The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
LDAP Authentication Details »» | |||||||||||||||||||||||||||
I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!
This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using and LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user. You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields. One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod or an extending to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn if off quickly. Additional Hooks The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred. To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum. The following new hooks are created by this mod:
By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can setup your users easily without having to write all the LDAP code yourself! AdminCP Settings This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway. Requirements
I'll try to provide support to users of my mod, but please bear in mind I fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed. Release Notes
Installation
Haqa... Download Now
Show Your Support
|
Благодарность от: | ||
Jimbot |
Comments |
#12
|
|||
|
|||
Thanks for the pointer, this is fixed. Also I noticed I'd forgotten the hook definition file, this is now available above...
H. |
#13
|
|||
|
|||
---
|
#14
|
|||
|
|||
Quote:
The other point is that I'm trying to make my mods so that they don't break upgradability of VB (or any other products). Anyone else know of a simpler way to do Windows SSO? H. |
#15
|
|||
|
|||
Quote:
You'd still need some fairly significant mods to vB, (or perhaps a plug somewhere near global_start???) to tell it to use and trust the external username supplied by SPNEGO. H. |
#16
|
|||
|
|||
Very nice mod - installed with no fuss.
I though had the problem that my LDAP server was containing a new user where the username was not used in vB, but the email was already taken by another username in vB. This means that your plugin tries to create the new user when a correct username/password is issued (seen from the LDAP server). But due to that the email already exists i vB with another username then the creation of the new user fails. This is properly okay, as two different users can not have the same email. But the error messages indicates that a wrong password/username is issued. My suggestion for improvement is to give better response to this case. Best regards Tom |
#17
|
|||
|
|||
Quote:
I'll have to look into this bug, that's NOT what's meant to happen - It's supposed to rename the user to match the LDAP... I can see what you mean though, the error message is unhelpful in this instance, but in keeping with normal login failure message procedure, I've tried not to allow a potential brute-force attacker know what he/she got wrong (username/password etc). A more "helpful" error message might give away the fact that users are being created on the fly from an external database, and that might give an opportunity to inject a user into the system. (Sorry if I seem paranoid, but it's my job, I work with system security all day). H. |
#18
|
|||
|
|||
The plugin is populating vB's db properly when an exisiting LDAP user tries to login to the forums but doesn't exist in vB; however, it won't log them in -- stating they have entered an incorrect password. The samething happens for existing vB users.
The passwords are stored as an MD5 hash in LDAP, and I also made sure define('DISABLE_PASSWORD_CLEARING', 1); was in includes/config.php. The stange thing is, if I disable the plugin both exisiting and newly created users (from LDAP) can successfully login. Any ideas on what might be causing this? |
#19
|
|||
|
|||
I have installed this plugin, but cant get it to work. Has anyone gotten this plugin to work in an active directory environment. thank for your help.
|
#20
|
|||
|
|||
I was just going to ask if this worked with Active Directory.
|
#21
|
|||
|
|||
didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|