KOHA: ldap

LDAP

Dobrica Pavlinušić — Fri, 26 Feb 2010 17:30:20 -0000

Creator: Marijana Glavica

Tags: for:dpavlin, korisnici, ldap

Kako podesiti Kohu da radi s LDAP bazom?

Video prezentacije o Virtual LDAP-u: http://html5tv.rot13.org/HULK-Virtual_LDAP.html

Prezentacija: hulk-Virtual-LDAP.odp

Contents: [KOHA]

Što nam omogućava Koha?

otvaranje novih korisnika koji postoje u LDAP-u (replicate, uključeno)
sinhronizacija podataka između LDAP-a i kohe kod svakog logiranja korisnika (update, isključeno)

Time dobivamo nove korisnike prvi puta kada se ulogiraju.

Kako vidjeti strukturu LDAP baze?

ldapvi --host _hostname_:389 -d
ldapvi --host _hostname_:389 -d uid=_username_

Logiranje korisnika sa login@ffzg.hr

Greška:

[Tue Jan 13 23:58:36 2009] opac-user.pl: LDAP Auth rejected : invalid password for user 'mglavica@ffzg.hr'. LDAP error #50: LDAP_INSUFFICIENT_ACCESS
[Tue Jan 13 23:58:36 2009] opac-user.pl: # The client does not have sufficient access to perform the requested
[Tue Jan 13 23:58:36 2009] opac-user.pl: operation

Koha LDAP konfiguracija

Koha LDAP config

Provjeriti verziju

dpavlin@koha-dev:/srv/koha$ grep VERSION /srv/koha/C4/Auth_with_ldap.pm 
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
        $VERSION = 3.10;        # set the version for version checking

/etc/koha/koha-conf.xml



 ldap://localhost:1389
 dc=ffzg,dc=hr

 1  
 0        

 1
 %s 

             
    
    
    

    
    

    FFZG
    
    
    
    IMP

Koristi LDAP rewrite

Da bi sve radilo potrebno je ugasiti ExtendedPatronAttributes na https://10.60.0.252:8443/cgi-bin/koha/admin/preferences.pl?tab=patrons

auth as user promjene (prvi pokušaj)

Koha konfiguracija skoro radi, osim što je LDAP DN login@ffzg.hr umjesto uid=login,dc=ffzg,dc=hr

Ali, kako se spajamo na pravi ldap.ffzg.hr preko naše proxy skripte koja obogaćuje zapis podacima,
na tom mjestu rewritamo i DN u ispravan oblik

i konfiguracijom u /etc/koha/koha-conf.xml


 ldaps://ldap.ffzg.hr
 dc=ffzg,dc=hr

 1  
 1        
             
        
        
        

        
        

        FFZG
        
        
        
        IMP

Sva imena polja iz LDAP-a moraju biti napisana malim slovima (hredupersonid umjesto hrEduPersonUniqueID)
#355: LDAP: hrEduPersonUniqueID -> userid

ldaps na upstream LDAP

ldaps zahtjeva instalaciju IO::Socket::SSL sa

sudo apt-get install libio-socket-ssl-perl

cardnumber ne dolazi iz ldap-a

Osim kod prvog ulogiravanja korisnika kada mu se postavlja isti kao mail

izbaciti sve promjene izvan Kohe (TRENUTNO RJEŠENJE)

Da bi nam upgrade na novije verzije Kohe bio što jednostavniji, odlučili smo sve LDAP promjene na kraju izbaciti iz Kohe u LDAP rewrite.

Koje podatke imamo u LDAP bazi?

ovo spada pod osnovne podatke:

  * uid - identifikator, korisnicko ime
  * hrEduPersonUniqueID - identifikator, uid@ffzg.hr
  * cn - ime i prezime
  * sn - prezime
  * givenName - ime
  * mail
  * hrEduPersonUniqueNumber - JMBG, JMBAG, LOCAL_NO, PASSPORT_NO i slicni identifikatori..
  * hrEduPersonAffiliation - povezanost s ustanovom, moze biti vise povezanosti
  * hrEduPersonPrimaryAffiliation - temeljna povezanost
  * hrEduPersonExpireDate - datum istek temeljne povezanosti, odnosno korisnockog racuna

"Kada cu produzivati korisnicke racune, ja cu svim studentima
kojima mogu, upisati JMBAG. Kasnije bi to bilo dobro prebaciti
u OIB, koji se vec i spominje u raspravama :)" (Došen)

Linkovi

Koha virtual LDAP, LDAP rewrite

Attachments: hulk-Virtual-LDAP.odp, koha-ldap-bind-as-user.diff, koha-ldap-keep-cardnumber.diff

