View Full Version : Miscellaneous Hacks - LDAP Authentication


Haqa
11-17-2008, 10:00 PM
I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx (https://vborg.vbsupport.ru/showthread.php?t=148573&highlight=ldap+auth) and zemic (https://vborg.vbsupport.ru/showthread.php?t=145188&highlight=ldap)) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well, firstly, the only additional file is the XML file for the new hooks (see below), and there are no changes to vBulletin code, so installation is simple and upgrades to vBulletin don't get over-complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough), I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp, so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:

ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.


By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements


PHP 4.3+ with LDAP support.


I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes


1.0 - Initial release
1.1 - Corrected SQL queries to use TABLE_PREFIX
1.2 - Corrected a bug which prevented the settings page from being created correctly
1.3 - Corrected where the existing, new and all user hooks are called (before, not after, the user profile fields are set) to support dependent plugins
1.4 - Added the ability to set a search base for directories which do not permit searching from the root
1.5 - Fixed reported bug where hooks were called in the wrong order


Installation


Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.


Haqa...

Haqa
11-18-2008, 06:43 AM
Ok, so how do you use the hooks to make a mod which can use and extend ldap_auth?

Roughly like this:


Set a plugin on hook ldap_auth_start which adds the additional LDAP attributes you'll be using to the array $ldapAttrs.
Choose when you want to use the attributes:
If you want to use them every time a user logs in, plug in at hook ldap_auth_all_user
If you only want to use them if the user has never logged in before choose ldap_auth_new_user
If you want to use them only if the user HAS logged in before, choose ldap_auth_existing_user

Whichever hook (or hooks) you choose the process is the same:
If you want to add data to the user, you'll find the user's datamanager object in the variable $newuser
If you want to set a value into the user's profile fields, then you just need to set that value into the array $userFields with the key being the field name



There are, of course, many other things you could choose to do in your plugin, for example if you call the standard_error function, you'll display a nice error message page (For example if the user has a flag denoting the account is disabled) HOWEVER you need to call process_logout() first as the user will be partly logged in (If their account already exists in vBulletin).

Examples of this can be found in the LDAP Authentication plugin in this mod, or in the Full Name Support for LDAP Auth and Location Support for LDAP Auth mods (Coming soon).

Hope this helps

Haqa...
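An added example of extending the mod through the hooks described in the post above; it is not one of the author's own add-ons (Full Name Support, Location Support), and it is not taken from the mod. Each section is the body of a separate plugin on the named hook, written in vBulletin's own brace style. Assumptions: $userData holds the directory entry in the layout ldap_get_entries() produces (lower-cased attribute names, values under index 0); profile field "field2" is still the stock Location field; usergroup ids 2 and 9 are Registered Users and a "Staff" group on this board; and the employeeType values are from your own schema.

```php
// ---- Plugin on hook: ldap_auth_start -------------------------------------------
// Ask the mod to fetch these attributes in addition to the ones it needs itself.
// (Attribute names and the usergroup/profile-field ids below are assumptions.)
foreach (array('displayName', 'physicalDeliveryOfficeName', 'employeeType') as $attr)
{
	if (!in_array($attr, $ldapAttrs))
	{
		$ldapAttrs[] = $attr;
	}
}

// ---- Plugin on hook: ldap_auth_all_user ----------------------------------------
// Runs on every login, before the datamanager is saved, and before the new/existing
// hooks. Plugin code is eval()'d on each request, so guard the helper definition.
if (!function_exists('ldap_attr_first'))
{
	// First value of an attribute from a ldap_get_entries()-style entry, or $default.
	function ldap_attr_first(array $entry, $name, $default = '')
	{
		$name = strtolower($name);
		return isset($entry[$name][0]) ? $entry[$name][0] : $default;
	}
}

// Leavers remain in the directory and can still bind, so refuse them here. The user may
// already be partly logged in, which is why process_logout() must precede standard_error().
if (ldap_attr_first($userData, 'employeeType') === 'leaver')
{
	process_logout();
	eval(standard_error('This account is not permitted to log in to the forum.'));
}

// Copy the office into the Location profile field on every login so it tracks the directory.
$office = ldap_attr_first($userData, 'physicalDeliveryOfficeName');
if ($office !== '')
{
	$userFields['field2'] = $office;
}

// ---- Plugin on hook: ldap_auth_new_user ----------------------------------------
// First login only: choose the starting usergroup from the directory, then leave later
// changes made by administrators alone (which is why this is not on ldap_auth_all_user).
// ldap_attr_first() is already defined because ldap_auth_all_user ran first.
$group = (ldap_attr_first($userData, 'employeeType') === 'staff') ? 9 : 2;
$newuser->set('usergroupid', $group);
```

The refusal in the second plugin deliberately shows a fixed, generic message: it tells the user nothing about which directory flag tripped, in line with the author's later remarks in this thread about not leaking account state to someone guessing credentials.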

codershark
11-18-2008, 06:56 AM
---

Haqa
11-18-2008, 06:59 AM
Absolutely great time point where you posted it, because I need it for my exam!

Thanks !

Well be careful, I don't claim that the code is perfect, only that it works for me - There may well be hidden bugs, or aspects of vBulletin that I don't understand properly yet.

Good luck with your exam!

H.

codershark
11-18-2008, 07:08 AM
---

Lionel
11-18-2008, 07:21 AM
You should use TABLE_PREFIX for vbulletin :-)

daFish
11-18-2008, 07:46 AM
Great to see this addon and I have one single question as of now: What if I use this with an empty directory? Does this addon automatically insert the users into the LDAP?

Haqa
11-18-2008, 12:41 PM
You should use TABLE_PREFIX for vbulletin :-)

You are right, I should (and I thought I did...). I'll fix this and release an update.

Great to see this addon and I have one single question as of now: What if I use this with an empty directory? Does this addon automatically insert the users into the LDAP?

No, the way it works is it takes users from the directory and creates them in vBulletin as they log in. It doesn't work the other way round.

There are a number of good tools for LDAP management, I use yala (http://yala.sourceforge.net/), though this does open a potential security hole unless you are VERY careful (It exposes your LDAP to the internet via the web).

H.

daFish
11-18-2008, 01:30 PM
No, the way it works is it takes users from the directory and creates them in vBulletin as they log in. It doesn't work the other way round.

There are a number of good tools for LDAP management, I use yala (http://yala.sourceforge.net/), though this does open a potential security hole unless you are VERY careful (It exposes your LDAP to the internet via the web).

I don't know if this is achievable, but it would be great if there were a tool to synchronize the user databases, especially if you try to connect your forum to a backend with LDAP as the authentication service.

Freezerator
11-18-2008, 01:54 PM
Nice hack, planning on using this in the future to have only one userdatabase :)

Haqa
11-18-2008, 06:48 PM
You should use TABLE_PREFIX for vbulletin :-)

Thanks for the pointer, this is fixed. Also I noticed I'd forgotten the hook definition file, this is now available above...

H.

codershark
11-20-2008, 06:49 AM
---

Haqa
11-20-2008, 07:56 AM
Is it possible to make a Single Sign On? When someone logs in to Windows he is also logged in to the forum?

In theory, yes, that should be possible, but it would require some pretty extensive changes to the vB login pages, which would pretty much break upgradability. The problem is that Windows login SSO works using a version of HTTP Digest auth (AFAIK) which is normally only supported by IIS. This would need to be faked by the login system, and is probably beyond my current level of experience with vB.

The other point is that I'm trying to make my mods so that they don't break upgradability of VB (or any other products).

Anyone else know of a simpler way to do Windows SSO?

H.

Haqa
11-24-2008, 03:11 PM
Is it possible to make a Single Sign On? When someone logs in to Windows he is also logged in to the forum?

I've been doing some research, and if you have control over your webserver (and the modules installed) you could try playing with mod_auth_vas (http://rc.quest.com/topics/mod_auth_vas/) which implements SPNEGO, the basis for Windows domain login support for IIS/IE.

You'd still need some fairly significant mods to vB (or perhaps a plugin somewhere near global_start???) to tell it to use and trust the external username supplied by SPNEGO.

H.

anybodytech
11-27-2008, 10:12 AM
Very nice mod - installed with no fuss.

I did, though, have the problem that my LDAP server contained a new user whose username was not used in vB, but whose email was already taken by another username in vB.

This means that your plugin tries to create the new user when a correct username/password is issued (as seen from the LDAP server). But because the email already exists in vB with another username, the creation of the new user fails. This is probably okay, as two different users cannot have the same email. But the error message indicates that a wrong password/username was issued.

My suggestion for improvement is to give better response to this case.

Best regards
Tom

Haqa
11-27-2008, 10:35 PM
Very nice mod - installed with no fuss.

I did, though, have the problem that my LDAP server contained a new user whose username was not used in vB, but whose email was already taken by another username in vB.

This means that your plugin tries to create the new user when a correct username/password is issued (as seen from the LDAP server). But because the email already exists in vB with another username, the creation of the new user fails. This is probably okay, as two different users cannot have the same email. But the error message indicates that a wrong password/username was issued.

My suggestion for improvement is to give better response to this case.

Best regards
Tom

Thanks :)

I'll have to look into this bug, that's NOT what's meant to happen - It's supposed to rename the user to match the LDAP...

I can see what you mean though, the error message is unhelpful in this instance, but in keeping with normal login failure message procedure, I've tried not to allow a potential brute-force attacker know what he/she got wrong (username/password etc). A more "helpful" error message might give away the fact that users are being created on the fly from an external database, and that might give an opportunity to inject a user into the system. (Sorry if I seem paranoid, but it's my job, I work with system security all day).

H.
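The account-matching step from the first post (match on e-mail, update or create), together with the rename-to-the-LDAP-username behaviour the author describes in the reply above, as an added example; this is not the mod's code. $users and find_user_by() are constructed stand-ins for vBulletin's user table, and the 'action' strings are this example's own vocabulary for driving the datamanager afterwards. It also handles the case Tom reported: the LDAP username is already owned by a different vBulletin account than the one holding the e-mail.

```php
<?php
// Added example (not the mod's code): decide what to do with a vBulletin account once LDAP
// has already accepted the username and password.

// Constructed stand-in for a query against the user table (case-insensitive match).
function find_user_by(array $users, $column, $value)
{
	foreach ($users as $u)
	{
		if (strcasecmp($u[$column], $value) === 0)
		{
			return $u;
		}
	}
	return null;
}

// Returns array('action' => 'update'|'rename'|'create'|'reject', ...). The caller turns
// 'reject' into the ordinary "invalid username or password" page; the reason is for the
// server-side log only, so a guesser cannot learn that accounts are created from LDAP.
function plan_user_sync(array $users, $ldapUsername, $ldapEmail)
{
	$byEmail = find_user_by($users, 'email', $ldapEmail);
	$byName  = find_user_by($users, 'username', $ldapUsername);

	if ($byEmail !== null)
	{
		// The e-mail identifies the person; the username must end up matching the LDAP.
		if ($byName === null || $byName['userid'] === $byEmail['userid'])
		{
			$action = ($byName === null) ? 'rename' : 'update';
			return array('action' => $action, 'userid' => $byEmail['userid'], 'username' => $ldapUsername);
		}
		// The LDAP username belongs to a different vBulletin account: it can be neither
		// renamed (name taken) nor created (duplicate e-mail).
		return array('action' => 'reject', 'reason' => 'username owned by another account');
	}

	if ($byName !== null)
	{
		// A local account with the same name but a different e-mail. Creating would
		// duplicate the username; silently updating would hand a local account to the
		// directory user. Reject and leave it for an administrator to reconcile.
		return array('action' => 'reject', 'reason' => 'local account with same username');
	}

	return array('action' => 'create', 'username' => $ldapUsername, 'email' => $ldapEmail);
}

// Constructed sample of a vBulletin user table.
$users = array(
	array('userid' => 1, 'username' => 'admin', 'email' => 'tom@example.com'),
	array('userid' => 2, 'username' => 'jane',  'email' => 'jane@example.com'),
);

// Tom's directory entry is cn=tom, with the e-mail the original admin account already uses.
print_r(plan_user_sync($users, 'tom', 'tom@example.com'));
// jane has logged in before and nothing about her has changed.
print_r(plan_user_sync($users, 'jane', 'jane@example.com'));
// A directory user whose cn collides with a local account that has a different e-mail.
print_r(plan_user_sync($users, 'admin', 'admin2@example.com'));
// Someone who has never visited the board.
print_r(plan_user_sync($users, 'fred', 'fred@example.com'));
```

Whatever plan_user_sync() returns, the page shown to the browser on 'reject' should be the same badlogin error the board shows for a wrong password; only the log line carries the reason.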

secrtagnt
12-18-2008, 01:55 PM
The plugin is populating vB's db properly when an existing LDAP user tries to login to the forums but doesn't exist in vB; however, it won't log them in -- stating they have entered an incorrect password. The same thing happens for existing vB users.

The passwords are stored as an MD5 hash in LDAP, and I also made sure define('DISABLE_PASSWORD_CLEARING', 1); was in includes/config.php. The strange thing is, if I disable the plugin both existing and newly created users (from LDAP) can successfully login.

Any ideas on what might be causing this?

Rondo44
01-06-2009, 01:03 PM
I have installed this plugin, but can't get it to work. Has anyone gotten this plugin to work in an Active Directory environment? Thanks for your help.

ludachris
01-08-2009, 03:19 PM
I have installed this plugin, but can't get it to work. Has anyone gotten this plugin to work in an Active Directory environment? Thanks for your help.
I was just going to ask if this worked with Active Directory.

sysadm
01-22-2009, 11:19 PM
didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??

khan2002
01-27-2009, 02:34 PM
Hi

I installed the plugin, but i get several errors or strange behaviours:

1) I can't login with an admin account
2) I get always following error at the login with an other user:


Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'xxx'@'localhost' (using password: NO) in /var/www/virtual/xxx/htdocs/_forum/includes/functions.php(5721) : eval()'d code on line 106

The new user is created, and after I go back to the main site he is logged in, but before that I get this message....

Anyone an idea?

thanks in advance

Haqa
02-21-2009, 06:09 AM
The plugin is populating vB's db properly when an existing LDAP user tries to login to the forums but doesn't exist in vB; however, it won't log them in -- stating they have entered an incorrect password. The same thing happens for existing vB users.

The passwords are stored as an MD5 hash in LDAP, and I also made sure define('DISABLE_PASSWORD_CLEARING', 1); was in includes/config.php. The strange thing is, if I disable the plugin both existing and newly created users (from LDAP) can successfully login.

Any ideas on what might be causing this?

I'll have to investigate this, I have it working so it sounds like I missed something from the instructions. If I did, sorry, I'll fix it as soon as I find it.

I have installed this plugin, but can't get it to work. Has anyone gotten this plugin to work in an Active Directory environment? Thanks for your help.

I was just going to ask if this worked with Active Directory.

I have made this work with AD, but it requires a little fiddling. At work we have AD replicated into a real LDAP server so that normal access can be used. I'll post some instructions shortly.

didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??

Oops, Did I? I'll check, but I don't think I did. If I did, sorry, I'll fix the download shortly.

Hi

I installed the plugin, but i get several errors or strange behaviours:

1) I can't login with an admin account
2) I get always following error at the login with an other user:



The new user is created, and after I go back to the main site he is logged in, but before that I get this message....

Anyone an idea?

thanks in advance

That sounds like your database access is at fault, but I don't understand why that would be the case if the rest of your site is working. As I stated above, I'm relatively new to vB and don't have all the answers. Perhaps someone here might know how a vB install can work but sometimes throw a MySQL login failure?

Certainly though, failing to log into MySQL would prevent anyone logging in... Is the site sending you database error emails?

H.

awillys
02-22-2009, 12:18 AM
Hi, does this work with vB 3.8.x and/or 3.7.5?

Thanks
A

awillys
02-22-2009, 07:06 PM
Hi,

I have installed the plugin on a vB 3.7.5 following the above instruction.
I then created a new user using the forum registration and that user was not added in LDAP. What did I do wrong?

is it possible to get users added on ldap upon registration from the forum?

Thanks
Antonio

jmccaffrey
03-16-2009, 08:09 PM
I am not using this plugin, however I developed a different product to help me use a different login source than ldap, and I used this as a base. I noticed that the hook global_complete is called AFTER login logic takes place, this seems to be counter to how the hook is designed. This might be causing some of the issues people are seeing. I modified my plugin to use global_setup_complete instead. Note, using this approach requires a bit more setup logic to be used.

Haqa
03-16-2009, 10:01 PM
Hi, does this work with vB 3.8.x and/or 3.7.5?

Thanks
A

Still testing with 3.8, though it looks promising.

Hi,

I have installed the plugin on a vB 3.7.5 following the above instruction.
I then created a new user using the forum registration and that user was not added in LDAP. What did I do wrong?

is it possible to get users added on ldap upon registration from the forum?

Thanks
Antonio

I think you may have the purpose of the plugin backwards. This allows people in your LDAP to login to your VB even if they've never registered. You appear to be trying to get VB users put into your LDAP, which this plugin is not intended to do, sorry ;)

I am not using this plugin, however I developed a different product to help me use a different login source than ldap, and I used this as a base. I noticed that the hook global_complete is called AFTER login logic takes place, this seems to be counter to how the hook is designed. This might be causing some of the issues people are seeing. I modified my plugin to use global_setup_complete instead. Note, using this approach requires a bit more setup logic to be used.

I can see your point, as I've said this is my first mod. I'll go back to the code and see what refactoring would be needed to switch. However I am using this mod at work and it's working well (Or seems to be). I have many users who have all signed in without using the signup logic (Which I've disabled) and then have returned, re-logging in etc...

I'll have to revisit the code.

H.

Haqa
03-16-2009, 10:04 PM
didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??

You are quite right. I'll try to get a revised version up ASAP. It shouldn't prevent anything else working, unless you've written your own plugins triggered from my hooks, in which case they will get called at the wrong times.

Sorry.

H.

anthonym16
03-20-2009, 03:31 PM
Haqa,

I've been trying to get the plugin running with vB 3.8.1. I noticed that the global_complete hook isn't called on a login. I'm just learning the hooks, but do I need to change the plugin to fire on global_setup_complete?

Thanks,
Anthony

Haqa
03-20-2009, 09:11 PM
Haqa,

I've been trying to get the plugin running with vB 3.8.1. I noticed that the global_complete hook isn't called on a login. I'm just learning the hooks, but do I need to change the plugin to fire on global_setup_complete?

Thanks,
Anthony

I've just upgraded my dev system to 3.8.1 so it shouldn't be long before I've got a version which does support 3.8.x

H.

anthonym16
03-23-2009, 05:48 PM
I've just upgraded my dev system to 3.8.1 so it shouldn't be long before I've got a version which does support 3.8.x

H.

I just got the plug-in working w/ 3.8.1. I had to add my own hook in login.php so I'm interested to see what you come up with so that no vb code is altered.

Also, I had a problem with DISABLE_PASSWORD_CLEARING. I traced it back to line 598 of global.php. I had to switch the 1 and 0 on that line so $show['nopasswordempty'] would get the right value.

-Anthony

vocoder
04-01-2009, 12:42 PM
any updates on how to get this working with Active Directory? Additionally I would like to use it without anonymous query access...for other apps that authenticate with Active Directory I have a specific user for that...

Haqa
04-01-2009, 06:59 PM
any updates on how to get this working with Active Directory? Additionally I would like to use it without anonymous query access...for other apps that authenticate with Active Directory I have a specific user for that...

Unfortunately my AD server had an accident (well, it corrupted its boot disk) so I can't test AD at the moment, but the Bind DN and Bind Password are what you need for the user and password for non-anonymous access. But remember you'll need to be running in mixed (compatible) mode or the AD will require Kerberos, which PHP doesn't support out of the box (or at all, as far as I can tell).

You should find that it will work, but you need to set the correct Naming Attribute. I can't remember what it needs to be off the top of my head, but an LDAP browser should be able to connect and you should see which entry you want.

H.

zhangyc
04-08-2009, 04:25 AM
Hi Haqa,

I'm using your LDAP add-on (version 1.5) on my vBulletin 3.8.1 Patch Level 1.
I'm new to LDAP. I tried a lot of times, but still could not get the parameters right.
Attachment is my configuration, would you please teach me what's wrong with my parameters? Thank you!

Haqa
04-08-2009, 05:48 AM
Hi Haqa,

I'm using your LDAP add-on (version 1.5) on my vBulletin 3.8.1 Patch Level 1.
I'm new to LDAP. I tried a lot of times, but still could not get the parameters right.
Attachment is my configuration, would you please teach me what's wrong with my parameters? Thank you!

I'd say you're pretty much spot on with the parameters. (For those looking for the attribute names for AD, these are they!!) however there appears to be an issue with 3.8.x where the hook I was using no longer occurs in the correct place.

I'm working on a new, 3.8 compatible version (Which therefore will probably NOT work on 3.7) but due to work commitments it's not going as quickly as I would like.

H.

zhangyc
04-08-2009, 06:33 AM
I'd say you're pretty much spot on with the parameters. (For those looking for the attribute names for AD, these are they!!) however there appears to be an issue with 3.8.x where the hook I was using no longer occurs in the correct place.

I'm working on a new, 3.8 compatible version (Which therefore will probably NOT work on 3.7) but due to work commitments it's not going as quickly as I would like.

H.

Hi Haqa,

Thank you for your generous reply. I just got vBulletin 3.7.6 and tried again; no matter whether I configured it as in the picture you posted or as in the picture I posted, it still doesn't work. Can you explain to me the exact meaning of the fields "Naming Attribute", "Search Base DN" and "LDAP Attributes"? And can these fields be blank? Thank you!

Haqa
04-08-2009, 06:59 AM
Hi Haqa,

Thank you for your generous reply. I just got vBulletin 3.7.6 and tried again; no matter whether I configured it as in the picture you posted or as in the picture I posted, it still doesn't work. Can you explain to me the exact meaning of the fields "Naming Attribute", "Search Base DN" and "LDAP Attributes"? And can these fields be blank? Thank you!

Ahh.. hmm.. Yes, to use this product you need to know a little about how LDAP works. I don't claim to be a total expert but I'll try to help.

Firstly, LDAP is a hierarchical database, that is, it is structured like a file system with branches (think directory) and leaves (think file). Each node, either branch or leaf, has a Distinguished Name (DN) which is made up of the Naming Attribute followed by the DN of the node in which it sits, so if you have a branch of your tree called:-

dc=example,dc=com

And the naming attribute for an inetOrgPerson class is CN then an inetOrgPerson with CN=fred would have the DN of:-

cn=fred,dc=example,dc=com

The search base is the point in the tree to start searching from. Think of it like this, if on a windows machine you are searching for a document, you don't want to search the entire hard disk, you might start searching in "C:\Documents and Settings" to limit the time taken to find the file. This is what the search base does, so in my example above, to find fred I might set the search base to:-

dc=example,dc=com

The Additional LDAP Attributes setting is to support my add-on products, like Location Support and Fullname Support. For them to work you need to put the attribute name here so that the LDAP Authentication module pulls out the data needed by the add-on modules. If you are not using any modules which extend LDAP Authentication then you don't need to put anything there.

While I'm at it, don't forget that some AD servers don't support what's known as Simple Bind (Which is all that standard PHP can do) but instead need a different sort of login called Kerberos. If your Windows Server is configured to only support Native authentication then there is a good chance that PHP won't be able to bind (Login) and my module just won't work at all. I'm afraid there is nothing I can do about that, it's simply not possible with the standard version of PHP.

I hope this makes a rather complex and confusing subject a little clearer.

H.
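The bind, search, re-bind sequence that the first post describes, using the Naming Attribute and Search Base DN exactly as explained in the post above, written as an added example against PHP's ldap extension; it is not the mod's code. The $cfg key names, the host ldap.example.com, the service account DN, the user "fred" and the ldap_filter_escape() helper are this example's own assumptions (PHP 5.6 and later ship ldap_escape(), which does the same job; the helper keeps the example usable on the older PHP the thread targets).

```php
<?php
// Added example (not the mod's code): authenticate a board login against LDAP.

// RFC 4515 filter escaping, so a username such as "*)(cn=*" cannot rewrite the search
// filter into something that matches a different entry.
function ldap_filter_escape($value)
{
	$map = array("\\" => "\\5c", "*" => "\\2a", "(" => "\\28", ")" => "\\29", "\0" => "\\00");
	return strtr($value, $map);
}

// Returns false on any failure, otherwise an array of attribute => first value plus 'dn'.
function ldap_authenticate(array $cfg, $username, $password, array $extraAttrs = array())
{
	// An empty password must never reach ldap_bind(): most servers, Active Directory
	// included, treat "DN + empty password" as an anonymous bind and report success.
	if ($username === '' || $password === '')
	{
		return false;
	}

	$ds = @ldap_connect($cfg['host'], $cfg['port']);
	if (!$ds)
	{
		return false;
	}
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);	// AD returns referrals that PHP cannot follow

	// Simple bind sends the password in clear; upgrade the connection unless using ldaps://.
	if (!empty($cfg['starttls']) && !@ldap_start_tls($ds))
	{
		ldap_close($ds);
		return false;
	}

	// Initial bind: anonymous, or as the service account from the Bind DN / Bind Password settings.
	$ok = $cfg['anonymous'] ? @ldap_bind($ds) : @ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw']);
	if (!$ok)
	{
		ldap_close($ds);
		return false;	// the situation the mod reports as "Failed to bind (Initial bind)"
	}

	// Locate the entry: (<Naming Attribute>=<username>) beneath the Search Base DN.
	$filter  = '(' . $cfg['naming_attr'] . '=' . ldap_filter_escape($username) . ')';
	$attrs   = array_merge(array($cfg['naming_attr'], 'mail'), $extraAttrs);
	$sr      = @ldap_search($ds, $cfg['base_dn'], $filter, $attrs);
	$entries = $sr ? ldap_get_entries($ds, $sr) : false;
	if (!$entries || $entries['count'] !== 1)
	{
		ldap_close($ds);
		return false;	// no match or an ambiguous match: both are a failed login
	}
	$dn = $entries[0]['dn'];

	// Second bind as the user's own DN: this is the actual password check.
	if (!@ldap_bind($ds, $dn, $password))
	{
		ldap_close($ds);
		return false;
	}
	ldap_close($ds);

	// Flatten ldap_get_entries() output (lower-cased names, values under [0]).
	$data = array('dn' => $dn);
	foreach ($attrs as $a)
	{
		$a = strtolower($a);
		if (isset($entries[0][$a][0]))
		{
			$data[$a] = $entries[0][$a][0];
		}
	}
	return $data;
}

// Constructed settings for the inetOrgPerson tree used in the post above (dc=example,dc=com).
$cfg = array(
	'host' => 'ldap.example.com', 'port' => 389, 'starttls' => true,
	'anonymous' => false,
	'bind_dn' => 'cn=vbulletin,ou=services,dc=example,dc=com', 'bind_pw' => 'secret',
	'naming_attr' => 'cn', 'base_dn' => 'dc=example,dc=com',
);
$user = ldap_authenticate($cfg, 'fred', 'correct horse battery staple', array('displayName'));
var_dump($user === false ? 'login failed' : $user);
```

Two checks worth keeping whatever else is changed: the empty-password guard (without it, a directory that permits unauthenticated bind would let anyone in as any username that exists), and the single-result test on the search (two entries with the same naming attribute under the base DN means the wrong one could be bound). For a directory that permits simple bind, the Bind DN may be written as a full DN or, on Active Directory, as a user principal name such as svc@test.com; the naming attribute for AD logons is sAMAccountName.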

n0manarmy
04-08-2009, 07:45 PM
Haqa I'm having a heck of a time getting this to work with 3.8.2.

I know you don't have it certified to work with it yet but I've seen a few others mention that they got it working with their AD setups.

The information in the screen shot is a copy and paste from a working LDAP tie in from a PHP/Tomcat application as well the PHPBB forums which I had running BEFORE I purchased VBulletin to switch over.

When I activate the plug-in

Cannot log in with the admin account (after the fact on another browser)
Cannot log in with a normal account


I don't need to add users to the database, all I really need is VB to reach out, see that the user is there, see that their password is correct and then let them in. We're an educational institution with our own Active Directory structure and we just want to unify as much as possible around one account system.

Side Note:
If anyone has any information on where I can turn on advanced logging to see if there's additional information I can get out of the VB that would be awesome.

zhangyc
04-09-2009, 02:01 AM
Hi Haqa, with your detailed explanation I think I understand LDAP a little.
But still, I could not get the authentication passed.

I tried four times with different parameter groups, these parameters are not changed through my test:

"LDAP Server" is set "172.29.128.29" (IP address of my AD server),
"LDAP Port" is "389" (Default value),
"Naming Attribute" is set "cn",
"Search Base DN" is set "dc=test,dc=com" (My domain is test.com),
"LDAP Attributes" is always blank,
"Allow Built-in Accounts" is always set "1".

The other fields in the four test groups are:

1. "Anonymous Bind" is set "Yes",
"Bind DN" and "Bind Password" are set blank,
"Disable vBulletin Users" is set "Yes"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

2. "Anonymous Bind" is set "Yes",
"Bind DN" and "Bind Password" are set blank,
"Disable vBulletin Users" is set "No"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

3. "Anonymous Bind" is set "No",
"Bind DN" is set "Administrator"
"Bind Password" is set password for account "Administrator" in domain "test.com",
"Disable vBulletin Users" is set "Yes"

When I login with my domain account, it shows "Failed to bind to LDAP directory (Initial bind)"

4. "Anonymous Bind" is set "No",
"Bind DN" is set "Administrator"
"Bind Password" is set password for account "Administrator" in domain "test.com",
"Disable vBulletin Users" is set "No"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

Could you please tell me that did I get anything wrong for your program? Thank you!

n0manarmy
04-09-2009, 11:52 AM
I think I figured my problem out.

Haqa,

In your instructions you say to place the line below in to config.php

//LDAP Access Control
define('DISABLE_PASSWORD_CLEARING', 1);

Did you mean to say global.php?

Once I added it to global.php I was able to authenticate most of my users. I do believe there's a problem with users that have very long passwords. They're not able to log in.

anthonym16
04-09-2009, 12:30 PM
I got some PMs asking how I got Haqa's plugin working in 3.8.1 so here's what I did...

Start off by creating a hook in login.php and registering it by following the directions here:
https://vborg.vbsupport.ru/showthread.php?t=148573

Do the edit to global.php mentioned in the directions above. I verified that the 1 and 0 for DISABLE_PASSWORD_CLEARING in global.php were swapped in 3.8.1. If you don't do that edit, vb will encrypt the user's password in an md5 hash onsubmit of the login form. Unless your AD passwords are stored in an md5 hash, the password check will fail.

Install Haqa's plugin and go into the plugin manager and set it to fire on the new hook you created. I setup some logging in the plugin code so I could see what was going on. If you get this far, it's all configuration from there.


I extracted the logging code from the plugin linked above to help me debug and added it to Haqa's plugin code:

define('LDDEBUG', true);

// Append one timestamped line to the debug log, if the log file could be opened.
function wrlog($text)
{
	global $fp;
	if ($fp)
	{
		fputs($fp, date("d/m/y : H:i:s", time()) . " >> " . $text . "\n");
	}
}

// Open the log in append mode; the path must be writable by the web server account.
if (defined('LDDEBUG'))
{
	$fp = fopen('C:\inetpub\wwwroot\forums\logs\ldap.debug', "a+");
	wrlog("++ -------- begin ldap log -------- ++");
}



The only downside of this approach is that I had to edit vb source. This is only a temporary solution I hope. I just upgraded to 3.8.2 and saw that global.php and login.php were both overwritten... Hopefully Haqa comes up with a way do to all this without altering any vb source.

Something else for people that are having trouble... vb uses your email as a primary key for users. Initially, my vb admin account was setup to use my email. When I went to test the plugin by using my username from AD to log in, the plugin code tried to create me a new account but failed because my email was already in use by the admin account.

n0manarmy
04-09-2009, 01:02 PM
anthonym16, thanks for the post. I've managed to make a lot of progress so far due to your information. I've gotten to an interesting sticking point though. When I have a user log in with their username and password, it fails the first time; when they try again right away it succeeds and adds them as a user. Any thoughts?

Edit:
It's adding the user on the first failed attempt allowing them to log in successfully on the second attempt.

anthonym16
04-09-2009, 01:36 PM
anthonym16, thanks for the post. I've managed to make a lot of progress so far due to your information. I've gotten to an interesting sticking point though. When I have a user log in with their username and password, it fails the first time; when they try again right away it succeeds and adds them as a user. Any thoughts?

Edit:
It's adding the user on the first failed attempt.

Where do you have your hook in login.php? In my 3.8.1 login.php file, it's on line 100. It seems like the ldap plugin is firing correctly but in the wrong place? If the hook is in the right place, my next thought is maybe your cookies are not working properly.

In Haqa's code, once an email is found in AD, this line executes:
$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

Then, in login.php, after the correct hook location, GPC['cookieuser'] is passed into verify_authentication().

I'm still trying to learn the hooks system and vb myself. I only have a couple weeks of head start on you... :)

n0manarmy
04-09-2009, 01:45 PM
Mine's on line 100 as well


if ($vbulletin->GPC['vb_login_username'] == '')
{
eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}
($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false;

I'm extremely new to VB so I know very little about the system.

When you mentioned to follow the directions here
https://vborg.vbsupport.ru/showthread.php?t=148573
did you intend for that plugin to also be installed along side Haqa's?

n0manarmy
04-09-2009, 02:25 PM
I think I'm also having problems creating the hook as I've never done this before. Now that I think of it, i didn't even create a hook yet.

Haqa
04-09-2009, 02:37 PM
@anthonym16: You are a genius! Thanks. I hope you don't mind if I borrow some of that for the next release? (Credit given of course!).

@n0manarmy: The biggest problem I had with the plugin was getting it to fire at the right point in the login process. Too late and you'll get the effect you are describing with the user created correctly but the login failing first time.

H.

Haqa
04-09-2009, 02:40 PM
The only downside of this approach is that I had to edit vb source. This is only a temporary solution I hope. I just upgraded to 3.8.2 and saw that global.php and login.php were both overwritten... Hopefully Haqa comes up with a way to do all this without altering any vb source.

That's my plan - I hate having to modify the main code because it breaks every time you upgrade.

Something else for people that are having trouble... vb uses your email as a primary key for users. Initially, my vb admin account was setup to use my email. When I went to test the plugin by using my username from AD to log in, the plugin code tried to create me a new account but failed because my email was already in use by the admin account.

That's not quite what SHOULD have happened (Need to check why it didn't work as it should). What should happen is that if you login with a different account name BUT THE SAME EMAIL then the account should get renamed!

H.

n0manarmy
04-09-2009, 02:57 PM
I'll hang tight then and wait to see how the update goes. I can get people in to the system now, even though it takes two login attempts.

zhangyc
04-14-2009, 12:13 AM
Hi Haqa,

I have went through your code, and added
// Disable LDAP referrals option
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
under your code
// Enable LDAP version 3
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);

and change your LDAP bind code like this
// Bind (authenticate or anonymous depending on settings)
//if ($vbulletin->options['ldap_anon_bind']) {
// $ldap_bind = ldap_bind($ldapConnection);
//} else {
// $ldap_bind = ldap_bind($ldapConnection, $vbulletin->options['ldap_bind_dn'], $vbulletin->options['ldap_bind_password']);
//}
$ldap_bind = ldap_bind($ldapConnection, $vbulletin->GPC['vb_login_username'], $passwd);

I could ignore your "ldap_anon_bind", "ldap_bind_dn" and "ldap_bind_password" options.
Now, I can get it to work with my vBulletin 3.7.6, but I got the same problem as n0manarmy, that is, when a domain user logs in for the first time, it returns a "password error" message; when they log in the next time, third time, etc., it's ok.

In my opinion, the reason I got this problem is the position of the hook "global_complete", what do you think? Thanks!

n0manarmy
04-14-2009, 05:22 PM
Any updates on this? Not that I want to rush you or anything but I want to get VB live and active with my students and I don't want to tell them that the registration process requires one failed logon to get an account :)

FFSBC
04-17-2009, 09:13 PM
I've followed all the instructions and cannot get the logon to work with 3.8.2 and 2003 active directory.. would really love an update on this one.

n0manarmy
04-20-2009, 06:35 PM
Is it possible to put a wait somewhere in the process so that if it's just a random time delay issue that this could circumvent that? Maybe a 3 second wait with a message saying "One moment, checking your account status."

FFSBC
04-20-2009, 07:39 PM
I've now tried the instructions using 3.7.6 and have the same issue. Doesn't even look like it's trying to access LDAP. I just get an invalid username/password. Not sure about configuring the login.php and where you set the plugin firing order? Any detailed instructions on how to configure this step-by-step would be greatly appreciated as I'm new to vBulletin. Thanks.

zhangyc
04-21-2009, 07:42 AM
Hi,

I have managed to get the plug-in working with v3.7.6. However I am also facing the same issue as n0manarmy whereby a user who logs in to vB for the first time (who doesn't have an account in vB) using this LDAP plug-in will not be successful. Subsequent log-ins will then be OK. Reason is that first timer needs to have his/her account created in vB and this plug-in is used to create that account. Therefore only on 2nd and subsequent log-ins will he/she be successful. Any workaround yet?

Also I found that once this plug-in is installed, the admin cannot log-in directly from the vB mainpage (user page). The admin can only log in from the admin page. Why is that so?

Please help.

Thanks.

FFSBC
04-22-2009, 04:41 PM
I have finally gotten this to work with both 3.7.6 and 3.8.2 using Windows 2003 Active Directory. The problem that I was having was the search base dn and the bind dn were causing issues. One thing to note was the bind dn requires domain\username to function correctly. The search base needed the ou that contains the user accounts in it.

The plugin creates a new user and logs them in successfully on the first try.

Haqa
04-22-2009, 07:12 PM
I'm very sorry but due to personal reasons I'm finding I am unable to dedicate the time that a "supported" module deserves. As a result I'm removing the "supported" flag from this plugin.

This doesn't mean I'll stop helping anyone, but I'll feel a bit less bad if it takes me a week to get to it..

Once again sorry, and I hope you'll understand.

H.

warhau
04-22-2009, 08:44 PM
I have finally gotten this to work with both 3.7.6 and 3.8.2 using Windows 2003 Active Directory. The problem that I was having was the search base dn and the bind dn were causing issues. One thing to note was the bind dn requires domain\username to function correctly. The search base needed the ou that contains the user accounts in it.

The plugin creates a new user and logs them in successfully on the first try.


Are you still using the global_complete hook for this?

I used this plugin as an example to create a version that works on a SOAP API for our custom account system, but am running into the problem that other described of getting a failed login on first attempt with new account, but being successful upon refreshing the login page. I'd rather not add new hooks to the VB code if it can be avoided.

FFSBC
04-23-2009, 02:30 PM
I use the default global_complete hook, yes. Everything seems to be working fine, except password changes in Active directory aren't transferring to vBulletin... not sure why?

warhau
04-23-2009, 05:30 PM
I use the default global_complete hook, yes. Everything seems to be working fine, except password changes in Active directory aren't transferring to vBulletin... not sure why?

Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true

so the plugin was exiting. I re-added the line to config.php, and password changes work. However, I did notice that, because of the way my plugin is written, the old VB password will continue to work until the new external password is entered. This is because my plugin fails over to internal users if external auth fails.

Unfortunately when the new external password for an existing user is set in VB upon login, I still get the failed login error message, even though the new password gets set, and you can log in using the new password by refreshing the page.

There's obviously something missing from my plugin that should be setting some cookies and/or session stuff correctly. Can't figure it out.

jaikumarm
04-24-2009, 01:47 AM
I have finally gotten this to work with both 3.7.6 and 3.8.2 using Windows 2003 Active Directory. The problem that I was having was the search base dn and the bind dn were causing issues. One thing to note was the bind dn requires domain\username to function correctly. The search base needed the ou that contains the user accounts in it.

The plugin creates a new user and logs them in successfully on the first try.

Can you list what you did different to get the first tries to work! thanks.

jaikumarm
04-24-2009, 02:40 AM
Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:

} else {
$newuserid = $newuser->save();
at the very end of the product xml file

Add:

verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
do_login_redirect();


This is basically the std login code for vb. I have just ended up re-logging the user with the login credentials provided earlier.

So here is the quick retrace of steps.
Installation
1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
3a. Edit product-ldap_auth-1.5.xml with the changes as above
3b. Install the modified product file using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.
4. Edit LDAP Authentication Options and fill in your ldap details
5. Done.

Haqa
04-24-2009, 05:47 AM
Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true


That is because as you hit the login button the javascript in the page encrypts your password and deletes the unencrypted copy (in the field) - Ever noticed that the field goes blank as you hit login? That's why. This is a sort of security feature so no one snooping on the wire can see the plain text password, however a plugin of this sort needs the plain text password to work, so if my plugin sees the field empty it just gives up early because there is nothing it can do.

Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:

} else {
$newuserid = $newuser->save();
at the very end of the product xml file

Add:

verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
do_login_redirect();




So you are basically re-running the login logic (It's also called earlier in the plugin), and this solves the problem? Cool.

May I include your patch in the next release?

H.

Blinker
04-24-2009, 10:51 AM
I tried jaikumarm's code: it works perfectly, new users get no error message! Thanks for that.

And special thanks to Haqa for this Mod !!!

n0manarmy
04-24-2009, 02:02 PM
Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true

so the plugin was exiting. I re-added the line to config.php, and password changes work. However, I did notice that, because of the way my plugin is written, the old VB password will continue to work until the new external password is entered. This is because my plugin fails over to internal users if external auth fails.

Unfortunately when the new external password for an existing user is set in VB upon login, I still get the failed login error message, even though the new password gets set, and you can log in using the new password by refreshing the page.

There's obviously something missing from my plugin that should be setting some cookies and/or session stuff correctly. Can't figure it out.

I can't seem to get this working. I've got everything up and going with being able to log in and authenticating against LDAP. It immediately processes the login and the user's away and posting.

I can't get password changes working though. I tested it with an account, as soon as the password changes, they can't log in with the new password, they can only log in with the old password.

Also,

If someone changes their password through their CP, it not only breaks their old password from working, but the new one doesn't work as well.

Also Also,

It appears that by changing my password through the CP it has broken my ability to create new users....?

EDIT For follow up:

I edited the line
$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates
To appear like above

I was able to log in again with accounts. I don't know if this was somehow reset during my monkeying or not. Everything appears to be working now, including password changes.

Haqa
04-24-2009, 04:27 PM
Ohh... hmmm
You probably want the "Disable vBulletin Users" turned on. That should (might) make it prefer the LDAP users.

What you are describing with the passwords not changing is that the user update isn't working correctly. This puzzles me because it's relatively simple code, and it's working for some people.

What kind of LDAP server are you reading from? Do you have access to the query logs to ensure that the user is validating and querying their entry correctly?

H.

jaikumarm
04-24-2009, 07:16 PM
So you are basically re-running the login logic (It's also called earlier in the plugin), and this solves the problem? Cool.

May I include your patch in the next release?

H.

Yes, that was the idea, to trigger the re-login in-code, so that the user does not have to.

Sure, go ahead and include my patch. Thanks much for the plugin, it has for sure saved me tons of time.

J.

warhau
04-27-2009, 08:28 PM
Thanks everyone. With the new redirect code, I can get straight in via our SOAP authentication.

I did have a problem with jaikumarm's patch code, when retaining client-side MD5 encoding. The last line "do_login_redirect()" was causing a loop and eventual PHP memory crash. This appears to be due to the global_complete hook being called in print_output in functions.php, which was looping back into the login process. In the original code, there was a line:

$vbulletin->GPC['vb_login_password'] = '';

This kept the plugin from firing when global_complete was called. Without vb_login_md5password being cleared, the plugin was firing every time it would reach "do_login_redirect()", resulting in the loop.

I also notice that in jaikumarm's code, he is still using

$vbulletin->GPC['vb_login_password']

in his call to verify_authentication. Theoretically, as part of the original code, isn't vb_login_password empty at this point? I'm not sure how verify_authentication would work there with a blank password. Anyway, I didn't have problem with that, but I did have to clear vb_login_md5password just prior to calling do_login_redirect, since my opening logic in the plugin prevents firing if md5 password is empty.

Finally, in the original code, I noticed:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

As I was going through login.php, I noticed that it looks like cookieuser is supposed to be BOOL. Not sure this would cause any problems, but I just removed the line completely and everything works fine.

Thanks to Haqa for a good example, that allowed me to write exactly what I needed, and to jaikumarm for helping to complete the puzzle!

paul41598
04-30-2009, 12:31 PM
Fatal error: Call to undefined function ldap_connect() in C:\RFCUweb\vbulletin\includes\functions.php(5721) : eval()'d code on line 15

???

Haqa
04-30-2009, 12:54 PM
Ahh... You haven't installed LDAP support for PHP.


Requirements

* PHP 4.3+ with LDAP support.


It can't work without it, sorry.

H.

paul41598
04-30-2009, 01:12 PM
Yah I've enabled it now. Still doesn't work when trying to log in as a test AD user. Just keeps saying invalid username/password.

I've read every page of this thread and cannot get this to work. I've followed the instructions completely, put that DEFINE piece of code in my config.php, uploaded the XML to the includes/xml dir. NOTHING.

Running Win2k 2003 with AD

warhau
04-30-2009, 02:04 PM
Yah I've enabled it now. Still doesn't work when trying to log in as a test AD user. Just keeps saying invalid username/password.

I've read every page of this thread and cannot get this to work. I've followed the instructions completely, put that DEFINE piece of code in my config.php, uploaded the XML to the includes/xml dir. NOTHING.

Running Win2k 2003 with AD

I'm not sure about Windows, but the Centos RPM distro of PHP does not come with ldap support built in. I needed to install the php-ldap library.

Looks like there is a thread at http://forums.devshed.com/showthread.php?p=1173879 which covers installing PHP LDAP support for Windows, just in case.

Haqa
04-30-2009, 02:14 PM
When I get the next release of this out attached to a better hook point I think the experience will be better. Can you put a screenshot of your settings up (Or pm me your settings) so I can take a look? It sounds like you are either not querying the correct branch of the AD's LDAP or you aren't pulling the correct attributes out.

H.

warrentr2
05-12-2009, 12:13 AM
Thanks for this mod Haqa,

I seem to be stuck when I hit any error cases. Specifically using the vB standard_error function from within the global_complete hook causes browsers to hang when they hit this error. As a test I tried the following from the forumhome_start hook, and it was successful:

eval(standard_error( "Test error" ));

But it just won't work from global_complete...

I am running vB 3.8.2. Have you come across anything like this? Thanks

kamalrij
05-21-2009, 05:34 PM
Worked for me as well.

Thanks
Kamal

kamalrij
05-26-2009, 11:53 PM
Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:

} else {
$newuserid = $newuser->save();
at the very end of the product xml file

Add:

verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
do_login_redirect();


This is basically the std login code for vb. I have just ended up re-logging the user with the login credentials provided earlier.

So here is the quick retrace of steps.
Installation
1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
3a. Edit product-ldap_auth-1.5.xml with the changes as above
3b. Install the modified product file using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.
4. Edit LDAP Authentication Options and fill in your ldap details
5. Done.
This quick fix resolved the issue related to the error around first login for the user.

Haqa
05-27-2009, 10:57 AM
The odd thing is that I am using this on a 3.8.2 without this alteration and it appears to be working properly. Odd...

As for the errors not working, I've not experienced that either. Due to a fault in the AD replica I rely on, a number of users' passwords didn't get updated last time they changed them (It's still got their previous password), so they get login errors if they forget and use their current password.

I think the best (though not necessarily the easiest) solution is to persuade Jelsoft to add a hook in the login process, as IMHO that would solve almost all the problems being reported here.

I'll ask them and see what they say.

H.

kamalrij
06-03-2009, 08:26 PM
One odd behaviour I've seen with this plugin is that the Option Receive Email from Other Users under the user profile is off when the user logs in with their LDAP credentials for the first time.

As we are using LDAP, new registration is turned Off under User Registration Options but Display Email is checked under Default Registration Options.
Is there some other option that I need to turn on for Receive Email from Other Users to be ON for all users by default.

Thanks

jondrnek
06-08-2009, 04:58 PM
Do you deal with password changes at all? If a user who logged in via LDAP changes their password via vBulletin what happens?

Haqa
06-08-2009, 08:27 PM
Do you deal with password changes at all? If a user who logged in via LDAP changes their password via vBulletin what happens?

The next time they log in (Not by cookies but actually enter a username and password) their password is changed back.

Unless you permit VB users (i.e. Don't turn on disable vb only users). If you allow vb only users then an LDAP user might be allowed to log in with the vb password rather than the LDAP password (if they are different). To be honest, I've never tried because I either use LDAP or I use vb (Without LDAP) never both.

H.

J29194132705
06-11-2009, 11:55 PM
using Anthonym16's advice here (https://vborg.vbsupport.ru/showpost.php?p=1787309&postcount=40) I was able to get the plugin functioning to register new users. In 3.8.2, returning users couldn't get in, so I changed the lines,

$userid = $vbulletin->db->query_first_slave("
SELECT userid
FROM ".TABLE_PREFIX."user
WHERE LOWER(email) = LOWER('".mysql_real_escape_string($userData[0]['mail'][0])."')");

and removed the mysql_real_escape_string() function call. It works!

Haqa
06-12-2009, 05:17 AM
Removing that is not a good idea. I discovered how important it was the first time someone with a single quote (Apostrophe) in their surname registered... i.e. fred.o'flintstone@somewhere.org will never be able to log in.

I very much doubt that is stopping people logging in... Certainly I've seen it working under 3.8.2 with that code in place.

H.
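Haqa's apostrophe point, as an added example that is not the plugin's code: an in-memory SQLite table stands in for vBulletin's user table (TABLE_PREFIX and the MySQL-specific escape call are left out), and a bound parameter does the job mysql_real_escape_string() did in the original query.

```php
<?php
// Added example, not part of the LDAP Authentication mod.
// Demonstrates why the email lookup must not interpolate the LDAP mail
// value directly into SQL: an address containing an apostrophe breaks the
// query, and that same breakage is an injection point.

// Constructed stand-in for vBulletin's `user` table, in memory so it runs offline.
function buildSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)");
    // Constructed sample rows; the O'Flintstone address is the case from the thread.
    $db->exec("INSERT INTO user (username, email) VALUES ('fred', 'fred.o''flintstone@somewhere.org')");
    $db->exec("INSERT INTO user (username, email) VALUES ('wilma', 'Wilma@Somewhere.org')");
    return $db;
}

// The lookup as edited in the thread: the mail attribute dropped straight into the SQL string.
function lookupUnescaped(PDO $db, string $mail): ?int {
    $sql = "SELECT userid FROM user WHERE LOWER(email) = LOWER('" . $mail . "')";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// The safe form: the mail value is passed as a bound parameter, so quotes in it
// are data, never SQL. Equivalent in effect to keeping the escape call.
function lookupPrepared(PDO $db, string $mail): ?int {
    $stmt = $db->prepare("SELECT userid FROM user WHERE LOWER(email) = LOWER(:mail)");
    $stmt->execute([':mail' => $mail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

$db = buildSampleDb();
$mails = ['wilma@somewhere.org', "fred.o'flintstone@somewhere.org"];

foreach ($mails as $mail) {
    try {
        $r = lookupUnescaped($db, $mail);
        printf("unescaped %-35s -> %s\n", $mail, $r === null ? 'no match' : "userid $r");
    } catch (PDOException $e) {
        // The apostrophe terminates the string literal, the statement fails to
        // parse, and a user with such an address can never be matched this way.
        printf("unescaped %-35s -> SQL error: %s\n", $mail, $e->getMessage());
    }
    $r = lookupPrepared($db, $mail);
    printf("prepared  %-35s -> %s\n", $mail, $r === null ? 'no match' : "userid $r");
}
```

Run with the sqlite PDO driver enabled; the unescaped lookup matches Wilma (case-insensitively) but throws on Fred's address, while the prepared lookup returns a userid for both.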

manchu_fire
06-12-2009, 02:07 PM
Hello all...
New to the vBulletin and I'm currently using v3.8.2 and wanted to use this mod for Active Directory Authentication, using Win 2003 Server.
Reading this thread from start to finish I'm getting confused on the install??? Any thoughts of posting an updated install process that is working with v3.8.x here or maybe in the v3.8.x mod thread?

RoCF
06-15-2009, 09:17 AM
Hello all...
Reading this thread from start to finish I'm getting confused on the install??? Any thoughts of posting an updated install process that is working with v3.8.x here or maybe in the v3.8.x mod thread?

I've got it running on a Windows 2003 Server with the installation notes given in the description. Try that step by step.

Thank you Haqa for the programming. Great Work!

My situation was a bit unique, because our websites are programmed in Cold Fusion. Some time ago I programmed a database with users that have access to a secured website. The user data is held in a mssql database.

So I added some extra code to your script to authenticate those users against my "coldfusion" database too. On success it adds the user to the vBulletin. And I have both internal users using LDAP and external users using my other database.

It also handles password changes as well, although either LDAP or my SQL Database is the master.

Now if there were a method where I could pass the ColdFusion login credentials to the vBulletin Board, so it would be single sign-on, this would be my perfect scenario ;)

But thank you again. This is already great enough.

Regards
Charles

Blinker
06-29-2009, 02:07 PM
I want to allow some external users, but only the first one comes in. The others get a bad username/password message. Any ideas?

Thanks

https://vborg.vbsupport.ru/external/2009/06/5.png

john.parlane
07-06-2009, 03:29 AM
Hi Haqa

Great job on this plugin. I have got it working great on our 3.8.2 test vB installation with Active Directory no bother at all. :up:

I have a challenge in production however. Effectively we will need to search two 'Search Base DNs' as our users are split between two high level DN nodes. Is there any way I can tell the plugin to search two DNs? The admin panel appears to allow only one.

I don't want to set the Search Base DN to the level above the two DNs as this is effectively the root and will include masses of nodes that we are not interested in.

Any help would be greatly appreciated. :)

Thanks again
John.

Johnny G
07-07-2009, 01:58 PM
Hi - first post, newbie alert, etc.
I've taken over running a forum which has around 5000 members. Now, we've got an online shop (which isn't quite live yet) running on OSCommerce and I'm just in the process of putting Joomla! on the site.

Now, I know LDAP from work, but there's a wondering I've got about how this works.

Firstly, if I install this mod on a clean LDAP database, how can I import the 5000 usernames from the vBulletin installation?

Would I be correct in assuming that when a user logs in to the forum, the LDAP would be checked, then report no such user. Then vB would be queried and report a success - with the LDAP then taking in the information from vB.

... or have I got this completely wrong. If so, any pointers on how to get the users in the LDAP DB?

Thanks in advance!

Blinker
07-16-2009, 10:34 AM
Hi!

What could be the reason for this "creating/updating user" - error? Two of 1500 users get it after some weeks of normal use. I can't find any special configuration ....

https://vborg.vbsupport.ru/external/2009/07/19.png

Blinker
07-20-2009, 05:21 AM
Hi!

What could be the reason for this "creating/updating user" - error? Two of 1500 users get it after some weeks of normal use. I can't find any special configuration ....

https://vborg.vbsupport.ru/external/2009/07/19.png


I found the difference: the user gets a new e-mail address in our user-management-system ...

paul41598
07-28-2009, 03:31 PM
So I've finally gotten this to work! :) It took adding the OU to the search DN. Anyways, one issue I've noticed is that if I changed my test user's AD password or reset it from the AD Users & Computers my testuser can log in with both the OLD password and the NEW password.

So for some reason it still takes the old password and he's able to log in. So weird...

nsidcwww
08-17-2009, 08:35 PM
I am stuck with getting this MOD to work with 3.8.4. I have done the following:

1) Uploaded the hooks_ldap_auth.xml to the includes/xml directory.

2) Uploaded the hooks_ldap.xml (from the previous LDAPAuth for creating a hook in the /login.php file) to the includes/xml directory.

3) Imported this product via the Manage Product option in the vBulletin admin interface

4) Added the following line in the login.php file as instructed in the previous LDAPAuth module for creating a hook...

($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false;

after the following codes:

if ($vbulletin->GPC['vb_login_username'] == '')
{
eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}

5) Changed the following line in the global.php file....

$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates

to the following codes:

$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1; // this nees to be an int for the templates

The main configuration in the LDAP Authorization window that I am most confused about the LDAPBase DN, which I have configured as follows:

cn=nsidc,dc=colorado,dc=edu,ou=people

Any assistance with getting this to work would be great!

kamalrij
08-18-2009, 02:40 AM
We're using this plugin along with Full Name support for LDAP Auth (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=ldap_auth_fullname) plugin to connect to our corporate LDAP directory.

The official email ID of people in our company is to change from handle@company.com to firstname.lastname@company.com.

When people try to login after their email ID has changed they get the following error

vBulletin Message
Error creating/updating user
Array

Once the email ID updated to firstname.lastname@company.com from the admin control panel they are able to login.

Is there a way for it to be dynamically updated every time a user logs in through this plugin OR for the user to be allowed to login with his ldap credentials but reflecting his handle@company.com ID (i.e. for the authentication to work without the error mentioned earlier).
handle@company.com would be set as an alias to firstname.lastname@company.com on the mail servers so the email notifications would continue to work.

Thank you in advance
Kamal

nsidcwww
08-18-2009, 04:48 PM
Okay, so I got it working, somewhat...I basically added uid into the Naming Attribute field and now LDAP users are able to login, however, I get the following error message....

Error creating/updating user
Array

Now, what I did was the following:

1) Removed the hooks_ldap.xml

2) Removed the codes in the login.php file

3) Left the codes in the global.php file

4) Using the following LDAP settings:

HOST: My LDAP Server
LDAP PORT: 389
ANONYMOUS BIND: Yes
BIND DN: [Blank]
BIND PASSWORD: [Blank]
NAMING ATTRIBUTE: uid
SEARCH BASE DN: dc=colorado,dc=edu
LDAP ATTRIBUTES: cn=nsidc,ou=group,ou=people
DISABLE VBULLETIN USERS: Yes
ALLOW BUILT-IN ACCOUNTS: 1

I am so close, if anyone can assist me with overcoming this latest error, I would greatly appreciate it. :)

nsidcwww
08-18-2009, 05:40 PM
Okay, so I fixed it by changing the following setting:

NAMING ATTRIBUTE: uid

to the following:

NAMING ATTRIBUTE: mail

But I would like to use username/uid instead.

Any thoughts of getting that to work correctly?

Abe Koenghiem
08-26-2009, 04:35 PM
Haqa,

If you use a sniffer on the client's network port you see this.

POST /forum/login.php?do=login HTTP/1.1 (application/x-www-form-urlencoded)

vb_login_username=abek&vb_login_password=ThePlainTextPasswordOfAbeK&s=&securitytoken=guest&do=login&vb_login_md5password=dbfe6013c281e40468727267d7441951&vb_login_md5password_utf=dbfe6013c281e40468727267d7441951

Is there anyway to stop the contents of vb_login_password from being sent as plain text from the client PC to the server?

Other than this issue, this is a great mod.

---------------------------------
EDIT

The answer to my question seems to be to serve the pages from a https server.

I have it working, vB3.8.4
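
Added example, not from the post above and not part of the mod: a check a plugin can run before it touches vb_login_password, refusing the form when the request did not arrive over TLS. Serving the whole board over HTTPS is the real fix; this only stops a login that a user reached through an http:// link from handing an AD password to the directory in the clear. The trusted-proxy address is an assumption.

```php
<?php
// Added example (not the mod's or vBulletin's code). PHP 7.0+.
// TLS-terminating reverse proxies, if any, go here; the address is an assumption.
// Only these peers are believed when they claim X-Forwarded-Proto: https.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * True when the request reached PHP over TLS, or came through a trusted proxy
 * that terminated TLS. X-Forwarded-Proto from any other peer is ignored,
 * because any client can send that header.
 */
function login_transport_is_secure(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https' && in_array($peer, TRUSTED_PROXIES, true);
}

/**
 * Run at the start of the login plugin. Over plain HTTP the submitted secrets
 * (the clear-text password and the client-side MD5s) are scrubbed so nothing
 * later in the request can forward them to the directory, and the caller is
 * told to stop. Returns true when the login was rejected.
 */
function reject_insecure_login(array $server, array &$gpc): bool
{
    if (login_transport_is_secure($server)) {
        return false;
    }
    foreach (['vb_login_password', 'vb_login_md5password', 'vb_login_md5password_utf'] as $key) {
        $gpc[$key] = '';
    }
    http_response_code(403);
    error_log('ldap_auth: login over plain HTTP refused from ' . ($server['REMOTE_ADDR'] ?? '?'));
    return true;
}

// Usage inside the plugin (assumed hook context; $vbulletin->GPC holds the form):
// if (reject_insecure_login($_SERVER, $vbulletin->GPC)) { return; }
```

With LDAP authentication the client-side MD5 fields do not help: the directory needs the clear-text password, so that field is the credential and the transport has to protect it. Pair this with a permanent redirect to https:// and a Strict-Transport-Security header at the web server so the form itself is never served over HTTP.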

brandon515
09-08-2009, 09:02 PM
I just spent hours trying to get this mod to work. For anyone that is having problems, follow the directions for the mod, then:

Disable vBulletin Users: YES

Teamghost
09-11-2009, 12:39 PM
This quick fix resolved the issue related to the error around first login for the user.


:up: Yeap - this is missing for 3.8.4

great work

Thank you both

Abe Koenghiem
09-21-2009, 04:43 PM
I cannot delete a few users using admincp under vB3.8.4, PHP 5.2.9, MySQL 5.0.84
I receive no error, instead I always receive a 'Deleted User Successfully' message.
And the user is always still there.

The user does not show as banned, has no threads or posts, is not a moderator.
The pattern is: users created by admincp or through vB registration can be deleted.
Users created by logging in with LDAP authentication cannot be deleted, even after the LDAP mod is disabled, uninstalled, files removed and config.php changed back. These users also seem to be uneditable.

The only other mod is vBGallery.
And I am serving https pages to protect the LDAP passwords.
I have looked at the code and the XXXXXuser table without seeing anything.
My searches on un-deletable vB users do not turn up any clues.
The funny thing is other users delete just fine.
Any thoughts?

cschroeder1
09-28-2009, 06:34 PM
I have this plugin working beautifully with our active directory. my only objection is that since we do not allow anonymous BIND, in the LDAP options control panel after setup it continues to display the BIND password in plain text. We have more than one vBulletin admin, but they do not need to know the LDAP setup, and as far as I can tell, I can't restrict the LDAP Authentication options by individual admin, nor can I figure out how to have the LDAP control panel just display a blank box or dots, rather than the actual value for that parameter. Ideas anyone?

Praxis
10-02-2009, 06:28 PM
Okay, so I fixed it by changing the following setting:

NAMING ATTRIBUTE: uid

to the following:

NAMING ATTRIBUTE: mail

But I would like to use username/uid instead.

Any thoughts of getting that to work correctly?

If no one has told you, it should work using sAMAccountName, which gives you your Windows login account. If you have an account like john.smith, LDAP will see it as john smith; sAMAccountName tosses in the dot.

cvcheart
10-17-2009, 11:29 PM
After installing this product as listed in the instructions I don't believe it is working properly. The odd part is I receive no error messages. Everything looks to be correct in the LDAP settings. Anyone run into this before?

Do users still have to register or does it create the user automatically?

bkoeppel
11-02-2009, 04:09 AM
Hello,

I'm using this Addon with vBulletin 3.8.4. It basically works, but:
- I had to add another ldap_bind, because I can only fetch data with a proxy user. After the ldap_auth_start-Hook:
// Re-bind with the proxy user, because the normal user has no access.
// Bind (authenticated or anonymous, depending on settings)
if ($vbulletin->options['ldap_anon_bind']) {
    $ldap_bind = ldap_bind($ldapConnection);
} else {
    $ldap_bind = ldap_bind($ldapConnection, $vbulletin->options['ldap_bind_dn'], $vbulletin->options['ldap_bind_password']);
}

// LDAP bind did not succeed: wrong Bind DN/password combination in the configuration
if (!$ldap_bind) {
    ldap_close($ldapConnection);
    if ($vbulletin->options['ldap_disable_internal_users']) {
        process_logout();
        eval(standard_error("Failed to bind to LDAP directory (Initial bind)"));
    }
    return;
}

- whenever a user comes for the first time, or the first time after he changed his password in the LDAP database, he has no access. He sees: "You have entered an invalid username or password. Please press the back button, enter the correct details and try again.".
When he tries right again, the login works.
How could I fix that?


Anyway, great mod! Thanks.

Haqa
11-07-2009, 08:41 PM
We're using this plugin along with Full Name support for LDAP Auth (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=ldap_auth_fullname) plugin to connect to our corporate LDAP directory.

The official email ID of people in our company is to change from handle@company.com to firstname.lastname@company.com.

When people try to login after their email ID has changed they get the following error

vBulletin Message
Error creating/updating user
Array

Once the email ID updated to firstname.lastname@company.com from the admin control panel they are able to login.

Is there a way for it to be dynamically updated every time a user logs in through this plugin, OR for the user to be allowed to log in with his LDAP credentials but reflecting his handle@company.com ID (i.e. for the authentication to work without the error mentioned earlier)?
handle@company.com would be set as an alias to firstname.lastname@company.com on the mail servers so the email notifications would continue to work.

Thank you in advance
Kamal

The issue here is that the one thing which must not change is the users' email addresses.

You will have to manually update the email address for each account, I'm afraid...

H.

ysam
12-28-2009, 07:12 PM
Hi guyz,

Any chance of getting this to work in vb4?

ysam
12-29-2009, 09:07 PM
Ok so I am the first to report it works in vb4pl1.

Only problem is

Error creating/updating user
Array


but works ok if you do remove the mysql_real_escape_string() function in

WHERE LOWER(email) = LOWER('".mysql_real_escape_string($userData[0]['mail'][0])."')");


Will Test Further....

Nice work and congrats.

chri55555
12-31-2009, 01:15 PM
Hi Ho, this is Chris.

I am also implementing this in VBB4 right now .....

let's get dirty :)

UPDATE: Ldap_Auth is working now BUT:

If a user is NOT in the LDAP it will not get generated :(
Is there a way to generate Users in LDAP from Existing Account data in VBB?
We want LDAP for Moodle and OTRS Integration SingleSignOn - so we need all Usernames with PWDs in LDAP.
( I wanted to export the UserPasswords direct via batch in LDIF BUT the salting prevents me from doing so ... )

Please give me a hint on the right direction,

Chris

Haqa
01-04-2010, 11:46 AM
Ok so I am the first to report it works in vb4pl1.

Only problem is



but works ok if you do remove the mysql_real_escape_string() function in


Will Test Further....

Nice work and congrats.

Removing that will bite you the first time someone has a character in their email which PHP or MySQL consider significant. We, for example, had a user whose email address contained a single quote (Their name was something like Fred O'Flintstone or something, so the brain-dead windows AD made their email address fred.o'flintstone or something disturbingly similar!!).

YMMV...

Many thanks to all who have taken this and made such progress including getting it to work on 4.0, I'd expected that not to be possible... Well done all!

H.
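
Added example, not Haqa's and not the mod's code: the lookup of an existing account by the email address read from LDAP, done with a mysqli prepared statement rather than a string-built query, so an address containing a single quote (the O'Flintstone case above) neither breaks the query nor changes what it matches. Inside vBulletin the mod goes through $vbulletin->db, whose escape_string is the in-board equivalent; the table prefix and connection parameters here are assumptions.

```php
<?php
// Added example (not the mod's code). PHP 7.1+, ext/mysqli.
const VB_TABLE_PREFIX = 'vb_'; // assumption; inside vBulletin use TABLE_PREFIX

/**
 * Find the board account whose email matches $email case-insensitively.
 * Returns ['userid' => int, 'username' => string, 'email' => string] or null.
 * The value is bound as a parameter, never spliced into the SQL, so quotes,
 * backslashes and '%' inside it are data and nothing else.
 */
function find_user_by_email(mysqli $db, string $email): ?array
{
    $email = trim($email);
    // A missing LDAP 'mail' attribute must not match accounts whose email
    // column is empty, or the wrong account gets "updated".
    if ($email === '' || strlen($email) > 254 || strpos($email, '@') === false) {
        return null;
    }

    $sql  = 'SELECT userid, username, email FROM ' . VB_TABLE_PREFIX . 'user'
          . ' WHERE LOWER(email) = LOWER(?) LIMIT 2';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($userid, $username, $dbEmail);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['userid' => (int)$userid, 'username' => $username, 'email' => $dbEmail];
    }
    $stmt->close();

    // Two accounts sharing one address is an ambiguity, not a match.
    return count($rows) === 1 ? $rows[0] : null;
}

// Usage (connection parameters are assumptions):
// $db   = new mysqli('localhost', 'vb', 'secret', 'forum');
// $user = find_user_by_email($db, "fred.o'flintstone@example.com");
```

The LIMIT 2 plus the count check is deliberate: if two board accounts carry the same address, silently updating the first one found would merge two identities on the strength of a directory attribute.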

FFSBC
03-15-2010, 07:35 PM
Installed as directed and worked first try without modification. Authenticating against server 2003 AD. :)

john.parlane
04-01-2010, 12:04 AM
We're finding that the 'remember me' tick box is not working. The cookie is not being set correctly so that when the user comes back they have to re-enter their login each time.

Is anybody else getting this?

Currently working on a fix...

cowbert
05-21-2010, 02:33 AM
Removing that will bite you the first time someone has a character in their email which PHP or MySQL consider significant. We, for example, had a user whose email address contained a single quote (Their name was something like Fred O'Flintstone or something, so the brain-dead windows AD made their email address fred.o'flintstone or something disturbingly similar!!).

YMMV...

Many thanks to all who have taken this and made such progress including getting it to work on 4.0, I'd expected that not to be possible... Well done all!

H.

Here is the fixup:

You need to use the new-style object call to escape the chars, don't use the php external function(s) (particularly because people may be using mysqli and so forth)

Replace all instances of "mysql_real_escape_string()" with:

$vbulletin->db->escape_string(htmlspecialchars_uni(

This is how functions_login.php makes the call, so should you...

john.parlane
05-21-2010, 02:55 AM
We're finding that the 'remember me' tick box is not working. The cookie is not being set correctly so that when the user comes back they have to re-enter their login each time.

Is anybody else getting this?

Currently working on a fix...

Have implemented fix for this, as shown below. The code expands on the "if ($newuser->errors)" statement right at the end.

The problem was that after the user is saved with "$newuser->save()" the cookie salt is changed and the password rehashed in the database. The cookie then doesn't match it. The fix is to simply recreate the cookie by getting and rehashing the DB password.

Have also implemented jaikumarm's fix for the first time login issue here.

if ($newuser->errors) {
    process_logout();
    // $newuser->errors is an array; concatenating it directly prints the literal word "Array"
    eval(standard_error("Error creating/updating user<br/>".implode('<br/>', $newuser->errors)));
} else {
    $newuserid = $newuser->save();

    // Saving the user (above) rehashes the password in the DB, so the cookie password
    // must be updated too, or the 'remember me' login option will fail.
    $dbuserinfo = $vbulletin->db->query_first_slave("SELECT password FROM vbull.user WHERE username = '$username'");
    if ($dbuserinfo) {
        $db_hashed_pwd = $dbuserinfo['password'];
        $cookie_hashed_pwd = md5($db_hashed_pwd.COOKIE_SALT);
        vbsetcookie('password', $cookie_hashed_pwd);
    }

    // The following code fixes a hook timing issue with this plugin that results in users
    // being told their login credentials are wrong the first time they log in with LDAP credentials.
    verify_authentication($username, $passwd, $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
    exec_unstrike_user($username);
    process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
    do_login_redirect();
}

Note that $username needs to be set at the top of the script, along with $passwd, with:

$username = $vbulletin->GPC['vb_login_username'];
$passwd = $vbulletin->GPC['vb_login_password'];

And I removed the following line (118) which doesn't seem to do anything useful:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

cowbert
05-21-2010, 01:59 PM
Have implemented fix for this, as shown below. The code expands on the "if ($newuser->errors)" statement right at the end.

The problem was that after the user is saved with "$newuser->save()" the cookie salt is changed and the password rehashed in the database. The cookie then doesn't match it. The fix is to simply recreate the cookie by getting and rehashing the DB password.

Have also implemented jaikumarm's fix for the first time login issue here.

if ($newuser->errors) {
    process_logout();
    // $newuser->errors is an array; concatenating it directly prints the literal word "Array"
    eval(standard_error("Error creating/updating user<br/>".implode('<br/>', $newuser->errors)));
} else {
    $newuserid = $newuser->save();

    // Saving the user (above) rehashes the password in the DB, so the cookie password
    // must be updated too, or the 'remember me' login option will fail.
    $dbuserinfo = $vbulletin->db->query_first_slave("SELECT password FROM vbull.user WHERE username = '$username'");
    if ($dbuserinfo) {
        $db_hashed_pwd = $dbuserinfo['password'];
        $cookie_hashed_pwd = md5($db_hashed_pwd.COOKIE_SALT);
        vbsetcookie('password', $cookie_hashed_pwd);
    }

    // The following code fixes a hook timing issue with this plugin that results in users
    // being told their login credentials are wrong the first time they log in with LDAP credentials.
    verify_authentication($username, $passwd, $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
    exec_unstrike_user($username);
    process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
    do_login_redirect();
}

Note that $username and $passwd need to be set up at top of script with:

$username = $vbulletin->GPC['vb_login_username'];
$passwd = $vbulletin->GPC['vb_login_password'];

And I removed the following line (118) which doesn't seem to do anything useful:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

Remember to use the generic TABLE_PREFIX consts. I would recommend against setting new aliased variables; it only saves typing, and then you have to add additional doco like you do. Just stick with $vbulletin->GPC[]. (Btw $passwd is already assigned on line 30, and $vbulletin->GPC['vb_login_password'] is cleared for safety). And don't forget to $vbulletin->db->escape_string either...

john.parlane
05-23-2010, 10:07 PM
Yep agreed, these are all things you could do to make it more robust.

Teamghost
06-23-2010, 09:01 AM
My users try to get the password - I thought this was disabled with the
define('DISABLE_PASSWORD_CLEARING', 1);
in the config file. How can I disable this function for LDAP users?

'Disable vBulletin Users' is No - I think this is related to this problem.

I'm using 3.8.4 and ldap 1.5 with the 'first logIn' fix

fth
07-16-2010, 04:54 PM
Thanks for such a great plugin, easy to use. Has anyone tried to transfer date of birth and avatar from LDAP to vBulletin? This plugin only transfers email, username and password.

thanks.

fth
07-17-2010, 05:04 AM
The issue here is that the one thing which must not change is the users' email addresses.

You will have to manually update the email address for each account, I'm afraid...

H.

Has anyone fixed this problem? If an LDAP user changes their email address in LDAP and then tries to log in again it says
Error creating/updating user
Array

vb 4.02

fth
07-28-2010, 08:54 AM
Is there anyone who can help me with how to set the language for this plugin? Some non-English characters in the location don't appear properly, if at all. Thanks

jjuarez
09-24-2010, 03:36 PM
Hi, has anyone made LDAP work on vB 4.0.7?

I followed the install instructions, but when I try to log in with a valid AD user, it displays a "500 Internal Server Error" page.

Please help me...

Thanks a lot.

jjuarez

ginab143
09-28-2010, 06:16 PM
Hi, has anyone made LDAP work on vB 4.0.7?

I followed the install instructions, but when I try to log in with a valid AD user, it displays a "500 Internal Server Error" page.

Please help me...

Thanks a lot.

jjuarez

I really need help as well. All I get is a blank page with this in the address field: http://hostname/login.php?do=login

No errors or anything else. I know I have the LDAP connections setup properly because I have other apps that I connect with LDAP that use the same parameters.

I haven't made any mods to the code that I see others talking about. If someone could provide a little direction I can figure it out from there.

Thanks

Abe Koenghiem
09-28-2010, 06:30 PM
I really need help as well. All I get is a blank page with this in the address field: http://hostname/login.php?do=login

When I get blank pages it is usually caused by permissions problems. If you are using apache then the user you configured in the httpd.conf file (usually apache) must have permission to read the vBulletin files. There may be a better explanation of this on the board somewhere, if someone knows, please post a link.

If this is the cause; then it is just a webserver configuration problem and not a problem with LDAP or this mod.

Good luck ginab143

ginab143
09-29-2010, 02:32 PM
When I get blank pages it is usually caused by permissions problems. If you are using apache then the user you configured in the httpd.conf file (usually apache) must have permission to read the vBulletin files. There may be a better explanation of this on the board somewhere, if someone knows, please post a link.

If this is the cause; then it is just a webserver configuration problem and not a problem with LDAP or this mod.

Good luck ginab143
Thanks for the suggestion Abe. I played with this all day yesterday and couldn't get it to work. I get the 500 error on IE and blank on FF. I'm hosting this on an in-house 2003 IIS server to 2003 AD. I tried adding full permissions on the files, playing around with the IIS security, tried the mods from some of these posts... Nada. If there is anywhere else I should look at permissions I would love to know.

I can also connect over ldap from the command line using the same credentials so I know it is not a host connection issue. I just don't get it. I was really hoping to use ldap because I want to use VB as the front end for my end users. If they have to remember another password I may be in trouble. :eek:

If anyone else has any ideas I'm all ears.

Thanks

jjuarez
10-01-2010, 01:48 PM
Hi, the error 500 was because I didn't have LDAP support in my PHP installation.

Just install or reinstall PHP with LDAP support and this resolves the blank page.

Now, is there some way to debug the LDAP connection? Because I configured the LDAP settings and when I try to authenticate with a valid Active Directory user, it only says that I entered an invalid username or password.

Thanks a lot

ginab143
10-03-2010, 05:22 AM
Hi, the error 500 was because I didn't have LDAP support in my PHP installation.

Just install or reinstall PHP with LDAP support and this resolves the blank page.

Now, is there some way to debug the LDAP connection? Because I configured the LDAP settings and when I try to authenticate with a valid Active Directory user, it only says that I entered an invalid username or password.

Thanks a lot
Thank you for this. I didn't realize I had installed php without the ldap feature. PHP info always showed that I had LDAP when I checked it. I reinstalled PHP and setup fastcgi again.

I have the same behavior as you, "You have entered an invalid username or password". I had been receiving an error that the initial bind failed, but now I don't even receive this error.

phpdweeb
10-27-2010, 06:56 PM
Attached are the cumulative changes/updates for product-ldap_auth-1.5.xml provided by cowbert and john.parlane for running in version 4 so you don't have to update it by hand yourself. Thanks to all who have made this possible!

Also, make sure you install the php-ldap package via yum if you are running Linux, and then restart your apache server after you've installed it.
e.g.
> yum install php-ldap
> restart apache

Cheers,
Jim

phpdweeb
10-28-2010, 02:12 PM
changed vbull.user to forum.user in the user database query lookup so it will properly look up existing users

ginab143
11-11-2010, 07:35 PM
Attached are the cumulative changes/updates for product-ldap_auth-1.5.xml provided by cowbert and john.parlane for running in version 4 so you don't have to update it by hand yourself. Thanks to all who have made this possible!

Also, make sure you install the php-ldap package via yum if you are running Linux, and then restart your apache server after you've installed it.
e.g.
> yum install php-ldap
> restart apache

Cheers,
Jim
Thank you so much! I finally got this working, but now I'm not sure if it was from your code change or how I set it up this time. I was still getting the LDAP bind errors when I tried the changed code. After trying more settings I finally got it working by pointing the base DN at an OU first. OU=ou name,DC=domain,DC=domain,DC=org. Not sure if I had tried that in the past or not because I tried so many, many combinations. Unfortunately, it will ONLY work by pointing to an OU. If I try the root of the domain it won't bind. DC=domain,DC=forest domain,DC=org. I was hoping to point to the root of my domain or even the root of the forest because I may end up having to allow logins from other domains. The way it is right now I have to exclude the IT department from ldap logins so that I can point to our users OU. If you have any ideas on how I can get it working by pointing to the root I will be very grateful. Regardless, thank you for putting this up. I can't tell you how many hours I've put into trying this mod and a few others for ldap authentication.

Big thanks,
Gina

Dwayne
02-14-2011, 07:14 PM
I'm having issues getting this working with our setup.

vBulletin 3.8.2
Openldap (linux debian)
php 5
product-ldap_auth-1.5.xml

It is binding ok, but setting Naming Attribute to what we use in the OU - "uid" it isn't picking up the username.

Full Name Support for LDAP Auth - seems to work, using the same username on vbulletin database as it is in the ldap database.

Just can't log in with users using LDAP auth details; also the mod isn't disabling vBulletin users.

Raun
02-18-2011, 01:43 AM
changed vbull.user to forum.user in the user database query lookup so it will properly look up existing users

With this version do we need to do the edit to config.php or global.php to add

define('DISABLE_PASSWORD_CLEARING', 1);

Also: do any other edits need to be made?

How can I make any errors with this output to a log? I would like to better diagnose my failures.

kpatten
04-12-2011, 03:30 PM
There is a lot of good information scattered around this thread for connecting this plugin to Active Directory. In the interest of making things a bit more clear, here are the additional steps required for connecting to Active Directory:

Active Directory:
You need a user to query Active Directory

Firewall:
Don't forget to open firewall ports for authentication if you are working with a DMZ or the like.

LDAP Authentication Settings in vBulletin:
Anonymous Bind: No
Bind DN: <Domain>\<Username>
Naming Attribute: sAMAccountName
Search Base DN: OU=<Whatever>,DC=<your_domain>,DC=<your_domain_tld>
LDAP Attributes: fullName, mail, sAMAccountName

Some points to keep in mind:
1. This plugin doesn't seem to work if your Search Base DN begins with a DN in AD. You must have your search base begin with an OU. This means that if you have multiple OU's at the top level of AD that contain users, you may have a problem.
2. The Bind DN should be passed in the format shown above.
3. Make sure to download product-ldap_auth-1.5_vb4.xml found in this thread, not the one from Haqa's original post. This version contains patches needed for vBulletin 4.
4. The product-ldap_auth-1.5_vb4.xml code attached to this post has a change so that you do not have to specify your DB name:

$dbuserinfo = $vbulletin->db->query_first_slave("SELECT password FROM ".TABLE_PREFIX."user WHERE username = '".$vbulletin->db->escape_string(htmlspecialchars_uni($username))."'");

5. WARNING: If you aren't running vBulletin over SSL, you will be passing your Active Directory usernames and passwords in clear text.

Anything else?

Thanks,

Kirk.
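
Added example, not the mod's code: the whole directory side in one stand-alone PHP function, covering bkoeppel's proxy re-bind earlier in the thread, the Active Directory settings Kirk lists, the searches from the domain root that ginab143 and Kirk found failing, and the "where do the errors go" question from Raun and jjuarez. It is written against PHP's ext/ldap (PHP 7.1+). The URI, base DN, service account, naming attribute and the attribute list are assumptions, not values from this thread.

```php
<?php
// Added example (not the mod's code). PHP 7.1+ with ext/ldap.
// Every constant below is an assumption made for the example.
const LDAP_URI         = 'ldaps://dc1.example.com';                 // or ldap:// + StartTLS (handled below)
const LDAP_BASE_DN     = 'DC=example,DC=com';                        // domain root works once referrals are off
const LDAP_SERVICE_DN  = 'CN=vb-ldap,OU=Service,DC=example,DC=com';  // read-only proxy account (AD also takes DOMAIN\user)
const LDAP_SERVICE_PW  = 'change-me';                                 // belongs in config, not in code
const LDAP_NAMING_ATTR = 'sAMAccountName';                            // 'uid' on OpenLDAP
const LDAP_USER_ATTRS  = ['mail', 'displayName', 'memberOf'];

/** Log the directory's own error text to the server log, never to the browser. */
function ldap_log_failure($conn, string $context): void
{
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    error_log(sprintf('ldap_auth: %s: %s %s', $context, ldap_error($conn), $diag));
}

/** Values of one attribute from an ldap_get_entries() entry, minus the 'count' key. */
function ldap_values(array $entry, string $attr): array
{
    $vals = $entry[strtolower($attr)] ?? [];
    unset($vals['count']);
    return array_values($vals);
}

/**
 * Verify $username/$password against the directory. Returns
 * ['dn', 'mail', 'displayname', 'memberof' => [...]] on success, null on any failure.
 */
function ldap_authenticate(string $username, string $password): ?array
{
    // Before any bind: RFC 4513 makes a simple bind with a DN and an EMPTY
    // password an anonymous bind, and many servers answer it with "success".
    if ($username === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // AD answers a search from the domain root with referrals to its other
    // partitions; with chasing on, ext/ldap turns that into a failed search.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // A simple bind over plain ldap:// sends both passwords in clear text.
    if (strncmp(LDAP_URI, 'ldap://', 7) === 0 && !@ldap_start_tls($conn)) {
        ldap_log_failure($conn, 'StartTLS failed');
        ldap_unbind($conn);
        return null;
    }

    // 1. Bind as the proxy account and locate the user's entry. The login name
    //    is escaped so "*", "(", ")" or "\" in it cannot rewrite the filter.
    if (!@ldap_bind($conn, LDAP_SERVICE_DN, LDAP_SERVICE_PW)) {
        ldap_log_failure($conn, 'service bind failed');
        ldap_unbind($conn);
        return null;
    }
    $filter  = sprintf('(%s=%s)', LDAP_NAMING_ATTR, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, LDAP_BASE_DN, $filter, LDAP_USER_ATTRS, 0, 2); // sizelimit 2 exposes duplicates
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        $n = ($entries === false) ? 'error' : $entries['count'];
        ldap_log_failure($conn, "lookup of '$username' returned $n entries");
        ldap_unbind($conn);
        return null;
    }
    $entry = $entries[0];

    // 2. Bind as the user: this, and nothing else, checks the password.
    if (!@ldap_bind($conn, $entry['dn'], $password)) {
        ldap_log_failure($conn, "user bind failed for {$entry['dn']}");
        ldap_unbind($conn);
        return null;
    }
    ldap_unbind($conn);

    // The attributes were already read in step 1 under the proxy bind, so the
    // second proxy bind bkoeppel had to add after the user bind is not needed.
    return [
        'dn'          => $entry['dn'],
        'mail'        => ldap_values($entry, 'mail')[0] ?? null,
        'displayname' => ldap_values($entry, 'displayName')[0] ?? null,
        'memberof'    => ldap_values($entry, 'memberOf'),
    ];
}
```

Drop-in use from the plugin is `$ldapUser = ldap_authenticate($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password']);`, then create or update the board account from the returned array. Two points are easy to miss. The empty-password check has to run before the user bind: a simple bind with a DN and no password is an anonymous bind, and a server that allows anonymous binds reports it as success, which would let anyone log in as any directory user with a blank password. And LDAP_OPT_REFERRALS set to 0 is the usual reason a Search Base DN at the domain root starts working against AD; without it the referrals AD returns for its other partitions make ext/ldap report the search as failed, which is why an OU-level base DN "works" and DC=...,DC=... does not.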

DarkLord7854
07-07-2011, 10:05 PM
Awesome plugin, one request though, how can I set it to give the LDAP users specific usergroup(s) by default?

Jimbot
09-06-2011, 04:59 AM
Okay so I needed to use this for a setup that we have using Active Directory. Kirk's (KPatten) version was great, but being a hacker at heart I tweaked it. I thought I'd share this with the community as a way to say thanks. All the caveats and instructions that Kirk gave in post 127 (https://vborg.vbsupport.ru/showpost.php?p=2183860&postcount=127) still apply.

Differences:

Option to update the username of existing vbulletin users. I believe this is how it was supposed to work, but it didn't for me
New database field on user table to store which users are LDAP users, and provides an option to prevent access when those users are removed from AD
Lots of debug messages (I found this VERY helpful), with an option to disable. (requires includes\devtools.php I got this from here (https://vborg.vbsupport.ru/showthread.php?t=151288))
Puts LDAP 'displayname' into user field5 (I've found this to be a pretty common place to put a user's display name, although arguably I should have used the extension points as originally intended)
Puts LDAP 'title' into user field4 (This is "occupation" in my install)
I set the minimum version to 4.1.5 - this is because I haven't tested it on anything older, but there's every chance that it will work on whichever system Kirk's works on. Please let me know if this is the case, and I'll update the files here.
Puts an entry into the user table to indicate if they're an ldap user or not - this requires a new column to be created in the user table: 'ldap'. This is done by the install code for the product. This allows the system to disable users who have since been disabled by ldap, while still allowing external users to use the system.


For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.

jugbugs
10-07-2011, 06:48 AM
Okay so I needed to use this for a setup that we have using Active Directory. Kirk's (KPatten) version was great, but being a hacker at heart I tweaked it. I thought I'd share this with the community as a way to say thanks. All the caveats and instructions that Kirk gave in post 127 (https://vborg.vbsupport.ru/showpost.php?p=2183860&postcount=127) still apply.

Differences:

Option to update the username of existing vbulletin users. I believe this is how it was supposed to work, but it didn't for me
New database field on user table to store which users are LDAP users, and provides an option to prevent access when those users are removed from AD
Lots of debug messages (I found this VERY helpful), with an option to disable. (requires includes\devtools.php I got this from here (https://vborg.vbsupport.ru/showthread.php?t=151288))
Puts LDAP 'displayname' into user field5 (I've found this to be a pretty common place to put a user's display name, although arguably I should have used the extension points as originally intended)
Puts LDAP 'title' into user field4 (This is "occupation" in my install)
I set the minimum version to 4.1.5 - this is because I haven't tested it on anything older, but there's every chance that it will work on whichever system Kirk's works on. Please let me know if this is the case, and I'll update the files here.


For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.

I followed this process and am getting...

Fatal error: Call to undefined function ldap_connect() in D:\www\vhosts\localhost\includes\functions.php(7038) : eval()'d code on line 36

I am assuming this means I do not have ldap enabled for PHP... any thoughts on an easy way to "add" LDAP to an existing install? What specifically needs to be included and where?

Jimbot
10-14-2011, 04:15 AM
I followed this process and am getting...

Fatal error: Call to undefined function ldap_connect() in D:\www\vhosts\localhost\includes\functions.php(7038) : eval()'d code on line 36

I am assuming this means I do not have ldap enabled for PHP... any thoughts on an easy way to "add" LDAP to an existing install? What specifically needs to be included and where?

I've not got that error, but I have the LDAP extension for PHP installed. You can check the status of ldap through the vbulletin admincp->Maintenance->PHP info. There's a whole section devoted to ldap in mine.

I run on Windows, so installing LDAP support for PHP was simply an option I chose in the PHP installer (under 'extensions' if I recall correctly).

Good luck!

roarkh
11-22-2011, 07:56 PM
I am new to vBulletin so this is all new to me. I just installed the LDAP Authentication plugin referenced in this thread and for the most part it seems to be working just fine. However, I have a question. I have logged in as two different users from our LDAP server and vBulletin did indeed allow them to login and did create user accounts for them. However, I noticed that for some reason the "Primary Usergroup" for both of those users was set by default to "Super Moderators". It seems to me that they should be set to "Registered Users" instead.

If I go into the vbulletin admin panel and manually add a user the default settings does seem to be "Registered Users".

Is there any way to tell the LDAP Authentication plugin that new users should be created as "Registered Users" instead of "Super Moderators"?

Thanks in advance.

Jimbot
11-22-2011, 10:26 PM
Is there any way to tell the LDAP Authentication plugin that new users should be created as "Registered Users" instead of "Super Moderators"?


Yes, but you'll need to edit the plugin source, as this option hasn't been added to the LDAP settings.

If you're using my version, from the post above, you'll need to edit line 193 of the plugin, shown in the snip below. The line that sets the usergroupid to 5 makes the new user a supermoderator. The 'Registered users' group has a usergroupid of 2 (at least it does in mine). So change the 5 to a 2, and that should resolve the issue. The usergroup IDs can be found in Usergroup manager in the admin control panel.


($debug = $debug ) ? print_log("New user. Creating with info from ldap") : false;
$newuser->set('email', strtolower($userData[0]['mail'][0]));
$newuser->set('username', $vbulletin->GPC['vb_login_username']);
---> $newuser->set('usergroupid', 5);
$newuser->set_bitfield('options', 'adminemail', true);
$newuser->set_bitfield('options', 'emailonpm', true)


Hope this helps!

roarkh
11-22-2011, 10:36 PM
I am new to vBulletin so this is all new to me. I just installed the LDAP Authentication plugin referenced in this thread and for the most part it seems to be working just fine. However, I have a question. I have logged in as two different users from our LDAP server and vBulletin did indeed allow them to login and did create user accounts for them. However, I noticed that for some reason the "Primary Usergroup" for both of those users was set by default to "Super Moderators". It seems to me that they should be set to "Registered Users" instead.

If I go into the vbulletin admin panel and manually add a user the default settings does seem to be "Registered Users".

Is there any way to tell the LDAP Authentication plugin that new users should be created as "Registered Users" instead of "Super Moderators"?

Thanks in advance.
Well, I did some digging through the module code (version 1.5.1_vb4) and noticed this on line 199.
$newuser->set('usergroupid', 5);
I changed the above to the following and reinstalled the addon.
$newuser->set('usergroupid', 2);
And now the default usergroup is Registered Users instead of Super Moderators. I'm wondering if this should not be the default behavior?

Thank you.

roarkh
11-22-2011, 10:41 PM
Yes, but you'll need to edit the plugin source, as this option hasn't been added to the LDAP settings.

If you're using my version, from the post above, you'll need to edit line 193 of the plugin, shown in the snip below. The line that sets the usergroupid to 5 makes the new user a supermoderator. The 'Registered users' group has a usergroupid of 2 (at least it does in mine). So change the 5 to a 2, and that should resolve the issue. The usergroup IDs can be found in Usergroup manager in the admin control panel.


($debug = $debug ) ? print_log("New user. Creating with info from ldap") : false;
$newuser->set('email', strtolower($userData[0]['mail'][0]));
$newuser->set('username', $vbulletin->GPC['vb_login_username']);
---> $newuser->set('usergroupid', 5);
$newuser->set_bitfield('options', 'adminemail', true);
$newuser->set_bitfield('options', 'emailonpm', true);


Hope this helps!
Thanks for your response, apparently I was posting the solution I found to this at the same time you were answering me so I didn't see your post until I completed mine. Clearly we are both on the same track and that indeed did fix my problem.

Thanks again.

Jimbot
11-22-2011, 11:21 PM
And now the default usergroup is Registered Users instead of Super Moderators. I'm wondering if this should not be the default behavior?


Perhaps you are right. For my setup, though, by default LDAP users are considered 'trusted', and members using internal VB authentication are not. So all LDAP users are granted the super mod privileges.

What we really should do is make it a config setting.

Not sure when I'll get time to do this....

rguser
11-26-2011, 04:53 PM
I didn't have any luck with using the original set_userfields method. The aforementioned code had:
$newuser->set_userfields($userFields);

It worked when I switched it to this:
$newuser->set_userfields($userFields, true, 'admin');

I think it's because the account I was testing was my own account which was promoted to administrator.

Has anyone conceived of the idea or attempted setting the username to the LDAP 'displayname' or 'givenname' and 'sn' while allowing the user to both login and authenticate using their LDAP credentials? ie, login as: jdoe, but username is set to John Doe so that all posts, member list, user profile and all show John Doe. My forum is internal, consists only of LDAP users all on the same domain and I've disabled registration since the LDAP auth code can create a new user. I've made a user profile field set to displayname but if I don't have to go through and modify the template to show the displayname userfield in lieu of username, that would be awesome.

Unless it's easier now to modify the template using the built-in search/replace? Suggestions or ideas?

jugbugs
12-08-2011, 11:08 PM
I've not got that error, but I have the LDAP extension for PHP installed. You can check the status of ldap through the vbulletin admincp->Maintenance->PHP info. There's a whole section devoted to ldap in mine.

I run on Windows, so installing LDAP support for PHP was simply an option I chose in the PHP installer (under 'extensions' if I recall correctly).

Good luck!

This worked perfectly... thank you

jugbugs
12-08-2011, 11:18 PM
I have another question, which is php related.

I have this plugin (vb4 version) and it is working, however, I cannot get the "Allow Built-in Accounts" (ldap_allow_builtin) setting to work when putting in a comma separated list. If I only have one userid in this setting it works for that user only, which leads me to believe this is an easy solution. Given the fact that I am php retard, the answer is not glaringly obvious, therefore, I will summarize what I know in hopes someone can help me.

In the product xml, this variable (setting) is defined as follows:

<setting varname="ldap_allow_builtin" displayorder="100">
<datatype>free</datatype>
<defaultvalue>1</defaultvalue>
</setting>

The piece of code that I believe to be broken that uses this variable is:


//if login is on the list of allowed logins, don't use ldap authentication
$userid = $vbulletin->db->query_first_slave("
SELECT userid
FROM ".TABLE_PREFIX."user
WHERE userid in ('".$vbulletin->db->escape_string(htmlspecialchars_uni($vbulletin->options['ldap_allow_builtin']))."')
AND username = '".$vbulletin->db->escape_string(htmlspecialchars_uni($vbulletin->GPC['vb_login_username']))."'");
if ($userid) {
($debug = $debug ) ? print_log("user on the non-ldap list. " . $vbulletin->GPC['vb_login_username'] . " with id: ". implode(",",$userid)) : false;
return;
}

So, what is wrong with the php code that is not searching "ldap_allow_builtin" as if it is an array?

Thanks.
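
The problem in the query quoted above is that the whole setting ends up inside one pair of quotes, so MySQL compares userid with the string '1,7,42' and only the leading number ever matches. The following is an added example, not the plugin's own code: it turns the free-text ldap_allow_builtin value into a list of integers and builds the IN (...) clause from that. The table prefix and the pre-escaped username are assumptions standing in for vBulletin's TABLE_PREFIX and escape_string() output.

```php
<?php
// Added example, not code from the LDAP Authentication plugin. Parses the
// "Allow Built-in Accounts" setting (a comma-separated list typed by the
// admin, e.g. "1, 7,42") into integers and builds a safe IN (...) clause.

/**
 * Parse a comma-separated list of user IDs into unique positive integers.
 * Anything that is not a positive integer is dropped, so the result can be
 * interpolated into SQL without quoting or escaping.
 */
function ldap_builtin_userids($setting)
{
    $ids = array();
    foreach (explode(',', (string) $setting) as $part) {
        $part = trim($part);
        if ($part !== '' && preg_match('/^[0-9]+$/', $part) && (int) $part > 0) {
            $ids[(int) $part] = true;   // keyed by id to dedupe
        }
    }
    return array_keys($ids);
}

/**
 * Build the lookup query used to decide whether a login bypasses LDAP.
 * $escaped_username must already have been run through the database layer's
 * escape_string(). $table_prefix stands in for vBulletin's TABLE_PREFIX
 * (assumption). Returns null when the list is empty, because "IN ()" is a
 * syntax error in MySQL and the caller should simply skip the check.
 */
function ldap_builtin_query($setting, $escaped_username, $table_prefix = '')
{
    $ids = ldap_builtin_userids($setting);
    if (count($ids) === 0) {
        return null;
    }
    return "SELECT userid FROM {$table_prefix}user"
         . " WHERE userid IN (" . implode(',', $ids) . ")"
         . " AND username = '{$escaped_username}'";
}

// Constructed sample input: stray spaces, a duplicate, junk and a negative id.
$setting = " 1, 7 ,42, abc, 7, -3 ";
print_r(ldap_builtin_userids($setting));
echo ldap_builtin_query($setting, 'admin', 'vb_'), "\n";
```

With that input the parser keeps 1, 7 and 42 and the query reads WHERE userid IN (1,7,42). Inside the plugin the same thing is done by replacing the quoted `userid in ('...')` clause with `userid IN (" . implode(',', ldap_builtin_userids($vbulletin->options['ldap_allow_builtin'])) . ")` after checking that the list is not empty. Note that htmlspecialchars_uni() is an output-encoding function and does nothing useful for a value going into SQL; escape_string() on the username is the layer that matters there.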

alexm
01-24-2012, 10:32 PM
For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.


Thanks to everyone for their excellent work!

I have successfully implemented the above version on vBulletin 4.1.10

With regard to this problem:


1. This plugin doesn't seem to work if your Search Base DN begins with a DN in AD. You must have your search base begin with an OU. This means that if you have multiple OUs at the top level of AD that contain users, you may have a problem.


I have managed to get ldap_search to properly recurse through the sub-OUs on a Server 2008 DC running in 2008/2003 mixed mode by doing the following:

After:
// Enable LDAP version 3
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);

Add:
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);

Now if I set the Base DN to DC=domain,DC=com it will find users in all OUs in the domain.

Hope this helps someone

Alex
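
The referral option above fixes the symptom described in point 1. For anyone wiring this up by hand, the following is an added example and not the plugin's code: a minimal AD bind-and-lookup that applies the same LDAP_OPT_REFERRALS setting and adds the checks an LDAP login path needs (a rejected empty password, an escaped search filter, and a second bind as the user). The server URI, bind account, base DN and sample user are placeholders, not values from this thread; it needs PHP 5.6 or later for ldap_escape() and a reachable DC to actually run.

```php
<?php
// Added example, not code from the LDAP Authentication plugin. Server, bind
// account, base DN and the sample user below are placeholders (assumptions).

/**
 * Authenticate $login/$password against Active Directory and return the
 * user's entry (attribute keys lower-cased, as ldap_get_entries() returns
 * them) or false.
 */
function ldap_auth_lookup($uri, $bind_dn, $bind_pw, $base_dn, $login, $password)
{
    // 1. Refuse empty credentials up front. A simple bind with a DN and an
    //    empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2);
    //    AD and most other servers answer it with success, so ldap_bind()
    //    would return true for anyone who knows a valid login name.
    if ($login === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // 2. Do not chase referrals. When the base is the domain root AD returns
    //    referrals for other partitions; the client follows them without the
    //    bind credentials and the search errors out, which is a common reason
    //    a search from DC=domain,DC=com fails while a single OU works.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Service-account bind, used only to locate the user's DN.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        ldap_unbind($conn);
        return false;
    }

    // 3. Escape the login before it goes into the filter, otherwise a login
    //    such as "*)(sAMAccountName=*" rewrites the query (LDAP injection).
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    $attrs  = array('mail', 'displayName', 'sAMAccountName');
    $search = @ldap_search($conn, $base_dn, $filter, $attrs);
    if ($search === false) {
        ldap_unbind($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $search);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;   // no such user, or an ambiguous match
    }
    $user_dn = $entries[0]['dn'];

    // 4. Re-bind as the user with the supplied password; this is the actual
    //    credential check. ldap_bind() returns false on a wrong password.
    $ok = @ldap_bind($conn, $user_dn, $password);
    ldap_unbind($conn);
    if (!$ok) {
        return false;
    }
    // ldap_get_entries() lower-cases attribute names, so read back
    // 'mail', 'displayname' and 'samaccountname'.
    return $entries[0];
}

// Usage with placeholder values (assumptions); requires a reachable DC.
$user = ldap_auth_lookup(
    'ldaps://dc1.example.com:636',
    'CN=forum-bind,CN=Users,DC=example,DC=com', 'bind-account-password',
    'DC=example,DC=com',
    'jdoe', 'the-users-password'
);
if ($user !== false) {
    $email       = strtolower($user['mail'][0]);
    $displayname = isset($user['displayname'][0]) ? $user['displayname'][0] : $user['samaccountname'][0];
}
```

The two-bind pattern (service account to find the DN, then the user's own bind) is what makes the Search Base DN matter: the user has to be found under that base before the password is ever checked, so a base that only covers one OU silently turns every user outside it into a failed login.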

ItsDrew
02-03-2012, 11:01 PM
Has anyone conceived of the idea or attempted setting the username to the LDAP 'displayname' or 'givenname' and 'sn' while allowing the user to both login and authenticate using their LDAP credentials? ie, login as: jdoe, but username is set to John Doe so that all posts, member list, user profile and all show John Doe. My forum is internal, consists only of LDAP users all on the same domain and I've disabled registration since the LDAP auth code can create a new user. I've made a user profile field set to displayname but if I don't have to go through and modify the template to show the displayname userfield in lieu of username, that would be awesome.

Unless it's easier now to modify the template using the built-in search/replace? Suggestions or ideas?

rguser: Did you ever find a good solution to this? The LDAP passes their employee ID as their user logon (required). But I would rather have all their posts show as their LDAP "displayName."

The closest I got was to modify the product-ldap_auth-1.5.1_vb4.xml to set the usertitle to the LDAP displayName so at least their name is below their employee ID.

I'd like to know how you worked around this.

} else {
($debug = $debug ) ? print_log("New user. Creating with info from ldap") : false;
$newuser->set('email', strtolower($userData[0]['mail'][0]));
$newuser->set('customtitle', 2);
// ldap_get_entries() lower-cases attribute names, so if $userData came from it this key needs to be 'displayname'
$newuser->set('usertitle', ($userData[0]['displayName'][0]));
$newuser->set('username', $vbulletin->GPC['vb_login_username']);
$newuser->set('usergroupid', 2);
$newuser->set_bitfield('options', 'adminemail', true);
$newuser->set_bitfield('options', 'emailonpm', true);
$newuser->set_bitfield('options', 'vm_enable', true);
$newuser->set('pmpopup', 1);
$newuser->set('password', $passwd);
// an UPDATE must go to the master (query_write), and the username must be escaped before it is put in the query
$vbulletin->db->query_write("
UPDATE ".TABLE_PREFIX."user
SET ldap=true
WHERE username='". $vbulletin->db->escape_string($vbulletin->GPC['vb_login_username']) ."'");

roarkh
02-28-2012, 08:37 PM
I am relatively new to vBulletin still but have version 4.1.8 installed and working just fine with this plug-in. I have never performed a vBulletin upgrade before and was just wondering what to expect regarding installed plugins when upgrading from 4.1.8 to 4.1.10. Will the LDAP Authentication plugin continue to work as it does now? Or will it need to be modified and/or reinstalled?

Thanks in advance.

tdarvill
06-06-2012, 02:07 PM
Are there any issues with using this mod on vBulletin 4.2.0?

rguser
08-30-2012, 07:43 PM
rguser: Did you ever find a good solution to this? The LDAP passes their employee ID as their user logon (required). But I would rather have all their posts show as their LDAP "displayName."

The closest I got was to modify the product-ldap_auth-1.5.1_vb4.xml to set the usertitle to the LDAP displayName so at least their name is below their employee ID.

I'd like to know how you worked around this.

} else {
($debug = $debug ) ? print_log("New user. Creating with info from ldap") : false;
$newuser->set('email', strtolower($userData[0]['mail'][0]));
$newuser->set('customtitle', 2);
// ldap_get_entries() lower-cases attribute names, so if $userData came from it this key needs to be 'displayname'
$newuser->set('usertitle', ($userData[0]['displayName'][0]));
$newuser->set('username', $vbulletin->GPC['vb_login_username']);
$newuser->set('usergroupid', 2);
$newuser->set_bitfield('options', 'adminemail', true);
$newuser->set_bitfield('options', 'emailonpm', true);
$newuser->set_bitfield('options', 'vm_enable', true);
$newuser->set('pmpopup', 1);
$newuser->set('password', $passwd);
// an UPDATE must go to the master (query_write), and the username must be escaped before it is put in the query
$vbulletin->db->query_write("
UPDATE ".TABLE_PREFIX."user
SET ldap=true
WHERE username='". $vbulletin->db->escape_string($vbulletin->GPC['vb_login_username']) ."'");

Sorry for the very late response. Yes, I solved this similarly to how you have it.

The username is only valid from the login screen. Within the code the username is converted over to the full display name right away and used consistently throughout. New account vs existing account is determined by doing a search for the userData[0]['mail'][0].

In transition, I just wrote a script to update all usernames from user alias to full name.

Tweak589
09-29-2012, 12:48 AM
Hello,

I am trying to set this up in 4.2.0 and am at a loss right now what I have done wrong. I don't have any errors or any problems so far. I've installed the plugin fine, have LDAP PHP module ready, etc.

I have read this thread and seen that the plugin has many improvements contributed to it and it seems that jimbot's post is where the latest version ends up: https://vborg.vbsupport.ru/showpost.php?p=2242445&postcount=129

I've followed some instructions in post 127 as well, but I think my problem here is that I simply cannot connect to my LDAP server. My login system on vBulletin does not seem different at all, and is using my traditional "5 attempts" login. So you can imagine when trying this, it gets quite frustrating to have to wait 15 minutes to try logging in again. Every time I am trying new settings nothing changes. I am not sure if I am even connecting to Active Directory. This is what I have currently for settings:

My LDAP settings (having trouble connecting?):
LDAP Server: mydomain.blah.site.com
LDAP Port: xxxx
Anonymous Bind: NO
Bind DN: DOMAIN\username
Bind Password: xxxxxxxxxxx
Naming Attribute: sAMAccountName (how does this look, is it first initial + last name? (e.g. John Doe = jdoe))
Search Base DN: CN=distributionlistname,OU=Distribution Lists,DC=max,DC=blah,DC=site,DC=com
LDAP Attributes: [blank]
Disable vBulletin Users: No
Allow Built-in Accounts: 1 (my admin account id)
Update username: No (I will play with this later)
Disallow disable LDAP logins: Yes
Debug: Yes (in hopes I can see what is wrong! But I don't even see debug output when logging in at the moment)


Any advice as to what works and doesn't work would be helpful. Thank you!

havokit
10-10-2012, 04:15 PM
Hello,

My login system on vBulletin does not seem different at all, and is using my traditional "5 attempts" login. So you can imagine when trying this, it gets quite frustrating to have to wait 15 minutes to try logging in again.

I'm having difficulty too with the latest version 4

Wireshark on your LDAP / AD server can tell you if it's hitting your server for authentication. Use the filter ip.addr==192.168.1.34 or something similar.

Also under General Settings turn off (Use Login "Strikes" System) which will remove the 15 minute gap problem!

Hope this helps!

Tweak589
10-10-2012, 05:00 PM
Thanks havokit.

Hopefully someone comes along in this thread to resolve our connection issues in 4.2.0 :(. I didn't think a plugin such as this would be incompatible from a few older versions of 4.x. Perhaps it is something to do with the hook(s).

I am not knowledgeable with PHP or any of this, so I am stuck trying to figure this out.

miklr
01-30-2013, 07:59 PM
Thanks havokit.

Hopefully someone comes along in this thread to resolve our connection issues in 4.2.0 :(. I didn't think a plugin such as this would be incompatible from a few older versions of 4.x. Perhaps it is something to do with the hook(s).

I am not knowledgeable with PHP or any of this, so I am stuck trying to figure this out.

Tweak589, were you able to get this working? We are also in the process of LDAP implementation.

thanks :confused:

alexm
05-10-2013, 12:50 PM
FWIW I've just done an upgrade from 4.1.10 to 4.2.1 and the plugin is still working fine for me!

My settings are:

LDAP Server dcname.domain.com
LDAP Port 389
Anonymous Bind No
Bind DN CN=Account Name,CN=Users,DC=domain,DC=com
Bind Password <password for above account>
Naming Attribute sAMAccountName
Search Base DN DC=domain,DC=com (see my earlier post (https://vborg.vbsupport.ru/showthread.php?p=2291957#post2291957) in this thread about searching sub-OU's)
LDAP Attributes fullName,mail,sAMAccountName,displayname,title,l