.com:389</hostname><base>dc=example,dc=com</base><user>cn=Admin,dc=example,dc=com</user> <!-- DN, if not anonymous --><pass>s3cur1T</pass> <!-- password, if not anonymous -->
• So you can anonymous bind (not recommended)• Otherwise, specify user for bind• bind-as-auth: others have hacked Koha to do it, but not cleanly enough to get into HEAD. So I’m not presenting it.
<ldapserver> options
<ldapserver> options
<replicate>1</replicate><!-- add new users from LDAP to Koha database --><update>1</update> <!-- update existing users in Koha database -->
<ldapserver> options
<replicate>1</replicate><!-- add new users from LDAP to Koha database --><update>1</update> <!-- update existing users in Koha database -->
Default is ON for both.
Know your own Schema• For example,
inetOrgPerson, RFC#2798:http://www.ietf.org/rfc/rfc2798.txt
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
Pick data Koha cares about
version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
Pick data Koha cares about
sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time
Pick data Koha cares about
sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time
Pick data Koha cares about
Data Koha Cares About
• You define it with <ldapserver> <mapping> element in koha-conf.xml
• But some fields are required.
• And some of those are *really* required.
• See perldoc C4::Auth_with_ldap
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
<mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
<mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
LDAP fieldsin Schema
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
==>LDAP fieldsin Schema
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
==>LDAP fieldsin Schema
The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>
Koha fieldsin borrowers.*
==>LDAP fieldsin Schema
Default Values
Required Data: 3 Kinds
Required Data: 3 Kinds
• Required by database
Required Data: 3 Kinds
• Required by database
• Required for login
Required Data: 3 Kinds
• Required by database
• Required for login
• Required by you
Required by database
Easy:
• surname
• address
• city
mysql> show full columns from borrowers;-- field req`d where Null=NO
Required by database
Easy:
• surname
• address
• city
Tricky:
• branchcode
• categorycode
mysql> show full columns from borrowers;-- field req`d where Null=NO
Required by database
Easy:
• surname
• address
• city
Tricky:
• branchcode
• categorycode
mysql> show full columns from borrowers;-- field req`d where Null=NO
MUST MATCH VALIDKOHA VALUES
Required by login
userid:
• can come fromfrom anything
• but it better beunique
Required by login
userid:
• can come fromfrom anything
• but it better beunique
password:
• branchcode
• categorycode
LDAPJoe Atzberger, LibLime
KohaCon 2009: Plano, TX
The End