Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Help with Koha LDAP auth mechanism

22 views
Skip to first unread message

Kent

unread,
Dec 13, 2005, 9:42:17 PM12/13/05
to Perl LDAP
Hello,
I am trying to get a handle on how to use Perl to compare passwords
stored in LDAP that may be encrypted by different means such as MD5,
SMD5, CRYPT etc. The passwords are stored in userPassword attribute.

The application that I'm trying to adapt to multiple possible password
hashes is Koha - Integrated Library System (http://www.koha.org). As it
is now LDAP auth only works with clear text.

Here is a snip of the code from Auth.pm Koha 2.2.4:

##################################################
### LOCAL
### Change the code below to match your own LDAP server.
##################################################
# LDAP connexion parameters
my $ldapserver = '172.16.56.209';
# Infos to do an anonymous bind
my $ldapinfos = 'ou=users,dc=tow,dc=net ';
my $name = "ou=users,dc=tow,dc=net";
my $db = Net::LDAP->new( $ldapserver );

# do an anonymous bind
my $res =$db->bind();
# check connexion
if($res->code) {
# auth refused
warn "LDAP Auth impossible : server not responding";
return 0;
# search user
} else {
my $userdnsearch = $db->search(base => "$name",
filter =>"(cn=$userid)",
);
if($userdnsearch->code || ( $userdnsearch-> count eq
0 ) ) {
warn "LDAP Auth impossible : user unknown in
LDAP";
return 0;
};
# compare a-weak with $password.
# The a-weak LDAP field contains the password
my $userldapentry=$userdnsearch -> shift_entry;
my $cmpmesg = $db -> compare ( $userldapentry, attr =>
'userPassword', value => $password );
if( $cmpmesg -> code != 6 ) {
warn "LDAP Auth impossible : wrong password: ";
return 0;
};
# build LDAP hash
my %memberhash;
my $x =$userldapentry->{asn}{attributes};
my $key;
foreach my $k ( @$x) {
foreach my $k2 (keys %$k) {
if ($k2 eq 'type') {
$key = $$k{$k2};
} else {
my $a = @$k{$k2};
foreach my $k3 (@$a) {
$memberhash{$key} .=
$k3." ";
}
}
}
}
#
# BUILD %borrower to CREATE or MODIFY BORROWER
# change $memberhash{'xxx'} to fit your ldap structure.
# check twice that mandatory fields are correctly filled
#
my %borrower;
$borrower{cardnumber} = $userid;
$borrower{firstname} = $memberhash{givenName}; #
MANDATORY FIELD $borrower{surname} = $memberhash{sn}; #
MANDATORY FIELD
$borrower{initials} =
substr($borrower{firstname},0,1).substr($borrower{surname},0,1)." "; #
MANDATORY FIELD
$borrower{streetaddress} =
$memberhash{homePostalAddress}." "; # MANDATORY FIELD
$borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
$borrower{phone} = $memberhash{homePhone}." "; #
MANDATORY FIELD $borrower{branchcode} =
$memberhash{businessCategory}; # MANDATORY FIELD
$borrower{emailaddress} = $memberhash{mail};
$borrower{categorycode} = $memberhash{employeeType};
##################################################
### /LOCAL

The section that compares passwords retrieved from LDAP needs to be
expanded to include other encryption methods. I am not very well versed
in Perl (better with PHP, sorry) but would appreciate some ideas on
where to proceed.

Thanks in advance.

Kent N

Justin Alcorn

unread,
Dec 13, 2005, 10:18:35 PM12/13/05
to kent, Perl LDAP

kent sent the following missive on 12/13/2005 9:42 PM:

> Hello,
> I am trying to get a handle on how to use Perl to compare passwords
> stored in LDAP that may be encrypted by different means such as MD5,
> SMD5, CRYPT etc. The passwords are stored in userPassword attribute.

Using LDAP like a database, where you compare password hashes, really
isn't the correct way to use it. As a matter of fact, in some LDAP
implementations, including Active Directory, you can't even query the
userPassword attribute.

To authenticate a user, you find out if you can bind to the LDAP server
using that username and password.

To do it in other than clear text, you use LDAP over SSL by connecting
to ldaps://

Also, there is a PHP LDAP library. It isn't as robust as perl-ldap by
any means, but for authenticating a user it works fine.

Chris Ridd

unread,
Dec 14, 2005, 1:21:32 AM12/14/05
to Perl LDAP
On 14/12/05 3:18, Justin Alcorn <jus...@jalcorn.net> wrote:

>
> kent sent the following missive on 12/13/2005 9:42 PM:
>> Hello,
>> I am trying to get a handle on how to use Perl to compare passwords
>> stored in LDAP that may be encrypted by different means such as MD5,
>> SMD5, CRYPT etc. The passwords are stored in userPassword attribute.
>
> Using LDAP like a database, where you compare password hashes, really
> isn't the correct way to use it.

You're correct. Google should be able to help you work out the various
schemes are implemented (the only surprising thing is that many are
pointlessly base64 encoded) but seriously do not bank on being able to read
them back.

> As a matter of fact, in some LDAP
> implementations, including Active Directory, you can't even query the
> userPassword attribute.

If you're doing SASL authentication, the password might not even be
something the server can return. There might not *be* a password.

> To authenticate a user, you find out if you can bind to the LDAP server
> using that username and password.

Yes, this is absolutely the very best thing to do. You might need to do a
search to convert your username value into the user's DN, but then you
should do a bind() to get the server to compare the password.

> To do it in other than clear text, you use LDAP over SSL by connecting
> to ldaps://

To make it clear - this is *not* generally required by servers.

> Also, there is a PHP LDAP library. It isn't as robust as perl-ldap by
> any means, but for authenticating a user it works fine.


Cheers,

Chris


Quanah Gibson-Mount

unread,
Dec 14, 2005, 1:36:40 AM12/14/05
to Perl LDAP

--On Wednesday, December 14, 2005 6:21 AM +0000 Chris Ridd
<chri...@mac.com> wrote:

>> To do it in other than clear text, you use LDAP over SSL by connecting
>> to ldaps://
>
> To make it clear - this is *not* generally required by servers.

And connecting over LDAPS is not the only way to encrypt the connection.
There is TLS over port 389, for example, and also some SASL mechanisms do
the encryption themselves (like SASL/GSSAPI for example).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Chris Ridd

unread,
Dec 14, 2005, 2:10:21 AM12/14/05
to Perl LDAP
On 14/12/05 6:36, Quanah Gibson-Mount <qua...@stanford.edu> wrote:

> --On Wednesday, December 14, 2005 6:21 AM +0000 Chris Ridd
> <chri...@mac.com> wrote:
>
>>> To do it in other than clear text, you use LDAP over SSL by connecting
>>> to ldaps://
>>
>> To make it clear - this is *not* generally required by servers.
>
> And connecting over LDAPS is not the only way to encrypt the connection.
> There is TLS over port 389, for example, and also some SASL mechanisms do
> the encryption themselves (like SASL/GSSAPI for example).

Yep, that too.

Cheers,

Chris


0 new messages