I am using vbulletin for a long time now and before there was the plugin system introduces i hacked every single version of vb to enable ldap authentication. with the introduction of the plugin system i have written a little plugin that works in every version since VBulletin 3.5. This Plugin is the buyable VBulletin Ligh Authentication from http://www.sartori.at. now its FREE.

Since its working and i will not enhance this small plugin anymore, i will make it public. If there are any enhancements, i can put it into my versioning system and update this plugin.

In contrast to the ldap authentication from zemic my board can authenticate against every - already deployed - ldap directory without changeing the encryption type.

If the ldap user is not added in the VBulletin database, the user is automatically added the first time he authenticates against the ldap. if the user already exists then nothing is changed, except the authentication against the directory.

in the admin or moderator panel no user is authenticated against the directory.

Requirements

php with ldap support


Installation Notes:

copy ldapAuth directory to your vb forum installation directory
change the path to controller.php directory in ldap-plugin.xml
copy the hooks_ldap.xml to FORUM_ROOT/inclucdes/xml directory
in login.php search for:
if ($vbulletin->GPC['vb_login_username'] == '')
{
eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], ....
}

insert below:
($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false;

activate plugin system (if not done already) in admincp
in admin cp import the product at "Download / Upload" Plugins
in global.php search for:
$show['nopasswordempty']
and change:
defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0;
to:
defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1;
configure the ldap settings in: ldapconfig.inc.php
test the product



Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell (http://www.novell.com/coolsolutions/appnote/15120.html) and Microsoft (http://support.microsoft.com/kb/320528)


I would be happy if you support my modification in any way. Install or nominate it or donate some cents at paypal. :)

if anyone interested in working and extending this plugin take a look at http://overlord.fh-salzburg.ac.at/vblight/. I have installed a Wiki with SCM there. write me a message, and lets extend this baby.

How would you describe what this does so normal people can understand?

How would you describe what this does so normal people can understand?

Interesting how there is 2 LDAP authentification mods released so close to each other. Not sure how the 2 compare but there is a complete explaination of what LDAP is and how it works here> https://vborg.vbsupport.ru/showthread.php?t=145188

More or less if you don't need it/use it already for other network related work there is no need for you to install it.

How would you describe what this does so normal people can understand?

with my mod you can authenticate against a LDAP directory and not against the vbulletin user database.

Interesting how there is 2 LDAP authentification mods released so close to each other. Not sure how the 2 compare but there is a complete explaination of what LDAP is and how it works here> https://vborg.vbsupport.ru/showthread.php?t=145188

More or less if you don't need it/use it already for other network related work there is no need for you to install it.

i didnt want to release it some time ago. but since i do not have that much time anymore and alot of please want that stuff i release it now. when i have seen the lrease of zemic?s ldap authentication i thought "great" no need for mine anymore. but his plugin cannot authenticate against any ldap, so here is mine.

Though this is not something I can use at the moment it would be great if the 2 of you could come to terms and merge both into 1 product. The problem with VB.org is there tends to be 2, 3 or more sometimes of the same modification.

nice hack, but I'm not much of a file editor.. I like to just leave file edits out, especially when upgrades come out for vB. Nice hack though :D

i changed the name of the mod to: "vBulletin Ldap Authentication Plugin"

-malc

I still have no idea what this mod does

LDAP Authentication is basically used for people to have a server (Microsoft or Novell) many schools, colleges, university's, company's, LDAP stores the user's account details i.e. username, full name, password, address, folders etc

Basically LDAP Authentication Plugins will allow you to use your users details on your Microsoft or Novell Server for user authentication insted of your MySQL (etc) database. Would manly ideal for schools, colleges, unis, or companys who want to run a forum, but use the user's computer logon details to logon to the forum

Does a user still need to register? Or do they automatically get ability to login from existing LDAP credentials?

a user can authenticate with the existing ldap user data. no need for registering with vbulletin.

-fhs

includes/ldapAuth/controller.php line 104 shows:
verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['cookieuser'], true);
includes/functions_login.php shows, line 134:
function verify_authentication($username, $password, $md5password, $md5password_utf, $cookieuser, $send_cookies)

This is giving us an error:

Warning: Missing argument 4 for verify_authentication(), called in /var/www/includes/ldapAuth/controller.php on line 94 and defined in /includes/functions_login.php on line 134

Warning: Missing argument 5 for verify_authentication(), called in /var/www/includes/ldapAuth/controller.php on line 94 and defined in /includes/functions_login.php on line 134

Warning: Missing argument 6 for verify_authentication(), called in /var/www/includes/ldapAuth/controller.php on line 94 and defined in /includes/functions_login.php on line 134


Any recommendations?

Do you have LDAP support in php?

