Quote:
H.
---
Quote:
The other point is that I'm trying to make my mods so that they don't break upgradability of VB (or any other products). Anyone else know of a simpler way to do Windows SSO? H.
Quote:
You'd still need some fairly significant mods to vB (or perhaps a plug somewhere near global_start???) to tell it to use and trust the external username supplied by SPNEGO. H.
Very nice mod - installed with no fuss.
I had the problem, though, that my LDAP server contained a new user whose username was not used in vB, but whose email was already taken by another username in vB. This means that your plugin tries to create the new user when a correct username/password is issued (seen from the LDAP server). But because the email already exists in vB under another username, the creation of the new user fails. This is properly okay, as two different users cannot have the same email. But the error message indicates that a wrong password/username was issued. My suggestion for improvement is to give a better response in this case. Best regards, Tom
Quote:
I'll have to look into this bug, that's NOT what's meant to happen - It's supposed to rename the user to match the LDAP... I can see what you mean though, the error message is unhelpful in this instance, but in keeping with normal login failure message procedure, I've tried not to let a potential brute-force attacker know what he/she got wrong (username/password etc). A more "helpful" error message might give away the fact that users are being created on the fly from an external database, and that might give an opportunity to inject a user into the system. (Sorry if I seem paranoid, but it's my job, I work with system security all day). H.
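The trade-off in the two posts above, as an added example that is not part of the thread or the plugin's code: the user sees one generic failure message for every cause, while the real cause (here the e-mail collision Tom hit) is written to the server log for the administrator. It assumes a collision is treated as a failed login, as Tom observed, rather than the rename H. intended; every function name, the log format and the sample accounts are hypothetical.

```php
<?php
// Added example: hypothetical names throughout; $ldap and $forum are
// constructed in-memory stand-ins for the directory and the vB user table.
const GENERIC_FAILURE = 'Invalid username or password.';

function deny(string $user, string $reason, string $detail = ''): array
{
    // The cause goes to the server log only; json_encode keeps
    // attacker-supplied usernames from forging extra log lines.
    error_log('ldap_auth deny ' . json_encode(
        ['user' => $user, 'reason' => $reason, 'detail' => $detail]));
    return ['ok' => false, 'message' => GENERIC_FAILURE];
}

function sso_login(array $ldap, array &$forum, string $user, string $pass): array
{
    // Stand-in for an LDAP bind with the submitted credentials.
    $entry = $ldap[$user] ?? null;
    if ($entry === null || !password_verify($pass, $entry['hash'])) {
        return deny($user, 'bad_credentials');
    }
    if (isset($forum[$user])) {
        return ['ok' => true, 'message' => 'Logged in.'];
    }
    // Valid directory user with no forum account: provision on the fly,
    // unless another forum account already owns the e-mail address.
    foreach ($forum as $name => $row) {
        if (strcasecmp($row['email'], $entry['email']) === 0) {
            return deny($user, 'email_collision', "owned by $name");
        }
    }
    $forum[$user] = ['email' => $entry['email']];
    return ['ok' => true, 'message' => 'Account created and logged in.'];
}

// Constructed sample data.
$ldap = ['tom.new' => [
    'hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
    'email' => 'tom@example.org',
]];
$forum = ['tommy' => ['email' => 'Tom@example.org']];

$wrongPassword = sso_login($ldap, $forum, 'tom.new', 'guess');
$collision     = sso_login($ldap, $forum, 'tom.new', 'correct horse');

// Both failures return the same response; only the log tells them apart.
var_dump($wrongPassword === $collision);
```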
The plugin is populating vB's db properly when an existing LDAP user tries to log in to the forums but doesn't exist in vB; however, it won't log them in -- stating they have entered an incorrect password. The same thing happens for existing vB users.
The passwords are stored as an MD5 hash in LDAP, and I also made sure define('DISABLE_PASSWORD_CLEARING', 1); was in includes/config.php. The strange thing is, if I disable the plugin both existing and newly created users (from LDAP) can successfully log in. Any ideas on what might be causing this?
I have installed this plugin, but can't get it to work. Has anyone gotten this plugin to work in an Active Directory environment? Thanks for your help.
Quote:
Didn't you mix up your hooks in product-ldap_auth-1.4.xml? Your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... Am I confused??