Integration with vBulletin - vBulletin Ldap Authentication Plugin

I am using vbulletin for a long time now and before there was the plugin system introduces i hacked every single version of vb to enable ldap authentication. with the introduction of the plugin system i have written a little plugin that works in every version since VBulletin 3.5. This Plugin is the buyable VBulletin Ligh Authentication from http://www.sartori.at. now its FREE.

Since its working and i will not enhance this small plugin anymore, i will make it public. If there are any enhancements, i can put it into my versioning system and update this plugin.

In contrast to the ldap authentication from zemic my board can authenticate against every - already deployed - ldap directory without changeing the encryption type.

If the ldap user is not added in the VBulletin database, the user is automatically added the first time he authenticates against the ldap. if the user already exists then nothing is changed, except the authentication against the directory.

in the admin or moderator panel no user is authenticated against the directory.

Requirements

• php with ldap support

Installation Notes:

1. copy ldapAuth directory to your vb forum installation directory
2. change the path to controller.php directory in ldap-plugin.xml
3. copy the hooks_ldap.xml to FORUM_ROOT/inclucdes/xml directory
4. in login.php search for:
   
   PHP Code:

   if ($vbulletin->GPC['vb_login_username'] == '')
         {
          eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], ....
         } 

   insert below:
   
   PHP Code:

   ($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false; 

5. activate plugin system (if not done already) in admincp
6. in admin cp import the product at "Download / Upload" Plugins
7. in global.php search for:
   
   PHP Code:

   $show['nopasswordempty'] 

   and change:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; 

   to:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1; 

8. configure the ldap settings in: ldapconfig.inc.php
9. test the product

Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell and Microsoft


I would be happy if you support my modification in any way. Install or nominate it or donate some cents at paypal.

[kthompso]

Return from LONG vacation. Problems still exist. Here is current status.

a) Yes, LDAP is enabled per PHPInfo().

b) After hacking the calls to verify_authentication in includes/ldapAuth/controller.php the behaviour changes and we have varied success but new users cannot join.
Here are the changes applied:

Code:

$ grep -n verify_authentication controller.php
94:    verify_authentication($vbulletin->GPC['vb_login_username'], dummy, dummy, dummy, $vbulletin->GPC['cookieuser'], true);
104:   verify_authentication($vbulletin->GPC['vb_login_username'], dummy, dummy, dummy, $vbulletin->GPC['cookieuser'], true);

The "dummy" variables were added to correct the function call.

Current Problem:
LDAP now works for one user (previously registered) and fails for another (never registered).
user kthompso is able to be deleted (via admincp or MySQL data row delete). User kthompso can then use LDAP to register and shows as logged in.

Another user (never having logged in before) is able to login with LDAP and it gives a success screen, but then returns to the NON-logged in screen. The user is NOT added to the vb_users table.

Why is ldapAuth/controller.php calling the variable with three parameters when 6 are required by includes/function_login.php

This LDAP integration is critical to our design. Any help is appreciated.

[gabbs]

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

[hciisd]

Anyone had any success modifying this to use ldap_bind instead? Then you would not have to use anonymous bind for Microsoft as an example. I've been playing around trying to change the ldap_connect to bind but not too much success unfortunately.

Cheers!

[Mark Tomlinson]

Nice hack, works like a charm. Except...

[S]I set up vBulletin with the usual "Admin" account. After adding the hack, I logged in as myself with my LDAP ID - which automagically created my user ID in the user database. Then I logged on as Admin again gave my user ID administrative permissions. (I'll be wanting to give a couple of other users subsets of admin privledges as well).

Well, what happens is that I can not log into the Admin CP with my LDAP ID.
* I can log into the forums with my LDAP ID just fine.
* And I can log into the Admin CP with 'Admin' just fine.
* But I can't log into the Admin CP with my LDAP ID.
* And I can't log into the forums with 'Admin'.
My theory here is that there is a different log-in process for the Admin CP and it is trying to verify my password against the vBulletin database.

Familiar with this problem? Am I just missing something?[/S]

Nevermind! Missed the comment in the description that says LDAP is not used for the admin or moderation control panels. That's not going to work for me. I need it to check the LDAP directory and the database in all cases. I will settle for just checking LDAP, but would rather it check both.

Sounds like I need to do some digging.

[Mark Tomlinson]

Thought I'd throw this out there for everyone's consideration. We're looking at using vBulletin for our intranet, so LDAP became very important. What also became important is that we remove any hint of anonymity. My LDAP ID, for instance, is A000657 - which says nothing about who I am. It would be far better if my full name appeared in my profile somewhere.

So here's what I did. I added a bit of code to controller.php that would retrieve my full name, location, and title from LDAP and stick them in the additional user profile fields. Then I went into the Admin CP and made sure the user can not modify these fields. Here's what the code looks like. The attributes "l", "title", and "fullName" may be different in your configuration.

PHP Code:

// get the email address from ldap
        $ldapConnection = ldap_connect($ldapServer, $ldapPort);
        if($ldapConnection)
        {
            $searchEmail=ldap_search($ldapConnection, $ldapBase, $ldapFilter, $ldapEmailAttr);
            $userEmail=ldap_get_entries($ldapConnection,$searchEmail);
            if(sizeof($userEmail) < 2)
            {
                $newuser->set('email', $noEmailExists);
            }
            else 
            {
                $newuser->set('email', $userEmail[0]['mail'][0]);
            }
//    ---- Modified by Mark Tomlinson - 10/15/2007 ----
            // get user attributes from ldap
            $searchField = ldap_search($ldapConnection, $ldapBase, $ldapFilter);
            $userAttributes = ldap_get_entries($ldapConnection, $searchField);

            // set fields
            $vbulletin->GPC['userfield']['field2'] = $userAttributes[0]['l'][0];
            $vbulletin->GPC['userfield']['field4'] = $userAttributes[0]['title'][0];
            $vbulletin->GPC['userfield']['field5'] = $userAttributes[0]['fullname'][0];
            $newuser->set_userfields($vbulletin->GPC['userfield'], true, 'admin'); 
//    ---- End Modifications ----
        } 
        ldap_close($ldapConnection); 


Next up - plugging the full name and title in the signiture field.

[Mark Tomlinson]

Quote:

Originally Posted by gabbs

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

A blank page usually indicates a PHP error. You will want to double check your work and look in the Apache error_log for a clue.

If you are absolutly sure that all the code is correct, then the problem might be that you don't have the LDAP extension in PHP. Check your php.ini file for "extension=php_ldap.dll". If it's not there, you may need to reinstall PHP and include the LDAP extension.

[razgrp]

Gabbs - did you solve it? I am having the same problem and I dont have a clue.

[malcolmx]

he< guys, i am sorry i did not help anyone of you. was a really busy early/mid/end summer. i move to my new house, had wedding, was on honeymoon, at the university the winter semesters started, but now i do have more time again.

so anything i can help with, or any patch i should look at? any feature request?

thanks to those like, zachery, who helped others out of their problems. i read that one of you added that problem with displaying the "real" name. i solved that in another version of the plugin, probably ill add that stuff later on to this realease. (small database change and template change).

so then,

let the postin begin

-malc

[malcolmx]

Quote:

Originally Posted by gabbs

I'm currently having some problems getting this plugin to work as well - after logging in I only get to see an empty screen (...login.php?do=login)

If anyone has some advice or if anyone experienced this problem as well, please let me know...

Thanks in advance!

you are runnign linux or windows? can you please post the error message from the httpd error log?

-malc

[Zachery]

Does php have LDAP support compiled into it?