Thank you for this. I didn't realize I had installed php without the ldap feature. PHP info always showed that I had LDAP when I checked it. I reinstalled PHP and setup fastcgi again.

I have the same behavior as you, "You have entered an invalid username or password". I had been receiving an error that the initial bind failed, but now I don't even receive this error.

Attached are the cumulative changes/updates for product-ldap_auth-1.5.xml provided by cowbert and john.parlane for running in version 4 so you don't have to update it by hand yourself. Thanks to all who have made this possible!

Also, make sure you install the php-ldap package via yum if you are running Linux, and then restart your apache server after you've installed it.
e.g.
> yum install php-ldap
> restart apache

Cheers,
Jim

changed vbull.user to forum.user in the user database query lookup so it will properly look up existing users

Thank you so much! I finally got this working, but now I'm not sure if it was from your code change or how I set it up this time. I was still getting the LDAP bind errors when I tried the changed code. After trying more settings I finally got it working by pointing the base DN at an OU first. OU=ou name,DC=domain,DC=domain,DC=org. Not sure if I had tried that in the past or not because I tried so many, many combinations. Unfortunately, it will ONLY work by pointing to an OU. If I try the root of the domain it won't bind. DC=domain,DC=forest domain,DC=org. I was hoping to point to the root of my domain or even the root of the forest because I may end up having to allow logins from other domains. The way it is right now I have to exclude the IT department from ldap logins so that I can point to our users OU. If you have any ideas on how I can get it working by pointing to the root I will be very grateful. Regardless, thank you for putting this up. I can't tell you how many hours I've put into trying this mod and a few others for ldap authentication.

Big thanks,
Gina

I'm having issues getting this working with our setup.

vBulletin 3.8.2
Openldap (linux debian)
php 5
product-ldap_auth-1.5.xml

It is binding ok, but setting Naming Attribute to what we use in the OU - "uid" it isn't picking up the username.

Full Name Support for LDAP Auth - seems to work, using the same username on vbulletin database as it is in the ldap database.

Just can't login with users using ldap auth details, also the mod isnt disabling vbulletin users.

With this version do we need to do the edit to config.php or global.php to add

Also: do any other edits need to be made?

How can I make any errors with this output to a log? I would like to better diagnose my failures.

There is a lot of good information scattered around this thread for connecting this plugin to Active Directory. In the interest of making things a bit more clear, here are the additional steps required for connecting to Active Directory:

Active Directory:
You need a user to query Active Directory

Firewall:
Don't forget to open firewall ports for authentication if you are working with a DMZ or the like.

LDAP Authentication Settings in vBulletin:
Anonymous Bind: No
Bind DN: <Domain>\<Username>
Naming Attribute: sAMAccountName
Search Base DN: OU=<Whatever>,DC=<your_domain>,DC=<your_domain_tld >
LDAP Attributes: fullName, mail, sAMAccountName

Some points to keep in mind:
1. This plugin doesn't seem to work if your Search Base DN begins with a DN in AD. You must have your search base begin with an OU. This means that if you have multiple OU's at the top level of AD that contain users, you may have a problem.
2. The Bind DN should be passed in the format shown above.
3. Make sure to download product-ldap_auth-1.5_vb4.xml found in this thread, not the one from Haqa's original post. This version contains patches needed for vBulletin 4.
4. The product-ldap_auth-1.5_vb4.xml code attached to this post has a change so that you do not have to specify your DB name:

5. WARNING: If you aren't running vBulletin over SSL, you will be passing your Active Directory usernames and passwords in clear text.

Anything else?

Thanks,

Kirk.

Awesome plugin, one request though, how can I set it to give the LDAP users specific usergroup(s) by default?

Okay so I needed to use this for a setup that we have using Active Directory. Kirk's (KPatten) version was great, but being a hacker at heart I tweaked it. I thought I'd share this with the community as a way to say thanks. All the caveats and instructions that Kirk gave in post 127 still apply.

