LDAP Authentication
Version: 1.1, by zemic
Developer Last Online: Apr 2010

Category: Integration with vBulletin - Version: 3.6.5
Released: 04-17-2007 Last Update: 05-20-2007 Installs: 38
Uses Plugins
Additional Files  
No support by the author.

I've been using vBulletin for a few years, and have had some great modifications from this community, so having recently had to integrate vBulletin with LDAP for my University discussion boards I decided to release this as a modification. This is my present to the community.

Description:

LDAP authentication for vBulletin.

How it works:

This does not modify vBulletin files or vBulletin login code in any way. We simply put a script in front of the login process so we can validate against LDAP. Below is a breakdown of what this thing does:
  • First looks to see if the login form has been submitted
  • Checks whether it should look up "this" user in LDAP (defined in ldapconfig)
  • Queries LDAP for the username
    • If a user is returned, check whether the VB MD5 password matches the LDAP MD5 password
      • If it does, check the VB user table to see if the user is already there. If yes, update the VB user table password with the LDAP password by hashing the MD5 password together with the user's 'salt'
      • If not, create a new user in the database using VB classes/functions.
    • If user/pass do not match in LDAP, check whether the user is in the VB user table.
      • If they are, change the password to something random so they cannot log in with an old password
  • If no user is returned from LDAP, assume the user has registered on the boards in the normal way and don't touch the VB user table.
Requirements:

The requirements are based on the system we use. It may or may not work with other vBulletin versions:
  • PHP 4.3+
  • LDAP system
  • uid (username), mail (email address), and a field containing the user's MD5 password
Installation:
  1. Download and unzip the file
  2. Edit "ldapconfig.php" and then upload into your "includes" folder
  3. Login to Admin CP and Add / Import the product (xml file)
Extra Info / Future Plans / Help:

This LDAP integration script currently requires you to have an LDAP field with the user's password stored as MD5. From my understanding, CRYPT is the default password storage for LDAP, so some of you may not have an MD5 field in LDAP with the user's password hashed as MD5.

It would be possible to modify the script to check against CRYPT, but it would also require a template edit, as the login form converts the password field "onSubmit" to MD5. I did not do this because we already have the MD5 in LDAP, as we use it on a number of different systems already, and I did not want to change VB templates.

Also, I was unable to find documentation on writing a script / releasing a modification, so in future if someone could explain it to me, or change the script slightly to allow editing of the LDAP configuration file within the Admin CP interface, that would be great. This would also mean not having to upload a file into the includes folder.

I'm sure there will be something I haven't thought of, or something that would make it easier if this script had this and that, so feel free to post your ideas and suggestions for improving this modification.

Important Info:
Hack is provided free of charge (but if you really want to get rid of money, PM me). I make no guarantee it will work on your system, but it does on mine with 15,000 users.

Version:
  • 1.1 - You can now specify the field to authenticate against in ldapconfig.php (19/05/2007)
  • 1.0.1 - Corrected 'mysql_num_rows' query to use VB DB class call (19/04/2007)
  • 1.0 - First release (18/04/2007)
Hope it's useful for some of you.

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
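Added worked example (not part of zemic's modification; written for this page): the decision logic from the "How it works" list above as pure PHP functions, so the password handling can be read and exercised without an LDAP server or a vBulletin install. Assumptions, all mine rather than the mod's: the login form posts vb_login_md5password = md5(plaintext) (vBulletin 3.x hashes client-side), the LDAP attribute named in ldapconfig.php holds that same hex digest, vBulletin stores user.password = md5(md5(plaintext) . salt), and PHP 7+ (hash_equals, random_bytes) rather than the PHP 4.3 the mod targets. The function names and the sample entry are constructed for the example.

```php
<?php
// Added example, not code from the modification. Pure functions for the
// "How it works" flow; see the assumptions in the lead-in above.

/**
 * vBulletin 3.x password storage: md5(md5(plaintext) . salt).
 * $md5pass is the client-side md5(plaintext) hex string from the login form.
 */
function vb_password_hash($md5pass, $salt)
{
    return md5($md5pass . $salt);
}

/**
 * Random replacement password for a user whose LDAP check failed, so the hash
 * left in the vBulletin table can no longer be used. CSPRNG, never disclosed.
 */
function vb_scrambled_password($salt)
{
    return vb_password_hash(md5(random_bytes(32)), $salt);
}

/**
 * Decide what to do with the vBulletin user row after the LDAP lookup.
 *
 * $ldap_entry : one entry as returned by ldap_get_entries(), or null if LDAP
 *               returned no user (attribute keys are lowercase there)
 * $ldapfield  : LDAP attribute holding the MD5 digest (from ldapconfig.php)
 * $form_md5   : vb_login_md5password from the login form
 * $vb_user    : ['userid'=>..., 'salt'=>..., 'password'=>...] or null if not in VB
 *
 * Returns ['action' => create|update|scramble|ignore, 'password' => new hash or null]
 */
function ldap_sync_decision($ldap_entry, $ldapfield, $form_md5, $vb_user)
{
    if ($ldap_entry === null) {
        // Not an LDAP account: assume normal board registration, touch nothing.
        return array('action' => 'ignore', 'password' => null);
    }

    $ldap_md5 = isset($ldap_entry[$ldapfield][0]) ? (string) $ldap_entry[$ldapfield][0] : '';
    // Constant-time comparison. The mod's "==" on two hex strings is also subject
    // to PHP numeric-string juggling: "0e123..." == "0e456..." is true.
    $match = hash_equals(strtolower($ldap_md5), strtolower((string) $form_md5));

    if ($match) {
        if ($vb_user === null) {
            // vBulletin generates the salt when the user is created, so no hash yet.
            return array('action' => 'create', 'password' => null);
        }
        return array('action'   => 'update',
                     'password' => vb_password_hash($form_md5, $vb_user['salt']));
    }

    if ($vb_user !== null) {
        return array('action'   => 'scramble',
                     'password' => vb_scrambled_password($vb_user['salt']));
    }
    return array('action' => 'ignore', 'password' => null);
}

// Constructed sample data standing in for ldap_get_entries() and the user table.
$entry  = array('uid' => array('jdoe'), 'mail' => array('jdoe@example.edu'),
                'md5password' => array(md5('correct horse')));
$vbuser = array('userid' => 42, 'salt' => 'abc', 'password' => 'stale-hash');

$ok  = ldap_sync_decision($entry, 'md5password', md5('correct horse'), $vbuser);
$bad = ldap_sync_decision($entry, 'md5password', md5('wrong'), $vbuser);
$new = ldap_sync_decision($entry, 'md5password', md5('correct horse'), null);
$non = ldap_sync_decision(null, 'md5password', md5('anything'), $vbuser);

assert($ok['action'] === 'update' && $ok['password'] === md5(md5('correct horse') . 'abc'));
assert($bad['action'] === 'scramble' && $bad['password'] !== $vbuser['password']);
assert($new['action'] === 'create');
assert($non['action'] === 'ignore');
```

Two details differ from the description on purpose: the digests are compared with hash_equals() instead of ==, and the replacement password for a user who fails the LDAP check comes from a CSPRNG rather than rand(). ldap_get_entries() lowercases attribute names, so the field name you put in ldapconfig.php has to be lowercase for the lookup to find it.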

Comments
#42  11-28-2007, 09:19 PM
Mark Tomlinson (Join Date: Oct 2007, Location: Chicago Area, Posts: 16)


I need to make some corrections to my original posting about using the LDAP bind for authentication. Unfortunately, there were two errors in the code which were causing @ldap_bind to do an anonymous bind. If your directory does not allow anonymous, then the code would fail. If your directory does allow anonymous, then any password would work.

Here is the corrected code from ldap_authentication.php.
Code:
				//... check if the username and password entered in the login form are correct (in LDAP)
				//by default LDAP stores passwords in CRYPT format, but we'd need to know the plain text
				//password to check against CRYPT. VB converts the password into MD5 on form submission
				//and because we have the password already stored as MD5 in LDAP, we can do this!
//	----	Modified by Mark Tomlinson - 11/28/2007 ----
//				if($info[0]["$ldapfield"][0] == $_POST['vb_login_md5password'])
				// Array keys quoted (bare-word keys are undefined constants). The empty
				// password must be rejected first: ldap_bind() with a DN and an empty
				// password is an unauthenticated bind and succeeds on most directories.
				if ($_POST['vb_login_password'] !== ''
				    && @ldap_bind($ds, $info[0]["dn"], $_POST['vb_login_password']))
//	----	End Modifications	----
				{
Also, this code has "dn" hard-coded into it. Your directory may need to use the CN or UID attributes. Chris has suggested that we can reuse $ldapfield for that purpose.
#43  12-10-2007, 07:12 PM
cafelatte (Join Date: Dec 2007, Posts: 3)

I'm a newbie, and seem to be technically challenged today.
Have installed vBulletin v3.6.8 PL2 on Solaris, w/Apache2.2, PHP5.2.4, and MySQL4.1.22.
vBulletin is working, but now I need to have LDAP support for Single Sign On authentication.

OK, I followed the simple instructions for installing "ldapconfig.php",
but I'm stuck at step #3, where I "Add / Import the product (xml file)".

I logged in to the Admin CP, but don't see the Add/Import.
Down the left side I see:
- vBulletin Options
- Style & Template
- Language & Phrases
- FAQ
(and the list goes on)

I have expanded each and every section, but nothing is jumping out at me
that says "Add/Import". Where is it???

Lost and wandering aimlessly.
Stacy
#44  12-11-2007, 05:43 PM
cafelatte (Join Date: Dec 2007, Posts: 3)

OK, I figured out the installation, but now it's not authenticating known users?

any clues???
#45  12-14-2007, 02:24 PM
zemic (Join Date: Sep 2004, Posts: 47)

The usual culprits are the UID field or no MD5 field. MD5 is not a standard LDAP field, but most people create it. So if you've only got CRYPT to store your passwords, this script won't work without some template changes (which is not recommended).
#46  12-14-2007, 08:50 PM
growler (Join Date: Jan 2007, Posts: 8)

Are there any logs to find out why a user isn't able to authenticate correctly? I'm using openldap for telnet/ssh access to the server, but I'm still trying to debug this plugin.

Thanks
#47  12-14-2007, 09:48 PM
cafelatte (Join Date: Dec 2007, Posts: 3)

OK, I think I have narrowed my problem down.

I can't do an anonymous bind, and I am refused access to the md5hash for security reasons.

So now I am looking to use a .htaccess mechanism, and have started to search the forum.
Any recommendations???
#48  01-07-2008, 04:18 PM
Mark Tomlinson (Join Date: Oct 2007, Location: Chicago Area, Posts: 16)

Quote: Originally Posted by cafelatte
OK, I think I have narrowed my problem down.

I can't do an anonymous bind, and I am refused access to the md5hash for security reasons.

So now I am looking to use a .htaccess mechanism, and have started to search the forum.
Any recommendations???
Cafelatte,

You may want to try the method of binding using the user ID that I outline several posts above. Here is a reprise of the code.
PHP Code:
/**********
 *  DO NOT execute if one of the users is in VB and LDAP (list in config file)
 ***********/
//    ----  Modified by Mark Tomlinson - 12/04/2007 ----
//    if($_POST['vb_login_username'] != "$nosearch")
// Skip the LDAP check for Admin CP / Mod CP logins and for the excluded user.
// logintype is only posted by the CP login forms, hence the isset().
// $nosearch must be the variable: the single-quoted literal '$nosearch' would
// never match a real user name.
$logintype = isset($_POST['logintype']) ? $_POST['logintype'] : '';
if (($logintype != 'cplogin')
    && ($logintype != 'modcplogin')
    && ($_POST['vb_login_username'] != $nosearch))
//    ----  End Modifications ----

PHP Code:
            if($info['count'] == 1)
            {
                //... check if the username and password entered in the login form are correct (in LDAP)
                //by default LDAP stores passwords in CRYPT format, but we'd need to know the plain text
                //password to check against CRYPT. VB converts the password into MD5 on form submission
                //and because we have the password already stored AS MD5 in LDAP, we can do this!
//    ----    Modified by Mark Tomlinson - 10/17/2007 ----
//                if($info[0]["$ldapfield"][0] == $_POST['vb_login_md5password'])
                // Non-empty password first (an empty password makes ldap_bind() an
                // unauthenticated bind, which succeeds), then bind as the entry's DN.
                if ($_POST['vb_login_password'] !== ''
                    && @ldap_bind($ds, $info[0]['dn'], $_POST['vb_login_password']))
//    ----    End Modifications    ----
Also, you may find that you use CN for the user name instead of UID. In that case, make the following change and set $ldapuid to "cn".

PHP Code:
            //ldap search using the username entered in the login form
//    ----    Modified by Mark Tomlinson - 10/19/2007 ----
//            $sr=ldap_search($ds, $ldapdn, "uid=$_POST[vb_login_username]");
            // The form value is attacker-controlled: escape it (RFC 4515) before it
            // goes into the filter, or input like  *)(uid=*  rewrites the search.
            // ldap_escape() needs PHP 5.6+; on older PHP escape \ * ( ) and NUL yourself.
            $sr = ldap_search($ds, $ldapdn,
                              "$ldapuid=" . ldap_escape($_POST['vb_login_username'], '', LDAP_ESCAPE_FILTER));
//    ----    End Modifications    ----
-- addendum --
And here is something very important that I forgot to mention before. This only works if the login form passes the password. To make that happen, you have to modify global.php (if anyone knows a better way, please let me know). Add the following anywhere near the top.
PHP Code:
// password will be passed in clear text
define('DISABLE_PASSWORD_CLEARING', 1);
What it says is exactly what it means - the password will be passed in clear text. Not good. I know. Shouldn't be too much of an issue if your forum is SSL, but most aren't. I'm trying to find another way, but this is the only way for now.
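Added example, not code from the modification or from Mark's posts #42 and #48 above: the bind-based check those posts describe, written out as one function with the points raised in this thread handled. The search is done with a service account instead of anonymously; the typed user name is escaped before it goes into the filter; an empty password is refused before ldap_bind() (which otherwise performs an unauthenticated bind and succeeds); exactly one entry is required; and the bind uses the entry's DN whatever attribute ("uid" or "cn", Mark's $ldapuid) names the user. Assumptions: a $cfg array with uri, base_dn, bind_dn, bind_pw and uid_attr keys (my names, not ldapconfig.php's) and PHP's ext/ldap. Only ldap_filter_escape() can run without a directory; the check at the bottom exercises it.

```php
<?php
// Added example, not the modification's own code. See the lead-in for the
// assumed $cfg layout.

/**
 * RFC 4515 escaping for a value placed inside a search filter. Without it a
 * login name such as  *)(uid=*  rewrites the filter and can match any entry
 * (LDAP injection); the user-name field of the login form is attacker input.
 * Portable equivalent of ldap_escape($v, '', LDAP_ESCAPE_FILTER) (PHP 5.6+).
 */
function ldap_filter_escape($value)
{
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\x00" => '\00');
    return strtr((string) $value, $map);   // strtr() does one pass, no double escaping
}

/**
 * Verify username/password against the directory by binding as the user.
 * Returns array(dn, uid, mail) on success, null on any failure.
 */
function ldap_verify_user($cfg, $username, $password)
{
    // 1. Empty password: RFC 4513 section 5.1.2 "unauthenticated bind" succeeds
    //    on many directories (the bug in the first posted version), so refuse it.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        return null;
    }

    $ds = ldap_connect($cfg['uri']);           // e.g. "ldaps://ldap.example.edu" (assumed)
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // 2. Search as a service account, never anonymously, with the typed name escaped.
    if (!@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
        ldap_close($ds);
        return null;
    }
    $filter  = sprintf('(%s=%s)', $cfg['uid_attr'], ldap_filter_escape($username));
    $sr      = @ldap_search($ds, $cfg['base_dn'], $filter, array($cfg['uid_attr'], 'mail'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;

    // 3. Exactly one entry, or we might authenticate the wrong person.
    if (!$entries || $entries['count'] !== 1) {
        ldap_close($ds);
        return null;
    }
    $dn = $entries[0]['dn'];

    // 4. Bind with the entry's DN, not the typed name: whatever attribute forms
    //    the RDN, the DN is what the server authenticates.
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_close($ds);

    if (!$ok) {
        return null;
    }
    return array(
        'dn'   => $dn,
        'uid'  => $entries[0][strtolower($cfg['uid_attr'])][0],   // keys are lowercased
        'mail' => isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : null,
    );
}

// Offline check of the escaping (constructed input).
assert(ldap_filter_escape('*)(uid=*') === '\2a\29\28uid=\2a');
assert(ldap_filter_escape('jdoe') === 'jdoe');
```

In the plugin this would replace the search-plus-bind section, with $cfg filled from ldapconfig.php and $username/$password taken from vb_login_username and vb_login_password (the latter only arrives when DISABLE_PASSWORD_CLEARING is defined, as Mark's addendum says). Two transport points follow from that: the browser now sends the plaintext password to the forum, so the login page needs HTTPS, and the forum then sends it to the directory in the bind, so use ldaps:// or ldap_start_tls() rather than plain ldap://.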
#49  03-11-2008, 02:29 PM
Andy Pace (Join Date: Mar 2008, Posts: 1)

Has anyone got this to work with Active Directory? If so, mind lending some insight?

I have also set this module up correctly as far as I can tell, but I'm not seeing anything in the security event log on the domain controller...
#50  03-12-2008, 02:21 PM
SteveCoppin (Join Date: Feb 2008, Posts: 24)

Does this LDAP mod also sit on top of admincp and modcp? Currently using another mod that doesn't and it's causing some headaches..
#51  03-31-2008, 10:15 AM
oasi (Join Date: Mar 2008, Location: Tarragona, Posts: 31)

Great work folks, I've tried the plugin with Mark's modifications for the CRYPT "problem" and it works...

Now I see a little problem: we want to always perform the login against the LDAP, so if the user changes his password in the UserCP, this password isn't going to be valid.

Do you know if it's possible to deactivate some UserCP fields (in our case, the password and possibly the e-mail)?

Thanks in advance