Miscellaneous Hacks - LDAP Authentication

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using and LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod or an extending to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn if off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:

• ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
• ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
• ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
• ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can setup your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements

• PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes

• 1.0 - Initial release
• 1.1 - Corrected SQL queries to use TABLE_PREFIX
• 1.2 - Corrected a bug which prevented the settings page from being created correctly
• 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependant plugins
• 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
• 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation

1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

[ginab143]

Quote:

Originally Posted by jjuarez

Hi, the error 500 is because I don?t have Ldap support on Php installation.

Just install or reinstall PHP with LDAP Support and this resolve the Blank page.

Now, there are some way to debug the Ldap connection, because I configure the LDAP Settings and when I try authenticate with an Active ?Directory valid user, only say thar I entered an invalid username or password.

Tanks a Lot

Thank you for this. I didn't realize I had installed php without the ldap feature. PHP info always showed that I had LDAP when I checked it. I reinstalled PHP and setup fastcgi again.

I have the same behavior as you, "You have entered an invalid username or password". I had been receiving an error that the initial bind failed, but now I don't even receive this error.

[phpdweeb]

Attached are the cumulative changes/updates for product-ldap_auth-1.5.xml provided by cowbert and john.parlane for running in version 4 so you don't have to update it by hand yourself. Thanks to all who have made this possible!

Also, make sure you install the php-ldap package via yum if you are running Linux, and then restart your apache server after you've installed it.
e.g.
> yum install php-ldap
> restart apache

Cheers,
Jim

[phpdweeb]

changed vbull.user to forum.user in the user database query lookup so it will properly look up existing users

[ginab143]

Quote:

Originally Posted by phpdweeb

Attached are the cumulative changes/updates for product-ldap_auth-1.5.xml provided by cowbert and john.parlane for running in version 4 so you don't have to update it by hand yourself. Thanks to all who have made this possible!

Also, make sure you install the php-ldap package via yum if you are running Linux, and then restart your apache server after you've installed it.
e.g.
> yum install php-ldap
> restart apache

Cheers,
Jim

Thank you so much! I finally got this working, but now I'm not sure if it was from your code change or how I set it up this time. I was still getting the LDAP bind errors when I tried the changed code. After trying more settings I finally got it working by pointing the base DN at an OU first. OU=ou name,DC=domain,DC=domain,DC=org. Not sure if I had tried that in the past or not because I tried so many, many combinations. Unfortunately, it will ONLY work by pointing to an OU. If I try the root of the domain it won't bind. DC=domain,DC=forest domain,DC=org. I was hoping to point to the root of my domain or even the root of the forest because I may end up having to allow logins from other domains. The way it is right now I have to exclude the IT department from ldap logins so that I can point to our users OU. If you have any ideas on how I can get it working by pointing to the root I will be very grateful. Regardless, thank you for putting this up. I can't tell you how many hours I've put into trying this mod and a few others for ldap authentication.

Big thanks,
Gina

[Dwayne]

I'm having issues getting this working with our setup.

vBulletin 3.8.2
Openldap (linux debian)
php 5
product-ldap_auth-1.5.xml

It is binding ok, but setting Naming Attribute to what we use in the OU - "uid" it isn't picking up the username.

Full Name Support for LDAP Auth - seems to work, using the same username on vbulletin database as it is in the ldap database.

Just can't login with users using ldap auth details, also the mod isnt disabling vbulletin users.

[Raun]

Quote:

Originally Posted by phpdweeb

changed vbull.user to forum.user in the user database query lookup so it will properly look up existing users

With this version do we need to do the edit to config.php or global.php to add

Code:

define('DISABLE_PASSWORD_CLEARING', 1);

Also: do any other edits need to be made?

How can I make any errors with this output to a log? I would like to better diagnose my failures.

[kpatten]

There is a lot of good information scattered around this thread for connecting this plugin to Active Directory. In the interest of making things a bit more clear, here are the additional steps required for connecting to Active Directory:

Active Directory:
You need a user to query Active Directory

Firewall:
Don't forget to open firewall ports for authentication if you are working with a DMZ or the like.

