Ldap testing

From Koha Wiki

You can test Koha's LDAP functionality without a directory of your own by using the public, read-only LDAP test server run by Forum Systems: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ (the bind DN and password used below are the published credentials of that test server).

Enter into your koha-conf.xml:

<useldapserver>1</useldapserver>
<ldapserver id="ldapserver">
  <hostname>ldap://ldap.forumsys.com</hostname>
  <base>dc=example,dc=com</base>
  <replicate>1</replicate>
  <update>1</update>
  <user>cn=read-only-admin,dc=example,dc=com</user>
  <pass>password</pass>
  <auth_by_bind>0</auth_by_bind>
  <anonymous_bind>0</anonymous_bind>
  <principal_name>uid=%s</principal_name>
  <mapping>
    <cardnumber is="potato"></cardnumber>
    <branchcode is="">CPL</branchcode>
    <categorycode is="">PT</categorycode>
    <surname is="uid"></surname>
    <userid is="uid"></userid>
  </mapping>
</ldapserver>

Additional remarks concerning this example.

The example uses plain ldap://, which is acceptable against this public test server (its bind password is published anyway), but in production you should use ldaps:// so that neither the bind password in koha-conf.xml nor the passwords of the users logging in cross the network unencrypted. The example also sets replicate and update to 1; in our own installation we use replicate = 0, because we do not want Koha to create a patron automatically for every user who can authenticate against LDAP, and update = 0, because we do not want Koha patron records to change whenever the LDAP attributes change. With both switched off, the mapping block is presumably not needed either. If you do use the mappings, adjust them to your directory; in the example, cardnumber is deliberately mapped to a non-existent attribute (potato) so that no value is taken from LDAP for it.

On the ByWater page [1] you can find this hint concerning the use of LDAP authentication in combination with local Koha user accounts:

"If an LDAP user is found we then search for a corresponding Koha user and log them in if found. If the ldap lookup fails, or the credentials don't match, the username and password are then checked against the Koha database directly and the user is signed in if the credentials are valid"

The point is that the outcome differs depending on whether the user is found in LDAP and whether the LDAP authentication succeeds. A username that exists both in LDAP and as a local Koha user is accepted with either the LDAP password or the local Koha password: if the LDAP credentials do not match, Koha falls back to the local database. This also means that disabling or removing such an account in LDAP does not lock the user out of Koha as long as the local password still works. So take care, and check that there are no users in your LDAP directory (e.g. Active Directory) that have the same username as a local Koha user.
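The following script is an added example for this page, not Koha's own code. It implements the check recommended above (find usernames that exist both in an LDAP export and among local Koha users) and models the login order quoted from ByWater (LDAP first, local database as fallback) to show why such a collision matters. The LDIF dump and the local user list are constructed inline so the script runs offline; in practice you would produce the LDIF with ldapsearch against your directory and take the userids from Koha's borrowers table. The password comparison is a simplification of Koha's real LDAP check, which verifies the password against the directory rather than against a cleartext attribute.

```python
import base64
from typing import Dict, Optional

# Constructed LDIF export standing in for the output of something like
#   ldapsearch -x -H ldap://ldap.forumsys.com \
#     -D cn=read-only-admin,dc=example,dc=com -w password \
#     -b dc=example,dc=com '(uid=*)'
# userPassword is shown in clear only so the model below can "bind" against it;
# a real directory returns hashed passwords or none at all. Values are invented.
SAMPLE_LDIF = """\
dn: uid=einstein,dc=example,dc=com
objectClass: inetOrgPerson
uid: einstein
cn: Albert Einstein
sn: Einstein
userPassword: ldap-secret-1

dn: uid=newton,dc=example,dc=com
objectClass: inetOrgPerson
uid: newton
cn: Isaac Newton
sn:: TmV3dG9u
userPassword: ldap-secret-2
"""

# Constructed local Koha borrowers (userid -> local password). Real values
# come from the borrowers table, where the password is stored hashed.
LOCAL_USERS = {
    "einstein": "koha-local-pw",  # same userid as the LDAP uid above
    "librarian": "staff-pw",
}


def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Return {uid: {attribute: value}} for every entry in an LDIF dump.

    Handles 'attr: value', base64-encoded 'attr:: value' and folded
    continuation lines (a leading space). Single-valued attributes are
    enough for this check, so repeated attributes keep the last value.
    """
    entries: Dict[str, Dict[str, str]] = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # folded continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs: Dict[str, str] = {}
        for line in lines:
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):            # 'attr:: base64value'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs[name.strip()] = value
        if "uid" in attrs:
            entries[attrs["uid"]] = attrs
    return entries


def ldap_bind(directory: Dict[str, Dict[str, str]], userid: str, password: str) -> bool:
    """Model of the LDAP step with auth_by_bind=0: look the uid up under the
    base, then verify the supplied password for the entry found."""
    entry = directory.get(userid)
    return entry is not None and entry.get("userPassword") == password


def koha_login(directory: Dict[str, Dict[str, str]], local_users: Dict[str, str],
               userid: str, password: str, replicate: bool = False) -> Optional[str]:
    """Model of the login order quoted from ByWater: LDAP first, then the local
    Koha database. Returns "ldap", "local" or None (login refused)."""
    if ldap_bind(directory, userid, password):
        # LDAP accepted the credentials; Koha still needs a patron record,
        # which exists locally or gets created when replicate=1.
        if userid in local_users or replicate:
            return "ldap"
        return None
    # LDAP lookup failed or password mismatched: fall back to the local password.
    if local_users.get(userid) == password:
        return "local"
    return None


def find_collisions(directory: Dict[str, Dict[str, str]], local_users: Dict[str, str]) -> list:
    """Userids that exist both as an LDAP uid and as a local Koha user."""
    return sorted(set(directory) & set(local_users))


if __name__ == "__main__":
    ldap_dir = parse_ldif(SAMPLE_LDIF)
    for uid in find_collisions(ldap_dir, LOCAL_USERS):
        print(f"collision: {uid} exists in LDAP and as a local Koha user")
    # The colliding account logs in with either password.
    for pw in ("ldap-secret-1", "koha-local-pw", "wrong"):
        print(f"einstein / {pw!r} -> {koha_login(ldap_dir, LOCAL_USERS, 'einstein', pw)}")
```

Run it as is to see the collision report and the two successful logins for the same userid; replace SAMPLE_LDIF with a real ldapsearch export and LOCAL_USERS with the userids of your local Koha patrons (a password is only needed for the login model, not for the collision check).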