Do you have LDAP support in php?
Yes, LDAP is showing in PHPINFO(). That took a bit of learning too, but the restart of the apache enabled the LDAP in PHP after doing the apt-get on php5-ldap module.

The problem as documented about is that the verify_authentication function is expecting 6 variables , and we are only sending 3 in the controller.php. Should we just send dummy values for the password varibles?

Not that I'm any expert on the subject but password is more than likely required.

In step 5, when I am trying to activate the plugin from admin control panel, what do I enter in the field "Plugin PHP Code" ?

Turn on the hooks system in the admincp, it should be on if you've imported any other plugins or products.

if I goto Admincp >> Plugins & products >> Add new plugin:

I specify:

Product: vBulletin
Hook location: ldap_login_hook
Title:Ldap plugin
Execution Order: 5
Plugin PHP Code: <<I dont know what ?>>
Plugin is Active: Yes

I see this to be the only way of activating the plugin, but since I dont have the Plugin PHP Code, it says "Please Complete All Required Fields"

Thanks for the help !

You need to add this to the product manager.

When I tried importing it from Product Manager, it gives following error message:
"This file appears to be a Plugin, not a Product. Please use the Plugin Manager to add this file."

So, I imported ./ldapAuth/ldap-plugin.xml and now it shows as plugin.........let me update you later.

Thanks :)

Hi,

i'm really new with this LDAP stuff but the LDAP server at my work does not support anonymous binds. Is that why this plugin is not working for me? I thought that when you put in your LDAP user name and password that you would be authenticating yourself that way.

Hi,

i'm really new with this LDAP stuff but the LDAP server at my work does not support anonymous binds. Is that why this plugin is not working for me? I thought that when you put in your LDAP user name and password that you would be authenticating yourself that way.
Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell (http://www.novell.com/coolsolutions/appnote/15120.html) and Microsoft (http://support.microsoft.com/kb/320528)

Maybe ;)

I'm running Vbulletin on Fedora 7 :)

It shows as a plugin, within the "Plugin System". But, when I try to login to vBulletin with any credientials (correct or incorrect), it just keeps on waiting for the page to load.

I've made sure that all the settings in ldapconfig.inc.php are correct. Please let me know, what additional changes I should be making !

just looking for a little further info as to how this works with vBulletin? What I mean by this how does the security rights within vBulletin work with LDAP? Does LDAP just authenticate the password and then all other security is handled in vB with regards to forum access etc? If that is the case then is it an all or nothing? Just wondering what happens when a user is in LDAP but not setup on the board re access? or setup on the board but not in LDAP? ...hope that makes sense?

I installed everything as directed except when I try to log in on a blank page appears. This is occuring on the admincp panel as well. My company does not allow anonymous queries so I was given a username/pass for this specific project. Where would I use this information?

I've been trying to get this mod to work.

I've had to slightly alter it a bit to get it to work without needing anonymous queries. Now I've got it working to the point where it tries to create the user in vBulletin. When it get to this part of the controller.php file vBulletin gives me an error message saying Database error, the database has encountered a problem.

It happens when it tries to run the "$newuserid = $newuser->save();" command. Any ideas as to what the problem might be?

Downgrading for MySQL 5 to 4.1 fixed my problem.

Return from LONG vacation. Problems still exist. Here is current status.

a) Yes, LDAP is enabled per PHPInfo().

b) After hacking the calls to verify_authentication in includes/ldapAuth/controller.php the behaviour changes and we have varied success but new users cannot join.
Here are the changes applied:
$ grep -n verify_authentication controller.php
94: verify_authentication($vbulletin->GPC['vb_login_username'], dummy, dummy, dummy, $vbulletin->GPC['cookieuser'], true);
104: verify_authentication($vbulletin->GPC['vb_login_username'], dummy, dummy, dummy, $vbulletin->GPC['cookieuser'], true);
The "dummy" variables were added to correct the function call.

Current Problem:
LDAP now works for one user (previously registered) and fails for another (never registered).
user kthompso is able to be deleted (via admincp or MySQL data row delete). User kthompso can then use LDAP to register and shows as logged in.

Another user (never having logged in before) is able to login with LDAP and it gives a success screen, but then returns to the NON-logged in screen. The user is NOT added to the vb_users table.

Why is ldapAuth/controller.php calling the variable with three parameters when 6 are required by includes/function_login.php

This LDAP integration is critical to our design. Any help is appreciated.

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

Anyone had any success modifying this to use ldap_bind instead? Then you would not have to use anonymous bind for Microsoft as an example. I've been playing around trying to change the ldap_connect to bind but not too much success unfortunately.

Cheers!

Nice hack, works like a charm. Except...

I set up vBulletin with the usual "Admin" account. After adding the hack, I logged in as myself with my LDAP ID - which automagically created my user ID in the user database. Then I logged on as Admin again gave my user ID administrative permissions. (I'll be wanting to give a couple of other users subsets of admin privledges as well).

