LDAP Authentication
Version: 1.5, by Haqa
Developer Last Online: Jun 2010

Category: Miscellaneous Hacks - Version: 3.7.x
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses), then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp, so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...
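
An added illustration of the search-then-bind flow the post describes, written for current PHP with the ldap extension; it is not the mod's code and not part of the original post. The URI, base DN, config keys and function names are assumptions, and it goes beyond the post by rejecting empty passwords, escaping the username in the search filter and requiring StartTLS.

```php
<?php
// Added example, not the mod's code. Config keys and function names are assumptions.

// Escape the username (RFC 4515) so input such as "*)(cn=*" stays a literal value.
function ldap_user_filter(string $attr, string $username): string
{
    return sprintf('(%s=%s)', $attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
}

// Returns the matching LDAP entry on success, null on any failure.
function ldap_authenticate(array $cfg, string $username, string $password): ?array
{
    // A simple bind with a DN and an empty password is an "unauthenticated bind"
    // (RFC 4513, 5.1.2) that many servers report as success, so refuse it here.
    if ($username === '' || $password === '') {
        return null;
    }
    $ds = ldap_connect($cfg['uri']);            // e.g. ldap://host:389
    if ($ds === false) {
        return null;
    }
    try {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        // Simple bind sends the password in clear text: require StartTLS first.
        if (!@ldap_start_tls($ds)) {
            return null;
        }
        // Initial bind: the configured BindDN, or anonymous when none is set.
        $ok = $cfg['bind_dn'] !== ''
            ? @ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])
            : @ldap_bind($ds);
        if (!$ok) {
            return null;
        }
        $filter = ldap_user_filter($cfg['user_attr'], $username);
        $res = @ldap_search($ds, $cfg['base_dn'], $filter, ['mail']);
        $entries = $res ? ldap_get_entries($ds, $res) : false;
        if (!$entries || $entries['count'] !== 1) {
            return null;                        // no match, or an ambiguous one
        }
        // The actual password check: re-bind as the DN that was found.
        return @ldap_bind($ds, $entries[0]['dn'], $password) ? $entries[0] : null;
    } finally {
        @ldap_unbind($ds);
    }
}

// Constructed inputs; both calls return before any server is contacted.
$cfg = ['uri' => 'ldap://ldap.example.test', 'bind_dn' => '', 'bind_pw' => '',
        'base_dn' => 'dc=example,dc=test', 'user_attr' => 'cn'];
echo ldap_user_filter('cn', '*)(cn=*'), PHP_EOL;
var_dump(ldap_authenticate($cfg, 'jdoe', ''));
```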

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #22  
Old 01-27-2009, 02:34 PM
khan2002
Join Date: Oct 2008
Posts: 2

Hy

I installed the plugin, but i get several errors or strange behaviours:

1) I can't login with an admin account
2) I get always following error at the login with an other user:

Quote:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'xxx'@'localhost' (using password: NO) in /var/www/virtual/xxx/htdocs/_forum/includes/functions.php(5721) : eval()'d code on line 106
the new user is created, and after i go back to the main site he is logged in, but before i get this message....

Anyone an idea?

thanks in advance
  #23  
Old 02-21-2009, 06:09 AM
Haqa
Join Date: Jul 2008
Posts: 38

Quote:
Originally Posted by secrtagnt View Post
The plugin is populating vB's db properly when an existing LDAP user tries to login to the forums but doesn't exist in vB; however, it won't log them in -- stating they have entered an incorrect password. The same thing happens for existing vB users.

The passwords are stored as an MD5 hash in LDAP, and I also made sure define('DISABLE_PASSWORD_CLEARING', 1); was in includes/config.php. The strange thing is, if I disable the plugin both existing and newly created users (from LDAP) can successfully login.

Any ideas on what might be causing this?
I'll have to investigate this, I have it working so it sounds like I missed something from the instructions. If I did, sorry, I'll fix it as soon as I find it.

Quote:
Originally Posted by Rondo44 View Post
I have installed this plugin, but can't get it to work. Has anyone gotten this plugin to work in an Active Directory environment? Thanks for your help.
Quote:
Originally Posted by ludachris View Post
I was just going to ask if this worked with Active Directory.
I have made this work with AD, but it requires a little fiddling. At work we have AD replicated into a real LDAP server so that normal access can be used. I'll post some instructions shortly.

Quote:
Originally Posted by sysadm View Post
didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??
Oops, Did I? I'll check, but I don't think I did. If I did, sorry, I'll fix the download shortly.

Quote:
Originally Posted by khan2002 View Post
Hy

I installed the plugin, but i get several errors or strange behaviours:

1) I can't login with an admin account
2) I get always following error at the login with an other user:



the new user is created, and after i go back to the main site he is logged in, but before i get this message....

Anyone an idea?

thanks in advance
That sounds like your database access is at fault, but I don't understand why that would be the case if the rest of your site is working. As I stated above, I'm relatively new to VB and don't have all the answers. Perhaps someone here might know how a VB can work but sometimes throw a MySQL login failure?

Certainly though, failing to log into MySQL would prevent anyone logging in... Is the site sending you database error emails?

H.
  #24  
Old 02-22-2009, 12:18 AM
awillys
Join Date: Nov 2006
Posts: 6

Hi, does this work with vB 3.8.x and/or 3.7.5?

Thanks
A
  #25  
Old 02-22-2009, 07:06 PM
awillys
Join Date: Nov 2006
Posts: 6

Hi,

I have installed the plugin on a vB 3.7.5 following the above instruction.
I then created a new user using the forum registration and that user was not added in LDAP. What did I do wrong?

is it possible to get users added on ldap upon registration from the forum?

Thanks
Antonio
  #26  
Old 03-16-2009, 08:09 PM
jmccaffrey
Join Date: Mar 2009
Posts: 1

I am not using this plugin, however I developed a different product to help me use a different login source than ldap, and I used this as a base. I noticed that the hook global_complete is called AFTER login logic takes place, this seems to be counter to how the hook is designed. This might be causing some of the issues people are seeing. I modified my plugin to use global_setup_complete instead. Note, using this approach requires a bit more setup logic to be used.
  #27  
Old 03-16-2009, 10:01 PM
Haqa
Join Date: Jul 2008
Posts: 38

Quote:
Originally Posted by awillys View Post
Hi, does this work with vB 3.8.x and/or 3.7.5?

Thanks
A
Still testing with 3.8, though it looks promising.

Quote:
Originally Posted by awillys View Post
Hi,

I have installed the plugin on a vB 3.7.5 following the above instruction.
I then created a new user using the forum registration and that user was not added in LDAP. What did I do wrong?

is it possible to get users added on ldap upon registration from the forum?

Thanks
Antonio
I think you may have the purpose of the plugin backwards. This allows people in your LDAP to login to your VB even if they've never registered. You appear to be trying to get VB users put into your LDAP, which this plugin is not intended to do, sorry

Quote:
Originally Posted by jmccaffrey View Post
I am not using this plugin, however I developed a different product to help me use a different login source than ldap, and I used this as a base. I noticed that the hook global_complete is called AFTER login logic takes place, this seems to be counter to how the hook is designed. This might be causing some of the issues people are seeing. I modified my plugin to use global_setup_complete instead. Note, using this approach requires a bit more setup logic to be used.
I can see your point, as I've said this is my first mod. I'll go back to the code and see what refactoring would be needed to switch. However I am using this mod at work and it's working well (Or seems to be). I have many users who have all signed in without using the signup logic (Which I've disabled) and then have returned, re-logging in etc...

I'll have to revisit the code.

H.
  #28  
Old 03-16-2009, 10:04 PM
Haqa
Join Date: Jul 2008
Posts: 38

Quote:
Originally Posted by sysadm View Post
didn't you mix up your hooks in product-ldap_auth-1.4.xml? your ldap_auth_existing_user is called when you're creating a fresh user, while ldap_auth_new_user is called when the user has been found in forum... am i confused??
You are quite right. I'll try to get a revised version up ASAP. It shouldn't prevent anything else working, unless you've written your own plugins triggered from my hooks, in which case they will get called at the wrong times.

Sorry.

H.
  #29  
Old 03-20-2009, 03:31 PM
anthonym16
Join Date: Feb 2009
Posts: 12

Haqa,

I've been trying to get the plugin running with vb 3.8.1. I noticed that the global_complete hook isn't called on a login. I'm just learning the hooks but do I need to change the plugin to fire on global_setup_complete?

Thanks,
Anthony
  #30  
Old 03-20-2009, 09:11 PM
Haqa
Join Date: Jul 2008
Posts: 38

Quote:
Originally Posted by anthonym16 View Post
Haqa,

I've been trying to get the plugin running with vb 3.8.1. I noticed that the global_complete hook isn't called on a login. I'm just learning the hooks but do I need to change the plugin to fire on global_setup_complete?

Thanks,
Anthony
I've just upgraded my dev system to 3.8.1 so it shouldn't be long before I've got a version which does support 3.8.x

H.
  #31  
Old 03-23-2009, 05:48 PM
anthonym16
Join Date: Feb 2009
Posts: 12

Quote:
Originally Posted by Haqa View Post
I've just upgraded my dev system to 3.8.1 so it shouldn't be long before I've got a version which does support 3.8.x

H.
I just got the plug-in working w/ 3.8.1. I had to add my own hook in login.php so I'm interested to see what you come up with so that no vb code is altered.

Also, I had a problem with DISABLE_PASSWORD_CLEARING. I traced it back to line 598 of global.php. I had to switch the 1 and 0 on that line so $show['nopasswordempty'] would get the right value.

-Anthony