
View Full Version : Integration with vBulletin - LDAP Authentication


zemic
04-17-2007, 10:00 PM
I've been using Vbulletin for a few years, and have had some great modifications from this community, so having had to recently integrate Vbulletin with LDAP for my University discussion boards I decided to release this as a modification. This is my present to the community :).

Description:

LDAP authentication for Vbulletin.

How it works:

This does not modify Vbulletin files or Vbulletin login code in any way. We simply stick some script in front of the login process so we can validate against LDAP. Below is a breakdown of what this thing does:

First looks to see if login form has been submitted
Checks if it should look up "this" user in LDAP (defined in ldapconfig)
Queries LDAP for the username
If user is returned check if VB MD5 password matches LDAP MD5 password
If it does, check the VB user table to see if the user is already in the table. If yes, update VB user table password with LDAP password by encrypting MD5 password with the user's 'salt' key
If not, create a new user in database using VB classes/functions.
If user/pass do not match in LDAP then check if user is in VB user table.

If they are, change the password to something random so they cannot login with an old password

If a user is not returned from LDAP, assume the user has registered on the boards in the normal way and don't do anything to the VB user table.

Requirements:

The requirements are based on the system we use. It may / may not work with other Vbulletin versions:

PHP 4.3+
LDAP System
uid (username), mail (email address), and a field containing MD5 password

Installation:

Download and unzip the file
Edit "ldapconfig.php" and then upload into your "includes" folder
Login to Admin CP and Add / Import the product (xml file)

Extra Info / Future Plans / Help:

This LDAP integration script currently requires you to have an LDAP field with the user's password stored as MD5. From my understanding, CRYPT is the default password storage for LDAP so some of you may not have an MD5 field in LDAP with the user's password encrypted as MD5.

It would be possible to modify the script to check against CRYPT, but it would also require a template edit as the login form converts the password field "onSubmit" to MD5. I did not do this because we already have the MD5 in LDAP as we use it on a number of different systems already, and I did not want to change VB templates.

Also, I was unable to find documentation on doing a script / releasing a modification, so in future if someone could explain to me or change the script slightly to allow editing of LDAP configuration file within ADMIN CP interface, that would be great. This would also mean not having to upload a file into the includes folder.

I'm sure there will be something I haven't thought of, or will make it easier if this script had this and that, so feel free to post your ideas, and suggestions on improving this modification.

Important Info:
Hack is provided free of charge (but if you really want to get rid of money PM me ;) ). I make no guarantee it will work on your system, but it does on mine with 15,000 users :).

Version:

1.1 - You can now specify the field to authenticate against in ldapconfig.php (19/05/2007)
1.0.1 - Corrected 'mysql_num_rows' query to use VB DB class call (19/04/2007)
1.0 - First release (18/04/2007)

Hope it's useful for some of you :):up:

Reeve of shinra
04-18-2007, 05:51 PM
This has been requested for ages, you may find yourself crowned as a king for this. =p

projectego
04-18-2007, 06:55 PM
Cheers!

/me clicks install

M-Tuning
04-18-2007, 07:04 PM
maybe useful to explain what LDAP means?

Maybe I will install it, when I know what it is :D

nexialys
04-18-2007, 07:10 PM
maybe useful to explain what LDAP means?
Maybe I will install it, when I know what it is :D

If you don't know what it is, 100% chances you don't need it... search for LDAP on google for more details...

rjmjr69
04-18-2007, 07:37 PM
Nice work. Although I have no use for it. I've seen much call for it in the past.

Wayne Luke
04-18-2007, 09:08 PM
maybe useful to explain what LDAP means?
Lightweight Directory Access Protocol

From Wikipedia, the free encyclopedia

The Lightweight Directory Access Protocol, or LDAP (IPA (http://en.wikipedia.org/wiki/International_Phonetic_Alphabet): [ˈɛl dæp]), is an application protocol for querying and modifying directory services (http://en.wikipedia.org/wiki/Directory_service) running over TCP/IP (http://en.wikipedia.org/wiki/Internet_protocol_suite).
A directory is a set of information with similar attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of a person or organization) organized alphabetically, with an address and phone number attached.
An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (http://en.wikipedia.org/wiki/Domain_Name_System) (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry (or multiple entries).
Its current version is LDAPv3. LDAPv3 is specified in a series of IETF (http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) Standard Track RFCs (http://en.wikipedia.org/wiki/Request_for_Comments) as detailed in RFC 4510 (http://tools.ietf.org/html/rfc4510).


Maybe I will install it, when I know what it is :D

It is one of those things that if you don't know what it does, you don't need it.

rjmjr69
04-18-2007, 09:14 PM
Just for my own satisfaction

can you give an example or two as to what this would be used for please?

maamon
04-18-2007, 09:17 PM
Just for my own satisfaction

can you give an example or two as to what this would be used for please?

KevNJ
04-18-2007, 09:28 PM
As said above... It is one of those things that if you don't know what it does, you don't need it.

rjmjr69
04-18-2007, 09:30 PM
As said above... It is one of those things that if you don't know what it does, you don't need it.

I agree I don't need it but regardless I would like to LEARN more about it. And the question was directed to the author thank you.

zemic
04-18-2007, 09:49 PM
It's one of them things, if you don't use it you don't need it as said above but....

Best example I can give is of my work..... we use LDAP to authenticate users across different services we offer on campus - logging into computers, access programs, databases, and web sites. On the web for example our CMS, Blackboard, Campus Pipeline, Intranet and now VBulletin all authenticate against LDAP. This allows us to give out 1 username and password to every staff and student to access any service we offer; we can restrict access via LDAP as well.

There's a bit more to it than that. You've got to have someone to populate LDAP, or some program to automatically insert / update records i.e. our finance department enter a new staff member onto the pay roll system, and in an overnight job LDAP is synchronised with it, creating new usernames if necessary or expire accounts if someone has left.

It's our "yellow pages" of staff and students. Benefit to us is 1 username and password to access all our services. Less maintenance. Also in time it will allow us to roll out "single sign on". Sign into a computer on the network, and then you are automatically logged into our web sites or Vbulletin when you go to that site. No need for cookies.

You may have heard of Active Directory which is similar.

Does that make sense? :s :)

rjmjr69
04-18-2007, 10:19 PM
Actually that makes PERFECT sense as to the definition of the acronym. thank you very much for answering. Now you will get A LOT less questions

Paul M
04-18-2007, 10:27 PM
I notice that you are using mysql_num_rows() - you should update that to the equivalent vb database class call. :)

zemic
04-18-2007, 11:38 PM
True!! Fixed , thanks for pointing that out :D

(attachment updated)

bada_bing
04-19-2007, 02:29 AM
Wow this is great news man. I was thinking of using vb at my work for our IT department for internal knowledgebase but refrained due to the whole separate login issues but now that LDAP is supported this is very cool.

Thanks

ninjamaster
04-19-2007, 07:27 AM
thanks m8 will have a look at this :)

zemic
04-19-2007, 10:37 AM
Let me know how you get on. ..... :)

I've updated the attachment so the download is now a product, not just a plugin. Did this so people can do version checking. Not edited any code.

Invalid ID
04-19-2007, 05:37 PM
Is there any possibility of attaching some screenshots?

Thanks

zemic
04-19-2007, 07:06 PM
Is there any possibility of attaching some screenshots?

Thanks

Nope, there's nothing to take a screen shot of. You login with the usual Vbulletin form. Script talks to the LDAP server in the background, then continues with the Vbulletin login code.

Iceboxer
04-22-2007, 06:42 AM
Hi, Zemic:

Brilliant bit, thanks (for those of us desperately trying to integrate VB with a CMS)...may I ask what Directory Server you are using? Red Hat, or Sun, or...? I note you mentioned Active Directory as something you are clearly NOT using. Did you write your own directory server?

Second, do I take it from your explanation that your hack authenticates but does not populate the directory?

Thanks,

Iceboxer

zemic
04-22-2007, 06:23 PM
Hi, Zemic:

Brilliant bit, thanks (for those of us desperately trying to integrate VB with a CMS)...may I ask what Directory Server you are using? Red Hat, or Sun, or...? I note you mentioned Active Directory as something you are clearly NOT using. Did you write your own directory server?

Second, do I take it from your explanation that your hack authenticates but does not populate the directory?

Thanks,

Iceboxer

Thanks ! :)

You could integrate the code with pretty much anything i.e. a CMS. Just change the bit of code that speaks to VB to talk to your CMS. Making a connection to LDAP, authenticating etc. is standard PHP/LDAP code, nothing fancy. Read through the plugin code. I've commented on every bit of the login process.

We are on SUN systems, with the look of bringing in Active Directory during this year (not my idea! those upstairs ;) ). I didn't write the directory server and I'm not responsible for any part of the LDAP system. Leave the headache of that to the system admins :), but I know we have extra fields over a standard "installation" of LDAP i.e. MD5.

As mentioned earlier.......Ideally this script would authenticate against CRYPT, but without changing Vb code it won't. *I THINK* most establishments that use ldap will have the password stored in MD5 as well as crypt anyway, so this is probably not as big of an issue as I think it is, but I point it out in case someone scratches their heads for hours trying to figure out why this script might not work with their system. I can post some extra CRYPT instructions if necessary.

My hack does not change anything in LDAP. I assume that LDAP is always correct. We have other tools to change password in LDAP so this was not needed. If you want to though, you could add a bit of code so that when the user changes his/her password in Vbulletin it would update LDAP, but here, I've removed the link to "Change Password" from USER CP in Vbulletin just in case the users get confused; we have another website/tool for users to manage their computer account.

Iceboxer
04-23-2007, 06:18 AM
Zemic:

Thanks again. I'm struggling to "get" the LDAP concept - not so much in straight-up validation, LDIF, etc., but in populating the Directory db in an automatic fashion and in figuring out how to make this work regardless of which (VB, my CMS, etc.) program is used for user registration - which from your earlier posts, isn't a problem with which you've had to concern yourself. :-)

I'm slogging through some tutorials on LDAP now, and hopefully I can figure this out. :erm: However, that being said, it's a GREAT help to those of us out here trying to create fully integrated sites to have this Add-on from you, and I just wanted to express my gratitude...it's made my day to see this here.

Thx,

Iceboxer

zemic
04-23-2007, 07:24 AM
No problem, if it's useful for someone other than me then that's made my day :D. I've not populated LDAP myself before so don't think I could be of any help. We have other (mainly payroll) type software / system to do that automatically, as well as perl scripts which can be run on a server - code written "in-house" by other people so cannot share I'm afraid.

Let me know how you get on. :up:

fhs2006
04-30-2007, 07:22 AM
i am sorry to say, but as long as i have to use md5 in ldap so the hashes match, this thing is not really useful. most of the time, people want to use an existing ldap directory, where 99% of the time another password mechanism is used (crypt, sha1). i stick with the plugin from www.sartori.at

zemic
04-30-2007, 08:00 AM
Like I said in a previous post, this could be modified to work with CRYPT. All that is required is changing the VBulletin login form (template) so it doesn't MD5 the password as soon as you hit enter ( I would need to look into possibility of this breaking something else) or leave the MD5 thing, and pass plain text password, or crypt the password on submit. A simple template edit would do this.

Give me a couple of days to fit this in around work and I'll do it.

Can't see what that script at the above URL does any different to mine. If you've got the code to share, or could give me a hint, I'm sure I could add something into mine to do the same. Could save people 100 euros :)

fhs2006
04-30-2007, 08:03 AM
yes i do have the code, because i bought this plugin. but to be honest, i will not share the code. it would not be fair towards the developer. selling php code is always pain in the ass and a developer who sells his piece of code trusts his customers.

zemic
04-30-2007, 08:50 AM
Fair enough :).

If anyone has feature requests, just reply to the topic or PM me.

David_McPherson
05-24-2007, 07:17 PM
Zemic,
You have no idea what this means for me at this moment.. If I can get this to function I'll be a happy, happy man.

I'm getting this... when I attempt to login with a known user in our LDAP system.
Fatal error: Call to undefined function: ldap_connect() in D:\Intranet\links\forum\global.php(356) : eval()'d code on line 25

Idea? And... I cannot even log into the forum under my admin to reverse the process.

zemic
05-24-2007, 09:51 PM
Hello !

To me, that looks like you're running PHP in a Windows environment, and it doesn't support LDAP. I've just downloaded my code again from here just in case I'd done a little mistake in the code after a recent update, but deffo haven't.

To remove the Product / Plugin you'll need to edit your config.php file to disable plugins. I'll have a search on the forums for the variable to put into your config.php now, because I can't remember off the top of my head....

zemic
05-24-2007, 09:55 PM
Here it is. Stick this in your config.php


define('DISABLE_HOOKS', true);


Instructions here:
http://www.vbulletin.com/docs/html/disable_plugins


p.s.
I'm still working on a slight tweak for this modification to work with CRYPT as I said I would do a couple of weeks ago. I should get time to complete it this week. :)

David_McPherson
05-24-2007, 10:15 PM
Fantastic... thank you sir. I'm back in.

fhs2006
05-31-2007, 02:29 PM
malcolmx gives out his ldap authentication now for free. it has this feature.

David_McPherson
06-01-2007, 02:27 AM
malcolmx gives out his ldap authentication now for free. it has this feature.

Forgive me... Malcolmx? Do you have a link to his website, or is it here?

fhs2006
06-01-2007, 04:26 AM
https://vborg.vbsupport.ru/showthread.php?p=1258715

ckm
09-16-2007, 05:57 PM
I'm modifying this code to authenticate against something different, but I was looking through the code for this plugin and found a possible error.

In the section where it tries to update the VB database's user password, it seems to MD5 a password that's already MD5'd:


//MD5 the password with SALT key
$passwordsalt = md5($_POST[vb_login_md5password] . $salt[0]);

(BTW, line 89 in the XML file)

It may be my lack of understanding as to how VB holds passwords, but wouldn't you MD5 the plain text password, not something that's already been hashed? If so, would $vbulletin->GPC['vb_login_password'] still be available to do this?

And if $vbulletin->GPC['vb_login_password'] is still available, you could use it to replace $_POST[vb_login_md5password]

Thx.

Chris.

zemic
09-17-2007, 03:09 PM
Hello,

It's been a few months since I've been on here. In June I moved jobs and have gone from an institution using UNIX UNIX UNIX, to MICROSOFT MICROSOFT MICROSOFT so no LDAP server for me to play around with, and therefore haven't been able to develop this any more since release. Good news MalcolmX decided to release his version for free after I spent hours figuring this thing out!! I've not tried his version but it's good to give people choice :).

Anyway....

ckm, yes it is correct. Vbulletin re-hashes the MD5 with a "salt" key. It's like an extra layer of protection. Salt is just a random 3 digit character made up when a new user is created. It's then used to encrypt the password. Does that make sense?



I'll try and get LDAP up and running somewhere so I can develop this a bit further. It works as is but I could add a few extra neat touches. :)

Mark Tomlinson
10-17-2007, 09:00 PM
Our LDAP tree does not include an MD5 password hash field - or at least not one that is viewable with an anonymous bind. So I simply modified the IF that does the password hash comparison with an IF that does a bind with the user's name and password.

// if($info[0]["$ldapfield"][0] == $_POST[vb_login_md5password])
if (@ldap_bind($ds, $info[0]["dn"][0], $vbulletin->GPC['vb_login_password']))


It works like a champ.

zemic
10-17-2007, 09:57 PM
Brill :up:

Mark Tomlinson
11-05-2007, 03:14 PM
I had to make another brief modification.

Many of our users do not have a 'uid', but everyone has a 'cn'. So initially I changed the code just to look for "cn=" rather than "uid=". But I realize that may not be very flexible, so I eventually added a variable to ldapconfig.php called $ldapuid which can be set to "uid", "cn", or what-have-you. A quick change to one line in ldap_authentication.php uses the variable.
//ldap search using the username entered in the login form
// ---- Modified by Mark Tomlinson - 10/19/2007 ----
// $sr=ldap_search($ds, $ldapdn, "uid=$_POST[vb_login_username]");
$sr=ldap_search($ds, $ldapdn, "$ldapuid=$_POST[vb_login_username]");
// ---- End Modifications ----

Mark Tomlinson
11-28-2007, 09:19 PM
I need to make some corrections to my original posting about using the LDAP bind for authentication. Unfortunately, there were two errors in the code which were causing @ldap_bind to do an anonymous bind. If your directory does not allow anonymous, then the code would fail. If your directory does allow anonymous, then any password would work.

Here is the corrected code from ldap_authentication.php.
//... check if the username and password entered in the login form are correct (in LDAP)
//by default LDAP stores passwords in CRYPT format, but we'd need to know the plain text
//password to check against CRYPT. VB converts the password into MD5 on form submission
//and because we have the password already stored as MD5 in LDAP, we can do this!
// ---- Modified by Mark Tomlinson - 11/28/2007 ----
// if($info[0]["$ldapfield"][0] == $_POST[vb_login_md5password])
if (@ldap_bind($ds, $info[0]["dn"], $_POST[vb_login_password]))
// ---- End Modifications ----
{


Also, this code has "dn" hard-coded into it. Your directory may need to use the CN or UID attributes. Chris has suggested that we can reuse $ldapfield for that purpose.

cafelatte
12-10-2007, 07:12 PM
I'm a newbie, and seem to be technically challenged today.
Have installed vBulletin v3.6.8 PL2 on Solaris, w/Apache2.2, PHP5.2.4, and MySQL4.1.22.
vBulletin is working, but now I need to have LDAP support for Single Sign On authentication.

Ok, followed the simple instructions for installing the "ldapconfig.php",
but I'm stuck at step #3, where I "Add / Import the product (xml file)"

I logged in to the Admin CP, but don't see the Add/Import.
Down the left side I see:
- vBulletin Options
- Style & Template
- Language & Phrases
- FAQ
(and the list goes on)

I have expanded each and all sections, but nothing is jumping out at me
that says "Add/Import" Where is it???

Lost and wandering aimlessly.
Stacy

cafelatte
12-11-2007, 05:43 PM
OK, I figured out the installation, but now it's not authenticating known users?

any clues???

zemic
12-14-2007, 02:24 PM
Usual culprits are UID field or no MD5 field. MD5 is not a standard LDAP field but most people create it. So if you only got CRYPT to store your passwords, this script won't work without some template changes (which is not recommended).

growler
12-14-2007, 08:50 PM
Are there any logs to find out why a user isn't able to authenticate correctly? I'm using openldap for telnet/ssh access to the server, but I'm still trying to debug this plugin.

Thanks

cafelatte
12-14-2007, 09:48 PM
Ok, I think I have narrowed my problem down.

I can't do an anonymous bind and refused access to the md5hash due to security reasons.

So, now I am looking to use a .htaccess mechanism, and have started to search the forum.
any recommendations???

Mark Tomlinson
01-07-2008, 04:18 PM
Ok, I think I have narrowed my problem down.

I can't do an anonymous bind and refused access to the md5hash due to security reasons.

So, now I am looking to use a .htaccess mechanism, and have started to search the forum.
any recommendations???

Cafelatte,

You may want to try the method of binding using the user ID that I outline several posts above. Here is a reprise of the code.
/**********
* DO NOT execute if one of the users is in VB and LDAP (list in
config file)
***********/
// ---- Modified by Mark Tomlinson - 12/04/2007 ----
// if($_POST[vb_login_username] != "$nosearch")
if (($_POST[logintype] != 'cplogin')
AND ($_POST[logintype] != 'modcplogin')
AND ($_POST[vb_login_username] != "$nosearch"))
// ---- End Modifications ----
{


if($info['count'] == '1')
{
//... check if the username and password entered in the login form are correct (in LDAP)
//by default LDAP stores passwords in CRYPT format, but we'd need to know the plain text
//password to check against CRYPT. VB converts the password into MD5 on form submission
//and because we have the password already stored AS MD5 in LDAP, we can do this!
// ---- Modified by Mark Tomlinson - 10/17/2007 ----
// if($info[0]["$ldapfield"][0] == $_POST[vb_login_md5password])
if ($_POST[vb_login_password] AND (@ldap_bind($ds, $info[0]['dn'], $_POST[vb_login_password])))
// ---- End Modifications ----
{


Also, however, you may find that you use CN for the user name instead of UID. In that case, make the following change and set $ldapuid to "cn".

//ldap search using the username entered in the login form
// ---- Modified by Mark Tomlinson - 10/19/2007 ----
// $sr=ldap_search($ds, $ldapdn, "uid=$_POST[vb_login_username]");
$sr=ldap_search($ds, $ldapdn, "$ldapuid=$_POST[vb_login_username]");
// ---- End Modifications ----


-- addendum --
And here is something very important that I forgot to mention before. This only works if the login form passes the password. To make that happen, you have to modify global.php (if anyone knows a better way, please let me know). Add the following anywhere near the top.
// password will be passed in clear text
define('DISABLE_PASSWORD_CLEARING', 1);

What it says is exactly what it means - the password will be passed in clear text. Not good. I know. Shouldn't be too much of an issue if your forum is SSL, but most aren't. I'm trying to find another way, but this is the only way for now.
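
Added example (not part of the thread and not the plugin's own code): the bind-based check from the posts above written as one function that refuses empty passwords, escapes the username before it goes into the search filter, and reads the DN as a string. The `$cfg` keys, host and base DN are hypothetical placeholders, and `ldap_escape()` needs PHP 5.6 or later.

```php
<?php
// Added example, not the plugin's code. Every $cfg key and value is hypothetical.

// Build "(attr=value)" with the user-supplied value escaped for filter context,
// so characters such as * ( ) \ are matched literally instead of parsed.
function build_user_filter($attr, $username)
{
    // The attribute name comes from config (like $ldapuid); validate it anyway.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
        return null;
    }
    return '(' . $attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Returns the user's DN if the directory accepts the credentials, else null.
function ldap_bind_authenticate($username, $password, array $cfg)
{
    // Without the PHP LDAP extension, fail closed instead of dying with a
    // fatal "undefined function" error in the middle of the login hook.
    if (!function_exists('ldap_connect') || !function_exists('ldap_escape')) {
        return null;
    }
    // A simple bind with an empty password is handled by the server as an
    // anonymous (unauthenticated) bind and may succeed, so refuse it here.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    $filter = build_user_filter($cfg['user_attr'], $username);
    if ($filter === null) {
        return null;
    }

    $ds = ldap_connect($cfg['uri']);
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The plain-text password is about to cross the network: require TLS
    // unless the URI is already ldaps://.
    if (stripos($cfg['uri'], 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        return null;
    }

    // Step 1: find the entry using the search identity (null/null = anonymous).
    $dn = null;
    if (@ldap_bind($ds, $cfg['search_dn'], $cfg['search_pw'])) {
        $sr = @ldap_search($ds, $cfg['base_dn'], $filter, array($cfg['user_attr']));
        if ($sr) {
            $info = ldap_get_entries($ds, $sr);
            // Require exactly one match. The DN is a string at ['dn'];
            // ['dn'][0] would be only its first character.
            if ($info && $info['count'] == 1) {
                $dn = $info[0]['dn'];
            }
        }
    }

    // Step 2: the real check. Re-bind as that DN with the supplied password.
    $ok = ($dn !== null) && @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok ? $dn : null;
}

$cfg = array(
    'uri'       => 'ldap://ldap.example.edu',       // placeholder host
    'base_dn'   => 'ou=people,dc=example,dc=edu',   // placeholder base DN
    'user_attr' => 'uid',                           // or 'cn', as with $ldapuid
    'search_dn' => null,
    'search_pw' => null,
);

// Constructed inputs; neither call contacts a server.
if (function_exists('ldap_escape')) {
    echo build_user_filter('uid', 'jdoe*'), "\n";   // wildcard is escaped
}
var_dump(ldap_bind_authenticate('jdoe', '', $cfg)); // empty password is refused
```

The function still needs the plain-text password from the login form, so the constraint described above applies: serve the login page over SSL/TLS.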

Andy Pace
03-11-2008, 02:29 PM
Has anyone got this to work with Active Directory? If so, mind lending some insight? :)

I have also set this module up correctly as far as I can tell, but I'm not seeing anything in the security event log on the domain controller...

SteveCoppin
03-12-2008, 02:21 PM
Does this LDAP mod also sit on top of admincp and modcp? Currently using another mod that doesn't and it's causing some headaches..

oasi
03-31-2008, 10:15 AM
Great work folks, I've tried the plugin with Mark's modifications to the CRYPT "problem" and it works...

Now, I see a little problem, we want to perform always the login towards the LDAP, so if the user changes his password in the userCP, this password isn't going to be valid.

You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?

Thanks in advance

SteveCoppin
04-01-2008, 08:24 AM
You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?
Thanks in advance

I couldn't find anywhere in the admincp to turn this off so as a temporary fix I have commented out the link from the usercp template. The page still exists, but it's unreachable unless you know the link. I'm sure you could edit the templates elsewhere too to remove the fields from the page and display a sensible message.

I'm not using this mod yet, I am using another one for LDAP. Could you tell me oasi (as someone who has installed the mod), does this one store the password in the database? Also, does it use LDAP to authenticate for modcp and admincp?

Mark Tomlinson
04-01-2008, 04:20 PM
Great work folks, I've tried the plugin with Mark's modifications to the CRYPT "problem" and it works...

Now, I see a little problem, we want to perform always the login towards the LDAP, so if the user changes his password in the userCP, this password isn't going to be valid.

You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?

Thanks in advance
Actually, if the user changes his or her password it's irrelevant. The plug in updates the password every time the user logs into the forums, just before vBulletin checks it. If the user passes LDAP authentication, the password and salt are MD5 hashed and stuck in the database so that vBulletin's log-in process will be successful. If the user does not pass LDAP authentication, garbage is stuck in the database so that vBulletin's log-in process will fail.

Still, it's probably a good idea to not imply that the user can update his or her password through vBulletin. I can imagine the Help Desk calls now. Since my workplace also won't allow the user to change his or her e-mail address, I've made the following code changes - it may or may not work for you. I just commented out blocks of code. Note that there are already comment tags in modifyprofile and I had to replace them with x!-- and --X to make this work.

Since I'm just a lowly user of the plug-in as well, I'd love to hear what other people are doing about this.

USERCP_SHELL

<!-- Commented out by Mark Tomlinson, 4/1/2008
<tr>
<td class="$navclass[password]" nowrap="nowrap"><a class="smallfont" href="profile.php?$session[sessionurl]do=editpassword">$vbphrase[edit_email_and_password]</a></td>
</tr>
-->

modifyprofile

<!-- commented out by Mark Tomlinson, 4/1/2008
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
<td class="tcat">$vbphrase[edit_profile]<span class="normal"> $bbuserinfo[username]</span></td>
</tr>
<tr>
<td class="thead">$vbphrase[registration_required_information]</td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

<fieldset class="fieldset">
<legend>$vbphrase[email_and_password]</legend>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td>$vbphrase[click_button_below_edit_email]</td>
</tr>
<tr>
<td>
x!-- don't remove --x
<input type="image" src="$vboptions[cleargifurl]" width="1" height="1" />
x!-- / don't remove --x
<input type="submit" class="button" style="font-weight:normal" value="$vbphrase[edit_email_and_password]" name="gotopassword" />
</td>
</tr>
</table>
</fieldset>

<if condition="$bbuserinfo['coppauser']">
<fieldset class="fieldset">
<legend><label for="tb_parentemail">$vbphrase[parent_guardian_email]</label></legend>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td>$vbphrase[if_under_13_provide_parent]</td>
</tr>
<tr>
<td>
$vbphrase[parent_guardian_email]<br />
<input type="text" class="bginput" name="parentemail" id="tb_parentemail" size="50" maxlength="30" value="$bbuserinfo[parentemail]" />
<input type="hidden" name="coppauser" value="1" />
</td>
</tr>
</table>
</fieldset>
</if>

<if condition="$show['birthday_required']">
$birthdaybit
</if>

$customfields[required]

</div>
</div>
</td>
</tr>
</table>

<br />
End modifications, Mark Tomlinson, 4/1/2008 -->

snunhuck
04-03-2008, 12:18 PM
Has anyone got this to work with Active Directory? If so, mind lending some insight? :)

I have also set this module up correctly as far as I can tell, but I'm not seeing anything in the security event log on the domain controller...

I'll try to :)

oasi
04-08-2008, 05:43 AM
Hi again!

I'm having a problem with the authentication, I'm trying to find what happens, but I've put some error_log sentences that don't seem to work...

The problem is that the users only can be authenticated if they use a valid LDAP user name and set as password the user name again.

I only see on the error log this:

[08-Apr-2008 08:42:14] PHP Parse error: syntax error, unexpected ')' in /aplicacions/vbulletin/upload/global.php(384) : eval()'d code on line 48

I'm using vbulletin 3.7 RC2
Some idea?

oasi
04-08-2008, 10:21 AM
Ops!
It was my fault :D

But there's another problem...
Now my administrators/moderators can't login to the admin interface/moderation interface, because the DISABLE_PASSWORD_CLEARING thing doesn't work with these validation forms.

I tried to set this definition in admin/global.php and modcp/global.php but the passwords continue to pass MD5 codified (and empty value in the vb_login_password var).

I know that i can put these login in the ldapconfig.php field to skip the LDAP validation, but there could be other way to perform this??

Thanks

Mark Tomlinson
04-10-2008, 04:15 AM
Ops!
It was my fault :D

But there's another problem...
Now my administrators/moderators can't login to the admin interface/moderation interface, because the DISABLE_PASSWORD_CLEARING thing doesn't work with these validation forms.

I tried to set this definition in admin/global.php and modcp/global.php but the passwords continue to pass MD5 codified (and empty value in the vb_login_password var).

I know that i can put these login in the ldapconfig.php field to skip the LDAP validation, but there could be other way to perform this??

Thanks

Crap. I didn't post all of the code. I will correct post #47, above. But here is the piece I missed.
/**********
* DO NOT execute if one of the users is in VB and LDAP (list in
config file)
***********/
// ---- Modified by Mark Tomlinson - 12/04/2007 ----
// if($_POST[vb_login_username] != "$nosearch")
if (($_POST[logintype] != 'cplogin')
AND ($_POST[logintype] != 'modcplogin')
AND ($_POST[vb_login_username] != "$nosearch"))
// ---- End Modifications ----
{

What this does is avoid going through LDAP authentication for the admin and moderator control panels.

Why, you ask? What Zemic's plug-in does is put an MD5 hash of your password into the vBulletin database if you pass LDAP authentication, or garbage if you don't pass LDAP authentication. Then it returns control to vBulletin, who goes through the usual authentication process and MD5 hashes the password and compares it to the hash on file. Therefore, assuming that the moderators and admins sign into the forum first and the correct LDAP password hash is in the database, the admin and moderator sign-in pages don't have to go through this process again.

The only time this doesn't work is if the admin or moderator changes their LDAP password and then goes to the control panel without signing onto the forum. And that can happen if they check the "Remember Me" box for the forums. I haven't worked out a solution to that yet.

Suggestions welcome.
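
The flow described in the post above, simulated as an added example (not zemic's plug-in code and not part of the thread). It assumes vBulletin 3.x stores md5(md5(password) . salt); the function names and sample data are constructed. It shows that after an LDAP password change a control panel login skips the sync, so the new password is rejected and the old one is still accepted until a forum login rewrites the stored hash.

```php
<?php
// Added illustration, not the plug-in's code. Assumes the vBulletin 3.x
// scheme: stored password = md5(md5(plaintext) . salt).

function vb_hash($md5_password, $salt) {
    return md5($md5_password . $salt);
}

// Plug-in step: on an LDAP match store the salted LDAP hash, otherwise garbage.
function ldap_sync(&$vb_user, $typed_password, $ldap_md5) {
    $source = (md5($typed_password) === $ldap_md5)
        ? $ldap_md5
        : md5(uniqid('', true));   // random value, so no old password matches
    $vb_user['password'] = vb_hash($source, $vb_user['salt']);
}

// vBulletin's own comparison, run after the plug-in returns control.
function vb_check($vb_user, $typed_password) {
    return vb_hash(md5($typed_password), $vb_user['salt']) === $vb_user['password'];
}

// Condition from the post: control panel logins skip the LDAP step.
function login(&$vb_user, $logintype, $typed_password, $ldap_md5) {
    if ($logintype != 'cplogin' && $logintype != 'modcplogin') {
        ldap_sync($vb_user, $typed_password, $ldap_md5);
    }
    return vb_check($vb_user, $typed_password);
}

// Constructed sample account and LDAP record.
$user = array('username' => 'admin1', 'salt' => 'x7Q', 'password' => '');
$ldap_md5 = md5('old-secret');

$steps = array(
    array('',        'old-secret', 'forum login, hash gets synced'),
    array('cplogin', 'old-secret', 'admin CP with the synced hash'),
    array('cplogin', 'new-secret', 'admin CP right after the LDAP change'),
    array('cplogin', 'old-secret', 'admin CP with the old password'),
    array('',        'new-secret', 'forum login, hash gets resynced'),
    array('cplogin', 'old-secret', 'admin CP with the old password again'),
);
foreach ($steps as $i => $step) {
    if ($i === 2) {
        $ldap_md5 = md5('new-secret');   // password changed in LDAP only
    }
    $ok = login($user, $step[0], $step[1], $ldap_md5);
    echo $step[2] . ': ' . ($ok ? 'accepted' : 'rejected') . "\n";
}
```

The same stale hash applies to an account that is disabled or removed in LDAP: its last synced password stays valid for control panel logins until something rewrites the vBulletin record.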

oasi
04-10-2008, 11:42 AM
It also fails if you erase some user from your LDAP directory but not from the forums I think...

I was trying to do a mix between zemic's solution and the one from sartori, but I'm having a basic/weird problem.

I can't access the $vbulletin var. I do an isset and it is set, but when I print_r its value it is '1'.
I've seen you access it, and I think it's better than $_POST without processing, so do you know what I could be doing wrong?

Here is the code to test it in my xml file:


<phpcode><![CDATA[//if the login form has not been submitted dont execute the code
define('THIS_SCRIPT', 'functions_ldap.php');
require_once('./global.php');
if (isset($vbulletin->GPC)){error_log("->".print_r($vbulletin->GPC),0);}
if(isset($_POST[vb_login_username])) {
...


It prints '1' on my error_log, I've tried without the require for global.php, and it's the same result...

Thanks again
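
Why the log shows '1', as an added example (not part of the post or the plug-in): print_r() prints its argument and returns true unless its second parameter is true, and true concatenates into a string as "1". The helper names are hypothetical and the sample form data is constructed; vb_login_md5password and vb_login_md5password_utf are assumed to be the other password fields of the vBulletin 3.x login form. Because a dump of a login request contains the password, the helper masks those fields before anything reaches the error log.

```php
<?php
// Added illustration; not part of the plug-in or of vBulletin.

// Recursively copy $data, masking any key listed in $secret_keys.
function redact($data, $secret_keys) {
    if (is_object($data)) {
        $data = get_object_vars($data);
    }
    if (!is_array($data)) {
        return $data;
    }
    foreach ($data as $key => $value) {
        $data[$key] = in_array((string) $key, $secret_keys, true)
            ? '[redacted]'
            : redact($value, $secret_keys);
    }
    return $data;
}

// print_r(..., true) returns the dump as a string instead of echoing it,
// so the concatenation logs the structure rather than "1".
function log_dump($label, $data, $secret_keys) {
    error_log($label . ' -> ' . print_r(redact($data, $secret_keys), true), 0);
}

// Constructed sample of a submitted login form.
$post = array(
    'vb_login_username'    => 'jdoe',
    'vb_login_password'    => 'hunter2',
    'vb_login_md5password' => md5('hunter2'),
    'logintype'            => 'cplogin',
);
// Field names assumed from the vBulletin 3.x login form.
$secrets = array('vb_login_password', 'vb_login_md5password', 'vb_login_md5password_utf');

log_dump('login POST', $post, $secrets);
```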

khan2002
10-16-2008, 11:27 AM
Hello

Does anyone run this plugin on a 3.7 Forum?
I try it since days with no effort.

No error messages, the only thing I get is user unknown if I try to login with a user saved in ldap
No way to login, neither to register in ldap.

Mark Tomlinson
10-22-2008, 02:37 PM
I'm running it successfully in vBulletin 3.7.2.

asiegel
02-11-2009, 07:14 PM
Hi,

I was wondering if this addon works as expected in v3.8 of vbulletin

Any feedback is appreciated!

Thanks,
a

machinaetions
07-29-2009, 01:42 PM
I don't think this works in v3.8... getting an error when trying it: "Fatal error: Call to undefined function ldap_connect() in vbulletin\global.php(400) : eval()'d code on line 25"

toscodav
03-08-2010, 09:18 PM
Have you been able to implement single sign on for vBulletin or do you know if this problem has been solved?
Looks like a plugin exists for AD authentication but I think the user still has to login.

Thanks

Dave

Best example I can give is of my work..... we use LDAP to authenticate users across different services we offer on campus - logging into computers, access programs, databases, and web sites. On the web for example our CMS, Blackboard, Campus Pipeline, Intranet and now VBulletin all authenticate against LDAP. This allows us to give out 1 username and password to every staff and student to access any service we offer; we can restrict access via LDAP as well.

There's a bit more to it than that. You've got to have someone to populate LDAP, or some program to automatically insert / update records i.e. our finance department enter a new staff member onto the pay roll system, and in an overnight job LDAP is synchronised with it, creating new usernames if necessary or expire accounts if someone has left.

It's our "yellow pages" of staff and students. Benefit to us is 1 username and password to access all our services. Less maintenance. Also in time it will allow us to roll out "single sign on". Sign into a computer on the network, and then you are automatically logged into our web sites or Vbulletin when you go to that site. No need for cookies.

You may have heard of Active Directory which is similar.

Does that make sense? :s :)[/QUOTE]