Well, what happens is that I can not log into the Admin CP with my LDAP ID.
* I can log into the forums with my LDAP ID just fine.
* And I can log into the Admin CP with 'Admin' just fine.
* But I can't log into the Admin CP with my LDAP ID.
* And I can't log into the forums with 'Admin'.
My theory here is that there is a different log-in process for the Admin CP and it is trying to verify my password against the vBulletin database.

Familiar with this problem? Am I just missing something?

Nevermind! Missed the comment in the description that says LDAP is not used for the admin or moderation control panels. That's not going to work for me. I need it to check the LDAP directory and the database in all cases. I will settle for just checking LDAP, but would rather it check both.

Sounds like I need to do some digging.

Thought I'd throw this out there for everyone's consideration. We're looking at using vBulletin for our intranet, so LDAP became very important. What also became important is that we remove any hint of anonymity. My LDAP ID, for instance, is A000657 - which says nothing about who I am. It would be far better if my full name appeared in my profile somewhere.

So here's what I did. I added a bit of code to controller.php that would retrieve my full name, location, and title from LDAP and stick them in the additional user profile fields. Then I went into the Admin CP and made sure the user can not modify these fields. Here's what the code looks like. The attributes "l", "title", and "fullName" may be different in your configuration.

// get the email address from ldap
$ldapConnection = ldap_connect($ldapServer, $ldapPort);
if($ldapConnection)
{
$searchEmail=ldap_search($ldapConnection, $ldapBase, $ldapFilter, $ldapEmailAttr);
$userEmail=ldap_get_entries($ldapConnection,$searc hEmail);
if(sizeof($userEmail) < 2)
{
$newuser->set('email', $noEmailExists);
}
else
{
$newuser->set('email', $userEmail[0]['mail'][0]);
}
// ---- Modified by Mark Tomlinson - 10/15/2007 ----
// get user attributes from ldap
$searchField = ldap_search($ldapConnection, $ldapBase, $ldapFilter);
$userAttributes = ldap_get_entries($ldapConnection, $searchField);

// set fields
$vbulletin->GPC['userfield']['field2'] = $userAttributes[0]['l'][0];
$vbulletin->GPC['userfield']['field4'] = $userAttributes[0]['title'][0];
$vbulletin->GPC['userfield']['field5'] = $userAttributes[0]['fullname'][0];
$newuser->set_userfields($vbulletin->GPC['userfield'], true, 'admin');
// ---- End Modifications ----
}
ldap_close($ldapConnection);

Next up - plugging the full name and title in the signiture field.

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

A blank page usually indicates a PHP error. You will want to double check your work and look in the Apache error_log for a clue.

If you are absolutly sure that all the code is correct, then the problem might be that you don't have the LDAP extension in PHP. Check your php.ini file for "extension=php_ldap.dll". If it's not there, you may need to reinstall PHP and include the LDAP extension.

Gabbs - did you solve it? I am having the same problem and I dont have a clue.

he< guys, i am sorry i did not help anyone of you. was a really busy early/mid/end summer. i move to my new house, had wedding, was on honeymoon, at the university the winter semesters started, but now i do have more time again.

so anything i can help with, or any patch i should look at? any feature request?

thanks to those like, zachery, who helped others out of their problems. i read that one of you added that problem with displaying the "real" name. i solved that in another version of the plugin, probably ill add that stuff later on to this realease. (small database change and template change).

so then,

let the postin begin :)

-malc

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

you are runnign linux or windows? can you please post the error message from the httpd error log?

-malc

Does php have LDAP support compiled into it?

Hi
I tried this plugin and followed the instructions but I get the following error:

Warning: ldap_search() [function.ldap-search]: Search: No such object in /ldapAuth/controller.php on line 37

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /ldapAuth/controller.php on line 38


I'm not technical at all - but line 37 in the code is this:

36: // search for the username and get the DN
37: $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter);
38: $searchResult=ldap_get_entries($ldapConnection,$se archDn);

Can any one offer some help as to how I can fix this. I would really like to get this working. We want touse VB within our intranet and LDAP is used extensively.

Thanks

Graham
hey,

please show me the content of the variables

$ldapBase
$ldapFilter


thanks

-malc

the error is in your $ldapBase.

the base is just: "dc=sun,dc=com"

all the other stuff like ?sub? (objectclass=*) has nothign to do with the deafault search base (=$ldapbase).

my script is searching for a specific user ($ldapFilter in controller.php) below the $ldapBase in your ldap directory.

if you want to want to add an (objectclass=*) to your search filter you have to add that to line 29 in controller.php

$ldapFilter = "(uid=" . $vbulletin->GPC['vb_login_username'] .")";


you do not have to add ?sub? to your query, because phps ldapsearch scope defaults to SUB.