Differences:

• Option to update the username of existing vbulletin users. I believe this is how it was supposed to work, but it didn't for me
• New database field on user table to store which users are LDAP users, and provides an option to prevent access when those users are removed from AD
• Lots of debug messages (I found this VERY helpful), with an option to disable. (requires includes\devtools.php I got this from here)
• Puts LDAP 'displayname' into user field5 (I've found this to be a pretty common place to put a user's display name, although arguably I should have used the extension points as originally intended)
• Puts LDAP 'title' into user field4 (This is "occupation" in my install)
• I set the minimum version to 4.1.5 - this is because I haven't tested it on anything older, but there's every chance that it will work on whichever system Kirk's works on. Please let me know if this is the case, and I'll update the files here.
• Puts an entry into the user table to indicate if they're an ldap user or not - this requires a new column to be created in the user table: 'ldap'. This is done by the install code for the product. This allows the system to disable users who have since been disabled by ldap, while still allowing external users to use the system.

For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.

I followed this process and am getting...

I am assuming this means I do not have ldap enabled for PHP... any thoughts on an easy way to "add" LDAP to an existing install? What specifically needs to be included and where?

I've not got that error, but I have the LDAP extension for PHP installed. You can check the status of ldap through the vbulletin admincp->Maintenance->PHP info. There's a whole section devoted to ldap in mine.

I run on Windows, so installing LDAP support for PHP was simply an option I chose in the PHP installer (under 'extensions' if I recall correctly).

Good luck!

I am new to vBulletin so this is all new to me. I just installed the LDAP Authentication plugin referenced in this thread and for the most part it seems to be working just fine. However, I have a question. I have logged in as two different users from our LDAP server and vBulletin did indeed allow them to login and did create user accounts for them. However, I noticed that for some reason the "Primary Usergroup" for both of those users was set by default to "Super Moderators". It seems to me that they should be set to "Registered Users" instead.

If I go into the vbulletin admin panel and manually add a user the default settings does seem to be "Registered Users".

Is there any way to tell the LDAP Authentication plugin that new users should be created as "Registered Users" instead of "Super Moderators"?

Thanks in advance.

Yes, but you'll need to edit the plugin source, as this option hasn't been added to the LDAP settings.

If you're using my version, from the post above, you'll need to edit line 193 of the plugin, shown in the snip below. The line that sets the usergroupid to 5 makes the new user a supermoderator. The 'Registered users' group has a usergroupid of 2 (at least it does in mine). So change the 5 to a 2, and that should resolve the issue. The usergroup IDs can be found in Usergroup manager in the admin control panel.

Hope this helps!

Well, I did some digging through the module code (version 1.5.1_vb4) and noticed this on line 199.
I changed the above to the following and reinstalled the addon.
And now the default usergroup is Registered Users instead of Super Moderators. I'm wondering if this should not be the default behavior?

Thank you.

Thanks for your response, apparently I was posting the solution I found to this at the same time you were answering me so I didn't see your post until I completed mine. Clearly we are both on the same track and that indeed did fix my problem.

Thanks again.

Perhaps you are right. For my setup, though, by default LDAP users are considered 'trusted', and members using internal VB authentication are not. So all LDAP users are granted the super mod privileges.

What we really should do is make it a config setting.

Not sure when I'll get time to do this....

I didn't have any luck with using the original set_userfields method. The aforementioned code had:
It worked when I switched it to this:
I think it's because the account I was testing was my own account which was promoted to administrator.

Has anyone conceived of the idea or attempted setting the username to the LDAP 'displayname' or 'givenname' and 'sn' while allowing the user to both login and authenticate using their LDAP credentials? ie, login as: jdoe, but username is set to John Doe so that all posts, member list, user profile and all show John Doe. My forum is internal, consists only of LDAP users all on the same domain and I've disabled registration since the LDAP auth code can create a new user. I've made a user profile field set to displayname but if I don't have to go through and modify the template to show the displayname userfield in lieu of username, that would be awesome.

Unless it's easier now to modify the template using the built-in search/replace? Suggestions or ideas?

This worked perfectly... thank you

I have another question, which is php related.

I have this plugin (vb4 version) and it is working, however, I cannot get the "Allow Built-in Accounts" (ldap_allow_builtin) setting to work when putting in a comma separated list. If I only have one userid in this setting it works for that user only, which leads me to believe this is an easy solution. Given the fact that I am php retard, the answer is not glaringly obvious, therefore, I will summarize what I know in hopes someone can help me.

In the product xml, this variable (setting) is defined as follows:

The piece of code that I believe to be broken that uses this variable is:

So, what is wrong with the php code that is not searching "ldap_allow_builtin" as if it is an array?

Thanks.

