Koha Integration: LDAP

LDAPJoe Atzberger, LibLime

KohaCon 2009: Plano, TX

Need LDAP Tools?• Apache Directory Server & Studio (client)

http://directory.apache.org/

• Open Source (Apache license)

• Newer than openldap and more stable.

• Runs on OSX, Win32 and linux.“We strive to increase LDAP awareness, comfort and adoption to bring

forth what we call the Modern LDAP Renaissance.”

Need LDAP Tools?

• OpenLDAP - http://www.openldap.org/

• includes command line tools: ldapsearch, ldapadd, etc.

• Net::LDAP - CPAN perl module

LDAP Timing

• Koha LDAP does not go grab all your users as a “dump”. That is what IMPORT is for. Instead it updates when they try to login.

• Implications: lightweight, happening in realtime. Somewhat literal, no XSL or other conditional processing.

<ldapserver> bind<hostname>ldap://auth.example.com:389</hostname><base>dc=example,dc=com</base><user>cn=Admin,dc=example,dc=com</user> <!-- DN, if not anonymous --><pass>s3cur1T</pass> <!-- password, if not anonymous -->

• So you can anonymous bind (not recommended)• Otherwise, specify user for bind• bind-as-auth: others have hacked Koha to do it, but not cleanly enough to get into HEAD. So I’m not presenting it.

<ldapserver> options

<ldapserver> options

<replicate>1</replicate><!-- add new users from LDAP to Koha database --><update>1</update> <!-- update existing users in Koha database -->

<ldapserver> options

<replicate>1</replicate><!-- add new users from LDAP to Koha database --><update>1</update> <!-- update existing users in Koha database -->

Default is ON for both.

Know your own Schema• For example,

inetOrgPerson, RFC#2798:http://www.ietf.org/rfc/rfc2798.txt

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

Pick data Koha cares about

version: 1 dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen displayName: Babs Jensen sn: Jensen givenName: Barbara initials: BJJ title: manager, product development uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 carLicense: 6ABC246 o: Siroe ou: Product Development departmentNumber: 2604 employeeNumber: 42 employeeType: full time preferredLanguage: fr, en-gb;q=0.8, en;q=0.7 labeledURI: http://www.siroe.com/users/bjensen My Home Page

Pick data Koha cares about

sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time

Pick data Koha cares about

sn: Jensen givenName: Barbara initials: BJJ uid: bjensen mail: [email protected] telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 mobile: +1 408 555 1941 roomNumber: 0209 o: Siroe departmentNumber: 2604 employeeNumber: 42 employeeType: full time

Pick data Koha cares about

Data Koha Cares About

• You define it with <ldapserver> <mapping> element in koha-conf.xml

• But some fields are required.

• And some of those are *really* required.

• See perldoc C4::Auth_with_ldap

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

<mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

<mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

LDAP fieldsin Schema

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

==>LDAP fieldsin Schema

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

==>LDAP fieldsin Schema

The <mapping> <mapping> <firstname is="givenname" ></firstname> <surname is="sn" ></surname> <address is="postaladdress" ></address> <city is="l" >Athens, OH</city> <zipcode is="postalcode" ></zipcode> <branchcode is="branch" >MAIN</branchcode> <userid is="uid" ></userid> <password is="userpassword" ></password> <email is="mail" ></email> <categorycode is="employeetype" >PT</categorycode> <phone is="telephonenumber"></phone> </mapping>

Koha fieldsin borrowers.*

==>LDAP fieldsin Schema

Default Values

Required Data: 3 Kinds

Required Data: 3 Kinds

• Required by database

Required Data: 3 Kinds

• Required by database

• Required for login

Required Data: 3 Kinds

• Required by database

• Required for login

• Required by you

Required by database

Easy:

• surname

• address

• city

mysql> show full columns from borrowers;-- field req`d where Null=NO

Required by database

Easy:

• surname

• address

• city

Tricky:

• branchcode

• categorycode

mysql> show full columns from borrowers;-- field req`d where Null=NO

Required by database

Easy:

• surname

• address

• city

Tricky:

• branchcode

• categorycode

mysql> show full columns from borrowers;-- field req`d where Null=NO

MUST MATCH VALIDKOHA VALUES

Required by login

userid:

• can come fromfrom anything

• but it better beunique

Required by login

userid:

• can come fromfrom anything

• but it better beunique

password:

• branchcode

• categorycode

LDAPJoe Atzberger, LibLime

KohaCon 2009: Plano, TX

The End