-fhs

please user controller.debug.php and change in line 17 the debug output file location (if needed)

if(defined('LDDEBUG')) { $fp=fopen('/tmp/apache.debug', "a+"); }


then show me the content of that file.

-malc

Hi Malc,

Just to confirm: Do you want me to run controller.debug.php from the browser after the login fails? or do you mean something else?

Graham

easiest you can do is:

rename controller.php to controller.php.orig
rename controller.debug.php to controller.php


:)

-malc

please do me a favour:

on the linux commandline (if available) try the following:
ldapsearch -W -D "XXXX" -x -b YYYY -h ZZZZZZ "(uid=grahamar)"

exchange:
XXXX: the FULL DN to your username (e.g. uid=grahamar,ou=bla=o=buh)
YYYY: the ldap search base
ZZZZ: the ldap server ip

1) additional questions from my side:
is the wiki doing an ldapbind or is it comparing the hash values of the password?

2) are you sure you did all changes to the vbulletin php files as written in the INSTALL file?
especially:

defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0;


to check that, add in the debug controller file below line 63

// bind to the ldap server with specified credentials (dn, password)


the following piece of code:

if(defined('LDDEBUG')) {
$pass = $vbulletin->GPC['vb_login_password'];
wrlog("++ your password is:\t $pass");
}


i dont have an working vb installation at home, but that should do fine. now if you login, you should see your password in plaintext in the debug output file. if this is not your password, please check all the installation steps.

-malc

Nice hack, works like a charm. Except...

I set up vBulletin with the usual "Admin" account. After adding the hack, I logged in as myself with my LDAP ID - which automagically created my user ID in the user database. Then I logged on as Admin again gave my user ID administrative permissions. (I'll be wanting to give a couple of other users subsets of admin privledges as well).

Well, what happens is that I can not log into the Admin CP with my LDAP ID.
* I can log into the forums with my LDAP ID just fine.
* And I can log into the Admin CP with 'Admin' just fine.
* But I can't log into the Admin CP with my LDAP ID.
* And I can't log into the forums with 'Admin'.
My theory here is that there is a different log-in process for the Admin CP and it is trying to verify my password against the vBulletin database.

Familiar with this problem? Am I just missing something?

Nevermind! Missed the comment in the description that says LDAP is not used for the admin or moderation control panels. That's not going to work for me. I need it to check the LDAP directory and the database in all cases. I will settle for just checking LDAP, but would rather it check both.

Sounds like I need to do some digging.

just comment out the following code:

// if login form is admin or moderator login, dont use ldap authentication
if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
return;
}

when your password is shown correctly then you should have done the install instructions.

i have to do some brainwork now... no idea where the problem could be.

ldapsearch --help 2>&1 |grep W
-W prompt for bind password


-W is for password austhentication
-D is the full DN to your entity in the directory.

please test if this authentication works.

thanks

-malc

ps: i will be gone over the weekend. i am back on monday.

Hi Malc,

any update you can give to help proceed with this?

Thank you

Graham

Hi,

I now have LDAP working on another a Bulletin board from another Source.
I'll leave the situation of not being able to use LDap on vbulletin as it is.

Thanks for those who tried to help me.

Graham

i am sorry, but i had no time to help :( we had a cooling problem in our machine room, so i had some stressy days fixing broken and damaged machines..

if you need any help (if you give it one more try) ill help you. if it is possible for you and your company i can fix the problem for you.

-malc

I'm looking at using this mod but was wondering

#1 will it work with vB 3.6.8

#2 for users authenticated by the LDAP server but not registered in vBulletin, from what I understand a new users created? If understood correctly what user group does the new user automatically get added to?

#1 probably yes
#2 yes, new users get created. users are added to the registered group (can be changed in the script with some vbulletin documentation reading)

-fhs

First off....THIS IS A GREAT MOD!!!

One question that I do have is I've noticed that all the "User Registration Options" on the forum get by passed. i.e send welcome email, default registration options etc. which makes sense as you are creating a user directly in the db table. But is there anyway that I can set some of these user options and send an email notification to the admin, when the user is created and assigned to the registration group? Anyone able to help with this?

Sorry for the multiple post but I just ran into a small problem. My ID is setup as an administrator and when I attempt to log in the board will not take either my local vB password or my LDAP password? Any ideas? I'm able to log in directly to the admin cp which then provides rights to the forum but for some reason it doesn't by pass the LDAP for admins? Am I understanding this correctly that if you are an admin then it shouldn't use LDAP but instead use the vB id and password?

