Integration with vBulletin - vBulletin Ldap Authentication Plugin

I am using vbulletin for a long time now and before there was the plugin system introduces i hacked every single version of vb to enable ldap authentication. with the introduction of the plugin system i have written a little plugin that works in every version since VBulletin 3.5. This Plugin is the buyable VBulletin Ligh Authentication from http://www.sartori.at. now its FREE.

Since its working and i will not enhance this small plugin anymore, i will make it public. If there are any enhancements, i can put it into my versioning system and update this plugin.

In contrast to the ldap authentication from zemic my board can authenticate against every - already deployed - ldap directory without changeing the encryption type.

If the ldap user is not added in the VBulletin database, the user is automatically added the first time he authenticates against the ldap. if the user already exists then nothing is changed, except the authentication against the directory.

in the admin or moderator panel no user is authenticated against the directory.

Requirements

• php with ldap support

Installation Notes:

1. copy ldapAuth directory to your vb forum installation directory
2. change the path to controller.php directory in ldap-plugin.xml
3. copy the hooks_ldap.xml to FORUM_ROOT/inclucdes/xml directory
4. in login.php search for:
   
   PHP Code:

   if ($vbulletin->GPC['vb_login_username'] == '')
         {
          eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], ....
         } 

   insert below:
   
   PHP Code:

   ($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false; 

5. activate plugin system (if not done already) in admincp
6. in admin cp import the product at "Download / Upload" Plugins
7. in global.php search for:
   
   PHP Code:

   $show['nopasswordempty'] 

   and change:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; 

   to:
   
   PHP Code:

   defined('DISABLE_PASSWORD_CLEARING') ? 0 : 1; 

8. configure the ldap settings in: ldapconfig.inc.php
9. test the product

Additional Notes:
If you are running a Microsoft Active Directory as Ldap server you have to change some settings to allow anonymous queries. This is described at
Novell and Microsoft


I would be happy if you support my modification in any way. Install or nominate it or donate some cents at paypal.

[j_ainsworth]

123

[j_ainsworth]

I have managed to figure out ldp.exe and have now got anonymous searchs working against our Active Directory
However still having trouble with this mod.

I have modified the controller so
$ldapFilter = "(sAMAccountName=" . $vbulletin->GPC['vb_login_username'] .")";
using ldp.exe I can do the above search ok

Using the debug controller I can see it hangs at
$searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter);

If I add a line before it
if(defined('LDDEBUG')) { wrlog("++ presearch /t $ldapConnection,$ldapBase,$ldapFilter"); }
I get this in my log file
++ presearch /t Resource id #15,dc=thebookpeople,dc=com,(sAMAccountName=test98 7)

ANy ideas, desperate for this to work!

Cheers
John

[malcolmx]

Quote:

Originally Posted by j_ainsworth

I get this in my log file
++ presearch /t Resource id #15,dc=thebookpeople,dc=com,(sAMAccountName=test98 7)

ANy ideas, desperate for this to work!

Cheers
John

great that you got ldap working on windows. the logfile entry shows
- $ldapBase printed (dc=thebookpeople,dc=com)
- $ldapFiler printed (sAMAccountName=test987)
- $ldapConnection is working, too

is it working when you print some text into debuglog right after $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter); ?

-malc

[g9g6.com]

Thanks

[j_ainsworth]

Quote:

Originally Posted by malcolmx

great that you got ldap working on windows. the logfile entry shows
- $ldapBase printed (dc=thebookpeople,dc=com)
- $ldapFiler printed (sAMAccountName=test987)
- $ldapConnection is working, too

is it working when you print some text into debuglog right after $searchDn=ldap_search($ldapConnection,$ldapBase,$l dapFilter); ?

-malc

Hi Malc
Progress! I have had some partial success.

If I specify in the ldapconfig.php the actual OU that the account exists in
$ldapBase = "OU=users,OU=Haydock,DC=thebookpeople,DC=com";

and use the cn for the ldapfilter
$ldapFilter = "(cn=" . $vbulletin->GPC['vb_login_username'] .")";

then it works if I login with the actual fullname , ie for me cn=john ainsworth

What I really need is to be able to set the Base to be our top level AD DC=thebookpeople,DC=com rather than be specific
Also to be able to use their login name rather than the Active Directory Object name

I did work out that I changed ldapfilter to query the Active Directory property sAMAccountName instead of cn
and
changed the ldapbase to be
CN=John Ainsworth,OU=HayIT,OU=Haydock,DC=thebookpeople,DC= com

then it would log me in

Cheers

[malcolmx]

if you can only find your user in the "long" tree but the search does not succed with the top level AD base, then it "could" be possivle that AD has a mechanism (like any other ldap) to deny a subtreee (scope) search.

if that works (test with the ldap client command), php standard search scope is subtree (LDAP_SCOPE_SUBTREE) - http://de.php.net/manual/en/function.ldap-search.php

your other thoughts are right:
- login with samaccountname
- search for user (samaccountname=username)
- bind with the full dn (cn=....)

-malc

[j_ainsworth]

[QUOTE=malcolmx;1510358]if you can only find your user in the "long" tree but the search does not succed with the top level AD base, then it "could" be possivle that AD has a mechanism (like any other ldap) to deny a subtreee (scope) search.

All sorted!! If you want to query sub trees in Active Directory don't use the standard port number , use 3268 instead

Once I changed the port number I was able to change the filter to
$ldapFilter = "(sAMAccountName=" . $vbulletin->GPC['vb_login_username'] .")";

to login using the AD login name rather than the cn name

Cheers for all your help malc

[malcolmx]

thanks for using my plugin and its nice to see another one using it

dont forget to click on "Mark as Installed"

thanks for your support!

-malc

[rrusinko]

I am new to using plugins for vBulletin and the error is probaly basic.
I downloaded the plugin and followed the directions, but when I get to step 6:
I receive a message "invalid file specified".
Step 6 is in admin cp import the product at "Download / Upload" Plugins
I am using the plugin hooks_ldap.xml located in the ./includes/xml/.

Any help would be appreciated.

[rrusinko]

I got it working.