LDAP Authentication
Version: 1.1, by zemic
Developer Last Online: Apr 2010

Category: Integration with vBulletin - Version: 3.6.5
Released: 04-17-2007 Last Update: 05-20-2007 Installs: 38
Uses Plugins
Additional Files  
No support by the author.

I've been using vBulletin for a few years, and have had some great modifications from this community, so having had to recently integrate vBulletin with LDAP for my University discussion boards I decided to release this as a modification. This is my present to the community.

Description:

LDAP authentication for vBulletin.

How it works:

This does not modify vBulletin files or vBulletin login code in any way. We simply stick some script in front of the login process so we can validate against LDAP. Below is a breakdown of what this thing does:
  • First looks to see if login form has been submitted
  • Checks if it should look up "this" user in LDAP (defined in ldapconfig)
  • Queries LDAP for the username
    • If user is returned check if VB MD5 password matches LDAP MD5 password
      • If it does, check the VB user table to see if the user is already in the table. If yes, update VB user table password with LDAP password by encrypting MD5 password with the user's 'salt' key
      • If not, create a new user in database using VB classes/functions.
    • If user/pass do not match in LDAP then check if user is in VB user table.
      • If they are, change the password to something random so they cannot login with an old password
  • If a user is not returned from LDAP, assume the user has registered on the boards in the normal way and don't do anything to the VB user table.
Requirements:

The requirements are based on the system we use. It may / may not work with other vBulletin versions:
  • PHP 4.3+
  • LDAP System
  • uid (username), mail (email address), and a field containing MD5 password
Installation:
  1. Download and unzip the file
  2. Edit "ldapconfig.php" and then upload into your "includes" folder
  3. Login to Admin CP and Add / Import the product (xml file)
Extra Info / Future Plans / Help:

This LDAP integration script currently requires you to have an LDAP field with the user's password stored as MD5. From my understanding, CRYPT is the default password storage for LDAP so some of you may not have an MD5 field in LDAP with the user's password encrypted as MD5.

It would be possible to modify the script to check against CRYPT, but it would also require a template edit as the login form converts the password field "onSubmit" to MD5. I did not do this because we already have the MD5 in LDAP as we use it on a number of different systems already, and I did not want to change VB templates.

Also, I was unable to find documentation on doing a script / releasing a modification, so in future if someone could explain to me or change the script slightly to allow editing of LDAP configuration file within ADMIN CP interface, that would be great. This would also mean not having to upload a file into the includes folder.

I'm sure there will be something I haven't thought of, or will make it easier if this script had this and that, so feel free to post your ideas, and suggestions on improving this modification.

Important Info:
Hack is provided free of charge (but if you really want to get rid of money PM me). I make no guarantee it will work on your system, but it does on mine with 15,000 users.

Version:
  • 1.1 - You can now specify the field to authenticate against in ldapconfig.php (19/05/2007)
  • 1.0.1 - Corrected 'mysql_num_rows' query to use VB DB class call (19/04/2007)
  • 1.0 - First release (18/04/2007)
Hope it's useful for some of you :up:

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#52
04-01-2008, 08:24 AM
SteveCoppin
Join Date: Feb 2008
Posts: 24

Quote:
Originally Posted by oasi
You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?
Thanks in advance

I couldn't find anywhere in the admincp to turn this off so as a temporary fix I have commented out the link from the usercp template. The page still exists, but it's unreachable unless you know the link. I'm sure you could edit the templates elsewhere too to remove the fields from the page and display a sensible message.

I'm not using this mod yet, I am using another one for LDAP. Could you tell me oasi (as someone who has installed the mod), does this one store the password in the database? Also, does it use LDAP to authenticate for modcp and admincp?
#53
04-01-2008, 04:20 PM
Mark Tomlinson
Join Date: Oct 2007
Location: Chicago Area
Posts: 16

Quote:
Originally Posted by oasi
Great work folks, I've tried the plugin with Mark's modifications to the CRYPT "problem" and it works...

Now, I see a little problem, we want to perform always the login towards the LDAP, so if the user changes his password in the userCP, this password isn't going to be valid.

You know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail) ?

Thanks in advance

Actually, if the user changes his or her password it's irrelevant. The plug in updates the password every time the user logs into the forums, just before vBulletin checks it. If the user passes LDAP authentication, the password and salt are MD5 hashed and stuck in the database so that vBulletin's log-in process will be successful. If the user does not pass LDAP authentication, garbage is stuck in the database so that vBulletin's log-in process will fail.

Still, it's probably a good idea to not imply that the user can update his or her password through vBulletin. I can imagine the Help Desk calls now. Since my workplace also won't allow the user to change his or her e-mail address, I've made the following code changes - it may or may not work for you. I just commented out blocks of code. Note that there are already comment tags in modifyprofile and I had to replace them with x!-- and --X to make this work.

Since I'm just a lowly user of the plug-in as well, I'd love to hear what other people are doing about this.

USERCP_SHELL
PHP Code:
<!-- Commented out by Mark Tomlinson 4/1/2008
<tr>
    <td class="$navclass[password]" nowrap="nowrap"><a class="smallfont" href="profile.php?$session[sessionurl]do=editpassword">$vbphrase[edit_email_and_password]</a></td>
</tr>
-->
modifyprofile
PHP Code:
<!-- commented out by Mark Tomlinson 4/1/2008
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
    <td class="tcat">$vbphrase[edit_profile]<span class="normal">$bbuserinfo[username]</span></td>
</tr>
<tr>
    <td class="thead">$vbphrase[registration_required_information]</td>
</tr>
<tr>
    <td class="panelsurround" align="center">
    <div class="panel">
        <div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

            <fieldset class="fieldset">
                <legend>$vbphrase[email_and_password]</legend>
                <table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
                <tr>
                    <td>$vbphrase[click_button_below_edit_email]</td>
                </tr>
                <tr>
                    <td>
                        x!-- don't remove --x
                        <input type="image" src="$vboptions[cleargifurl]" width="1" height="1" />
                        x!-- / don't remove --x
                        <input type="submit" class="button" style="font-weight:normal" value="$vbphrase[edit_email_and_password]" name="gotopassword" />
                    </td>
                </tr>
                </table>
            </fieldset>

            <if condition="$bbuserinfo['coppauser']">
            <fieldset class="fieldset">
                <legend><label for="tb_parentemail">$vbphrase[parent_guardian_email]</label></legend>
                <table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
                <tr>
                    <td>$vbphrase[if_under_13_provide_parent]</td>
                </tr>
                <tr>
                    <td>
                        $vbphrase[parent_guardian_email]<br />
                        <input type="text" class="bginput" name="parentemail" id="tb_parentemail" size="50" maxlength="30" value="$bbuserinfo[parentemail]" />
                        <input type="hidden" name="coppauser" value="1" />
                    </td>
                </tr>
                </table>
            </fieldset>
            </if>

            <if condition="$show['birthday_required']">
                $birthdaybit
            </if>

            $customfields[required]

        </div>
    </div>
    </td>
</tr>
</table>

<br />
End modifications Mark Tomlinson 4/1/2008 -->
#54
04-03-2008, 12:18 PM
snunhuck
Join Date: May 2007
Posts: 157

Quote:
Originally Posted by Andy Pace
Has anyone got this to work with Active Directory? If so, mind lending some insight?

I have also set this module up correctly as far as I can tell, but I'm not seeing anything in the security event log on the domain controller...

I'll try to
#55
04-08-2008, 05:43 AM
oasi
Join Date: Mar 2008
Location: Tarragona
Posts: 31

Hi again!

I'm having a problem with the authentication, I'm trying to find what happens, but I've put some error_log sentences that don't seem to work...

The problem is that the users only can be authenticated if they use a valid LDAP user name and set as password the user name again.

I only see on the error log this:

[08-Apr-2008 08:42:14] PHP Parse error: syntax error, unexpected ')' in /aplicacions/vbulletin/upload/global.php(384) : eval()'d code on line 48

I'm using vbulletin 3.7 RC2
Some idea?
#56
04-08-2008, 10:21 AM
oasi
Join Date: Mar 2008
Location: Tarragona
Posts: 31

Ops!
It was my fault

But there's another problem...
Now my administrators/moderators can't login to the admin interface/moderation interface, because the DISABLE_PASSWORD_CLEARING thing doesn't work with these validation forms.

I tried to set this definition in admin/global.php and modcp/global.php but the passwords continue to pass MD5 codified (and empty value in the vb_login_password var).

I know that I can put these login in the ldapconfig.php field to skip the LDAP validation, but there could be other way to perform this??

Thanks
#57
04-10-2008, 04:15 AM
Mark Tomlinson
Join Date: Oct 2007
Location: Chicago Area
Posts: 16

Quote:
Originally Posted by oasi
Ops!
It was my fault

But there's another problem...
Now my administrators/moderators can't login to the admin interface/moderation interface, because the DISABLE_PASSWORD_CLEARING thing doesn't work with these validation forms.

I tried to set this definition in admin/global.php and modcp/global.php but the passwords continue to pass MD5 codified (and empty value in the vb_login_password var).

I know that I can put these login in the ldapconfig.php field to skip the LDAP validation, but there could be other way to perform this??

Thanks

Crap. I didn't post all of the code. I will correct post #47, above. But here is the piece I missed.
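PHP Code:
/**********
 *  DO NOT execute if one of the users is in VB and LDAP (list in config file)
 ***********/
//    ----  Modified by Mark Tomlinson - 12/04/2007 ----
//    if($_POST[vb_login_username] != "$nosearch")
// Skip the LDAP check for admin CP and mod CP logins and for the user in $nosearch.
// $nosearch is compared as a variable; inside single quotes it would be the literal text '$nosearch'.
if (($_POST['logintype'] != 'cplogin')
      AND ($_POST['logintype'] != 'modcplogin')
      AND ($_POST['vb_login_username'] != $nosearch))
//    ----  End Modifications ----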

What this does is avoid going through LDAP authentication for the admin and moderator control panels.

Why, you ask? What Zemic's plug-in does is put an MD5 hash of your password into the vBulletin database if you pass LDAP authentication, or garbage if you don't pass LDAP authentication. Then it returns control to vBulletin, who goes through the usual authentication process and MD5 hashes the password and compares it to the hash on file. Therefore, assuming that the moderators and admins sign into the forum first and the correct LDAP password hash is in the database, the admin and moderator sign-in pages don't have to go through this process again.

The only time this doesn't work is if the admin or moderator changes their LDAP password and then goes to the control panel without signing onto the forum. And that can happen if they check the "Remember Me" box for the forums. I haven't worked out a solution to that yet.

Suggestions welcome.
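The flow from the first post and the control-panel bypass from post #57, modelled in Python as an added example; it is not the plug-in's PHP and not code from any poster. It assumes vBulletin 3.x stores md5(md5(password) + salt) and that the login form submits md5(password); the dictionaries, function names and sample passwords are constructed.

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed sample data (not from the thread).
LDAP = {}                    # uid -> MD5 password field in the directory
FORUM = {}                   # vBulletin user table: uid -> {"salt", "password"}
NO_SEARCH = {"localadmin"}   # accounts ldapconfig says to skip

def forum_check(user, client_md5):
    """vBulletin's own check: md5(md5(password) + salt) against the stored hash."""
    row = FORUM.get(user)
    if row is None:
        return False
    return secrets.compare_digest(md5_hex(client_md5 + row["salt"]), row["password"])

def ldap_hook(user, client_md5):
    """Plug-in step that runs in front of forum_check on the normal login form."""
    if user in NO_SEARCH or user not in LDAP:
        return  # not an LDAP user: leave the forum row untouched
    row = FORUM.get(user)
    if secrets.compare_digest(LDAP[user], client_md5):
        salt = row["salt"] if row else secrets.token_hex(2)  # salt length is arbitrary here
        FORUM[user] = {"salt": salt, "password": md5_hex(client_md5 + salt)}
    elif row:
        row["password"] = secrets.token_hex(16)  # garbage, so the old password stops working

def login(user, password, logintype="login"):
    client_md5 = md5_hex(password)  # the login form submits md5(password)
    if logintype not in ("cplogin", "modcplogin"):  # post #57 skips LDAP for the control panels
        ldap_hook(user, client_md5)
    return forum_check(user, client_md5)

def stale_hash_scenario():
    """Password changes in LDAP after a forum login; returns each login result."""
    FORUM.clear()
    LDAP["alice"] = md5_hex("Spring2008!")
    results = {"first_forum_login": login("alice", "Spring2008!")}
    LDAP["alice"] = md5_hex("Summer2008!")  # password changed in the directory
    # Control-panel logins skip the hook, so the forum row still holds the old hash.
    results["cp_old_password"] = login("alice", "Spring2008!", "cplogin")
    results["cp_new_password"] = login("alice", "Summer2008!", "cplogin")
    # The next forum login attempt runs the hook, which resyncs or scrambles the row.
    results["forum_new_password"] = login("alice", "Summer2008!")
    results["cp_old_after_resync"] = login("alice", "Spring2008!", "cplogin")
    return results

if __name__ == "__main__":
    for step, ok in stale_hash_scenario().items():
        print(f"{step:22} {'accepted' if ok else 'rejected'}")
```

In this model the old password is accepted on the control-panel path until a forum login resyncs the row, which is the gap post #57 describes.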
#58
04-10-2008, 11:42 AM
oasi
Join Date: Mar 2008
Location: Tarragona
Posts: 31

It also fails if you erase some user from your LDAP directory but not from the forums I think...

I was trying to do a mix between zemic's solution and the one from sartori's, but I'm having a basic/weird problem.

I can't access the $vbulletin var, I do an isset and it is, but I print_r his value and is '1'.
I've seen you access it, and I think it's better than $_POST without processing, so, you know what could I be doing wrong?

Here is the code to test it in my xml file:

PHP Code:
<phpcode><![CDATA[//if the login form has not been submitted dont execute the code
define('THIS_SCRIPT', 'functions_ldap.php');
require_once('./global.php');
if (isset($vbulletin->GPC)){error_log("->".print_r($vbulletin->GPC),0);}
if(isset($_POST[vb_login_username])) {
...
It prints '1' on my error_log, I've tried without the require for global.php, and it's the same result...

Thanks again
#59
10-16-2008, 11:27 AM
khan2002
Join Date: Oct 2008
Posts: 2

Hello

Does anyone run this plugin on a 3.7 Forum?
I try it since days with no effort.

No error messages, the only thing I get is user unknown if I try to login with a user saved in ldap
No way to login, neither to register in ldap.
#60
10-22-2008, 02:37 PM
Mark Tomlinson
Join Date: Oct 2007
Location: Chicago Area
Posts: 16

Quote:
Originally Posted by khan2002
Hello

Does anyone run this plugin on a 3.7 Forum?
I try it since days with no effort.

No error messages, the only thing I get is user unknown if I try to login with a user saved in ldap
No way to login, neither to register in ldap.

I'm running it successfully in vBulletin 3.7.2.
#61
02-11-2009, 07:14 PM
asiegel
Join Date: Aug 2007
Posts: 7

Hi,

I was wondering if this addon works as expected in v3.8 of vbulletin

Any feedback is appreciated!

Thanks,
a