The info in my debug file is as follows:
++ ---------- START ------- ++
++ LoginType: Normal Login
++ LdafFilter (uid=myUserID)
++ LdapServer connection successful
++ ldap bind did not succeed

Does this mean that it doesn't think that my account is an admin account?

just comment out the following code:

// if login form is admin or moderator login, dont use ldap authentication
if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
return;
}


When I try this, I get an error saying that no password has been provided.. The form vairable is the same so I'm not sure what's going on. Any ideas?

When I try this, I get an error saying that no password has been provided.. The form vairable is the same so I'm not sure what's going on. Any ideas?

Got a fix for this.. Instead of going via the LDAP route for modcp and admincp I store the encrypted password in the database. I already have a set of users so have decided to put the code in the section that gets executed if the user already exists. The other advantage is that if a user's LDAP password changes, it's reflected in the database on the next time they log in. Code is as follows:


// load the user
$userdata =& datamanager_init('user', $vbulletin, ERRTYPE_STANDARD);
$userdata->set_existing($vbulletin->userinfo);
// set password
$userdata->set('password', $vbulletin->GPC['vb_login_password']);
// save the user
$userdata->save();


I'm still pretty new to vBulletin so please let me know if I've done something horribly wrong!!

Steve

Great mod, but I have another slight problem.

The 'remember me' feature isn't working on my instance and I think it may be something to do with this mod. Has anyone else had the same problem?

Does anyone know how to modify this code to bypass the LDAP log-in for specific user groups?

Fantastic mod.
Thanks malcolmx for building this.

had a little bit of trouble at the start, but I have it working now for me.
Thought I'd share my experience.

1.) all the installation steps were easy to follow. I got tripped up on the ldap_plugin.xml vs hooks_ldap.xml, but I realized my mistake pretty quickly. Maybe an update to the documentation to state which file gets uploaded?

2.) controller.debug.php was the key for me. A note to all you linux people out there, make sure the debug logfile exists first and that apache has permissions to write to it. I changed my debug file to /var/log/vbulletin_ldap.debug, logged in as root, so I did the following :

cd /var/log/
touch vbulletin_ldap.debug
chmod 666 vbulletin_ldap.debug
chown apache:apache: vbulletin_ldap.debug

after the chmod & the chown, I started seeing output in my .debug file.

Another quick observation, I didn't have openldap-clients installed, so in reading the posts in this thread, all of the instructions of running "ldapsearch" won't work unless you have openldap-clients installed. Pretty easy from fedora:

yum install openldap-clients

So after that work, I'm up and running.
In total, it took me ~1 hr to get everything running, which isn't bad.
ldap authentication for MediaWiki took me longer.

Thanks again malcolmx!
-Brian

thank you for installing my mod and sharing your experience. i do not have alot of time, thats why i could not improve the whole plugin.

but its nice to see, that its still working on newser vbulletin version :)

i have subscribed the thread, so whenever someone posts, i go here and read the post. i will help whenever its possible.

-malc

OK, I can't tell if this has been answered. Trying to get this mod working on our corporate intranet. IT will not allow anonymous LDAP queries
Has anybody gotten it to work without this and can explain it succinctly to a newb?

hello,

the whole script will work without anonymous searches, if:


all users are below the same leaf in the ldap tree (then you do not have to search for the user DN)
you bind to your ldap with a user that is allowed to do searches


if you need more information just ask, i will try to help.

-malc

Do you know if I can use Cisco ACS to handle authentication rather then pointing to Ldap using this hack/add-on ?

hello,

i dont think that this works since cicso ACS is basically a radius server which gets the userdata itself from an ldap or active directory.

-malc

Thanks for a great plugin malcolmx! Do you know if it works with vB 3.7?

/M

This mod is exactly what I need but I'm struggling to set it up, I've followed the instructions. We are trying to authenticate against a windows 2003 Active Directory and have allowed Anonymous Logon permissions as per the instructions. But everytime I try to login to vbulletin it says I've entered an invalid username/Password
I have tried the alternative controller.debug.php and it gives me the following
++ -------- START -------- ++
++ LoginType: Normal Login
++ LdapFiler: (uid=test)
++ LdapServer: connection successful
++ LdapSearch: there is no such user in the directory

The strange thing I always get the above output even if I put bogus info into ldapconfig.inc.php
ie If I don't use the Active directory port number 3268 or put a rubbish IP addresss or hostanem for $ldapserver
which makes me think that where it says its making a connection successful isn't actually the case
Anyideas
Any more debug that I can get out of the system, we are using vbulletin 3.6.8 on windows 2000 with php 5
Thanks

Hi the above problem seems to of changed slightly, now when I try to log in with ldapconfig.inc.php configure correctly it just sits at the login screen
The debug output just says
++ -------- START -------- ++
++ LoginType: Normal Login
++ LdapFiler: (uid=vbulletin)
++ LdapServer: connection successful

But doesn't get any further

I have checked and double checked settings, I have also tried authenticating against an old Windows 2000 domain but it does the same.

