Go Back   vb.org Archive > vBulletin Modifications > Archive > Modification Graveyard
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
LDAP Authentication Details »»
LDAP Authentication
Version: 1.5, by Haqa Haqa is offline
Developer Last Online: Jun 2010 Show Printable Version Email this Page

Category: Miscellaneous Hacks - Version: 3.7.x Rating:
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using and LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod or an extending to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn if off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can setup your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependant plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

Download Now

File Type: (21.4 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
Jimbot

Comments
  #32  
Old 04-01-2009, 12:42 PM
vocoder vocoder is offline
 
Join Date: Jul 2007
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

any updates on how to get this working with Active Directory? Additionally I would like to use it without anonymous query access...for other apps that authenticate with Active Directory I have a specific user for that...
Reply With Quote
  #33  
Old 04-01-2009, 06:59 PM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by vocoder View Post
any updates on how to get this working with Active Directory? Additionally I would like to use it without anonymous query access...for other apps that authenticate with Active Directory I have a specific user for that...
Unfortunately my AD server had an accident (Well it corrupted its boot disk) so I can test AD at the moment, but the Bind DN and Bind Password are what you need for the user and password for non-anonymous access - But remember you'll need to be running in mixed (compatible) mode or the AD will require kerberos which PHP doesn't support out of the box (Or at all as far I can tell).

You should find the it will work, but you need to set the correct Naming Attribute, can't remember what it needs to be of the top of my head, but and LDAP browser should be able to connect and you should see which entry you want.

H.
Reply With Quote
  #34  
Old 04-08-2009, 04:25 AM
zhangyc zhangyc is offline
 
Join Date: Feb 2009
Posts: 7
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi Haqa,

I'm using your LDAP add-on (version 1.5) on my vBulletin 3.8.1 Patch Level 1.
I'm a new to LDAP, I tried a lot of times, but still could not get the parameters right.
Attachment is my configuration, would you please teach me what's wrong with my parameters? Thank you!
Attached Files
File Type: (21.4 KB, 85 views)
Reply With Quote
  #35  
Old 04-08-2009, 05:48 AM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by zhangyc View Post
Hi Haqa,

I'm using your LDAP add-on (version 1.5) on my vBulletin 3.8.1 Patch Level 1.
I'm a new to LDAP, I tried a lot of times, but still could not get the parameters right.
Attachment is my configuration, would you please teach me what's wrong with my parameters? Thank you!
I'd say you're pretty much spot on with the parameters. (For those looking for the attribute names for AD, these are they!!) however there appears to be an issue with 3.8.x where the hook I was using no longer occurs in the correct place.

I'm working on a new, 3.8 compatible version (Which therefore will probably NOT work on 3.7) but due to work commitments it's not going as quickly as I would like.

H.
Reply With Quote
  #36  
Old 04-08-2009, 06:33 AM
zhangyc zhangyc is offline
 
Join Date: Feb 2009
Posts: 7
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Haqa View Post
I'd say you're pretty much spot on with the parameters. (For those looking for the attribute names for AD, these are they!!) however there appears to be an issue with 3.8.x where the hook I was using no longer occurs in the correct place.

I'm working on a new, 3.8 compatible version (Which therefore will probably NOT work on 3.7) but due to work commitments it's not going as quickly as I would like.

H.
Hi Haqa,

Thank you for your generous reply, I just get the vBulletin 3.7.6 and tried again, no matter I configured as the picture you posted, or as the picture I posted, it still doesn't work. Can you explain me the exact meaning of the fields "Naming Attribute", "Search Base DN" and "LDAP Attributes"? And can these fields be blank? Thank you!
Reply With Quote
  #37  
Old 04-08-2009, 06:59 AM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by zhangyc View Post
Hi Haqa,

Thank you for your generous reply, I just get the vBulletin 3.7.6 and tried again, no matter I configured as the picture you posted, or as the picture I posted, it still doesn't work. Can you explain me the exact meaning of the fields "Naming Attribute", "Search Base DN" and "LDAP Attributes"? And can these fields be blank? Thank you!
Ahh.. hmm.. Yes, to use this product you need to know a little about how LDAP works. I don't claim to be a total expert but I'll try to help.

Firstly LDAP is a hierarchical database, that is it is structured like a file system with branches (Think directory) and leaves (Think file). Each node, either branch or leaf has a Distingushed Name (DN) which is made up of the Naming Attribute followed by the DN of the node in which it sits so if you have a branch of your tree called:-

dc=example,dc=com

And the naming attribute for an inetOrgPerson class is CN then an inetOrgPerson with CN=fred would have the DN of:-

cn=fred,dc=example,dc=com

The search base is the point in the tree to start searching from. Think of it like this, if on a windows machine you are searching for a document, you don't want to search the entire hard disk, you might start searching in "C:\Documents and Settings" to limit the time taken to find the file. This is what the search base does, so in my example above, to find fred I might set the search base to:-

dc=example,dc=com

The Additional LDAP Attributes setting is to support my add-on products, like Location Support and Fullname Support. For them to work you need to put the attribute name here so that the LDAP Authentication module pulls out the data needed by the add-on modules. If you are not using any modules which extend LDAP Authentication then you don't need to put anything there.

While I'm at it, don't forget that some AD servers don't support what's known as Simple Bind (Which is all that standard PHP can do) but instead need a different sort of login called Kerberos. If your Windows Server is configured to only support Native authentication then there is a good chance that PHP won't be able to bind (Login) and my module just won't work at all. I'm afraid there is nothing I can do about that, it's simply not possible with the standard version of PHP.

