Integration with vBulletin - vBulletin Ldap Authentication Plugin

I am using vbulletin for a long time now and before there was the plugin system introduces i hacked every single version of vb to enable ldap authentication. with the introduction of the plugin system i have written a little plugin that works in every version since VBulletin 3.5. This Plugin is the buyable VBulletin Ligh Authentication from http://www.sartori.at. now its FREE.

Since its working and i will not enhance this small plugin anymore, i will make it public. If there are any enhancements, i can put it into my versioning system and update this plugin.

In contrast to the ldap authentication from zemic my board can authenticate against every - already deployed - ldap directory without changeing the encryption type.

If the ldap user is not added in the VBulletin database, the user is automatically added the first time he authenticates against the ldap. if the user already exists then nothing is changed, except the authentication against the directory.

in the admin or moderator panel no user is authenticated against the directory.

Requirements

• php with ldap support

Installation Notes:

1. copy ldapAuth directory to your vb forum installation directory
2. change the path to controller.php directory in ldap-plugin.xml
3. copy the hooks_ldap.xml to FORUM_ROOT/inclucdes/xml directory
4. in login.php search for:
   
   PHP Code:

   if ($vbulletin->GPC['vb_login_username'] == '')
         {
          eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], ....
         } 

   insert below:
   
   PHP Code:

   ($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false; 

5. activate plugin system (if not done already) in admincp
6. in admin cp import the product at "Download / Upload" Plugins
7. in global.php search for:
   
   PHP Code:

   $show['nopasswordempty'] 

   and change:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; 

   to:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1; 

8. configure the ldap settings in: ldapconfig.inc.php
9. test the product

Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell and Microsoft


I would be happy if you support my modification in any way. Install or nominate it or donate some cents at paypal.

[malcolmx]

i am sorry, but i had no time to help we had a cooling problem in our machine room, so i had some stressy days fixing broken and damaged machines..

if you need any help (if you give it one more try) ill help you. if it is possible for you and your company i can fix the problem for you.

-malc

[upnorth]

I'm looking at using this mod but was wondering

#1 will it work with vB 3.6.8

#2 for users authenticated by the LDAP server but not registered in vBulletin, from what I understand a new users created? If understood correctly what user group does the new user automatically get added to?

[fhs2006]

#1 probably yes
#2 yes, new users get created. users are added to the registered group (can be changed in the script with some vbulletin documentation reading)

-fhs

[upnorth]

First off....THIS IS A GREAT MOD!!!

One question that I do have is I've noticed that all the "User Registration Options" on the forum get by passed. i.e send welcome email, default registration options etc. which makes sense as you are creating a user directly in the db table. But is there anyway that I can set some of these user options and send an email notification to the admin, when the user is created and assigned to the registration group? Anyone able to help with this?

[upnorth]

Sorry for the multiple post but I just ran into a small problem. My ID is setup as an administrator and when I attempt to log in the board will not take either my local vB password or my LDAP password? Any ideas? I'm able to log in directly to the admin cp which then provides rights to the forum but for some reason it doesn't by pass the LDAP for admins? Am I understanding this correctly that if you are an admin then it shouldn't use LDAP but instead use the vB id and password?

The info in my debug file is as follows:
++ ---------- START ------- ++
++ LoginType: Normal Login
++ LdafFilter (uid=myUserID)
++ LdapServer connection successful
++ ldap bind did not succeed

Does this mean that it doesn't think that my account is an admin account?

[SteveCoppin]

Quote:

Originally Posted by malcolmx

just comment out the following code:

PHP Code:

// if login form is admin or moderator login, dont use ldap authentication
if(($vbulletin->GPC['logintype'] == "cplogin") || ($vbulletin->GPC['logintype'] == "modcplogin"))
{
        return;
} 


When I try this, I get an error saying that no password has been provided.. The form vairable is the same so I'm not sure what's going on. Any ideas?

[SteveCoppin]

Quote:

Originally Posted by SteveCoppin

When I try this, I get an error saying that no password has been provided.. The form vairable is the same so I'm not sure what's going on. Any ideas?

Got a fix for this.. Instead of going via the LDAP route for modcp and admincp I store the encrypted password in the database. I already have a set of users so have decided to put the code in the section that gets executed if the user already exists. The other advantage is that if a user's LDAP password changes, it's reflected in the database on the next time they log in. Code is as follows:

PHP Code:

// load the user
$userdata =& datamanager_init('user', $vbulletin, ERRTYPE_STANDARD);
$userdata->set_existing($vbulletin->userinfo);
// set password
$userdata->set('password', $vbulletin->GPC['vb_login_password']);
// save the user
$userdata->save(); 


I'm still pretty new to vBulletin so please let me know if I've done something horribly wrong!!

Steve

[SteveCoppin]

Great mod, but I have another slight problem.

The 'remember me' feature isn't working on my instance and I think it may be something to do with this mod. Has anyone else had the same problem?

[upnorth]

Does anyone know how to modify this code to bypass the LDAP log-in for specific user groups?

[D0ubleStakked]

Fantastic mod.
Thanks malcolmx for building this.

had a little bit of trouble at the start, but I have it working now for me.
Thought I'd share my experience.

1.) all the installation steps were easy to follow. I got tripped up on the ldap_plugin.xml vs hooks_ldap.xml, but I realized my mistake pretty quickly. Maybe an update to the documentation to state which file gets uploaded?

2.) controller.debug.php was the key for me. A note to all you linux people out there, make sure the debug logfile exists first and that apache has permissions to write to it. I changed my debug file to /var/log/vbulletin_ldap.debug, logged in as root, so I did the following :

cd /var/log/
touch vbulletin_ldap.debug
chmod 666 vbulletin_ldap.debug
chown apache:apache: vbulletin_ldap.debug

after the chmod & the chown, I started seeing output in my .debug file.

Another quick observation, I didn't have openldap-clients installed, so in reading the posts in this thread, all of the instructions of running "ldapsearch" won't work unless you have openldap-clients installed. Pretty easy from fedora:

yum install openldap-clients

So after that work, I'm up and running.
In total, it took me ~1 hr to get everything running, which isn't bad.
ldap authentication for MediaWiki took me longer.

Thanks again malcolmx!
-Brian