Integration with vBulletin - vBulletin Ldap Authentication Plugin

I am using vbulletin for a long time now and before there was the plugin system introduces i hacked every single version of vb to enable ldap authentication. with the introduction of the plugin system i have written a little plugin that works in every version since VBulletin 3.5. This Plugin is the buyable VBulletin Ligh Authentication from http://www.sartori.at. now its FREE.

Since its working and i will not enhance this small plugin anymore, i will make it public. If there are any enhancements, i can put it into my versioning system and update this plugin.

In contrast to the ldap authentication from zemic my board can authenticate against every - already deployed - ldap directory without changeing the encryption type.

If the ldap user is not added in the VBulletin database, the user is automatically added the first time he authenticates against the ldap. if the user already exists then nothing is changed, except the authentication against the directory.

in the admin or moderator panel no user is authenticated against the directory.

Requirements

• php with ldap support

Installation Notes:

1. copy ldapAuth directory to your vb forum installation directory
2. change the path to controller.php directory in ldap-plugin.xml
3. copy the hooks_ldap.xml to FORUM_ROOT/inclucdes/xml directory
4. in login.php search for:
   
   PHP Code:

   if ($vbulletin->GPC['vb_login_username'] == '')
         {
          eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], ....
         } 

   insert below:
   
   PHP Code:

   ($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false; 

5. activate plugin system (if not done already) in admincp
6. in admin cp import the product at "Download / Upload" Plugins
7. in global.php search for:
   
   PHP Code:

   $show['nopasswordempty'] 

   and change:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; 

   to:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1; 

8. configure the ldap settings in: ldapconfig.inc.php
9. test the product

Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell and Microsoft


I would be happy if you support my modification in any way. Install or nominate it or donate some cents at paypal.

[malcolmx]

Quote:

Originally Posted by grahamar

Hi
I tried this plugin and followed the instructions but I get the following error:

Warning: ldap_search() [function.ldap-search]: Search: No such object in /ldapAuth/controller.php on line 37

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /ldapAuth/controller.php on line 38


I'm not technical at all - but line 37 in the code is this:

36: // search for the username and get the DN
37: $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter);
38: $searchResult=ldap_get_entries($ldapConnection,$se archDn);

Can any one offer some help as to how I can fix this. I would really like to get this working. We want touse VB within our intranet and LDAP is used extensively.

Thanks

Graham

hey,

please show me the content of the variables

Code:

$ldapBase
$ldapFilter

thanks

-malc

[fhs2006]

the error is in your $ldapBase.

the base is just: "dc=sun,dc=com"

all the other stuff like ?sub? (objectclass=*) has nothign to do with the deafault search base (=$ldapbase).

my script is searching for a specific user ($ldapFilter in controller.php) below the $ldapBase in your ldap directory.

if you want to want to add an (objectclass=*) to your search filter you have to add that to line 29 in controller.php

Code:

$ldapFilter = "(uid=" . $vbulletin->GPC['vb_login_username'] .")";

you do not have to add ?sub? to your query, because phps ldapsearch scope defaults to SUB.

-fhs

[malcolmx]

please user controller.debug.php and change in line 17 the debug output file location (if needed)

Code:

 if(defined('LDDEBUG')) { $fp=fopen('/tmp/apache.debug', "a+"); }

then show me the content of that file.

-malc

[malcolmx]

Quote:

Originally Posted by grahamar

Hi Malc,

Just to confirm: Do you want me to run controller.debug.php from the browser after the login fails? or do you mean something else?

Graham

easiest you can do is:

1. rename controller.php to controller.php.orig
2. rename controller.debug.php to controller.php

-malc

[malcolmx]

please do me a favour:

on the linux commandline (if available) try the following:
ldapsearch -W -D "XXXX" -x -b YYYY -h ZZZZZZ "(uid=grahamar)"

exchange:
XXXX: the FULL DN to your username (e.g. uid=grahamar,ou=bla=o=buh)
YYYY: the ldap search base
ZZZZ: the ldap server ip

1) additional questions from my side:
is the wiki doing an ldapbind or is it comparing the hash values of the password?

2) are you sure you did all changes to the vbulletin php files as written in the INSTALL file?
especially:

PHP Code:

defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; 


to check that, add in the debug controller file below line 63

PHP Code:

 // bind to the ldap server with specified credentials (dn, password) 


the following piece of code:

PHP Code:

if(defined('LDDEBUG')) {
   $pass = $vbulletin->GPC['vb_login_password']; 
    wrlog("++ your password  is:\t  $pass");
} 


i dont have an working vb installation at home, but that should do fine. now if you login, you should see your password in plaintext in the debug output file. if this is not your password, please check all the installation steps.

-malc

[malcolmx]

Quote:

Originally Posted by Mark Tomlinson

Nice hack, works like a charm. Except...

[S]I set up vBulletin with the usual "Admin" account. After adding the hack, I logged in as myself with my LDAP ID - which automagically created my user ID in the user database. Then I logged on as Admin again gave my user ID administrative permissions. (I'll be wanting to give a couple of other users subsets of admin privledges as well).

Well, what happens is that I can not log into the Admin CP with my LDAP ID.
* I can log into the forums with my LDAP ID just fine.
* And I can log into the Admin CP with 'Admin' just fine.
* But I can't log into the Admin CP with my LDAP ID.
* And I can't log into the forums with 'Admin'.
My theory here is that there is a different log-in process for the Admin CP and it is trying to verify my password against the vBulletin database.

Familiar with this problem? Am I just missing something?[/S]

Nevermind! Missed the comment in the description that says LDAP is not used for the admin or moderation control panels. That's not going to work for me. I need it to check the LDAP directory and the database in all cases. I will settle for just checking LDAP, but would rather it check both.

Sounds like I need to do some digging.

just comment out the following code:

PHP Code:

// if login form is admin or moderator login, dont use ldap authentication
if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
        return;
} 


[malcolmx]

when your password is shown correctly then you should have done the install instructions.

i have to do some brainwork now... no idea where the problem could be.

[malcolmx]

Code:

ldapsearch --help 2>&1 |grep W
  -W         prompt for bind password

-W is for password austhentication
-D is the full DN to your entity in the directory.

please test if this authentication works.

thanks

-malc

ps: i will be gone over the weekend. i am back on monday.

[grahamar]

Hi Malc,

any update you can give to help proceed with this?

Thank you

Graham

[grahamar]

Hi,

I now have LDAP working on another a Bulletin board from another Source.
I'll leave the situation of not being able to use LDap on vbulletin as it is.

Thanks for those who tried to help me.

Graham