Thanks to everyone for their excellent work!

I have successfully implemented the above version on vBulletin 4.1.10

With regard to this problem:

I have managed to get ldap_search to properly recurse through the sub-OU's on a Server 2008 DC running in 2008/2003 mixed mode by doing the following:

After:Add:
Now if I set the Base DN to DC=domain,DC=com it will find users in all OU's in the domain.

Hope this helps someone

Alex

rguser: Did you ever find a good solution to this? The LDAP passes their employee ID as their user logon (required). But I would rather have all their posts show as their LDAP "displayName."

The closest I got was to modify the product-ldap_auth-1.5.1_vb4.xml to set the usertitle to the LDAP displayName so at least their name is below their employee ID.

I'd like to know how you worked around this.

I am relatively new to vBulletin still but have version 4.1.8 installed and working just fine with this plug-in. I have never performed a vBulletin upgrade before and was just wondering what to expect regarding installed plugins when upgrading from 4.1.8 to 4.1.10. Will the LDAP Authentication plugin continue to work as it does now? Or will it need to be modified and/or reinstalled?

Thanks in advance.

Are there any issues with using this mod on vBulletin 4.2.0?

Sorry for the very late response. Yes, I solved this similarly to how you have it.

The username is only valid from the login screen. Within the code the username is converted over to the full display name right away and used consistently throughout. New account vs existing account is determined by doing a search for the userData[0]['mail'][0].

In transition, I just wrote a script to update all usernames from user alias to full name.

Hello,

I am trying to set this up in 4.2.0 and am at a loss right now what I have done wrong. I don't have any errors or any problems so far. I've installed the plugin fine, have LDAP PHP module ready, etc.

I have read this thread and seen that the plugin has many improvements contributed to it and it seems that jimbot's post is where the latest version ends up: https://vborg.vbsupport.ru/showpost....&postcount=129

I've followed some instructions in post 127 as well, but I think my problem here is that I simply cannot connect to my LDAP server. My login system on vBulletin does not seem different at all, and is using my traditional "5 attempts" login. So you can imagine when trying this, it gets quite frustrating to have to wait 15 minutes to try logging in again. Every time I am trying new settings nothing changes. I am not sure if I am even connecting to Active Directory. This is what I have currently for settings:

My LDAP settings (having trouble connecting?):
LDAP Server: mydomain.blah.site.com
LDAP Port: xxxx
Anonymous Bind: NO
Bind DN: DOMAIN\username
Bind Password: xxxxxxxxxxx
Naming Attribute: sAMAccountNAme (how does this look, is it first initial + lastname? (e.g. John Doe = jdoe))
Search Base DN: CN=distributionlistname,OU=Distribution Lists,DC=max,DC=blah,DC=site,DC=com
LDAP Attributes: [blank]
Disable vBulletin USers: No
Allow Built-in Accounts: 1 (my admin account id)
Update username: No (I will play with this later)
Disallow disable LDAP logins: Yes
Debug: Yes (in hopes I can see what is wrong! But I don't even see debug output when logging in at the moment)


Any advice as to what works and doesn't work would be helpful. Thank you!

I'm having difficulty too with the latest version 4

Wireshark on your LDAP / AD server can tell you if its hitting your server for authentication.. Use the filter ip.addr==192.168.1.34 or something similar

Also under General Settings turn off (Use Login "Strikes" System) which will remove the 15 minute gap problem!

Hope this helps!

Thanks havokit.

Hopefully someone comes along in this thread to resolve our connection issues in 4.2.0 :(. I didn't think a plugin such as this would be incompatible from a few older versions of 4.x. Perhaps it is something to do with the hook(s).

I am not knowledgeable with PHP or any of this, so I am stuck trying to figure this out.

Tweak589, were you able to get this working? We are also in the process of LDAP implementation.

thanks :confused:

FWIW I've just done an upgrade from 4.1.10 to 4.2.1 and the plugin is still working fine for me!

My settings are:

LDAP Server dcname.domain.com
LDAP Port 389
Anonymous Bind No
Bind DN CN=Account Name,CN=Users,DC=domain,DC=com
Bind Password <password for above account>
Naming Attribute sAMAccountName
Search Base DN DC=domain,DC=com (see my earlier post in this thread about searching sub-OU's)
LDAP Attributes fullName,mail,sAMAccountName,displayname,title,l