If anyone has any ideas I would really appreciate as I would really like to use it
Thanks
John

is there a user with the uid=xxxx ?
maybe you can find your users with cn=xxx?

you can use the command line tool "ldapsearch" to search for specific attributes in your active directory.
maybe that helps you.

-malc

Thanks for a great plugin malcolmx! Do you know if it works with vB 3.7?

/M

maybe.. i have no license to check with. newest vbulletin i have is a 3.6 license. :(

123

I have managed to figure out ldp.exe and have now got anonymous searchs working against our Active Directory
However still having trouble with this mod.

I have modified the controller so
$ldapFilter = "(sAMAccountName=" . $vbulletin->GPC['vb_login_username'] .")";
using ldp.exe I can do the above search ok

Using the debug controller I can see it hangs at
$searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter);

If I add a line before it
if(defined('LDDEBUG')) { wrlog("++ presearch /t $ldapConnection,$ldapBase,$ldapFilter"); }
I get this in my log file
++ presearch /t Resource id #15,dc=thebookpeople,dc=com,(sAMAccountName=test98 7)

ANy ideas, desperate for this to work!

Cheers
John

I get this in my log file
++ presearch /t Resource id #15,dc=thebookpeople,dc=com,(sAMAccountName=test98 7)

ANy ideas, desperate for this to work!

Cheers
John

great that you got ldap working on windows. the logfile entry shows
- $ldapBase printed (dc=thebookpeople,dc=com)
- $ldapFiler printed (sAMAccountName=test987)
- $ldapConnection is working, too

is it working when you print some text into debuglog right after $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter); ?

-malc

Thanks

great that you got ldap working on windows. the logfile entry shows
- $ldapBase printed (dc=thebookpeople,dc=com)
- $ldapFiler printed (sAMAccountName=test987)
- $ldapConnection is working, too

is it working when you print some text into debuglog right after $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter); ?

-malc

Hi Malc
Progress! I have had some partial success.

If I specify in the ldapconfig.php the actual OU that the account exists in
$ldapBase = "OU=users,OU=Haydock,DC=thebookpeople,DC=com";

and use the cn for the ldapfilter
$ldapFilter = "(cn=" . $vbulletin->GPC['vb_login_username'] .")";

then it works if I login with the actual fullname , ie for me cn=john ainsworth

What I really need is to be able to set the Base to be our top level AD DC=thebookpeople,DC=com rather than be specific
Also to be able to use their login name rather than the Active Directory Object name

I did work out that I changed ldapfilter to query the Active Directory property sAMAccountName instead of cn
and
changed the ldapbase to be
CN=John Ainsworth,OU=HayIT,OU=Haydock,DC=thebookpeople,DC= com

then it would log me in

Cheers

if you can only find your user in the "long" tree but the search does not succed with the top level AD base, then it "could" be possivle that AD has a mechanism (like any other ldap) to deny a subtreee (scope) search.

if that works (test with the ldap client command), php standard search scope is subtree (LDAP_SCOPE_SUBTREE) - http://de.php.net/manual/en/function.ldap-search.php

your other thoughts are right:
- login with samaccountname
- search for user (samaccountname=username)
- bind with the full dn (cn=....)

-malc

[QUOTE=malcolmx;1510358]if you can only find your user in the "long" tree but the search does not succed with the top level AD base, then it "could" be possivle that AD has a mechanism (like any other ldap) to deny a subtreee (scope) search.

All sorted!! If you want to query sub trees in Active Directory don't use the standard port number , use 3268 instead

Once I changed the port number I was able to change the filter to
$ldapFilter = "(sAMAccountName=" . $vbulletin->GPC['vb_login_username'] .")";

to login using the AD login name rather than the cn name

Cheers for all your help malc

thanks for using my plugin and its nice to see another one using it :)

dont forget to click on "Mark as Installed" :)

thanks for your support!

-malc

I am new to using plugins for vBulletin and the error is probaly basic.
I downloaded the plugin and followed the directions, but when I get to step 6:
I receive a message "invalid file specified".
Step 6 is in admin cp import the product at "Download / Upload" Plugins
I am using the plugin hooks_ldap.xml located in the ./includes/xml/.

Any help would be appreciated.

I got it working.

Hello there,
first: Thank you very much for this plugin. It's quite useful :)

But I've got a problem. I just wanted to authenticate the admins against the LDAP, too, and tried the hint to comment out the following part:

if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
return;
}

Now trying to login with the LDAP-credentials the user gets redirected to the 'badlogin'-Message - so no authentication against the LDAP is done.

The normal password - which worked before this change - does not work any more [what is quite logical ;) ]...

Can anyone help, please?
Thanks a lot in advance!

