LDAP Authentication
Version: 1.5, by Haqa
Developer Last Online: Jun 2010

Category: Miscellaneous Hacks - Version: 3.7.x
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses), then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well, firstly, the only additional file is the XML file for the new hooks (see below), and there are no changes to vBulletin code, so installation is simple, and upgrades to vBulletin don't get overcomplicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough), I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp, so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (before, not after, the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...


  • This modification may not be copied, reproduced or published elsewhere without author's permission.
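
The login flow described in the first post (look the user up with the configured Bind DN, then test the submitted password against the directory) depends on how the submitted name and password are handled before they reach LDAP. The sketch below is an added example, not the mod's code; the function names and the $cfg keys are hypothetical.

```php
<?php
// Added example (not the mod's code). Function names and $cfg keys are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function ldap_auth_escape_filter($value)
{
    if (function_exists('ldap_escape')) {              // PHP 5.6 and later
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    $out = '';
    for ($i = 0; $i < strlen($value); $i++) {
        $c = $value[$i];
        $out .= (strpos("\\*()\0", $c) !== false) ? sprintf('\\%02x', ord($c)) : $c;
    }
    return $out;
}

// Search-then-bind. Returns the matching LDAP entry on success, false otherwise.
function ldap_auth_check($cfg, $username, $password)
{
    // ldap_bind() with an empty password is an unauthenticated bind, which many
    // servers accept, so an empty password must fail before any LDAP call.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect('ldap://' . $cfg['host'] . ':' . $cfg['port']);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Port 389 is cleartext: upgrade with StartTLS before sending credentials.
    $entry = false;
    if (@ldap_start_tls($ds)
        && @ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_password'])) {
        $filter = '(' . $cfg['naming_attr'] . '=' . ldap_auth_escape_filter($username) . ')';
        $sr = @ldap_search($ds, $cfg['base_dn'], $filter, array('mail', 'displayName'));
        $found = $sr ? ldap_get_entries($ds, $sr) : false;
        // Require exactly one match, then test the user's own password.
        if ($found && $found['count'] === 1
            && @ldap_bind($ds, $found[0]['dn'], $password)) {
            $entry = $found[0];
        }
    }
    ldap_unbind($ds);
    return $entry;
}

// Constructed inputs: filter metacharacters in a login name become literals.
foreach (array('jdoe', 'j*', 'a)(b') as $name) {
    echo '(sAMAccountName=' . ldap_auth_escape_filter($name) . ")\n";
}
```

The loop at the end runs without an LDAP server; ldap_auth_check() needs PHP's LDAP extension and a directory that supports StartTLS.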

Comments
#142
02-03-2012, 11:01 PM
ItsDrew
Join Date: Jan 2012
Posts: 3

Quote:
Originally Posted by rguser
Has anyone conceived of the idea or attempted setting the username to the LDAP 'displayname' or 'givenname' and 'sn' while allowing the user to both login and authenticate using their LDAP credentials? ie, login as: jdoe, but username is set to John Doe so that all posts, member list, user profile and all show John Doe. My forum is internal, consists only of LDAP users all on the same domain and I've disabled registration since the LDAP auth code can create a new user. I've made a user profile field set to displayname but if I don't have to go through and modify the template to show the displayname userfield in lieu of username, that would be awesome.

Unless it's easier now to modify the template using the built-in search/replace? Suggestions or ideas?

rguser: Did you ever find a good solution to this? The LDAP passes their employee ID as their user logon (required). But I would rather have all their posts show as their LDAP "displayName."

The closest I got was to modify the product-ldap_auth-1.5.1_vb4.xml to set the usertitle to the LDAP displayName so at least their name is below their employee ID.

I'd like to know how you worked around this.

PHP Code:
} else {
      // Excerpt from the new-user branch of the plugin.
      ( $debug ) ? print_log("New user. Creating with info from ldap") : false;
      $newuser->set('email', strtolower($userData[0]['mail'][0]));
      $newuser->set('customtitle', 2);
      // Show the LDAP displayName as the user title, below the login name.
      $newuser->set('usertitle', ($userData[0]['displayName'][0]));
      $newuser->set('username', $vbulletin->GPC['vb_login_username']);
      $newuser->set('usergroupid', 2);
      $newuser->set_bitfield('options', 'adminemail', true);
      $newuser->set_bitfield('options', 'emailonpm', true);
      $newuser->set_bitfield('options', 'vm_enable', true);
      $newuser->set('pmpopup', 1);
      $newuser->set('password', $passwd);
      // Escape the submitted login name before it goes into the SQL string,
      // and send the UPDATE through query_write() rather than a slave read.
      $vbulletin->db->query_write("
      UPDATE " . TABLE_PREFIX . "user
      SET ldap=true
      WHERE username='" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_username']) . "'");
#143
02-28-2012, 08:37 PM
roarkh
Join Date: Nov 2011
Posts: 5

I am relatively new to vBulletin still but have version 4.1.8 installed and working just fine with this plug-in. I have never performed a vBulletin upgrade before and was just wondering what to expect regarding installed plugins when upgrading from 4.1.8 to 4.1.10. Will the LDAP Authentication plugin continue to work as it does now? Or will it need to be modified and/or reinstalled?

Thanks in advance.
#144
06-06-2012, 02:07 PM
tdarvill
Join Date: Mar 2011
Posts: 5

Are there any issues with using this mod on vBulletin 4.2.0?
#145
08-30-2012, 07:43 PM
rguser
Join Date: Nov 2011
Posts: 2

Quote:
Originally Posted by ItsDrew
rguser: Did you ever find a good solution to this? The LDAP passes their employee ID as their user logon (required). But I would rather have all their posts show as their LDAP "displayName."

The closest I got was to modify the product-ldap_auth-1.5.1_vb4.xml to set the usertitle to the LDAP displayName so at least their name is below their employee ID.

I'd like to know how you worked around this.

PHP Code:
} else {
      // Excerpt from the new-user branch of the plugin.
      ( $debug ) ? print_log("New user. Creating with info from ldap") : false;
      $newuser->set('email', strtolower($userData[0]['mail'][0]));
      $newuser->set('customtitle', 2);
      // Show the LDAP displayName as the user title, below the login name.
      $newuser->set('usertitle', ($userData[0]['displayName'][0]));
      $newuser->set('username', $vbulletin->GPC['vb_login_username']);
      $newuser->set('usergroupid', 2);
      $newuser->set_bitfield('options', 'adminemail', true);
      $newuser->set_bitfield('options', 'emailonpm', true);
      $newuser->set_bitfield('options', 'vm_enable', true);
      $newuser->set('pmpopup', 1);
      $newuser->set('password', $passwd);
      // Escape the submitted login name before it goes into the SQL string,
      // and send the UPDATE through query_write() rather than a slave read.
      $vbulletin->db->query_write("
      UPDATE " . TABLE_PREFIX . "user
      SET ldap=true
      WHERE username='" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_username']) . "'");

Sorry for the very late response. Yes, I solved this similarly to how you have it.

The username is only valid from the login screen. Within the code the username is converted over to the full display name right away and used consistently throughout. New account vs existing account is determined by doing a search for the userData[0]['mail'][0].

In transition, I just wrote a script to update all usernames from user alias to full name.
#146
09-29-2012, 12:48 AM
Tweak589
Join Date: Nov 2003
Location: California
Posts: 25

Hello,

I am trying to set this up in 4.2.0 and am at a loss right now what I have done wrong. I don't have any errors or any problems so far. I've installed the plugin fine, have LDAP PHP module ready, etc.

I have read this thread and seen that the plugin has many improvements contributed to it and it seems that jimbot's post is where the latest version ends up: https://vborg.vbsupport.ru/showpost....&postcount=129

I've followed some instructions in post 127 as well, but I think my problem here is that I simply cannot connect to my LDAP server. My login system on vBulletin does not seem different at all, and is using my traditional "5 attempts" login. So you can imagine when trying this, it gets quite frustrating to have to wait 15 minutes to try logging in again. Every time I am trying new settings nothing changes. I am not sure if I am even connecting to Active Directory. This is what I have currently for settings:

My LDAP settings (having trouble connecting?):
LDAP Server: mydomain.blah.site.com
LDAP Port: xxxx
Anonymous Bind: NO
Bind DN: DOMAIN\username
Bind Password: xxxxxxxxxxx
Naming Attribute: sAMAccountNAme (how does this look, is it first initial + lastname? (e.g. John Doe = jdoe))
Search Base DN: CN=distributionlistname,OU=Distribution Lists,DC=max,DC=blah,DC=site,DC=com
LDAP Attributes: [blank]
Disable vBulletin USers: No
Allow Built-in Accounts: 1 (my admin account id)
Update username: No (I will play with this later)
Disallow disable LDAP logins: Yes
Debug: Yes (in hopes I can see what is wrong! But I don't even see debug output when logging in at the moment)


Any advice as to what works and doesn't work would be helpful. Thank you!
#147
10-10-2012, 04:15 PM
havokit
Join Date: Oct 2012
Posts: 1

Quote:
Originally Posted by Tweak589
Hello,

I My login system on vBulletin does not seem different at all, and is using my traditional "5 attempts" login. So you can imagine when trying this, it gets quite frustrating to have to wait 15 minutes to try logging in again.

I'm having difficulty too with the latest version 4

Wireshark on your LDAP / AD server can tell you if it's hitting your server for authentication. Use the filter ip.addr==192.168.1.34 or something similar

Also under General Settings turn off (Use Login "Strikes" System) which will remove the 15 minute gap problem!

Hope this helps!
#148
10-10-2012, 05:00 PM
Tweak589
Join Date: Nov 2003
Location: California
Posts: 25

Thanks havokit.

Hopefully someone comes along in this thread to resolve our connection issues in 4.2.0. I didn't think a plugin such as this would be incompatible from a few older versions of 4.x. Perhaps it is something to do with the hook(s).

I am not knowledgeable with PHP or any of this, so I am stuck trying to figure this out.
#149
01-30-2013, 07:59 PM
miklr
Join Date: Jan 2013
Posts: 2

Quote:
Originally Posted by Tweak589
Thanks havokit.

Hopefully someone comes along in this thread to resolve our connection issues in 4.2.0. I didn't think a plugin such as this would be incompatible from a few older versions of 4.x. Perhaps it is something to do with the hook(s).

I am not knowledgeable with PHP or any of this, so I am stuck trying to figure this out.

Tweak589, were you able to get this working? We are also in the process of LDAP implementation.

thanks
#150
05-10-2013, 12:50 PM
alexm
Join Date: Apr 2005
Location: United Kingdom
Posts: 34

FWIW I've just done an upgrade from 4.1.10 to 4.2.1 and the plugin is still working fine for me!

My settings are:

LDAP Server: dcname.domain.com
LDAP Port: 389
Anonymous Bind: No
Bind DN: CN=Account Name,CN=Users,DC=domain,DC=com
Bind Password: <password for above account>
Naming Attribute: sAMAccountName
Search Base DN: DC=domain,DC=com (see my earlier post in this thread about searching sub-OU's)
LDAP Attributes: fullName,mail,sAMAccountName,displayname,title,l