LDAP Authentication
Version: 1.5, by Haqa
Developer Last Online: Jun 2010

Category: Miscellaneous Hacks - Version: 3.7.x
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses), then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp, so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I am fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #92  
08-18-2009, 04:48 PM
nsidcwww
Join Date: Aug 2009
Posts: 3

Okay, so I got it working, somewhat...I basically added uid into the Naming Attribute field and now LDAP users are able to login, however, I get the following error message....

Error creating/updating user
Array

Now, what I did was the following:

1) Removed the hooks_ldap.xml

2) Removed the codes in the login.php file

3) Left the codes in the global.php file

4) Using the following LDAP settings:

HOST: My LDAP Server
LDAP PORT: 389
ANONYMOUS BIND: Yes
BIND DN: [Blank]
BIND PASSWORD: [Blank]
NAMING ATTRIBUTE: uid
SEARCH BASE DN: dc=colorado,dc=edu
LDAP ATTRIBUTES: cn=nsidc,ou=group,ou=people
DISABLE VBULLETIN USERS: Yes
ALLOW BUILT-IN ACCOUNTS: 1

I am so close, if anyone can assist me with overcoming this latest error, I would greatly appreciate it.
  #93  
08-18-2009, 05:40 PM
nsidcwww
Join Date: Aug 2009
Posts: 3

Okay, so I fixed it by changing the following setting:

NAMING ATTRIBUTE: uid

to the following:

NAMING ATTRIBUTE: mail

But I would like to use username/uid instead.

Any thoughts of getting that to work correctly?
  #94  
08-26-2009, 04:35 PM
Abe Koenghiem
Join Date: Feb 2009
Posts: 9

Haqa,

If you use a sniffer on the client's network port you see this.

POST /forum/login.php?do=login HTTP/1.1 (application/x-www-form-urlencoded)

vb_login_username=abek&vb_login_password=ThePlainTextPasswordOfAbeK&s=&securitytoken=guest&do=login&vb_login_md5password=dbfe6013c281e40468727267d7441951&vb_login_md5password_utf=dbfe6013c281e40468727267d7441951

Is there any way to stop the contents of vb_login_password from being sent as plain text from the client PC to the server?

Other than this issue, this is a great mod.

---------------------------------
EDIT

The answer to my question seems to be to serve the pages from a https server.

I have it working, vB3.8.4
  #95  
09-08-2009, 09:02 PM
brandon515
Join Date: Nov 2006
Posts: 52

I just spent hours trying to get this mod to work. For anyone that is having problems, follow the directions for the mod, then:

Disable vBulletin Users: YES
  #96  
09-11-2009, 12:39 PM
Teamghost
Join Date: Aug 2009
Posts: 2

Quote:
Originally Posted by kamalrij
This quick fix resolved the issue related to the error around first login for the user.

:up: Yeap - this is missing for 3.8.4

great work

Thank you both
  #97  
09-21-2009, 04:43 PM
Abe Koenghiem
Join Date: Feb 2009
Posts: 9

I cannot delete a few users using admincp under vB3.8.4, PHP 5.2.9, MySQL 5.0.84
I receive no error, instead I always receive a 'Deleted User Successfully' message.
And the user is always still there.

The user does not show as banned, has no threads or posts, is not a moderator.
The pattern is: users created by admincp or through vB registration can be deleted.
Users created by logging in with LDAP authentication cannot be deleted, even after the LDAP mod is disabled, uninstalled, files removed and config.php changed back. These users also seem to be uneditable.

The only other mod is vBGallery.
And I am serving https pages to protect the LDAP passwords.
I have looked at the code and the XXXXXuser table without seeing anything.
My searches on un-deletable vB users do not turn up any clues.
The funny thing is other users delete just fine.
Any thoughts?
  #98  
09-28-2009, 06:34 PM
cschroeder1
Join Date: Sep 2009
Posts: 3

I have this plugin working beautifully with our Active Directory. My only objection is that since we do not allow anonymous BIND, in the LDAP options control panel after setup it continues to display the BIND password in plain text. We have more than one vBulletin admin, but they do not need to know the LDAP setup, and as far as I can tell, I can't restrict the LDAP Authentication options by individual admin, nor can I figure out how to have the LDAP control panel just display a blank box or dots, rather than the actual value for that parameter. Ideas anyone?
  #99  
10-02-2009, 06:28 PM
Praxis
Join Date: Jun 2007
Posts: 5

Quote:
Originally Posted by nsidcwww
Okay, so I fixed it by changing the following setting:

NAMING ATTRIBUTE: uid

to the following:

NAMING ATTRIBUTE: mail

But I would like to use username/uid instead.

Any thoughts of getting that to work correctly?

If no one told you, it should work using sAMAccountName, that gives you your Windows login account. If you have an account like john.smith LDAP will see it as john smith, sAMAccountName tosses in the dot.
  #100  
10-17-2009, 11:29 PM
cvcheart
Join Date: Oct 2009
Posts: 1

After installing this product as listed in the instructions I don't believe it is working properly. The odd part is I receive no error messages. Everything looks to be correct in the LDAP settings. Anyone run into this before?

Do users still have to register or does it create the user automatically?
  #101  
11-02-2009, 04:09 AM
bkoeppel
Join Date: Oct 2009
Posts: 1

Hello,

I'm using this Addon with vBulletin 3.8.4. It basically works, but:
- I had to add another ldap_bind, because I can only fetch data with a proxy user. After the ldap_auth_start-Hook:
PHP Code:
    // re-bind with the proxy user, because the normal user has no access
    // Bind (authenticated or anonymous, depending on settings)
    if ($vbulletin->options['ldap_anon_bind']) {
        $ldap_bind = ldap_bind($ldapConnection);
    } else {
        $ldap_bind = ldap_bind($ldapConnection, $vbulletin->options['ldap_bind_dn'], $vbulletin->options['ldap_bind_password']);
    }

    // ldap bind did not succeed, wrong Bind DN/Password combination in configuration
    if ($ldap_bind != 1) {
        ldap_close($ldapConnection);
        if ($vbulletin->options['ldap_disable_internal_users']) {
            process_logout();
            eval(standard_error("Failed to bind to LDAP directory (Initial bind)"));
        }
        return;
    }

- whenever a user comes for the first time, or the first time after he changed his password in the LDAP database, he has no access. He sees: "You have entered an invalid username or password. Please press the back button, enter the correct details and try again.".
When he tries right again, the login works.
How could I fix that?


Anyway, great mod! Thanks.
Reply With Quote
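
The proxy-bind, search, then bind-as-user sequence discussed in post #101, written out as a stand-alone PHP function. This is an added example, not code from the mod or from any poster in this thread; the function name and the $cfg keys are hypothetical stand-ins for the AdminCP settings, and it assumes PHP 5.6+ (for ldap_escape()) and a directory that supports StartTLS.

```php
<?php
// Added illustration: search-then-bind against an LDAP directory.
// $cfg keys (host, port, bind_dn, bind_password, naming_attr, base_dn) are
// hypothetical names mirroring the AdminCP settings described in the thread.
function ldap_search_then_bind(array $cfg, $username, $password)
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which many servers accept; never treat that as a successful login.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect('ldap://' . $cfg['host'] . ':' . (int) $cfg['port']);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Encrypt the forum-to-directory leg; HTTPS only covers browser-to-forum.
    // Step 1: bind as the proxy (service) account so the search is permitted.
    if (!@ldap_start_tls($conn)
        || !@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_password'])) {
        ldap_unbind($conn);
        return false;
    }

    // Step 2: find exactly one entry. The login name is escaped for filter
    // context so characters such as * ( ) \ cannot alter the search.
    $filter = sprintf('(%s=%s)', $cfg['naming_attr'],
        ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, $cfg['base_dn'], $filter, array('mail'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }

    // Step 3: verify the password by binding as the user's own DN. The
    // attributes were already read under the proxy bind, so the user
    // account needs no read access of its own.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok ? $entries[0] : false;
}
```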