I'm having trouble getting logged in. This, like another user here, is critical to a program we are working on internally.

++ -------- START -------- ++
++ LoginType: Normal Login
++ LdapFiler: (cn=test)
++ LdapServer: connection successful
++ presearch /t Resource id #22,cn=test,cn=users,DC=pmac,DC=internal,(cn=test)
++ LdapSearch: there is no such user in the directory

I get that in the debug. I've also based the search base just dc=pmac,dc=internal and placed the "test" user up in the top of the domain.

The username is "test" and the cn is also test (according to ldp.exe).

I get a word that there is a connection with no problem, but that the user does not exist.

Weird. Any help is greatly appreciated.

++ presearch /t Resource id #22,cn=test,cn=users,DC=pmac,DC=internal,(cn=test)



the dn is not right. that ,(cn=test) seems really wrong. what is the full dn to your user? (maybe ldp.exe show it). please post the content of the ldap config file (from my module).

-malc

Expanding base 'CN=test,DC=pmac,DC=internal'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=test,DC=pmac,DC=internal
4> objectClass: top; person; organizationalPerson; user;
1> cn: test;
1> description: leave me for randyc;
1> givenName: test;
1> distinguishedName: CN=test,DC=pmac,DC=internal;

There is a snippet of the ldp.exe results.

this is only a test account I'm trying this with.

Also, here is some more info:
Warning: ldap_search() [function.ldap-search]: Search: Operations error in [path]/ldapAuth/controller.php on line 49

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in [path]/ldapAuth/controller.php on line 50

That is the debug controller.php. I turned on PHP debugging for the server, so now it is spitting hte errors out.

bump -- anyone able to shine some light?

Is it possible to use both this and the built in database?

We want both our employees and outside users to be able to sign up and use this service.

Expanding base 'CN=test,DC=pmac,DC=internal'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=test,DC=pmac,DC=internal
4> objectClass: top; person; organizationalPerson; user;
1> cn: test;
1> description: leave me for randyc;
1> givenName: test;
1> distinguishedName: CN=test,DC=pmac,DC=internal;

There is a snippet of the ldp.exe results.

this is only a test account I'm trying this with.

as you see, you have another DN here as in your first post:
cn=test,cn=users,DC=pmac,DC=internal,(cn=test)

please post me the ldap config as i asked some days ago.

thanks

-malc

Is it possible to use both this and the built in database?

We want both our employees and outside users to be able to sign up and use this service.

you need to modify the plugin then:
search for the ldap user (if not found) -> make internal auth

-malc

MalcomX,

Sorry to have bugged this month. After two days of constant tweaking, I've made a change to the script.

My final problems lie here:
At the end of controller.php when it calls upon function_login.php from VB, it is giving errors about missing arguments. I get these, however, I can still login no problem. Essentially, if I shut off verbose error reporting, I can use this script error free :-).

Do you want a copy of the changes I've made? For whatever reason, before ldap_search I had to ldap_bind with a username/password in order to be able to search below the base of the tree.

i assume you use active directory as ldap server?

if you want to give me the changes, please make a diff and post it here on the boards. i will look at the changes.

-malc

I'll send ya a PM with the actual file details.

It's Active Directory on Windows Server 2003.

edit: I'll put it up tomorrow -- I'm going to clean up/comment my code additions + its easier to manipulate files at work.
Laptop keyboard -- not for me.

edit: Hold off a little more, can we fix the missing arguments issue? At the end of controller.php when it calls upon function_login.php from VB, it is giving errors about missing arguments. I get these, however, I can still login no problem. Essentially, if I shut off verbose error reporting, I can use this script error free :-).

Warning: Missing argument 4 for verify_authentication(), called in [path]/ldapAuth/controller.php on line 98 and defined in [path]/includes/functions_login.php on line 135

Warning: Missing argument 5 for verify_authentication(), called in [path]/ldapAuth/controller.php on line 98 and defined in [path]/includes/functions_login.php on line 135

Warning: Missing argument 6 for verify_authentication(), called in [path]/ldapAuth/controller.php on line 98 and defined in [path]/includes/functions_login.php on line 135

look at the file forum_root/includes/functions_login.php. there you can find the function verify_authentication().

i didnt need to pass over some parameters, since thre is no need to verify.

text from my initial post:

Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell and Microsoft

look at the file forum_root/includes/functions_login.php. there you can find the function verify_authentication().

i didnt need to pass over some parameters, since thre is no need to verify.

text from my initial post:

I'm eliminating the need for anonymous queries and modifying the script for authenticated binding.

thats nice.i didnt implement this, because some of my customers (when i sold the plugin) had problems with some tachnical aspects. the administrator of the company didnt even know what a DN is. so i never implemented this (in case there are more people that just know: right click, left click, right,...)

