1. LDAP
Joe Atzberger, LibLime
KohaCon 2009: Plano, TX

2. Need LDAP Tools?
• Apache Directory Server & Studio (client)
http://directory.apache.org/
• Open Source (Apache license)
• Newer than openldap and more stable.
• Runs on OSX, Win32 and linux.
“We strive to increase LDAP awareness, comfort and adoption to bring
Modern LDAP Renaissance.”
forth what we call the

3. Need LDAP Tools?
• OpenLDAP - http://www.openldap.org/
• includes command line tools:
ldapsearch, ldapadd, etc.
• Net::LDAP - CPAN perl module

4. LDAP Timing
• Koha LDAP does not go grab all your users
as a “dump”. That is what IMPORT is for.
Instead it updates when they try to login.
• Implications: lightweight, happening in
realtime. Somewhat literal, no XSL or
other conditional processing.

5. <ldapserver> bind
<hostname>ldap://auth.example.com:389</hostname>
<base>dc=example,dc=com</base>
<user>cn=Admin,dc=example,dc=com</user> <!-- DN, if not anonymous -->
<pass>s3cur1T</pass> <!-- password, if not anonymous -->
• So you can anonymous bind (not recommended)
• Otherwise, specify user for bind
• bind-as-auth: others have hacked Koha to do it, but not
cleanly enough to get into HEAD. So I’m not presenting it.

6. <ldapserver> options

7. <ldapserver> options
<replicate>1</replicate><!-- add new users from LDAP to Koha database -->
<update>1</update> <!-- update existing users in Koha database -->

8. <ldapserver> options
<replicate>1</replicate><!-- add new users from LDAP to Koha database -->
<update>1</update> <!-- update existing users in Koha database -->
Default is ON for both.

9. Know your own Schema
• For example,
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
inetOrgPerson, objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
RFC#2798: displayName: Babs Jensen
sn: Jensen
givenName: Barbara
http://www.ietf.org/rfc/rfc2798.txt initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

10. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

11. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

12. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

13. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

14. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Pick data Koha cares about
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

15. version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Pick data Koha cares about
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page

16. Pick data Koha cares about
sn: Jensen
givenName: Barbara
initials: BJJ
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
o: Siroe
departmentNumber: 2604
employeeNumber: 42
employeeType: full time

17. Pick data Koha cares about
sn: Jensen
givenName: Barbara
initials: BJJ
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
o: Siroe
departmentNumber: 2604
employeeNumber: 42
employeeType: full time

18. Data Koha Cares About
• You define it with <ldapserver> <mapping>
element in koha-conf.xml
• But some fields are required.
• And some of those are *really* required.
• See perldoc C4::Auth_with_ldap

19. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>

20. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>

21. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>

22. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>

23. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields
in borrowers.*

24. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields
in borrowers.*

25. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields
in borrowers.*

26. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields LDAP fields
in borrowers.* in Schema

27. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields LDAP fields
==>
in borrowers.* in Schema

28. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Koha fields LDAP fields
==>
in borrowers.* in Schema

29. The <mapping>
<mapping>
<firstname is=quot;givennamequot; ></firstname>
<surname is=quot;snquot; ></surname>
<address is=quot;postaladdressquot; ></address>
<city is=quot;lquot; >Athens, OH</city>
<zipcode is=quot;postalcodequot; ></zipcode>
<branchcode is=quot;branchquot; >MAIN</branchcode>
<userid is=quot;uidquot; ></userid>
<password is=quot;userpasswordquot; ></password>
<email is=quot;mailquot; ></email>
<categorycode is=quot;employeetypequot; >PT</categorycode>
<phone is=quot;telephonenumberquot;></phone>
</mapping>
Default Values
Koha fields LDAP fields
==>
in borrowers.* in Schema

30. Required Data: 3 Kinds

31. Required Data: 3 Kinds
• Required by database

32. Required Data: 3 Kinds
• Required by database
• Required for login

33. Required Data: 3 Kinds
• Required by database
• Required for login
• Required by you

34. Required by database
mysql> show full columns from borrowers;
-- field req`d where Null=NO
Easy:
• surname
• address
• city

35. Required by database
mysql> show full columns from borrowers;
-- field req`d where Null=NO
Easy: Tricky:
• surname • branchcode
• address • categorycode
• city

36. Required by database
mysql> show full columns from borrowers;
-- field req`d where Null=NO
Easy: Tricky:
• surname • branchcode
• address • categorycode
MUST MATCH VALID
• city KOHA VALUES

37. Required by login
userid:
• can come from
from anything
• but it better be
unique

38. Required by login
password:
userid:
• branchcode
• can come from
from anything
• categorycode
• but it better be
unique

39. The End
LDAP
Joe Atzberger, LibLime
KohaCon 2009: Plano, TX