Patron Import and LDAP Authentication

Steve Weber, Systems Admin, Mercyhurst University

What is LDAP? Lightweight Directory Access Protocol: a protocol that lets an application look up and authenticate users (or other resources) held in a directory service (LDAP, port 389; LDAPS, LDAP over TLS, port 636)

Simplified — using your work username to log into Koha

4 requirements for LDAP

  • Network communication
  • An application (Koha’s config file)
  • A binding user (the bridge)
  • A database of authenticating users (Active Directory)

Network communication

  • network ports open (only the port you actually use, ideally 636 so passwords are not sent in the clear):
    • server firewall
    • network firewall
  • If a third-party Koha host (a support vendor) talks to your directory, restrict the firewall rule to that provider's IP addresses

Koha’s LDAP config file

  • A section of Koha's config file that names the directory server, the bind account and the mappings from Koha patron fields to Active Directory attributes
  • Template: /etc/koha/koha-conf-site.xml.in; the live copy for a running instance is /etc/koha/sites/<instance>/koha-conf.xml (it holds the bind password in clear text, so keep its file permissions tight)

The binding user (bridge)

  • The Active Directory account that Koha authenticates to the directory as (binds with) so that it can search Active Directory for the user who is logging in; it should be a dedicated read-only account with no rights beyond searching the patron OU

Active Directory

  • The group of users who can log into Koha with their current usernames and passwords
    • No need for duplicate user accounts in Koha
    • Search base DN: limits the part of the directory Koha searches, and therefore which users can log in
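The stanza below is an added example, not the talk's or Mercyhurst's actual file, and not Koha project code. It shows the shape of the `<ldapserver>` block that sits inside `<config>` in the instance's koha-conf.xml, in the format Koha's C4::Auth_with_ldap module documents. The hostname, DNs, password and attribute names are placeholders. The points to check against your own file: an ldaps:// URI, a search base that scopes who can log in, a dedicated bind account, auth_by_bind so Active Directory itself verifies the password (Koha uses the bind account for the directory search when it is not authenticating by bind), and update_password set to 0 so AD passwords are not copied into Koha's database.

```xml
<!-- Inside <config> ... </config> of /etc/koha/sites/<instance>/koha-conf.xml.
     Example values only: replace host, DNs, password and attribute names. -->
<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
  <!-- LDAPS (636): bind and user passwords never cross the network in clear -->
  <hostname>ldaps://dc1.example.edu</hostname>
  <!-- Search base: only entries under this DN can match, i.e. can log in -->
  <base>OU=Library Patrons,DC=example,DC=edu</base>
  <!-- Bind account: read-only, scoped to the base above, used for the search
       when Koha is not authenticating by bind -->
  <user>CN=svc-koha-ldap,OU=Service Accounts,DC=example,DC=edu</user>
  <pass>REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD</pass>
  <!-- Create missing Koha patrons / refresh existing ones from AD at login -->
  <replicate>1</replicate>
  <update>1</update>
  <!-- Active Directory: verify the password by binding as the user ... -->
  <auth_by_bind>1</auth_by_bind>
  <!-- ... using a UPN built from the Koha login name -->
  <principal_name>%s@example.edu</principal_name>
  <!-- Do not store a copy of the AD password in Koha's borrowers table -->
  <update_password>0</update_password>
  <mapping>
    <!-- Koha column  is="AD attribute"; element text is the default if absent -->
    <userid       is="sAMAccountName"></userid>
    <cardnumber   is="employeeID"></cardnumber>
    <surname      is="sn"></surname>
    <firstname    is="givenName"></firstname>
    <email        is="mail"></email>
    <branchcode   is="branch">MAIN</branchcode>
    <categorycode is="employeeType">ST</categorycode>
  </mapping>
</ldapserver>
```

The `id="ldapserver"` attribute is required because Koha reads the file with `KeyAttr => 'id'`. After editing, restart the instance's Plack/Apache workers and test with an ordinary patron login before testing with anyone who has staff permissions, since `<update>1</update>` will rewrite matched patron fields from the directory.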

Patron import tool — add/update patrons

  • used to add and update user information
  • Tools > Patrons and Circulation > Import Patrons
  • File format: .csv

CSV file formatting for import is very specific; the Koha community manual documents the columns and the data each one needs. For record matching, cardnumber is the key used to match a row in the file to an existing patron.

Record matching

  • branchcode and categorycode (the patron category) must be codes that already exist in Koha
  • date format must match the dateformat system preference
  • the replace/overwrite option matters: it decides whether a matched patron is overwritten from the file or left as is

Custom attributes

  • csv header must be titled "patron_attributes"
  • Attribute is listed with CODE, followed by a colon and then the value
  • Separate attributes with a comma [Ex. CLASS:Senior, GRAD: 2015]

This and that

  • Excel and leading 0s: bring the CSV in through Excel's text import with the cardnumber column typed as Text; opening the file directly drops leading zeros from cardnumbers
  • Staff accounts: exclude users with special permissions from the import so the feed cannot overwrite them
  • Expired — account cleanup — ByWater deletes
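As an added example (not code from the talk, ByWater or the Koha project; written in Python rather than Koha's Perl so it runs anywhere), the script below builds a patron-import CSV the way the notes above describe and re-checks it before upload: cardnumber as the match key, branchcode and categorycode required, dates rendered in the pattern the dateformat system preference expects, patron_attributes written as CODE:value pairs (a value containing a comma is double-quoted so the importer does not split it), zero-padding restored on cardnumbers a spreadsheet may have stripped, and staff accounts held out of the feed. Column names are Koha's borrowers columns; the eight-digit card width, the sample records and the staff exclusion list are constructed assumptions.

```python
"""Build and sanity-check a Koha patron-import CSV.

Added example, not Koha code. Assumptions (hypothetical): source records
arrive as dicts from a campus system, cardnumbers are 8 digits, and staff
logins are excluded by cardnumber or an is_staff flag.
"""
import csv
import io
from datetime import date, datetime

# Koha's dateformat system preference -> strftime pattern the import expects.
DATE_PATTERNS = {"us": "%m/%d/%Y", "metric": "%d/%m/%Y",
                 "iso": "%Y-%m-%d", "dmydot": "%d.%m.%Y"}

# Koha borrowers columns we emit; cardnumber is the match key on import.
COLUMNS = ["cardnumber", "surname", "firstname", "email", "branchcode",
           "categorycode", "dateenrolled", "dateexpiry", "userid",
           "patron_attributes"]

CARDNUMBER_WIDTH = 8  # assumed card length; detects lost leading zeros


def format_attributes(attrs):
    """Render CODE:value pairs for the patron_attributes column.
    A value holding a comma or double quote is quoted CSV-style so the
    importer does not split it into two attributes."""
    parts = []
    for code, value in attrs.items():
        value = str(value)
        if "," in value or '"' in value:
            value = '"' + value.replace('"', '""') + '"'
        parts.append(f"{code}:{value}")
    return ",".join(parts)


def normalize_cardnumber(raw):
    """Restore zero padding a spreadsheet stripped (12345 -> 00012345)."""
    s = str(raw).strip()
    if s.isdigit() and len(s) < CARDNUMBER_WIDTH:
        s = s.zfill(CARDNUMBER_WIDTH)
    return s


def build_import_csv(records, dateformat="us", exclude_cardnumbers=frozenset()):
    """Return (csv_text, skipped_cardnumbers) for Tools > Import patrons."""
    pattern = DATE_PATTERNS[dateformat]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    skipped = []
    for rec in records:
        card = normalize_cardnumber(rec["cardnumber"])
        # Staff accounts are managed by hand: never let the feed touch them.
        if rec.get("is_staff") or card in exclude_cardnumbers:
            skipped.append(card)
            continue
        for key in ("branchcode", "categorycode"):
            if not rec.get(key):
                raise ValueError(f"{card}: missing {key}")
        writer.writerow({
            "cardnumber": card,
            "surname": rec["surname"],
            "firstname": rec["firstname"],
            "email": rec.get("email", ""),
            "branchcode": rec["branchcode"],
            "categorycode": rec["categorycode"],
            "dateenrolled": rec["dateenrolled"].strftime(pattern),
            "dateexpiry": rec["dateexpiry"].strftime(pattern),
            "userid": rec.get("userid", ""),
            "patron_attributes": format_attributes(rec.get("attributes", {})),
        })
    return buf.getvalue(), skipped


def parse_import_csv(csv_text):
    """Read the file back the way Koha will: a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_import_csv(csv_text, dateformat="us"):
    """Report (line, problem) pairs: bad cardnumbers, missing codes, dates
    that do not match the dateformat preference."""
    pattern = DATE_PATTERNS[dateformat]
    problems = []
    for n, row in enumerate(parse_import_csv(csv_text), start=2):
        card = row.get("cardnumber") or ""
        if not card:
            problems.append((n, "missing cardnumber"))
        elif card.isdigit() and len(card) != CARDNUMBER_WIDTH:
            problems.append((n, f"cardnumber {card!r} is not {CARDNUMBER_WIDTH} digits"))
        for col in ("branchcode", "categorycode"):
            if not row.get(col):
                problems.append((n, f"missing {col}"))
        for col in ("dateenrolled", "dateexpiry"):
            try:
                datetime.strptime(row.get(col) or "", pattern)
            except ValueError:
                problems.append((n, f"{col}={row.get(col)!r} not in dateformat {dateformat!r}"))
    return problems


# Constructed sample data, not real patrons. 12346 shows a stripped zero.
SAMPLE_RECORDS = [
    {"cardnumber": "00012345", "surname": "Doe", "firstname": "Jane",
     "email": "jdoe@example.edu", "branchcode": "MAIN", "categorycode": "ST",
     "dateenrolled": date(2014, 8, 25), "dateexpiry": date(2015, 5, 31),
     "userid": "jdoe", "attributes": {"CLASS": "Senior", "GRAD": 2015}},
    {"cardnumber": 12346, "surname": "Roe", "firstname": "Rick",
     "branchcode": "MAIN", "categorycode": "ST",
     "dateenrolled": date(2014, 8, 25), "dateexpiry": date(2016, 5, 31),
     "userid": "rroe", "attributes": {"CLASS": "Junior", "MAJOR": "History, Politics"}},
    {"cardnumber": "00000001", "surname": "Admin", "firstname": "Koha",
     "branchcode": "MAIN", "categorycode": "S", "is_staff": True,
     "dateenrolled": date(2010, 1, 1), "dateexpiry": date(2030, 1, 1)},
]

if __name__ == "__main__":
    text, skipped = build_import_csv(SAMPLE_RECORDS, "us", {"00000001"})
    print(text)
    print("skipped staff:", skipped)
    print("problems:", check_import_csv(text, "us"))
```

Run the check with the same dateformat value the Koha instance uses; running it with the wrong one flags every date in the file, which is exactly the failure you would otherwise discover only after the import rejects or mangles the rows. Keep the exclusion set in step with the staff list in Koha, since a staff login that slips into the feed is overwritten on the next run if overwrite is selected.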

A question was raised about configuring multiple LDAP servers for a consortium. Has anyone done that? The config file the speaker has seen lists only one server, so it is not clear whether that is possible.

Which patron attribute is being sent to LDAP for authentication? cardnumber in Mercyhurst’s configuration.

LDAP information on ByWater Solutions blog