-malc

Would allowing (or enabling) admincp/modcp logins with this script be difficult? What would I need to do to enable it?

thats easy. but before you do that, you have to give users rights to access the admin /mod cp.


if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
return;
}


try to remove this after you have set the rights. that should be the solution.

-malc

I commented this bit out and gave the proper permissions but that didn't seem to cut it... Could there be something else?

btw thanks for the fast reply, I didn't expect that :)

maybe, that was just a shot into the blue. i will try it in the next days and give you some hint.

-malc

Did you get a chance to look at this? I'm no good with vbulletin architechture so I couldn't figure this one out myself.

1. copy ldapAuth directory to your vb forum installation directory
2. change the path to controller.php directory in ldap-plugin.xml

I did no. 1, but have no idea how to do no. 2. Please help.

Jose

Hey Guys, I figured out the problem- my zip file was not extracting properly, so I never saw the config or plugin files for LDAP.

any more word on the "authenticated binding". My admin will not allow anonymous access to the active directory LDAP server.

Cannot figure out how to test if plugin is working. When i enter my credentials, they are not recognized, so it seems that vB is not querying active directory via the LDAP plugin. Please help.

malcolmx first I would like to say this is a great add-on. Exactly what we needed in order to move forward with utilizing vB on our intranet so thanks!!

Everything works correctly and I'm not having any problems but I have been asked a number of times if there is any way to add the users full name to the users vB account? My thought was that I could add two custom user fields called first name and last name but is there any easy way to pull the first and last name out of LDAP and add them to these fields?

what was the line of code to add for this functionality and to what file. if i may ask. thank you

Hi - first post, newbie alert, etc.
I've taken over running a forum which has around 5000 members. Now, we've got an online shop (which isn't quite live yet) running on OSCommerce and I'm just in the process of putting Joomla! on the site.

Now, I know LDAP from work, but there's a wondering I've got about how this works.

Firstly, if I install this mod on a clean LDAP database, how can I import the 5000 usernames from the vBulletin installation?

Would I be correct in assuming that when a user logs in to the forum, the LDAP would be checked, then report no such user. Then vB would be queried and report a success - with the LDAP then taking in the information from vB.

... or have I got this completely wrong. If so, any pointers on how to get the users in the LDAP DB?

Thanks in advance!

Would I be correct in assuming that when a user logs in to the forum, the LDAP would be checked, then report no such user. Then vB would be queried and report a success - with the LDAP then taking in the information from vB.

I think your understanding is the wrong way 'round.

The plugin will kick in after failed vB login. In other words, any users that are on vB already can login directly. For users that are not yet registered, they are checked from the LDAP. If they are on LDAP but not on vB then a new user is created.

So, LDAP does not get information from vB. vB is the one that gets information from LDAP. Your existing 5000 users will continue to use vB as before. There is no need to move them to LDAP.

In controller.php, there is an if condition that checks for errors before a new user is created:
if($newuser->errors)

How can I check what exactly the error is?

If I remove the if condition and force the new user to be created, I get the following error message:

Fatal error: Unable to proceed with save while $errors array is not empty in class vb_datamanager_user in /includes/class_dm.php on line 763

Fantastic, I had to make a few changes to the line which logs people in once they have passed authentication, other than that - perfect.

Thanks malcolmx!

Tom - www.mouselike.org

Ok I am confused now.. Which LDAP mode has better support and has anyone got it to work on vb4 yet?

i have already installed a test system with vb4 and i think a new version with vb4 support will be out in the first week of january.

malc

Thank you Malc,

since I am testing the whole ldap functionality starting with Haqa's mod,
I am realy looking forward to see yours as well since both are very interesting implementations.

plugin is ready for vbulletin version4

https://vborg.vbsupport.ru/showthread.php?t=231909

I am new to using plugins for vBulletin and the error is probaly basic.
I downloaded the plugin and followed the directions, but when I get to step 6:
I receive a message "invalid file specified".
Step 6 is in admin cp import the product at "Download / Upload" Plugins
I am using the plugin hooks_ldap.xml located in the ./includes/xml/.

Any help would be appreciated.


I'm getting this, not sure how to resolve.


Also does this work ok with OpenLDAP (linux debian), seems pretty AD heavy?

I'm getting this, not sure how to resolve.


Also does this work ok with OpenLDAP (linux debian), seems pretty AD heavy?

sure, i am running it with sun enterprise ldap server. it doesnt matter which ldap server you use.

-malc

Sweet thanks for the reply.

I'll have another crack at it today.

OU=People,dc=host,dc=co,dc=nz
uid=

Hi,

Brilliant plugin.

Has anyone had problems with cookies. Basically when I use the hook and tick the 'Remember Me' box it doesn't remember me when I close the browser and relaunch it. If I disable the hook it works. Any idea how to fix this.

Thank you.