KOHA
LDAP: Revision 28
hulk-Virtual-LDAP.odp

How to configure Koha to work with an LDAP directory?



What does Koha give us?

  • creating new users who exist in LDAP (replicate, enabled): the local patron record is created the first time an LDAP user logs in
  • synchronising data from LDAP into Koha on every user login (update, disabled): the mapped fields of an existing local record are overwritten from LDAP, so LDAP becomes authoritative for them

This way new users appear the first time they log in.

How to view the structure of the LDAP directory?

ldapvi --host _hostname_:389 -d
ldapvi --host _hostname_:389 -d uid=_username_

Logging in with login@ffzg.hr

Error:

[Tue Jan 13 23:58:36 2009] opac-user.pl: LDAP Auth rejected : invalid password for user 'mglavica@ffzg.hr'. LDAP error #50: LDAP_INSUFFICIENT_ACCESS
[Tue Jan 13 23:58:36 2009] opac-user.pl: # The client does not have sufficient access to perform the requested
[Tue Jan 13 23:58:36 2009] opac-user.pl: operation

Koha LDAP configuration

Check the version

dpavlin@koha-dev:/srv/koha$ grep VERSION /srv/koha/C4/Auth_with_ldap.pm 
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug);
        $VERSION = 3.10;        # set the version for version checking

/etc/koha/koha-conf.xml

<ldapserver id="ldapserver" listenref="ldapserver">
<!--
 <hostname>ldaps://ldap.ffzg.hr</hostname>
-->
 <hostname>ldap://localhost:1389</hostname>
 <base>dc=ffzg,dc=hr</base>

 <replicate>1</replicate>  <!-- add new users from LDAP to Koha database -->
 <update>0</update>        <!-- update existing users in Koha database -->

 <auth_by_bind>1</auth_by_bind>
 <principal_name>%s</principal_name> <!-- optional, for auth_by_bind: a printf format to make userPrincipalName from koha userid -->

 <mapping>            <!-- match koha SQL field names to your LDAP record field names -->
    <firstname   is="givenname"     ></firstname>
    <surname     is="sn"            ></surname>
    <address     is="ffzg-ml_postanska_adresa_0" ></address>
<!--
    <city        is="ffzg-prebivaliste_mjesto" ></city>
-->
    <city        is="ffzg-ml_postanska_adresa_1" ></city>
    <zipcode     is="ffzg-prebivaliste_postanski_broj"></zipcode>

    <branchcode  is="local-branch"        >FFZG</branchcode>
    <userid      is="hredupersonuniqueid"  ></userid>
    <password    is="userpassword"  ></password>
    <email       is="mail"          ></email>
    <categorycode is="local-categorycode"  >IMP</categorycode>

    <dateofbirth is="ffzg-datum_rodjenja" ></dateofbirth>
    <sex is="ffzg-spol" ></sex>
    <phone is="ffzg-ml_telefoni_fixed"></phone>
    <mobile is="ffzg-ml_telefoni_mobile"></mobile>

 </mapping>
</ldapserver>
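To make the mapping block concrete, here is an added example in Python; it is not Koha's own C4::Auth_with_ldap code. It reads a <mapping> like the one above and applies it to a constructed LDAP entry: the is attribute names the LDAP attribute to copy (looked up case-insensitively, since LDAP attribute names are), and the element text is the fixed value that is used when no such attribute exists, which is how <branchcode is="local-branch">FFZG</branchcode> and <categorycode is="local-categorycode">IMP</categorycode> end up as constants. It also sets cardnumber from mail on first login (as noted further down on this page), refuses to copy userpassword, and reports which fields came out empty so a missing directory attribute is noticed before it lands in the patron table. The user pero, the trimmed mapping text and the sync_action summary of replicate/update are assumptions made for the example.

```python
"""Apply a Koha <ldapserver><mapping> block to one LDAP entry.

Added example, not Koha's own C4::Auth_with_ldap code. The mapping text
and the LDAP entry below are constructed for this file.
"""
import xml.etree.ElementTree as ET

# Constructed: the <mapping> from koha-conf.xml above, trimmed to a few fields.
MAPPING_XML = """\
<ldapserver id="ldapserver">
 <mapping>
    <firstname    is="givenname"></firstname>
    <surname      is="sn"></surname>
    <address      is="ffzg-ml_postanska_adresa_0"></address>
    <city         is="ffzg-ml_postanska_adresa_1"></city>
    <zipcode      is="ffzg-prebivaliste_postanski_broj"></zipcode>
    <branchcode   is="local-branch">FFZG</branchcode>
    <userid       is="hredupersonuniqueid"></userid>
    <password     is="userpassword"></password>
    <email        is="mail"></email>
    <categorycode is="local-categorycode">IMP</categorycode>
 </mapping>
</ldapserver>
"""

# Constructed sample entry for a made-up user. LDAP attributes are
# multi-valued, so every value is a list. The postal code is left out on
# purpose, to show how a missing attribute surfaces.
SAMPLE_ENTRY = {
    "uid": ["pero"],
    "hrEduPersonUniqueID": ["pero@ffzg.hr"],
    "givenName": ["Pero"],
    "sn": ["Perić"],
    "mail": ["pero@ffzg.hr"],
    "ffzg-ml_postanska_adresa_0": ["Ivana Lučića 3"],
    "ffzg-ml_postanska_adresa_1": ["Zagreb"],
    "userPassword": ["{SSHA}constructed-not-a-real-hash"],
}


def parse_mapping(xml_text):
    """Return {koha_field: (ldap_attribute_lowercased, fixed_value)}."""
    root = ET.fromstring(xml_text)
    return {
        el.tag: (el.get("is", "").lower(), (el.text or "").strip())
        for el in root.find("mapping")
    }


def entry_to_borrower(entry, mapping, first_login):
    """Build the Koha borrower fields from an LDAP entry.

    For each mapped field: the first value of the LDAP attribute if it is
    present, otherwise the fixed text from the config. No attribute called
    local-branch or local-categorycode exists in the directory, so those
    two fields always get their fixed values FFZG and IMP.
    """
    by_lower_name = {name.lower(): values for name, values in entry.items()}
    borrower = {}
    for field, (attr, fixed) in mapping.items():
        if field == "password":
            # Never copy the directory's password hash into Koha's table;
            # with auth_by_bind the directory has already checked the password.
            continue
        values = by_lower_name.get(attr)
        borrower[field] = values[0] if values else fixed
    if first_login:
        # cardnumber is not in LDAP; per the note on this page it is set
        # from mail the first time the user logs in.
        borrower["cardnumber"] = borrower.get("email", "")
    return borrower


def empty_fields(borrower):
    """Fields that got neither an LDAP value nor a fixed default."""
    return sorted(k for k, v in borrower.items() if v == "")


def sync_action(local_exists, replicate, update):
    """Summary of what happens to the local record after a successful bind."""
    if not local_exists:
        return "create" if replicate else "none"
    return "overwrite" if update else "none"


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_XML)
    borrower = entry_to_borrower(SAMPLE_ENTRY, mapping, first_login=True)
    for k, v in borrower.items():
        print(f"{k:13} = {v!r}")
    print("empty fields:", empty_fields(borrower))
    print("first login, replicate=1:", sync_action(False, 1, 0))
    print("later login, update=0:", sync_action(True, 1, 0))
```

Run it as is to see the borrower record for the constructed user; zipcode comes out empty because the sample entry has no ffzg-prebivaliste_postanski_broj, which is exactly the kind of gap to check in ldapvi before enabling replicate on a production directory.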

Uses LDAP rewrite

For everything to work, ExtendedPatronAttributes has to be turned off at https://10.60.0.252:8443/cgi-bin/koha/admin/preferences.pl?tab=patrons



auth as user changes (first attempt)

The Koha configuration almost works, except that the LDAP DN it binds with is login@ffzg.hr instead of uid=login,dc=ffzg,dc=hr

But since we connect to the real ldap.ffzg.hr through our proxy script, which enriches the record with extra data,
that is also where we rewrite the DN into the correct form

together with this configuration in /etc/koha/koha-conf.xml

<ldapserver id="ldapserver" listenref="ldapserver">
 <hostname>ldaps://ldap.ffzg.hr</hostname>
 <base>dc=ffzg,dc=hr</base>

 <replicate>1</replicate>  <!-- add new users from LDAP to Koha database -->
 <update>1</update>        <!-- update existing users in Koha database -->
 <mapping>            <!-- match koha SQL field names to your LDAP record field names -->
        <firstname   is="givenname"     ></firstname>
        <surname     is="sn"            ></surname>
        <address     is="ffzg-ml_postanska_adresa_0" ></address>
<!--
        <city        is="ffzg-prebivaliste_mjesto" ></city>
-->
        <city        is="ffzg-ml_postanska_adresa_1" ></city>
        <zipcode     is="ffzg-prebivaliste_postanski_broj"></zipcode>

        <branchcode  is="local-branch"        >FFZG</branchcode>
        <userid      is="hredupersonuniqueid"  ></userid>
        <password    is="userpassword"  ></password>
        <email       is="mail"          ></email>
        <categorycode is="local-categorycode"  >IMP</categorycode>

        <dateofbirth is="ffzg-datum_rodjenja" ></dateofbirth>
        <sex is="ffzg-spol" ></sex>
        <phone is="ffzg-ml_telefoni_fixed"></phone>
        <mobile is="ffzg-ml_telefoni_mobile"></mobile>

 </mapping>
</ldapserver>
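The rewrite the proxy has to do is small, but it is also the point where whatever was typed into the login form is turned into a DN and a search filter, so it is worth doing strictly. The following is an added example in Python and not the FFZG proxy script itself: rewrite_bind_dn turns the login@ffzg.hr form that Koha sends (principal_name %s) into uid=login,dc=ffzg,dc=hr, accepting only a whitelist of uid characters so that no DN or filter metacharacters get through, passes an already well-formed uid=...,dc=ffzg,dc=hr DN untouched, and search_filter shows the RFC 4515 escaping for the matching lookup by uid. The realm, base DN and allowed uid alphabet are assumptions made for the example.

```python
"""Rewrite Koha's 'login@ffzg.hr' bind identity into a real DN.

Added example, not the FFZG LDAP rewrite proxy. Assumed for this file:
realm ffzg.hr, base DN dc=ffzg,dc=hr, uid alphabet [a-z0-9._-].
"""
import re

REALM = "ffzg.hr"
BASE_DN = "dc=ffzg,dc=hr"
# Assumed uid alphabet: letters, digits, dot, underscore, dash; 1-64 chars,
# first character alphanumeric. Anything else is rejected rather than
# escaped, which is the simplest way to keep '*', '(', ')', '\\', ',', '='
# and NUL out of both DNs and search filters.
UID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class BadLogin(ValueError):
    """Raised for anything that is not a plain uid or uid@REALM."""


def login_to_uid(login):
    """Accept 'uid' or 'uid@ffzg.hr' (any case, surrounding whitespace) -> 'uid'."""
    login = login.strip().lower()
    if "@" in login:
        uid, _, realm = login.rpartition("@")
        if realm != REALM:
            raise BadLogin(f"realm {realm!r} is not {REALM}")
    else:
        uid = login
    if not UID_RE.match(uid):
        raise BadLogin("uid contains characters outside the allowed alphabet")
    return uid


def rewrite_bind_dn(bind_dn):
    """DN the proxy should bind with upstream.

    Koha with principal_name '%s' binds as the literal login, e.g.
    'mglavica@ffzg.hr'; upstream wants 'uid=mglavica,dc=ffzg,dc=hr'.
    A DN that already ends in BASE_DN is passed through only if it is a
    single uid RDN directly under the base, so a crafted DN cannot pick
    another subtree or smuggle extra RDNs.
    """
    s = bind_dn.strip()
    m = re.match(r"^uid=([^,]+)," + re.escape(BASE_DN) + "$", s, re.IGNORECASE)
    if m:
        uid = m.group(1).strip().lower()
        if not UID_RE.match(uid):
            raise BadLogin("uid RDN contains characters outside the allowed alphabet")
        return f"uid={uid},{BASE_DN}"
    return f"uid={login_to_uid(s)},{BASE_DN}"


def rejected(login):
    """True if rewrite_bind_dn refuses the input."""
    try:
        rewrite_bind_dn(login)
    except BadLogin:
        return True
    return False


def filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def search_filter(login):
    """Filter for looking the user up upstream, e.g. '(uid=mglavica)'.

    The uid is already whitelisted, so escaping changes nothing here; it is
    applied anyway so the function stays safe if the alphabet is widened.
    """
    return f"(uid={filter_escape(login_to_uid(login))})"


if __name__ == "__main__":
    for probe in ["mglavica@ffzg.hr", " MGlavica ", "uid=mglavica,dc=ffzg,dc=hr",
                  "pero*)(uid=*", "admin@evil.example", "uid=x,ou=y,dc=ffzg,dc=hr"]:
        try:
            print(f"{probe!r:32} -> {rewrite_bind_dn(probe)}")
        except BadLogin as e:
            print(f"{probe!r:32} -> rejected: {e}")
```

The whitelist does the real work: because the uid can only contain characters that are not special in DNs or filters, the rewrite cannot be steered into another part of the tree, and the escaping in filter_escape is defence in depth rather than the primary control.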

ldaps to the upstream LDAP

ldaps requires IO::Socket::SSL, installed with the command below. Installing the module only makes the ldaps:// scheme work; whether the upstream certificate is actually verified depends on the verify and cafile/capath options Net::LDAP is given (the default verify => 'none' does not check it), so check that as well.

sudo apt-get install libio-socket-ssl-perl

cardnumber does not come from LDAP

except at the user's first login, when it is set to the same value as mail

move all changes out of Koha (CURRENT SOLUTION)

To keep upgrades to newer Koha versions as simple as possible, we decided to eventually move all LDAP-related changes out of Koha and into LDAP rewrite.

What data do we have in the LDAP directory?

this counts as basic data:

  * uid - identifier, username
  * hrEduPersonUniqueID - identifier, uid@ffzg.hr
  * cn - full name
  * sn - surname
  * givenName - first name
  * mail
  * hrEduPersonUniqueNumber - JMBG, JMBAG, LOCAL_NO, PASSPORT_NO and similar identifiers
  * hrEduPersonAffiliation - affiliation with the institution; there can be more than one
  * hrEduPersonPrimaryAffiliation - primary affiliation
  * hrEduPersonExpireDate - expiry date of the primary affiliation, i.e. of the user account

hrEduPersonUniqueNumber carries national identity and passport numbers, which are sensitive personal data; none of the mappings above copy it into Koha.

"When I renew user accounts, I will enter the JMBAG for all students where I can. Later it would be good to switch that to OIB, which is already being mentioned in discussions :)" (Došen)

Links

Koha virtual LDAP, LDAP rewrite