Koha LDAP config

Dobrica Pavlinušić — Wed, 17 Feb 2010 12:37:32 -0000

Creator: Dobrica Pavlinušić

Tags: for:dpavlin, ldap

Provjeriti verziju

dpavlin@koha-dev:/srv/koha$ grep VERSION /srv/koha/C4/Auth_with_ldap.pm 
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
        $VERSION = 3.10;        # set the version for version checking

/etc/koha/koha-conf.xml



 ldap://localhost:1389
 dc=ffzg,dc=hr

 1  
 0        

 1
 %s 

             
    
    
    

    
    

    FFZG
    
    
    
    IMP

Koristi LDAP rewrite

Da bi sve radilo potrebno je ugasiti ExtendedPatronAttributes na https://10.60.0.252:8443/cgi-bin/koha/admin/preferences.pl?tab=patrons

Koha virtual LDAP

Dobrica Pavlinušić — Fri, 08 Jan 2010 19:08:08 -0000

Creator: Dobrica Pavlinušić

Tags: for:dpavlin, ldap, sysadmin

Za detalje pogledajte LDAP

Virtualni LDAP omogućava Kohi da isporučuje podatke preko LDAP-a drugim sustavima, u našem slučaju, kopirkama, vidi SafeQ integration.

Drugi dio sustava je LDAP rewrite koji omogućava korištenje login@ffzg.hr bez modifikacija kohe.

Contents: [KOHA]

upgrade

Upgrade na r61 koji ima podršku za novu koha konfiguraciju i logine bez modifikacije kohe:

# tunnel
dpavlin@llin:~$ ssh -R 8022:localhost:22 10.60.0.252

dpavlin@koha-2010-01-06:~$ cd /srv/virtual-ldap/
dpavlin@koha-2010-01-06:/srv/virtual-ldap$ svn update
A    sql
A    sql/organizationalunit.sql
A    sql/group.sql
A    sql/hreduperson.sql
U    lib/LDAP/Virtual.pm
U    lib/LDAP/Koha.pm
U    bin/ldap-rewrite.pl
Updated to revision 61.

start server process

dpavlin@koha-upgrade:~$ screen -S virtual-ldap

Pokrenuti server (inače to radi monit, ali on je deinstaliran da ne gnjavi)

dpavlin@koha-upgrade:~$ cd /srv/virtual-ldap/
dpavlin@koha-upgrade:/srv/virtual-ldap$ ./bin/virtual-ldap.pl 
LDAP server listening on port 1389

Čudan depdendency koji ne bi trebao postojati (kako radi na produkciji?)

dpavlin@koha-upgrade:/srv/virtual-ldap$ ./bin/virtual-ldap.pl 
Can't locate Net/LDAP/Server.pm in @INC (@INC contains: lib /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at lib/LDAP/Virtual.pm line 12,  line 96.
BEGIN failed--compilation aborted at lib/LDAP/Virtual.pm line 12,  line 96.
Compilation failed in require at ./bin/virtual-ldap.pl line 7,  line 96.
BEGIN failed--compilation aborted at ./bin/virtual-ldap.pl line 7,  line 96.


dpavlin@koha-upgrade:/srv/virtual-ldap$ sudo apt-get install libnet-ldap-server-perl

LDAP rewrite

Dobrica Pavlinušić — Sun, 13 Dec 2009 17:15:13 -0000

Creator: Dobrica Pavlinušić

Tags: for:dpavlin, ldap

Dio Koha virtual ldap repozitorja:

http://svn.rot13.org/index.cgi/virtual-ldap/log/bin/ldap-rewrite.pl

Contents: [KOHA]

features

rewrite LDAP bind request cn: username@domain.com -> uid=username,dc=domain,dc=com
rewrite search responses:

expand key:value pairs from hrEduPersonUniqueNumber into hrEduPersonUniqueNumber_key
augment response with yaml/dn.yaml data (for external data import)

start

dpavlin@koha-upgrade:/srv/virtual-ldap$ ./bin/ldap-rewrite.pl 
# config = {
  "listen"       => "localhost:1389",
  log_file       => "log",
  overlay_prefix => "ffzg-",
  upstream_ldap  => "ldap.ffzg.hr",
  upstream_ssl   => 1,
  yaml_dir       => "./yaml/",
} at ./bin/ldap-rewrite.pl line 59.

changes

fetchrss: http://svn.rot13.org/index.cgi/virtual-ldap/rss/bin/ldap-rewrite.pl

There was an error: 404 Not Found

SafeQ integration

Dobrica Pavlinušić — Wed, 02 Sep 2009 17:21:16 -0000

Creator: Dobrica Pavlinušić

Tags: for:dpavlin, fotokopirke, ldap, SafeQ

Contents: [KOHA]

KOHA (Possible bugs in SafeQ)

Integration of SafeQ and Koha

We are trying to integrate users in SafeQ and our users in Koha. Koha is library system which stores it's users into relational database. To allow SafeQ system access to users we decided to implement LDAP protocol on top of our data scheme in Koha.

This is described in little more details at: http://blog.rot13.org/2009/03/integrating_systems_using_netldapserver_and_rdbms.html

Mapping configuration

Users

Examining UMgr-LDAP.conf configuration we came up with following mapping from our RDBMS to LDAP schema: http://svn.rot13.org/index.cgi/virtual-ldap/view/sql/hreduperson.sql

we are creating objectGUID with primary key in our database and rest of the fields should be self-explanatory.

This produce following result for LDAP search query:

dpavlin@koha-dev:/srv/virtual-ldap$ ldapsearch -h 10.60.0.13 -p 2389 -b dc=ffzg,dc=hr -x 'pager=E00401001F77965C'
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: pager=E00401001F77965C
# requesting: ALL
#

# dpavlin@ffzg.hr, SURAD, ffzg.hr
dn: uid=dpavlin@ffzg.hr,ou=SURAD,dc=ffzg,dc=hr
ou: SURAD
uid: dpavlin@ffzg.hr
objectGUID: 606
cn:: RG9icmljYSBQYXZsaW51xaFpxIc=
homeDirectory: /home/606
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: hrEduPerson
memberOf: SURAD
sn:: UGF2bGludcWhacSH
mail: dpavlin@rot13.org
pager: E00401001F77965C
givenName: Dobrica
displayName:: UGF2bGludcWhacSH

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This works quite well, and I can see users with their's cards in SafeQ system.

Roles

Roles are mapped into groups using following mapping: http://svn.rot13.org/index.cgi/virtual-ldap/view/sql/group.sql

Which generate LDAP groups like this:

dn:cn=SURAD,ou=SURAD,dc=ffzg,dc=hr

    members: uid=vivainfo,ou=SURAD,dc=ffzg,dc=hr
             uid=dpavlin,ou=SURAD,dc=ffzg,dc=hr
         ou: SURAD
         cn: SURAD
description: Suradnici
objectClass: group

which produce groups in Role drop down:

Some more information about defining groups in ldap can be found at: http://blog.rot13.org/2009/04/ldap_haters_guide_to_groups.html

Const centre

Groups which we have defined in Koha are really only useful for reporting, so it seems that cost centres in SafeQ are the right place to import our groups.

We are trying to use following mapping: http://svn.rot13.org/index.cgi/virtual-ldap/view/sql/organizationalunit.sql

Idea is to expose same group data as organizationalUnits in SafeQ so we can get accounting by those groups. We would also like to have different prices for each group of users and ability to report using groups from Koha.

Changing configration to:

# Mapping of LDAP containers to SafeQ cost centres (departments)
# If enabled, all organisational units containers will be displayed in SafeQ as cost centres
# If disabled (no, false), attribute mapping is used - see ldap_ou
ldap_map_ou = yes

We get const centers mapped from our organizational units:

but all const centres have same number (0)

How can we supply SafeQ with correct cost center number so users can end up in correct one?

Possible bugs in SafeQ

LDAP search

I also found out something which seems like a bug in the way SafeQ search LDAP server: when you search for 'dpavlin' as login/alias I get following queries:

## filter and [

 { equalityMatch => { assertionValue => "HrEduPerson", attributeDesc => "objectclass" }, },
 { equalityMatch => { assertionValue => "dpavlin%", attributeDesc => "uid" }, },
]

objectclass is o.k., but uid looks like uid=dpavlin% which I think it should be uid=dpavlin* to be correct LDAP syntax.

This query doesn't return anything, but next one is o.k.:

## filter and [

 { equalityMatch => { assertionValue => "HrEduPerson", attributeDesc => "objectclass" }, },
 { substrings => { substrings => [{ any => "dpavlin" }], type => "uid" }, },
]

which is uid=*dpavlin* and it finds user.

Role/Cost Centere drop-down

Selecting role of const center doesn't change filtered output of users. I don't see any difference in LDAP search query when changing selected role and/or cost centar. Is that normal?

Attachments: const-center.png, group-role.png, search-uid.png, UMgr-LDAP.conf