I hope this makes a rather complex and confusing subject a little clearer.

H.
Reply With Quote
  #38  
Old 04-08-2009, 07:45 PM
n0manarmy n0manarmy is offline
 
Join Date: Apr 2009
Location: Baltimore
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Haqa I'm having a heck of a time getting this to work with 3.8.2.

I know you don't have it certified to work with it yet but I've seen a few others mention that they got it working with their AD setups.

The information in the screen shot is a copy and paste from a working LDAP tie in from a PHP/Tomcat application as well the PHPBB forums which I had running BEFORE I purchased VBulletin to switch over.

When I activate the plug-in
  • Cannot log in with the admin account (after the fact on another browser)
  • Cannot log in with a normal account

I don't need to add users to the database, all I really need is VB to reach out, see that the user is there, see that their password is correct and then let them in. We're an educational institution with our own Active Directory structure and we just want to unify as much as possible around one account system.

Side Note:
If anyone has any information on where I can turn on advanced logging to see if there's additional information I can get out of the VB that would be awesome.
Attached Files
File Type: (21.4 KB, 51 views)
File Type: (21.4 KB, 19 views)
Reply With Quote
  #39  
Old 04-09-2009, 02:01 AM
zhangyc zhangyc is offline
 
Join Date: Feb 2009
Posts: 7
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi Haqa, with your so detailed explanation, I think I get a little understand LDAP.
But still, I could not get the authentication passed.

I tried four times with different parameter groups, these parameters are not changed through my test:

"LDAP Server" is set "172.29.128.29" (IP address of my AD server),
"LDAP Port" is "389" (Default value),
"Naming Attribute" is set "cn",
"Search Base DN" is set "dc=test,dc=com" (My domain is test.com),
"LDAP Attributes" is always blank,
"Allow Built-in Accounts" is always set "1".

The other fields in the four test groups are:

1. "Anonymous Bind" is set "Yes",
"Bind DN" and "Bind Password" are set blank,
"Disable vBulletin Users" is set "Yes"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

2. "Anonymous Bind" is set "Yes",
"Bind DN" and "Bind Password" are set blank,
"Disable vBulletin Users" is set "No"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

3. "Anonymous Bind" is set "No",
"Bind DN" is set "Administrator"
"Bind Password" is set password for account "Administrator" in domain "test.com",
"Disable vBulletin Users" is set "Yes"

When I login with my domain account, it shows "Failed to bind to LDAP directory (Initial bind)"

4. "Anonymous Bind" is set "No",
"Bind DN" is set "Administrator"
"Bind Password" is set password for account "Administrator" in domain "test.com",
"Disable vBulletin Users" is set "No"

When I login with my domain account, it shows "You have entered an invalid username or password. ..."

Could you please tell me that did I get anything wrong for your program? Thank you!
Reply With Quote
  #40  
Old 04-09-2009, 11:52 AM
n0manarmy n0manarmy is offline
 
Join Date: Apr 2009
Location: Baltimore
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think I figured my problem out.

Haqa,

In your instructions you say to place the line below in to config.php

//LDAP Access Control
define('DISABLE_PASSWORD_CLEARING', 1);

Did you mean to say global.php?

Once I added it to global.php I was able to authenticate most of my users. I do believe there's a problem with users that have very long passwords. They're not able to log in.
Reply With Quote
  #41  
Old 04-09-2009, 12:30 PM
anthonym16 anthonym16 is offline
 
Join Date: Feb 2009
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I got some PMs asking how I got Haqa's plugin working in 3.8.1 so here's what I did...

Start off by creating a hook in login.php and registering it by following the directions here:
https://vborg.vbsupport.ru/showthread.php?t=148573

Do the edit to global.php mentioned in the directions above. I verified that the 1 and 0 for DISABLE_PASSWORD_CLEARING in global.php were swapped in 3.8.1. If you don't do that edit, vb will encrypt the user's password in an md5 hash onsubmit of the login form. Unless your AD passwords are stored in an md5 hash, the password check will fail.

Install Haqa's plugin and go into the plugin manager and set it to fire on the new hook you created. I setup some logging in the plugin code so I could see what was going on. If you get this far, it's all configuration from there.


I extracted the logging code from the plugin linked above to help me debug and added it to Haqa's plugin code:

Code:
define('LDDEBUG', true);
function wrlog($text)
{
	global $fp;
	if($fp){fputs($fp, date("d/m/y : H:i:s", time()) ." >> " . $text . "\n");}
}

if(defined('LDDEBUG')) { $fp=fopen('C:\inetpub\wwwroot\forums\logs\ldap.debug', "a+"); }
if(defined('LDDEBUG')) { wrlog("++ -------- begin ldap log -------- ++"); }

The only downside of this approach is that I had to edit vb source. This is only a temporary solution I hope. I just upgraded to 3.8.2 and saw that global.php and login.php were both overwritten... Hopefully Haqa comes up with a way do to all this without altering any vb source.

Something else for people that are having trouble... vb uses your email as a primary key for users. Initially, my vb admin account was setup to use my email. When I went to test the plugin by using my username from AD to log in, the plugin code tried to create me a new account but failed because my email was already in use by the admin account.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:08 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05458 seconds
  • Memory Usage 2,368KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_code
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (4)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete