Go Back   vb.org Archive > vBulletin Modifications > Archive > Modification Graveyard
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
LDAP Authentication Details »»
LDAP Authentication
Version: 1.5, by Haqa Haqa is offline
Developer Last Online: Jun 2010 Show Printable Version Email this Page

Category: Miscellaneous Hacks - Version: 3.7.x Rating:
Released: 11-17-2008 Last Update: 03-18-2009 Installs: 65
Uses Plugins
Re-useable Code Additional Files Translations  
No support by the author.

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using and LDAP directory as an external authentication source for your board. The idea is simple; capture a login attempt before authentication and test it against LDAP first, if that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields, if there is already a matching user (Determined by comparing email addresses) then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well firstly the only additional file is the XML file for the new hooks (See below), and no changes to vBulletin code so installation is simple, and upgrades to vBulletin don't get over complicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough) I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed, this is a safety feature, so even if the mod or an extending to it, breaks your board, you shouldn't ever get locked out of the admincp so you'll be able to turn if off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can setup your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependant plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...

Download Now

File Type: (21.4 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
Jimbot

Comments
  #72  
Old 04-30-2009, 02:14 PM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

When I get the next release of this out attached to a better hook point I think the experience will be better. Can you put a screenshot of your settings up (Or pm me your settings) so I can take a look? It sounds like you are either not querying the correct branch of the AD's LDAP or you aren't pulling the correct attributes out.

H.
Reply With Quote
  #73  
Old 05-12-2009, 12:13 AM
warrentr2 warrentr2 is offline
 
Join Date: May 2009
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for this mod Haga,

I seem to be stuck when I hit any error cases. Specifically using the vB standard_error function from within the global_complete hook causes browsers to hang when they hit this error. As a test I tried the following from the forumhome_start hook, and it was successful:

PHP Code:
eval(standard_error"Test error" )); 
But it just wont work from global_complete...

I am running vB 3.8.2. Have you come across anything like this? Thanks
Reply With Quote
  #74  
Old 05-21-2009, 05:34 PM
kamalrij kamalrij is offline
 
Join Date: May 2009
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Worked for me as well.

Thanks
Kamal
Reply With Quote
  #75  
Old 05-26-2009, 11:53 PM
kamalrij kamalrij is offline
 
Join Date: May 2009
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by jaikumarm View Post
Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:
Code:
 
} else {
  $newuserid = $newuser->save();
at the very end of the product xml file

Add:
Code:
verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true);
  exec_unstrike_user($vbulletin->GPC['vb_login_username']);
  process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
  do_login_redirect();
This is basically the std login code for vb. I have just ended up re-logging the user with the login credentials provided earlier.

So here is the quick retrace of steps.
Installation
1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
3a. Edit product-ldap_auth-1.5.xml with the changes as above
3b. Install the modified product file using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.
4. Edit LDAP Authentication Options and fill in your ldap details
5. Done.
This quick fix resolved the issue related to the error around first login for the user.
Reply With Quote
  #76  
Old 05-27-2009, 10:57 AM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The odd thing is that I am using this on a 3.8.2 without this alteration and it appears to be working properly. Odd...

As for the errors not working, I've not experienced that either. Due to a fault in the AD replica I rely on a number of users password didn't get updated last time they changed them (It's still got their previous password), so they get login errors if they forget and use their current password.

I think the best (though not necessarily the easiest) solution is to persuade Jellsoft to add a hook in the login process, as IMHO that would solve almost all the problems being reported here.

I'll ask them and see what they say.

H.
Reply With Quote
  #77  
Old 06-03-2009, 08:26 PM
kamalrij kamalrij is offline
 
Join Date: May 2009
Posts: 5
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

One odd behaviour I've seen with this plugin is that the Option Receive Email from Other Users under the user profile is off when the user logs in with their LDAP credentials for the first time.

As we are using LDAP, new registration is turned Off under User Registration Options but Display Email is checked under Default Registration Options.
Is there some other option that I need to turn on for Receive Email from Other Users to be ON for all users by default.

Thanks
Reply With Quote
  #78  
Old 06-08-2009, 04:58 PM
jondrnek jondrnek is offline
 
Join Date: Apr 2008
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Do you deal with password changes at all? If a user who logged in via LDAP changes their password via vBulletin what happens?
Reply With Quote
  #79  
Old 06-08-2009, 08:27 PM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by jondrnek View Post
Do you deal with password changes at all? If a user who logged in via LDAP changes their password via vBulletin what happens?
The next time they log in (Not by cookies but actually enter a username and password) their password is changed back.

Unless you permit VB users (i.e. Don't turn on disable vb only users). If you allow vb only users then an LDAP user might be allowed to log in with the vb password rather than the LDAP password (if they are different). To be honest, I've never tried becuase I either use LDAP or I use vb (Without LDAP) never both.

H.
Reply With Quote
  #80  
Old 06-11-2009, 11:55 PM
J29194132705 J29194132705 is offline
 
Join Date: May 2009
Posts: 1
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

using Anthonym16's advice here I was able to get the plugin functioning to register new users. In 3.8.2, returning users couldn't get in, so I changed the lines,

Code:
$userid = $vbulletin->db->query_first_slave("
  SELECT userid
  FROM ".TABLE_PREFIX."user 
  WHERE LOWER(email) = LOWER('".mysql_real_escape_string($userData[0]['mail'][0])."')");
and removed the mysql_real_escape_string() function call. It works!
Reply With Quote
  #81  
Old 06-12-2009, 05:17 AM
Haqa Haqa is offline
 
Join Date: Jul 2008
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Removing that is not a good idea. I discovered how important it was the first time someone with a single quote (Apostrophe) in their surname registered... i.e. fred.o'flintstone@somewhere.org will never be able to log in.

I very much doubt that is stopping people logging in... Certainly I've seen it working under 3.8.2 with that code in place.

H.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:31 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05418 seconds
  • Memory Usage 2,348KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (3)bbcode_code
  • (1)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (1)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete