0
LDAP
 Joe Atzberger, LibLime




KohaCon 2009: Plano, TX
Need LDAP Tools?
• Apache Directory Server & Studio (client)
  http://directory.apache.org/
• Open Source (Apache license)...
Need LDAP Tools?

• OpenLDAP - http://www.openldap.org/
 • includes command line tools:
    ldapsearch, ldapadd, etc.
• Ne...
LDAP Timing
• Koha LDAP does not go grab all your users
  as a “dump”. That is what IMPORT is for.
  Instead it updates wh...
<ldapserver> bind
<hostname>ldap://auth.example.com:389</hostname>
<base>dc=example,dc=com</base>
<user>cn=Admin,dc=exampl...
<ldapserver> options
<ldapserver> options

<replicate>1</replicate><!-- add new users from LDAP to Koha database -->
<update>1</update>      <!...
<ldapserver> options

<replicate>1</replicate><!-- add new users from LDAP to Koha database -->
<update>1</update>      <!...
Know your own Schema
• For example,
                                        version: 1
                                   ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: ...
Pick data Koha cares about
sn: Jensen
givenName: Barbara
initials: BJJ
uid: bjensen
mail: bjensen@siroe.com
telephoneNumbe...
Pick data Koha cares about
sn: Jensen
givenName: Barbara
initials: BJJ
uid: bjensen
mail: bjensen@siroe.com
telephoneNumbe...
Data Koha Cares About
• You define it with <ldapserver> <mapping>
  element in koha-conf.xml

• But some fields are required...
The <mapping>
<mapping>
  <firstname      is=quot;givennamequot;      ></firstname>
  <surname        is=quot;snquot;     ...
The <mapping>
<mapping>
  <firstname      is=quot;givennamequot;      ></firstname>
  <surname        is=quot;snquot;     ...
The <mapping>
<mapping>
  <firstname      is=quot;givennamequot;      ></firstname>
  <surname        is=quot;snquot;     ...
The <mapping>
<mapping>
  <firstname      is=quot;givennamequot;      ></firstname>
  <surname        is=quot;snquot;     ...
The <mapping>
    <mapping>
      <firstname      is=quot;givennamequot;      ></firstname>
      <surname        is=quot;...
The <mapping>
    <mapping>
      <firstname      is=quot;givennamequot;      ></firstname>
      <surname        is=quot;...
The <mapping>
    <mapping>
      <firstname      is=quot;givennamequot;      ></firstname>
      <surname        is=quot;...
The <mapping>
    <mapping>
      <firstname      is=quot;givennamequot;      ></firstname>
      <surname        is=quot;...
The <mapping>
   <mapping>
     <firstname      is=quot;givennamequot;      ></firstname>
     <surname        is=quot;snq...
The <mapping>
   <mapping>
     <firstname      is=quot;givennamequot;      ></firstname>
     <surname        is=quot;snq...
The <mapping>
   <mapping>
     <firstname      is=quot;givennamequot;      ></firstname>
     <surname        is=quot;snq...
Required Data: 3 Kinds
Required Data: 3 Kinds

• Required by database
Required Data: 3 Kinds

• Required by database
• Required for login
Required Data: 3 Kinds

• Required by database
• Required for login
• Required by you
Required by database
    mysql> show full columns from borrowers;
          -- field req`d where Null=NO

Easy:
• surname
...
Required by database
    mysql> show full columns from borrowers;
          -- field req`d where Null=NO

Easy:           ...
Required by database
    mysql> show full columns from borrowers;
          -- field req`d where Null=NO

Easy:           ...
Required by login
userid:
• can come from
   from anything
• but it better be
   unique
Required by login
                     password:
userid:
                     • branchcode
• can come from
   from anythin...
The End

    LDAP
 Joe Atzberger, LibLime




KohaCon 2009: Plano, TX
Upcoming SlideShare
Loading in...5
×

Koha Integration: LDAP

4,940

Published on

Do you want to keep your certain user information (like passwords!) automatically in sync with an external authentication server? LDAP is the answer here. - Joe Atzberger

Published in: Technology
1 Comment
6 Likes
Statistics
Notes
  • jejeje
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
4,940
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
179
Comments
1
Likes
6
Embeds 0
No embeds

No notes for slide

Transcript of "Koha Integration: LDAP"

  1. 1. LDAP Joe Atzberger, LibLime KohaCon 2009: Plano, TX
  2. 2. Need LDAP Tools? • Apache Directory Server & Studio (client) http://directory.apache.org/ • Open Source (Apache license) • Newer than openldap and more stable. • Runs on OSX, Win32 and linux. “We strive to increase LDAP awareness, comfort and adoption to bring Modern LDAP Renaissance.” forth what we call the
  3. 3. Need LDAP Tools? • OpenLDAP - http://www.openldap.org/ • includes command line tools: ldapsearch, ldapadd, etc. • Net::LDAP - CPAN perl module
  4. 4. LDAP Timing • Koha LDAP does not go grab all your users as a “dump”. That is what IMPORT is for. Instead it updates when they try to login. • Implications: lightweight, happening in realtime. Somewhat literal, no XSL or other conditional processing.
  5. 5. <ldapserver> bind <hostname>ldap://auth.example.com:389</hostname> <base>dc=example,dc=com</base> <user>cn=Admin,dc=example,dc=com</user> <!-- DN, if not anonymous --> <pass>s3cur1T</pass> <!-- password, if not anonymous --> • So you can anonymous bind (not recommended) • Otherwise, specify user for bind • bind-as-auth: others have hacked Koha to do it, but not cleanly enough to get into HEAD. So I’m not presenting it.
  6. 6. <ldapserver> options
  7. 7. <ldapserver> options <replicate>1</replicate><!-- add new users from LDAP to Koha database --> <update>1</update> <!-- update existing users in Koha database -->
  8. 8. <ldapserver> options <replicate>1</replicate><!-- add new users from LDAP to Koha database --> <update>1</update> <!-- update existing users in Koha database --> Default is ON for both.
  9. 9. Know your own Schema • For example, version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson inetOrgPerson, objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen RFC#2798: displayName: Babs Jensen sn: Jensen givenName: Barbara http://www.ietf.org/rfc/rfc2798.txt initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  10. 10. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  11. 11. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  12. 12. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  13. 13. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  14. 14. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson Pick data Koha cares about cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  15. 15. version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson Pick data Koha cares about cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page
  16. 16. Pick data Koha cares about sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time
  17. 17. Pick data Koha cares about sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: bjensen@siroe.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time
  18. 18. Data Koha Cares About • You define it with <ldapserver> <mapping> element in koha-conf.xml • But some fields are required. • And some of those are *really* required. • See perldoc C4::Auth_with_ldap
  19. 19. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping>
  20. 20. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping>
  21. 21. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping>
  22. 22. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping>
  23. 23. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields in borrowers.*
  24. 24. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields in borrowers.*
  25. 25. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields in borrowers.*
  26. 26. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields LDAP fields in borrowers.* in Schema
  27. 27. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields LDAP fields ==> in borrowers.* in Schema
  28. 28. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Koha fields LDAP fields ==> in borrowers.* in Schema
  29. 29. The <mapping> <mapping> <firstname is=quot;givennamequot; ></firstname> <surname is=quot;snquot; ></surname> <address is=quot;postaladdressquot; ></address> <city is=quot;lquot; >Athens, OH</city> <zipcode is=quot;postalcodequot; ></zipcode> <branchcode is=quot;branchquot; >MAIN</branchcode> <userid is=quot;uidquot; ></userid> <password is=quot;userpasswordquot; ></password> <email is=quot;mailquot; ></email> <categorycode is=quot;employeetypequot; >PT</categorycode> <phone is=quot;telephonenumberquot;></phone> </mapping> Default Values Koha fields LDAP fields ==> in borrowers.* in Schema
  30. 30. Required Data: 3 Kinds
  31. 31. Required Data: 3 Kinds • Required by database
  32. 32. Required Data: 3 Kinds • Required by database • Required for login
  33. 33. Required Data: 3 Kinds • Required by database • Required for login • Required by you
  34. 34. Required by database mysql> show full columns from borrowers; -- field req`d where Null=NO Easy: • surname • address • city
  35. 35. Required by database mysql> show full columns from borrowers; -- field req`d where Null=NO Easy: Tricky: • surname • branchcode • address • categorycode • city
  36. 36. Required by database mysql> show full columns from borrowers; -- field req`d where Null=NO Easy: Tricky: • surname • branchcode • address • categorycode MUST MATCH VALID • city KOHA VALUES
  37. 37. Required by login userid: • can come from from anything • but it better be unique
  38. 38. Required by login password: userid: • branchcode • can come from from anything • categorycode • but it better be unique
  39. 39. The End LDAP Joe Atzberger, LibLime KohaCon 2009: Plano, TX
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×