LDAP Authentication
Version: 1.5, by Haqa
Developer Last Online: Jun 2010

Category: Miscellaneous Hacks
Version: 3.7.x
Released: 11-17-2008
Last Update: 03-18-2009
Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#42
04-09-2009, 01:02 PM
n0manarmy
Join Date: Apr 2009
Location: Baltimore
Posts: 11

anthonym16 thanks for the post. I've managed to make a lot of progress so far due to your information. I've gotten to an interesting sticking point though. When I have a user log in with their username and password, it fails the first time, when they try again right away it succeeds and adds them as a user. Any thoughts?

Edit:
It's adding the user on the first failed attempt allowing them to log in successfully on the second attempt.
Reply With Quote
#43
04-09-2009, 01:36 PM
anthonym16
Join Date: Feb 2009
Posts: 12

Quote:
Originally Posted by n0manarmy
> anthonym16 thanks for the post. I've managed to make a lot of progress so far due to your information. I've gotten to an interesting sticking point though. When I have a user log in with their username and password, it fails the first time, when they try again right away it succeeds and adds them as a user. Any thoughts?
>
> Edit:
> It's adding the user on the first failed attempt.

Where do you have your hook in login.php? In my 3.8.1 login.php file, it's on line 100. It seems like the ldap plugin is firing correctly but in the wrong place? If the hook is in the right place, my next thought is maybe your cookies are not working properly.

In Haqa's code, once an email is found in AD, this line executes:
Code:
$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];
Then, in login.php, after the correct hook location, GPC['cookieuser'] is passed into verify_authentication().

I'm still trying to learn the hooks system and vb myself. I only have a couple weeks of head start on you...
Reply With Quote
#44
04-09-2009, 01:45 PM
n0manarmy
Join Date: Apr 2009
Location: Baltimore
Posts: 11

Mine's on line 100 as well

Code:
if ($vbulletin->GPC['vb_login_username'] == '')
{
    eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}
($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false;

I'm extremely new to VB so I know very little about the system.

When you mentioned to follow the directions here
https://vborg.vbsupport.ru/showthread.php?t=148573
did you intend for that plugin to also be installed alongside Haqa's?
Reply With Quote
#45
04-09-2009, 02:25 PM
n0manarmy
Join Date: Apr 2009
Location: Baltimore
Posts: 11

I think I'm also having problems creating the hook as I've never done this before. Now that I think of it, I didn't even create a hook yet.
Reply With Quote
#46
04-09-2009, 02:37 PM
Haqa
Join Date: Jul 2008
Posts: 38

@anthonym16: You are a genius! Thanks. I hope you don't mind if I borrow some of that for the next release? (Credit given of course!).

@n0manarmy: The biggest problem I had with the plugin was getting it to fire at the right point in the login process. Too late and you'll get the effect you are describing with the user created correctly but the login failing first time.

H.
Reply With Quote
#47
04-09-2009, 02:40 PM
Haqa
Join Date: Jul 2008
Posts: 38

Quote:
Originally Posted by anthonym16
> The only downside of this approach is that I had to edit vb source. This is only a temporary solution I hope. I just upgraded to 3.8.2 and saw that global.php and login.php were both overwritten... Hopefully Haqa comes up with a way to do all this without altering any vb source.

That's my plan - I hate having to modify the main code because it breaks every time you upgrade.

Quote:
Originally Posted by anthonym16
> Something else for people that are having trouble... vb uses your email as a primary key for users. Initially, my vb admin account was setup to use my email. When I went to test the plugin by using my username from AD to log in, the plugin code tried to create me a new account but failed because my email was already in use by the admin account.

That's not quite what SHOULD have happened (Need to check why it didn't work as it should). What should happen is that if you login with a different account name BUT THE SAME EMAIL then the account should get renamed!

H.
Reply With Quote
#48
04-09-2009, 02:57 PM
n0manarmy
Join Date: Apr 2009
Location: Baltimore
Posts: 11

I'll hang tight then and wait to see how the update goes. I can get people in to the system now, even though it takes two login attempts.
Reply With Quote
#49
04-14-2009, 12:13 AM
zhangyc
Join Date: Feb 2009
Posts: 7

Hi Haqa,

I have gone through your code, and added
PHP Code:
// Disable LDAP referrals option
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
under your code
PHP Code:
// Enable LDAP version 3
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
and changed your LDAP bind code like this
PHP Code:
// Bind (authenticate or anonymous depending on settings)
//if ($vbulletin->options['ldap_anon_bind']) {
// $ldap_bind = ldap_bind($ldapConnection);
//} else {
// $ldap_bind = ldap_bind($ldapConnection, $vbulletin->options['ldap_bind_dn'], $vbulletin->options['ldap_bind_password']);
//}
$ldap_bind = ldap_bind($ldapConnection, $vbulletin->GPC['vb_login_username'], $passwd);
I could ignore your "ldap_anon_bind", "ldap_bind_dn" and "ldap_bind_password" options.
Now, I can get it to work with my vBulletin 3.7.6, but I got the same problem as n0manarmy, that is, when a domain user logs in for the first time, it returns a "password error" message, when logging in the next time, third time, etc., it's ok.

In my opinion, the reason I got this problem is the position of the hook "global_complete", what do you think? Thanks!
Reply With Quote
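
The bind sequence discussed in post #49, as an added example that is not part of the original thread or of the mod's code: it refuses empty credentials before calling ldap_bind() (an empty password produces an unauthenticated bind under RFC 4513 section 5.1.2, which many directories accept), escapes the login name in the search filter, and only then binds as the located DN. The function name and the $cfg keys are hypothetical, and it assumes PHP 5.6 or later with the LDAP extension (for ldap_escape()) and a reachable directory.

```php
<?php
// Added example, not Haqa's or zhangyc's code. ldap_check_login() and the
// $cfg keys (uri, bind_dn, bind_password, base_dn, user_attr) are hypothetical.
function ldap_check_login(array $cfg, $username, $password)
{
    // An empty password turns a simple bind into an "unauthenticated" bind
    // that can succeed without proving identity, so fail before any LDAP call.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($cfg['uri']);   // prefer an ldaps:// URI
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the lookup account configured by the administrator.
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_password'])) {
        ldap_unbind($conn);
        return false;
    }

    // Escape filter metacharacters so the login name cannot alter the query,
    // and require exactly one matching entry.
    $filter = '(' . $cfg['user_attr'] . '='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = @ldap_search($conn, $cfg['base_dn'], $filter, array('mail'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }

    // Step 2: re-bind as the located DN with the password the user supplied.
    $dn   = $entries[0]['dn'];
    $mail = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : null;
    $ok   = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);

    // Return the DN and mail attribute on success, false on any failure.
    return $ok ? array('dn' => $dn, 'mail' => $mail) : false;
}
```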
#50
04-14-2009, 05:22 PM
n0manarmy
Join Date: Apr 2009
Location: Baltimore
Posts: 11

Any updates on this? Not that I want to rush you or anything but I want to get VB live and active with my students and I don't want to tell them that the registration process requires one failed logon to get an account.
Reply With Quote
#51
04-17-2009, 09:13 PM
FFSBC
Join Date: Apr 2009
Posts: 7

I've followed all the instructions and cannot get the logon to work with 3.8.2 and 2003 active directory.. would really love an update on this one.
Reply With Quote