Go Back   vb.org Archive > vBulletin Modifications > Archive > Modification Graveyard
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
LDAP Authentication Details »»
LDAP Authentication
Version: 1.5, by Haqa Haqa is offline
Developer Last Online: Jun 2010 Show Printable Version Email this Page

Category: Miscellaneous Hacks - Version: 3.7.x Rating:
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using and LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod or an extending to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn if off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can setup your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependant plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

Download Now

File Type: (21.4 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
Jimbot

Comments
  #62  
Old 04-24-2009, 05:47 AM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by warhau View Post
Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true
That is because as you hit the login button the javascript in the page encrypts your password and deletes the unencypted copy (in the field) - Ever noticed that the field goes blank as you hit login? That's why. This is a sort of security feature so no one snooping on the wire can see the plain text password, however a plugin of this sort needs the plain text password to work, so if my plugin see the field empty it just gives up early because there is nothing it can do.

Quote:
Originally Posted by jaikumarm View Post
Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:
Code:
 
} else {
  $newuserid = $newuser->save();
at the very end of the product xml file

Add:
Code:
verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
  exec_unstrike_user($vbulletin->GPC['vb_login_username']);
  process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
  do_login_redirect();
So you are basically re-running the login logic (It's also called earlier in the plugin), and this solves the problem? Cool.

May I include your patch in the next release?

H.
Reply With Quote
  #63  
Old 04-24-2009, 10:51 AM
Blinker Blinker is offline
 
Join Date: Apr 2009
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I tried jaikumarms code: it works perfect, new users become no error message ! Thanks for that.

And special thanks to Haqa for this Mod !!!
Reply With Quote
  #64  
Old 04-24-2009, 02:02 PM
n0manarmy n0manarmy is offline
 
Join Date: Apr 2009
Location: Baltimore
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by warhau View Post
Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true

so the plugin was exiting. I re-added the line to config.php, and password changes work. However, I did notice that, because of the way my plugin is written, the old VB password will continue to work until the new external password is entered. This is because my plugin fails over to internal users if external auth fails.

Unforunately when the new external password for an existing user is set in VB upon login, I still get the failed login error message, even though the new password gets set, and you can log in using the new password by refreshing the page.

There's obviously something missing from my plugin that should be setting some cookies and/or session stuff correctly. Can't figure it out.
[s]I can't seem to get this working. I've got everything up and going with being able to log in and authenticating against LDAP. It immediately processes the login and the user's away and posting.

I can't get password changes working though. I tested it with an account, as soon as the password changes, they can't log in with the new password, they can only log in with the old password.

Also,

If someone changes their password through their CP, it not only breaks their old password from working, but the new one doesn't work as well.

Also Also,

It appears that by changing my password through the CP it has broken my ability to create new users....?[/s]

EDIT For follow up:

I edited the line
$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates
To appear like above

I was able to log in again with accounts. I don't know if this was somehow reset during my monkeying or not. Everything appears to be working now, including password changes.
Reply With Quote
  #65  
Old 04-24-2009, 04:27 PM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ohh... hmmm
You probably want the "Disable vBulletin Users" turned on. That should (might) make it prefer the LDAP users.

What you are describing with the passwords not changing is that the user update isn't working correctly. This puzzles me because it's relatively simple code, and it's working for some people.

What kind of LDAP server are you reading from? Do you have access to the query logs to ensure that the user is validating and querying their entry correctly?

H.
Reply With Quote
  #66  
Old 04-24-2009, 07:16 PM
jaikumarm jaikumarm is offline
 
Join Date: Apr 2009
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Haqa View Post
So you are basically re-running the login logic (It's also called earlier in the plugin), and this solves the problem? Cool.

May I include your patch in the next release?

H.
Yes, that's was the idea, to trigger the re-login in-code, so that the user does not have to.

Sure, go ahead and include my patch. Thanks much for plugin, it has for sure saved me tons time.

J.
Reply With Quote
  #67  
Old 04-27-2009, 08:28 PM
warhau warhau is offline
 
Join Date: Mar 2009
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks everyone. With the new redirect code, I can got straight in via our SOAP authentication.

I did have a problem with jaikumarm's patch code, when retaining client-side MD5 encoding. The last line "do_login_redirect()" was causing a loop and eventual PHP memory crash. This appears to be due to the global_complete hook being called in print_output in functions.php, which was looping back into the login process. In the original code, there was a line:

$vbulletin->GPC['vb_login_password'] = '';

This kept the plugin from firing when global_complete was called. Without vb_login_md5password being cleared, the plugin was firing everytime it would reach "do_login_redirect()", resulting in the loop.

I also notice that in jaikumarm's code, he is still using

$vbulletin->GPC['vb_login_password']

in his call to verify_authentication. Theoretically, as part of the original code, isn't vb_login_password empty at this point? I'm not sure how verify_authentication would work there with a blank password. Anyway, I didn't have problem with that, but I did have to clear vb_login_md5password just prior to calling do_login_redirect, since my opening logic in the plugin prevents firing if md5 password is empty.

Finally, in the original code, I noticed:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

As I was going through login.php, I noticed that it looks like cookieuser is supposed to be BOOL. Not sure this would cause any problems, but I just removed the line completely and everything works fine.

Thanks to Haqa for a good example, that allowed me to write exactly what I needed, and to jaikumarm for helping to complete the puzzle!
Reply With Quote
  #68  
Old 04-30-2009, 12:31 PM
paul41598's Avatar
paul41598 paul41598 is offline
 
Join Date: Jun 2004
Location: MI
Posts: 732
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Code:
Fatal error: Call to undefined function ldap_connect() in C:\RFCUweb\vbulletin\includes\functions.php(5721) : eval()'d code on line 15
???
Reply With Quote
  #69  
Old 04-30-2009, 12:54 PM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ahh... You haven't installed LDAP support for PHP.

Quote:
Requirements

* PHP 4.3+ with LDAP support.
It can't work without it, sorry.

H.
Reply With Quote
  #70  
Old 04-30-2009, 01:12 PM
paul41598's Avatar
paul41598 paul41598 is offline
 
Join Date: Jun 2004
Location: MI
Posts: 732
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yah I've enabled it now. Still doesnt work when trying to log in as a test AD user. Just keeps saying invalid username /password.

I've read every page of this thread and cannot get this to work. I've follow the instructions completely, put that DEFINE piece of code in my config.php, uploaded the XML to the includes/xml dir. NOTHING.

Running Win2k 2003 with AD
Reply With Quote
  #71  
Old 04-30-2009, 02:04 PM
warhau warhau is offline
 
Join Date: Mar 2009
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by paul41598 View Post
Yah I've enabled it now. Still doesnt work when trying to log in as a test AD user. Just keeps saying invalid username /password.

I've read every page of this thread and cannot get this to work. I've follow the instructions completely, put that DEFINE piece of code in my config.php, uploaded the XML to the includes/xml dir. NOTHING.

Running Win2k 2003 with AD
I'm not sure about Windows, but the Centos RPM distro of PHP does not come with ldap support built in. I needed to install the php-ldap library.

Looks like there is a thread at http://forums.devshed.com/showthread.php?p=1173879 which covers installing PHP LDAP support for Windows, just in case.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:18 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09119 seconds
  • Memory Usage 2,355KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (6)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (1)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete