LDAP Authentication
Version: 1.1, by zemic
Developer Last Online: Apr 2010

Category: Integration with vBulletin - Version: 3.6.5
Released: 04-17-2007 Last Update: 05-20-2007 Installs: 38
Uses Plugins
Additional Files
No support by the author.

I've been using vBulletin for a few years, and have had some great modifications from this community, so having had to recently integrate vBulletin with LDAP for my University discussion boards I decided to release this as a modification. This is my present to the community.

Description:

LDAP authentication for vBulletin.

How it works:

This does not modify vBulletin files or vBulletin login code in any way. We simply stick some script in front of the login process so we can validate against LDAP. Below is a breakdown of what this thing does:
  • First looks to see if login form has been submitted
  • Checks if it should look up "this" user in LDAP (defined in ldapconfig)
  • Queries LDAP for the username
    • If user is returned check if VB MD5 password matches LDAP MD5 password
      • If it does, check the VB user table to see if the user is already in the table. If yes, update VB user table password with LDAP password by encrypting MD5 password with the user's 'salt' key
      • If not, create a new user in database using VB classes/functions.
    • If user/pass do not match in LDAP then check if user is in VB user table.
      • If they are, change the password to something random so they cannot login with an old password
  • If a user is not returned from LDAP, assume the user has registered on the boards in the normal way and don't do anything to the VB user table.

Requirements:

The requirements are based on the system we use. It may or may not work with other vBulletin versions:
  • PHP 4.3+
  • LDAP System
  • uid (username), mail (email address), and a field containing MD5 password

Installation:
  1. Download and unzip the file
  2. Edit "ldapconfig.php" and then upload into your "includes" folder
  3. Login to Admin CP and Add / Import the product (xml file)

Extra Info / Future Plans / Help:

This LDAP integration script currently requires you to have an LDAP field with the user's password stored as MD5. From my understanding, CRYPT is the default password storage for LDAP so some of you may not have an MD5 field in LDAP with the user's password encrypted as MD5.

It would be possible to modify the script to check against CRYPT, but it would also require a template edit as the login form converts the password field "onSubmit" to MD5. I did not do this because we already have the MD5 in LDAP as we use it on a number of different systems already, and I did not want to change VB templates.

Also, I was unable to find documentation on doing a script / releasing a modification, so in future if someone could explain to me or change the script slightly to allow editing of LDAP configuration file within ADMIN CP interface, that would be great. This would also mean not having to upload a file into the includes folder.

I'm sure there will be something I haven't thought of, or will make it easier if this script had this and that, so feel free to post your ideas, and suggestions on improving this modification.

Important Info:
Hack is provided free of charge (but if you really want to get rid of money PM me). I make no guarantee it will work on your system, but it does on mine with 15,000 users.

Version:
  • 1.1 - You can now specify the field to authenticate against in ldapconfig.php (19/05/2007)
  • 1.0.1 - Corrected 'mysql_num_rows' query to use VB DB class call (19/04/2007)
  • 1.0 - First release (18/04/2007)

Hope it's useful for some of you :up:

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #32  
Old 05-24-2007, 09:55 PM
zemic zemic is offline
 
Join Date: Sep 2004
Posts: 47

Here it is. Stick this in your config.php

Quote:
define('DISABLE_HOOKS', true);
Instructions here:
http://www.vbulletin.com/docs/html/disable_plugins


p.s.
I'm still working on a slight tweak for this modification to work with CRYPT as I said I would do a couple of weeks ago. I should get time to complete it this week.
Reply With Quote
  #33  
Old 05-24-2007, 10:15 PM
David_McPherson David_McPherson is offline
 
Join Date: Oct 2002
Posts: 166

Fantastic... thank you sir. I'm back in.
Reply With Quote
  #34  
Old 05-31-2007, 02:29 PM
fhs2006 fhs2006 is offline
 
Join Date: Apr 2006
Posts: 12

malcolmx gives out his LDAP authentication now for free. It has this feature.
Reply With Quote
  #35  
Old 06-01-2007, 02:27 AM
David_McPherson David_McPherson is offline
 
Join Date: Oct 2002
Posts: 166

Quote:
Originally Posted by fhs2006 View Post
malcolmx gives out his LDAP authentication now for free. It has this feature.
Forgive me... Malcolmx? Do you have a link to his website, or is it here?
Reply With Quote
  #36  
Old 06-01-2007, 04:26 AM
fhs2006 fhs2006 is offline
 
Join Date: Apr 2006
Posts: 12

https://vborg.vbsupport.ru/showthread.php?p=1258715
Reply With Quote
  #37  
Old 09-16-2007, 05:57 PM
ckm ckm is offline
 
Join Date: Jul 2007
Posts: 1

I'm modifying this code to authenticate against something different, but I was looking through the code for this plugin and found a possible error.

In the section where it tries to update the VB database's user password, it seems to MD5 a password that's already MD5'd:

Code:
 
//MD5 the password with SALT key
$passwordsalt = md5($_POST[vb_login_md5password] . $salt[0]);
(BTW, line 89 in the XML file)

It may be my lack of understanding as to how VB holds passwords, but wouldn't you MD5 the plain text password, not something that's already been hashed? If so, would $vbulletin->GPC['vb_login_password'] still be available to do this?

And if $vbulletin->GPC['vb_login_password'] is still available, you could use it to replace $_POST[vb_login_md5password]

Thx.

Chris.
Reply With Quote
  #38  
Old 09-17-2007, 03:09 PM
zemic zemic is offline
 
Join Date: Sep 2004
Posts: 47

Hello,

It's been a few months since I've been on here. In June I moved jobs and have gone from an institution using UNIX UNIX UNIX, to MICROSOFT MICROSOFT MICROSOFT so no LDAP server for me to play around with, and therefore haven't been able to develop this any more since release. Good news: MalcolmX decided to release his version for free after I spent hours figuring this thing out!! I've not tried his version but it's good to give people choice.

Anyway....

ckm, yes it is correct. vBulletin re-hashes the MD5 with a "salt" key. It's like an extra layer of protection. Salt is just a random 3 digit character made up when a new user is created. It's then used to encrypt the password. Does that make sense?

I'll try and get LDAP up and running somewhere so I can develop this a bit further. It works as is but I could add a few extra neat touches.
Reply With Quote
  #39  
Old 10-17-2007, 09:00 PM
Mark Tomlinson Mark Tomlinson is offline
 
Join Date: Oct 2007
Location: Chicago Area
Posts: 16

Our LDAP tree does not include an MD5 password hash field - or at least not one that is viewable with an anonymous bind. So I simply modified the IF that does the password hash comparison with an IF that does a bind with the user's name and password.

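PHP Code:
// Original comparison against the MD5 field in LDAP:
//                if($info[0]["$ldapfield"][0] == $_POST[vb_login_md5password])

// Replacement: bind as the entry's DN with the submitted password.
// ldap_get_entries() returns the DN as a string in $info[0]["dn"].
if (@ldap_bind($ds, $info[0]["dn"], $vbulletin->GPC['vb_login_password']))

It works like a champ.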
Reply With Quote
  #40  
Old 10-17-2007, 09:57 PM
zemic zemic is offline
 
Join Date: Sep 2004
Posts: 47

Brill :up:
Reply With Quote
  #41  
Old 11-05-2007, 03:14 PM
Mark Tomlinson Mark Tomlinson is offline
 
Join Date: Oct 2007
Location: Chicago Area
Posts: 16

I had to make another brief modification.

Many of our users do not have a 'uid', but everyone has a 'cn'. So initially I changed the code just to look for "cn=" rather than "uid=". But I realize that may not be very flexible, so I eventually added a variable to ldapconfig.php called $ldapuid which can be set to "uid", "cn", or what-have-you. A quick change to one line in ldap_authentication.php uses the variable.

PHP Code:
//ldap search using the username entered in the login form
//    ----    Modified by Mark Tomlinson - 10/19/2007 ----
//            $sr=ldap_search($ds, $ldapdn, "uid=$_POST[vb_login_username]");

// $ldapuid is the attribute name set in ldapconfig.php ("uid", "cn", ...)
$sr=ldap_search($ds, $ldapdn, "$ldapuid=$_POST[vb_login_username]");
//    ----    End Modifications    ----
Reply With Quote
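
The bind check and the configurable search attribute from the two posts above, combined into one helper; this is an added example, not code from the plugin or from the posters. It escapes the username before it goes into the search filter and rejects an empty password, because a simple bind with a DN and an empty password is an unauthenticated bind that many servers report as success. The function names are hypothetical, `$ds` is assumed to be the plugin's `ldap_connect()` handle, and `$attr` stands for the `$ldapuid` setting.

```php
<?php
// Added example. Function names are hypothetical; $ds is an ldap_connect()
// handle and $attr is the $ldapuid setting from ldapconfig.php.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function ldapauth_escape_filter($value)
{
    if (function_exists('ldap_escape')) {              // PHP 5.6 and later
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Older PHP: escape the backslash first, then * ( ) and NUL.
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// True only if exactly one entry matches and a bind as that entry succeeds.
function ldapauth_verify($ds, $basedn, $attr, $username, $password)
{
    // A DN with an empty password is an unauthenticated bind, which many
    // servers report as success, so it must never reach ldap_bind().
    if (!is_string($password) || $password === '') {
        return false;
    }
    // The attribute name is configuration, but it still ends up in the filter.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
        return false;
    }
    $filter = '(' . $attr . '=' . ldapauth_escape_filter($username) . ')';
    $sr = @ldap_search($ds, $basedn, $filter);
    if (!$sr) {
        return false;
    }
    $info = ldap_get_entries($ds, $sr);
    if (!$info || $info['count'] !== 1) {              // none, or ambiguous
        return false;
    }
    // ldap_get_entries() gives the DN as a string in $info[0]['dn'].
    // After this call $ds is bound as the user; rebind before reusing it.
    return @ldap_bind($ds, $info[0]['dn'], $password);
}

// Constructed usernames, to show the filter that would be sent (runs offline).
foreach (array('jsmith', 'o*brien', 'smith (staff)') as $u) {
    echo '(uid=' . ldapauth_escape_filter($u) . ")\n";
}
```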