I need to make some corrections to my original posting about using the LDAP bind for authentication. Unfortunately, there were two errors in the code which was causing @ldap_bind to do an anonymous bind. If your directory does not allow anonymous, then the code would fail. If your directory does allow anonymous, then any password would work.

Here is the corrected code from ldap_authentication.php.
Also, this code has "dn" hard-coded into it. Your directory may need to use the CN or UID attributes. Chris has suggested that we can reuse $ldapfield for that purpose.

I'm a newbie, and seem to be technically challenged today.
Have installed vBulletin v3.6.8 PL2 on Solaris, w/Apache2.2, PHP5.2.4, and MySQL4.1.22.
vBulletin is working, but now I need to have LDAP support for Single Sign On authentication.

Ok, followed the simple instructions for installing the "ldapconfig.php",
but I'm stuck at step #3, where I "Add / Import the product (xml file)"

I logged in to the Admin CP, but don't see the Add/Import.
Down the left side I see:
- vBulletin Options
- Style & Template
- Language & Phrases
- FAQ
(and the list goes on)

I have expanded each and all sections, but nothing is jumping out at me
that says "Add/Import" Where is it???

Lost and wandering aimlessly.
Stacy

OK, I figured out the installation, but now its not authenticating known users?

any clues???

Usual culprits are UID field or no MD5 field. MD5 is not a standard LDAP field but most people create it. So if you only got CRYPT to store your passwords, this script wont work without some template changes (which is not recommended).

Are there any logs to find out why a user isn't able to authenticate correctly? I'm using openldap for telnet/ssh access to the server, but I'm still trying to debug this plugin.

Thanks

Ok, I think I have narrowed my problem down.

I can't do an anonymous bind and refused access to the md5hash due to security reasons.

So, not I am looking to use a .htaccess mechanism, and have started to search the forum.
any recommendations???

Cafelatte,

You may want to try the method of binding using the user ID that I outline several posts above. Here is a reprise of the code.
Also, however, you may find that you use CN for the user name instead of UID. In that case, make the following change and set $ldapuid to "cn".

-- addendum --
And here is something very important that I forgot to mention before. This only works if the login form passes the password. To make that happen, you have to modify global.php (if anyone knows a better way, please let me know). Add the following anywhere near the top.
What it says is exactly what it means - the password will be passed in clear text. Not good. I know. Shouldn't be too much of an issue if your forum is SSL, but most aren't. I'm trying to find another way, but this is the only way for now.

Has anyone got this to work with Active Directory? If so, mind lending some insight? :)

I have also set this module up correctly as far as I can tell, but I'm not seeing anything in the security event log on the domain controller...

Does this LDAP mod also sit on top of admincp and modcp? Currently using another mod that doesn't and it's causing some headaches..

Great work folks, I've tried the plugin with Mark's modifications to the CRYPT "problem" and it works...

Now, I see a little problem, we want to perform always the login towards the LDAP, so if the user changes his password in the userCP, this password isn't going to be valid.

You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?

Thanks in advance

I couldn't find anywhere in the admincp to turn this off so as a temporary fix I have commented out the link from the usercp template. The page still exists, but it's unreachable unless you know the link. I'm sure you could edit the templates elsewhere too to remove the fields from the page and display a sensible message.

I'm not using this mod yet, I am using another one for LDAP. Could you tell me oasi (as someone who has installed the mod), does this one store the password in the database? Also, does it use LDAP to authenticate for modcp and admincp?

Actually, if the user changes his or her password it's irrelevant. The plug in updates the password every time the user logs into the forums, just before vBulletin checks it. If the user passes LDAP authentication, the password and salt are MD5 hashed and stuck in the database so that vBulletin's log-in process will be successful. If the user does not pass LDAP authentication, garbage is stuck in the database so that vBulletin's log-in process will fail.

Still, it's probably a good idea to not imply that the user can update his or her password through vBulletin. I can imagine the Help Desk calls now. Since my workplace also won't allow the user to change his or her e-mail address, I've made the following code changes - it may or may not work for you. I just commented out blocks of code. Note that there are already comment tags in modifyprofile and I had to replace them with x!-- and --X to make this work.