LDAP Authentication Settings in vBulletin:
Anonymous Bind: No
Bind DN: <Domain>\<Username>
Naming Attribute: sAMAccountName
Search Base DN: OU=<Whatever>,DC=<your_domain>,DC=<your_domain_tld >
LDAP Attributes: fullName, mail, sAMAccountName

Some points to keep in mind:
1. This plugin doesn't seem to work if your Search Base DN begins with a DN in AD. You must have your search base begin with an OU. This means that if you have multiple OU's at the top level of AD that contain users, you may have a problem.
2. The Bind DN should be passed in the format shown above.
3. Make sure to download product-ldap_auth-1.5_vb4.xml found in this thread, not the one from Haqa's original post. This version contains patches needed for vBulletin 4.
4. The product-ldap_auth-1.5_vb4.xml code attached to this post has a change so that you do not have to specify your DB name:

Code:

$dbuserinfo = $vbulletin->db->query_first_slave("SELECT password FROM ".TABLE_PREFIX."user WHERE username = '$username'");

5. WARNING: If you aren't running vBulletin over SSL, you will be passing your Active Directory usernames and passwords in clear text.

Anything else?

Thanks,

Kirk.

[DarkLord7854]

Awesome plugin, one request though, how can I set it to give the LDAP users specific usergroup(s) by default?

[Jimbot]

Okay so I needed to use this for a setup that we have using Active Directory. Kirk's (KPatten) version was great, but being a hacker at heart I tweaked it. I thought I'd share this with the community as a way to say thanks. All the caveats and instructions that Kirk gave in post 127 still apply.

Differences:

• Option to update the username of existing vbulletin users. I believe this is how it was supposed to work, but it didn't for me
• New database field on user table to store which users are LDAP users, and provides an option to prevent access when those users are removed from AD
• Lots of debug messages (I found this VERY helpful), with an option to disable. (requires includes\devtools.php I got this from here)
• Puts LDAP 'displayname' into user field5 (I've found this to be a pretty common place to put a user's display name, although arguably I should have used the extension points as originally intended)
• Puts LDAP 'title' into user field4 (This is "occupation" in my install)
• I set the minimum version to 4.1.5 - this is because I haven't tested it on anything older, but there's every chance that it will work on whichever system Kirk's works on. Please let me know if this is the case, and I'll update the files here.
• Puts an entry into the user table to indicate if they're an ldap user or not - this requires a new column to be created in the user table: 'ldap'. This is done by the install code for the product. This allows the system to disable users who have since been disabled by ldap, while still allowing external users to use the system.

For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.

[jugbugs]

Quote:

Originally Posted by Jimbot

Okay so I needed to use this for a setup that we have using Active Directory. Kirk's (KPatten) version was great, but being a hacker at heart I tweaked it. I thought I'd share this with the community as a way to say thanks. All the caveats and instructions that Kirk gave in post 127 still apply.

Differences:

• Option to update the username of existing vbulletin users. I believe this is how it was supposed to work, but it didn't for me
• New database field on user table to store which users are LDAP users, and provides an option to prevent access when those users are removed from AD
• Lots of debug messages (I found this VERY helpful), with an option to disable. (requires includes\devtools.php I got this from here)
• Puts LDAP 'displayname' into user field5 (I've found this to be a pretty common place to put a user's display name, although arguably I should have used the extension points as originally intended)
• Puts LDAP 'title' into user field4 (This is "occupation" in my install)
• I set the minimum version to 4.1.5 - this is because I haven't tested it on anything older, but there's every chance that it will work on whichever system Kirk's works on. Please let me know if this is the case, and I'll update the files here.

For this to work you'll need the following files. They go in the following locations:
./includes/xml/hooks_ldap_auth.xml
./includes/devtools.php

A big thanks to everyone who has contributed to this solution: kpatten, haqa, malcolmx and zemic.

I followed this process and am getting...

Code:

Fatal error: Call to undefined function ldap_connect() in D:\www\vhosts\localhost\includes\functions.php(7038) : eval()'d code on line 36

I am assuming this means I do not have ldap enabled for PHP... any thoughts on an easy way to "add" LDAP to an existing install? What specifically needs to be included and where?