LDAP Authentication
Version: 1.5, by Haqa
Developer Last Online: Jun 2010

Category: Miscellaneous Hacks - Version: 3.7.x
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins, Re-useable Code, Additional Files
No support by the author.
I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp and you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...
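The login check the description above outlines (initial bind, find the user's entry, bind again as that user) written against PHP's ext/ldap, as an added example that is not the mod's own code. The $cfg keys mirror the AdminCP options the mod exposes (host, port, anonymous or authenticated initial bind, bind DN and password, username attribute, search base) but their names and the example.com values are assumptions; it needs a directory to talk to, so it does not run offline. Two checks worth keeping whatever you build on: an empty password must be rejected before the second bind, because a simple bind with an empty password is an anonymous bind and succeeds on most servers, and the username must be escaped before it goes into the search filter.

```php
<?php
// Added example, not the mod's code. $cfg keys and example.com values are
// assumptions; in the real plugin they would come from $vbulletin->options.

function ldap_filter_escape($value)
{
    // RFC 4515 escaping for a value placed inside a search filter, so a
    // username such as  *)(cn=*  cannot widen the search. ldap_escape()
    // only exists from PHP 5.6, and the mod targets PHP 4.3+, so do it by hand.
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Returns the user's directory entry (with 'mail' for matching against the
// board) on success, false on any failure.
function ldap_auth_check($cfg, $username, $password)
{
    // A simple bind with an empty password is an anonymous bind and succeeds
    // on most servers: treat it as a failed login, never as success.
    if ($username === '' OR $password === '')
    {
        return false;
    }

    $conn = @ldap_connect($cfg['host'], $cfg['port']);
    if (!$conn)
    {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals that would otherwise stall the search

    // Initial bind: anonymous, or as the service account from the settings.
    $bound = ($cfg['authtype'] == 'authenticated')
        ? @ldap_bind($conn, $cfg['binddn'], $cfg['bindpw'])
        : @ldap_bind($conn);
    if (!$bound)
    {
        ldap_close($conn);
        return false;
    }

    // Find exactly one entry whose username attribute (cn by default) matches.
    $filter  = '(' . $cfg['userattr'] . '=' . ldap_filter_escape($username) . ')';
    $search  = @ldap_search($conn, $cfg['searchbase'], $filter, array('mail'));
    $entries = $search ? ldap_get_entries($conn, $search) : false;
    if (!$entries OR $entries['count'] != 1)
    {
        ldap_close($conn);
        return false; // unknown, or ambiguous: neither may authenticate
    }
    $dn = $entries[0]['dn'];

    // The real test: bind as the user with the submitted password.
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_close($conn);

    return $ok ? $entries[0] : false;
}

// Usage inside the plugin (settings shown inline here for the example).
$cfg = array(
    'host'       => 'ldap.example.com',                            // assumed
    'port'       => 389,
    'authtype'   => 'authenticated',                               // or 'anonymous'
    'binddn'     => 'cn=vbulletin,ou=services,dc=example,dc=com',  // assumed
    'bindpw'     => 'service-account-password',                    // assumed
    'searchbase' => 'ou=people,dc=example,dc=com',                 // assumed
    'userattr'   => 'cn',
);
$entry = ldap_auth_check($cfg, $vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password']);
// $entry === false: fall through to vBulletin's normal login.
// otherwise: $entry['mail'][0] is the address to match against the board.
```

Port 389 is plain LDAP; the bind in the last step sends the user's password in clear unless you connect with ldaps:// or start TLS first, so on anything but a loopback or isolated management network use one of those.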

Download Now (21.4 KB)

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
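As an added example of the hook points described above (my illustration, not code shipped with the mod): two small plugins that fetch displayName and telephoneNumber from the directory and copy them onto the user being created or updated. $ldapAttrs, $userData and $newuser are the variables the mod exposes at those hooks; the profile field ids field5 and field6, the choice of attributes and the set_userfields() call (assumed to be the vBulletin 3.x user datamanager's method for custom profile fields, called here with the 'admin' permission check) are assumptions to adjust to your own board. Each segment is pasted into its own plugin in the AdminCP at the hook location named in its comment.

```php
<?php
// Added example, not part of the mod. Two plugins, one per hook location.
// Assumptions: profile fields field5 ("Full name") and field6 ("Phone") exist
// under AdminCP > User Profile Fields, and the directory exposes displayName
// and telephoneNumber on user entries (inetOrgPerson and Active Directory do).

// ---- Plugin 1, hook location: ldap_auth_start --------------------------------
// $ldapAttrs is the list of attributes the mod will request; append ours.
// Request only what you will use: every attribute asked for is returned for
// each matching entry, and most of them are personal data.
$ldapAttrs[] = 'displayName';
$ldapAttrs[] = 'telephoneNumber';

// ---- Plugin 2, hook location: ldap_auth_all_user ----------------------------
// Runs for new and existing users alike, before $newuser->save().
// $userData is the ldap_get_entries() result, so attribute names come back
// lower-cased and every value is an array with a 'count' (hence the [0]).
$entry  = $userData[0];
$fields = array();

if (!empty($entry['displayname'][0]))
{
    $fields['field5'] = $entry['displayname'][0];
}
if (!empty($entry['telephonenumber'][0]))
{
    $fields['field6'] = $entry['telephonenumber'][0];
}

if ($fields)
{
    // set_userfields($values, $doquery, $permissioncheck): assumed signature of
    // vB_DataManager_User in 3.7/3.8. 'admin' bypasses the editable-at-
    // registration check, which is appropriate because the values come from
    // the directory rather than from the user's own form submission.
    $newuser->set_userfields($fields, true, 'admin');
}
```

Because ldap_auth_all_user fires before ldap_auth_new_user and ldap_auth_existing_user, anything set here can still be overridden in those later hooks if new and returning users need different treatment.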
Comments
#102 - Haqa - 11-07-2009, 08:41 PM

Quote:
Originally Posted by kamalrij
We're using this plugin along with Full Name support for LDAP Auth plugin to connect to our corporate LDAP directory.

The official email ID of people in our company is to change from handle@company.com to firstname.lastname@company.com.

When people try to login after their email ID has changed they get the following error

vBulletin Message
Error creating/updating user
Array

Once the email ID is updated to firstname.lastname@company.com from the admin control panel they are able to login.

Is there a way for it to be dynamically updated every time a user logs in through this plugin, OR for the user to be allowed to login with his ldap credentials but reflecting his handle@company.com ID (i.e. for the authentication to work without the error mentioned earlier)?
handle@company.com would be set as an alias to firstname.lastname@company.com on the mail servers so the email notifications would continue to work.

Thank you in advance
Kamal
The issue here is that the one thing which must not change is the users' email addresses.

You will have to manually update the email address for each account, I'm afraid...

H.

#103 - ysam - 12-28-2009, 07:12 PM

Hi guyz,

Any chance of getting this to work in vb4?

#104 - ysam - 12-29-2009, 09:07 PM

Ok so I am the first to report it works in vb4pl1.

Only problem is

Quote:
Error creating/updating user
Array
but works ok if you do remove the mysql_real_escape_string() function in
Quote:
WHERE LOWER(email) = LOWER('".mysql_real_escape_string($userData[0]['mail'][0])."')");
Will Test Further....

Nice work and congrats.

#105 - chri55555 - 12-31-2009, 01:15 PM

Hi Ho, this is Chris.

I am also implementing this in VBB4 right now .....

let's get dirty

UPDATE: Ldap_Auth is working now BUT:

If a user is NOT in the LDAP it will not get generated
Is there a way to generate Users in LDAP from Existing Account data in VBB?
We want LDAP for Moodle and OTRS Integration SingleSignOn - so we need all Usernames with PWDs in LDAP.
( I wanted to export the UserPasswords direct via batch in LDIF BUT the salting prevents me from doing so ... )

Please give me a hint on the right direction,

Chris

#106 - Haqa - 01-04-2010, 11:46 AM

Quote:
Originally Posted by ysam
Ok so I am the first to report it works in vb4pl1.
Only problem is [the "Error creating/updating user / Array" message quoted in #104]
but works ok if you do remove the mysql_real_escape_string() function in [the query quoted in #104]
Will Test Further....
Nice work and congrats.
Removing that will bite you the first time someone has a character in their email which PHP or MySQL consider significant. We, for example, had a user whose email address contained a single quote (Their name was something like Fred O'Flintstone or something, so the brain-dead windows AD made their email address fred.o'flintstone or something disturbingly similar!!).

YMMV...

Many thanks to all who have taken this and made such progress including getting it to work on 4.0, I'd expected that not to be possible... Well done all!

H.

#107 - FFSBC - 03-15-2010, 07:35 PM

Installed as directed and worked first try without modification. Authenticating against server 2003 AD.

#108 - john.parlane - 04-01-2010, 12:04 AM

We're finding that the 'remember me' tick box is not working. The cookie is not being set correctly so that when the user comes back they have to re-enter their login each time.

Is anybody else getting this?

Currently working on a fix...

#109 - cowbert - 05-21-2010, 02:33 AM

Quote:
Originally Posted by Haqa
Removing that will bite you the first time someone has a character in their email which PHP or MySQL consider significant. [...]
Here is the fixup:

You need to use the new-style object call to escape the chars, don't use the php external function(s) (particularly because people may be using mysqli and so forth)

Replace all instances of "mysql_real_escape_string()" with:

$vbulletin->db->escape_string(htmlspecialchars_uni(

This is how functions_login.php makes the call, so should you...

#110 - john.parlane - 05-21-2010, 02:55 AM

Quote:
Originally Posted by john.parlane
We're finding that the 'remember me' tick box is not working. [...]
Have implemented a fix for this, as shown below. The code expands on the "if ($newuser->errors)" statement right at the end.

The problem was that after the user is saved with "$newuser->save()" the cookie salt is changed and the password rehashed in the database. The cookie then doesn't match it. The fix is to simply recreate the cookie by getting and rehashing the db password.

Have also implemented jaikumarm's fix for the first time login issue here.
Code:
 if ($newuser->errors) {
  process_logout();
  eval(standard_error("Error creating/updating user<br/>".$newuser->errors));
 } else {
  $newuserid = $newuser->save();
  
  // Saving the user (above) rehashes the password on the DB so now need to update cookie password also, or 'remember me' login option will fail.
  $dbuserinfo = $vbulletin->db->query_first_slave("SELECT password FROM vbull.user WHERE username = '$username'");
  if ($dbuserinfo) {
    $db_hashed_pwd = $dbuserinfo['password'];
    $cookie_hashed_pwd = md5($db_hashed_pwd.COOKIE_SALT);
    vbsetcookie('password', $cookie_hashed_pwd);
  }
  
  // Following code is necessary to fix a hook timing issue with this plugin that results in users being told their login credentials are wrong the first time they login with LDAP credentials
  verify_authentication($username, $passwd, $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
  exec_unstrike_user($username);
  process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
  do_login_redirect();

 }
}
Note that $username needs to be set at the top of the script, along with $passwd, with:

$username = $vbulletin->GPC['vb_login_username'];
$passwd = $vbulletin->GPC['vb_login_password'];

And I removed the following line (118) which doesn't seem to do anything useful:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

#111 - cowbert - 05-21-2010, 01:59 PM

Quote:
Originally Posted by john.parlane
Have implemented fix for this, as shown below. [...]
Remember to use the generic TABLE_PREFIX consts. I would recommend against setting new aliased variables; it only saves typing, and then you have to add additional doco like you do. Just stick with $vbulletin->GPC[]. (Btw $passwd is already assigned on line 30, and $vbulletin->GPC['vb_login_password'] is cleared for safety). And don't forget to $vbulletin->db->escape_string either...
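Putting cowbert's review points together, here is the tail of the plugin as an added example (not the mod's code, and not john.parlane's post as written). It covers both the escaping point from #109 and the remember-me/first-login fix from #110. It assumes it runs inside the ldap_auth plugin after vBulletin 3.x has loaded functions_login.php, so $vbulletin, $newuser, $userData, $passwd (which cowbert says the plugin assigns near the top), TABLE_PREFIX, COOKIE_SALT and the vbsetcookie(), verify_authentication(), exec_unstrike_user(), process_new_login(), do_login_redirect(), process_logout() and standard_error() calls are all vBulletin's own. The "Array" text in the "Error creating/updating user" message reported earlier in the thread is the datamanager's $errors array being concatenated as a string, which hides the actual reason; the example implodes it so the real message is shown. The O'Flintstone address in the comment is a constructed one.

```php
<?php
// Added example, not the mod's own code. Assumes the plugin scope described
// in the lead-in: $vbulletin, $newuser, $userData, $passwd, TABLE_PREFIX and
// COOKIE_SALT already exist and functions_login.php has been included.

// Look a board user up by the LDAP mail attribute. Use this in place of the
// plugin's WHERE LOWER(email) query. Escaping goes through the configured
// database driver (mysql or mysqli), not mysql_real_escape_string(), so a
// constructed address like fred.o'flintstone@example.com (the single-quote
// case from Haqa's post) reaches MySQL intact instead of breaking the query.
// htmlspecialchars_uni() follows cowbert's recommendation to mirror
// functions_login.php; drop it if your board stores addresses unencoded.
function ldap_auth_find_user_by_email($vbulletin, $email)
{
    $escaped = $vbulletin->db->escape_string(htmlspecialchars_uni($email));
    return $vbulletin->db->query_first_slave("
        SELECT userid, username, email
        FROM " . TABLE_PREFIX . "user
        WHERE LOWER(email) = LOWER('" . $escaped . "')
    ");
}

// After save(), re-read the stored hash and rebuild the 'remember me' cookie
// from it: save() re-salts and re-hashes the password, so a cookie written
// from the pre-save value no longer matches. Looking the row up by the userid
// save() returned avoids putting any string into the query at all.
function ldap_auth_refresh_password_cookie($vbulletin, $userid)
{
    $row = $vbulletin->db->query_first_slave("
        SELECT password
        FROM " . TABLE_PREFIX . "user
        WHERE userid = " . intval($userid)
    );
    if (!$row)
    {
        return false;
    }
    vbsetcookie('password', md5($row['password'] . COOKIE_SALT));
    return true;
}

if ($newuser->errors)
{
    process_logout();
    // $newuser->errors is an array; concatenating it just prints "Array"
    eval(standard_error('Error creating/updating user<br />' . implode('<br />', $newuser->errors)));
}
else
{
    $newuserid = $newuser->save();
    ldap_auth_refresh_password_cookie($vbulletin, $newuserid);

    // Hook timing fix from #110: run vBulletin's own login path now that the
    // user row exists, reading the request straight from the cleaned GPC
    // array instead of aliasing it into new variables.
    verify_authentication(
        $vbulletin->GPC['vb_login_username'],
        $passwd,
        $vbulletin->GPC['vb_login_md5password'],
        $vbulletin->GPC['vb_login_md5password_utf'],
        $vbulletin->GPC['cookieuser'],
        true
    );
    exec_unstrike_user($vbulletin->GPC['vb_login_username']);
    process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
    do_login_redirect();
}
```

The two helpers are declared inside plugin code that vBulletin evals once per request at global_complete; if you move them somewhere that can be included twice, wrap each in a function_exists() check.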