Since I'm just a lowly user of the plug-in as well, I'd love to here what other people are doing about this.

USERCP_SHELL
modifyprofile

I'll try to :)

Hi again!

I'm having a problem with the autentication, I'm trying to find what happens, but I've put some error_log sentences that doesn't seem to work...

The problem is that the users only can be authenticated if they use a valid LDAP user name and set as password the user name again.

I only see on the error log this:

[08-Apr-2008 08:42:14] PHP Parse error: syntax error, unexpected ')' in /aplicacions/vbulletin/upload/global.php(384) : eval()'d code on line 48

I'm usign vbulletin 3.7 RC2
Some idea?

Ops!
It was my fault :D

But there's an other problem...
Now my administrators/moderators can't login to the admin interface/moderation interface, because the DISABLE_PASSWORD_CLEARING thing doesn't work with these validation forms.

I tried to set this definition in admin/global.php and modcp/global.php but the passwords continue to pass MD5 codified (and empty value in the vb_login_password var).

I know that i can put these login in the ldapconfig.php field to skip the LDAP validation, but there could be other way to perform this??

Thanks

Crap. I didn't post all of the code. I will correct post #47, above. But here is the piece I missed.
What this does is avoid going through LDAP authentication for the admin and moderator control panels.

Why, you ask? What Zemic's plug-in does is put an MD5 hash of your password into the vBulletin database if you pass LDAP authentication, or garbage if you don't pass LDAP authentication. Then it returns control to vBulletin, who goes through the usual authentication process and MD5 hashes the password and compares it to the hash on file. Therefore, assuming that the moderators and admins sign into the forum first and the correct LDAP password hash is in the database, the admin and moderator sign-in pages don't have to go through this process again.

The only time this doesn't work is if the admin or moderator changes their LDAP password and then goes to the control panel without signing onto the forum. And that can happen if they check the "Remember Me" box for the forums. I haven't worked out a solution to that yet.

Suggestions welcome.

It also fails if you erase some user from your LDAP directory but not from the forums I think...

I was trying to do a mix between the zemick's solution and the one from sartori's, but I'm having a basic/weird problem.

I can't access the $vbulletin var, I do an isset and it is, but I print_r his value and is '1'.
I've seen you access it, and I think it's better than $_POST without processing, so, you know what could I be doing wrong?

Here is the code to test it in my xml file:

It prints '1' on my error_log, I've tried without the require for global.php, and it's the same result...

Thanks again

Hello

Does anyone run this plugin on a 3.7 Forum?
I try it since days with no effort.

No error messages, the only thing I get is user unkown if i try to login with a user saved in ldap
No way to login, neither to register in ldap.

I'm running it successfully in vBulletin 3.7.2.

Hi,

I was wondering if this addon works as expected in v3.8 of vbulletin

Any feedback is appreciated!

Thanks,
a

I don't think this works in v3.8... getting an error when trying it: "Fatal error: Call to undefined function ldap_connect() in vbulletin\global.php(400) : eval()'d code on line 25"

Have you been able to implement single sign on for vBulletin or do you know if this
problem has been solved.
Looks like a plugin exists for AD authentication but I think the user still has to login.

Thanks

Dave

Best example I can give is of my work..... we use LDAP to authenticate users accross different services we offer on campus - logging into computers, access programs, databases, and web sites. On the web for example our CMS, Blackboard, Campus Pipeline, Intranet and now VBulletin all authenticate against LDAP. This allows us to give out 1 username and password to every staff and student to access any service we offer; we can restrict access via LDAP as well.

There's a bit more to it than that. You've got to have someone to populate LDAP, or some program to automatically insert / update records i.e. our finance department enter a new staff member onto the pay roll system, and in an overnight job LDAP is synchronised with it, creating new usernames if neccessary or expire accounts if someone has left.

Its our "yellow pages" of staff and students. Benefit to us is 1 username and password to access all our services. Less maintenance. Also in time it will allow us to roll out "single sign on". Sign into a computer on the network, and then you are automatically logged into our web sites or Vbulletin when you go to that site. No need for cookies.

You may have heard of Active Directory which is similar.

Does that make sense? :s :)[/QUOTE]