LDAP Authentication
Mod Version: 1.5, by Haqa (Member)
Developer Last Online: Jun 2010

This modification is currently quarantined.
vB Version: 3.7.x Rating: (18 votes - 4.61 average) Installs: 65
Released: 18 Nov 2008 Last Update: 19 Mar 2009 Downloads: 802
Not Supported Uses Plugins Additional Files Re-usable Code Translations External Content  

I've only recently started using vBulletin, and this is my first mod so if you use this, please click Installed!

This mod (which builds on the fine work from malcomx and zemic) is intended to lower the barriers to using an LDAP directory as an external authentication source for your board. The idea is simple: capture a login attempt before authentication and test it against LDAP first. If that succeeds, see if there is already a matching user in vBulletin. If there is not, create one, using data from the LDAP to fill in the required fields; if there is already a matching user (determined by comparing email addresses), then update the user.

You might be asking why this mod is better than the two mods I've mentioned above? Well, firstly, the only additional file is the XML file for the new hooks (see below), and there are no changes to vBulletin code, so installation is simple and upgrades to vBulletin don't get overcomplicated by re-applying changes. Secondly, all the settings are controlled from the admincp rather than an external config file. Thirdly (as if two wasn't enough), I've added some hook points so this mod can be extended, for example to get additional data from the LDAP and put it in user profile fields.

One important similarity with the two earlier mods is that in the admincp and modcp no LDAP authentication is performed. This is a safety feature, so even if the mod, or an extension to it, breaks your board, you shouldn't ever get locked out of the admincp, so you'll be able to turn it off quickly.

Additional Hooks

The mod is essentially a single plugin (plus options and help) which runs at global_complete which is before most other things have happened, but just after all the global setup has occurred.

To enable the additional hooks, you need to upload the file hooks_ldap_auth.xml to /includes/xml under your forum.

The following new hooks are created by this mod:
  • ldap_auth_start - After the list of attributes to fetch has been created, this list is in $ldapAttrs. You can simply add your own attributes to this array here.
  • ldap_auth_all_user - After a new user has been added to vBulletin or existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData. This happens before ldap_auth_new_user or ldap_auth_existing_user.
  • ldap_auth_new_user - After a new user has been added to vBulletin, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.
  • ldap_auth_existing_user - After an existing user has been updated, but before the user has been saved. The new user is in $newuser and the LDAP data is in $userData.

By requesting new attributes at ldap_auth_start and then applying them at either ldap_auth_all_user, ldap_auth_new_user or ldap_auth_existing_user you can set up your users easily without having to write all the LDAP code yourself!

AdminCP Settings

This mod creates a new options group called LDAP Authentication between email options and user registration options where you set the host name and port number of the LDAP server, the initial authentication type (Anonymous or authenticated), optionally the BindDN and Password for the LDAP server. You also set which attribute matches the vBulletin username (The default is cn which works well for inetOrgPerson based entries). You can set additional attributes to retrieve (If you want to quickly knock up a simple plugin which uses them at one of the hook points above). There is also the facility to disable (or rather make unavailable) accounts which exist in vBulletin but not in LDAP. Given that your initial admin may fall into this group, there is also a list of userids who should be allowed to log in anyway.

Requirements
  • PHP 4.3+ with LDAP support.

I'll try to provide support to users of my mod, but please bear in mind I'm fairly new to all this, so I may not be able to solve all problems immediately. Support will only be provided via this thread (Don't PM or email me unless I ask you to). Priority will be given to users who have clicked Installed.

Release Notes
  • 1.0 - Initial release
  • 1.1 - Corrected SQL queries to use TABLE_PREFIX
  • 1.2 - Corrected a bug which prevented the settings page from being created correctly
  • 1.3 - Corrected where the existing, new and all user hooks are called (Before, not after the user profile fields are set) to support dependent plugins
  • 1.4 - Added the ability to set a search base for directories which do not permit searching from the root
  • 1.5 - Fixed reported bug where hooks were called in the wrong order

Installation
  1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
  2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
  3. Install the latest product file (below) using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.

Haqa...
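
The login check described in this post (look the user up, then let the directory verify the password), as an added example that is not the mod's own code. It assumes PHP 7.1+ with the ldap extension; the `$cfg` keys, host and base DN are placeholders. It shows two checks such a flow needs: refusing empty passwords and escaping the username before it goes into the search filter.

```php
<?php
// Added example, not the mod's code. Needs PHP 7.1+ with the ldap extension.

// Build the search filter; ldap_escape() neutralises * ( ) \ and NUL so the
// submitted username cannot change the filter's structure.
function build_user_filter(string $attr, string $username): string
{
    return '(' . $attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Returns the user's LDAP entry on success, null on any failure.
function ldap_login(string $username, string $password, array $cfg): ?array
{
    // A simple bind with an empty password is an unauthenticated bind, which
    // many servers report as success: refuse it before contacting LDAP.
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Initial bind: authenticated if a BindDN is configured, else anonymous.
    $ok = $cfg['bind_dn'] !== ''
        ? @ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])
        : @ldap_bind($conn);
    // Size limit 2 is enough to tell "exactly one match" from "ambiguous".
    $res = $ok ? @ldap_search($conn, $cfg['base_dn'],
        build_user_filter($cfg['user_attr'], $username), $cfg['attrs'], 0, 2) : false;
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];

    // Re-bind as the found DN: the directory verifies the password.
    $entry = null;
    if ($entries['count'] === 1 && @ldap_bind($conn, $entries[0]['dn'], $password)) {
        $entry = $entries[0];
    }
    ldap_unbind($conn);
    return $entry;
}

// Constructed placeholder settings (the mod keeps its own in the AdminCP).
$cfg = ['uri' => 'ldaps://ldap.example.org', 'base_dn' => 'dc=example,dc=org',
        'bind_dn' => '', 'bind_pw' => '', 'user_attr' => 'cn', 'attrs' => ['cn', 'mail']];
echo build_user_filter('cn', 'a*(b)'), "\n";   // filter metacharacters escaped
var_dump(ldap_login('alice', '', $cfg));        // empty password refused
```

The bind needs the cleartext password on the server, so the login form and the LDAP connection should both run over TLS.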

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Similar Mods
  • vBulletin Ldap Authentication Plugin, by malcolmx (Integration with vBulletin; vBulletin 3.6 Add-ons; 117 replies; last post 19 Jun 2013 13:18)
  • LDAP Authentication, by zemic (Integration with vBulletin; vBulletin 3.6 Add-ons; 61 replies; last post 08 Mar 2010 23:18)

Comments
  #2  
Old 18 Nov 2008, 08:43
Haqa Haqa is offline
 
Join Date: Jul 2008
Ok, so how do you use the hooks to make a mod which can use and extend ldap_auth?

Roughly like this:
  1. Set a plugin on hook ldap_auth_start which adds the additional LDAP attributes you'll be using to the array $ldapAttrs.
  2. Choose when you want to use the attributes:
    • If you want to use them every time a user logs in, plug in at hook ldap_auth_all_user
    • If you only want to use them if the user has never logged in before choose ldap_auth_new_user
    • If you want to use them only if the user HAS logged in before, choose ldap_auth_existing_user
  3. Whichever hook (or hooks) you choose the process is the same:
    • If you want to add data to the user, you'll find the user's datamanager object in the variable $newuser
    • If you want to set a value into the user's profile fields, then you just need to set that value into the array $userFields with the key being the field name

There are, of course, many other things you could choose to do in your plugin, for example if you call the standard_error function, you'll display a nice error message page (For example if the user has a flag denoting the account is disabled) HOWEVER you need to call process_logout() first as the user will be partly logged in (If their account already exists in vBulletin).

Examples of this can be found in the LDAP Authentication plugin in this mod, or in the Full Name Support for LDAP Auth and Location Support for LDAP Auth mods (Coming soon).

Hope this helps

Haqa...

Last edited by Haqa; 21 Nov 2008 at 15:14.
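
The steps in the post above, as an added example that is not taken from the mod or its companion mods. The hook bodies are written as functions so they run outside vBulletin; the shape of `$userData` (one `ldap_get_entries()`-style entry), the `forumdisabled` attribute and the `field5`/`field6` profile field names are assumptions made for illustration.

```php
<?php
// Added example: the hook bodies as functions so they run outside vBulletin;
// in the mod the same statements would go in plugins on the named hooks.
// Assumption: $userData is one entry shaped like ldap_get_entries() output
// (lower-case attribute names, each holding an array of values).

// Hook ldap_auth_start: request extra attributes without duplicating any.
function on_ldap_auth_start(array &$ldapAttrs): void
{
    // 'forumdisabled' is a hypothetical attribute used only for this example.
    $ldapAttrs = array_values(array_unique(
        array_merge($ldapAttrs, ['displayname', 'l', 'forumdisabled'])));
}

function first_value(array $userData, string $attr): ?string
{
    $v = $userData[$attr][0] ?? null;
    return (is_string($v) && $v !== '') ? $v : null;
}

// Hook ldap_auth_all_user: returns false when the login must be refused.
function on_ldap_auth_all_user(array $userData, array &$userFields): bool
{
    if (strtoupper((string) first_value($userData, 'forumdisabled')) === 'TRUE') {
        // Inside vBulletin: log out first (the user is partly logged in),
        // then show the error page, as the post describes.
        if (function_exists('process_logout')) {
            process_logout();
            standard_error('This account is disabled in the directory.');
        }
        return false;
    }
    // 'field5' and 'field6' are placeholder profile field names.
    foreach (['field5' => 'displayname', 'field6' => 'l'] as $field => $attr) {
        $value = first_value($userData, $attr);
        if ($value !== null) {
            $userFields[$field] = $value;   // missing attributes leave the field alone
        }
    }
    return true;
}

// Constructed sample data.
$ldapAttrs = ['cn', 'mail'];
on_ldap_auth_start($ldapAttrs);
$userData = ['cn' => ['count' => 1, 0 => 'alice'], 'l' => ['count' => 1, 0 => 'Leeds']];
$userFields = [];
var_dump(on_ldap_auth_all_user($userData, $userFields), $ldapAttrs, $userFields);
```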
  #3  
Old 18 Nov 2008, 08:56
codershark codershark is offline
 
Join Date: Feb 2008
---

Last edited by codershark; 11 Jan 2009 at 10:00.
  #4  
Old 18 Nov 2008, 08:59
Haqa Haqa is offline
 
Join Date: Jul 2008
Originally Posted by codershark
Absolutely Great Timepoint where you post it, because I need it for my exam !

Thanks !
Well be careful, I don't claim that the code is perfect, only that it works for me - There may well be hidden bugs, or aspects of vBulletin that I don't understand properly yet.

Good luck with your exam!

H.
  #5  
Old 18 Nov 2008, 09:08
codershark codershark is offline
 
Join Date: Feb 2008
---

Last edited by codershark; 11 Jan 2009 at 10:00.
  #6  
Old 18 Nov 2008, 09:21
Lionel Lionel is offline
 
Join Date: Dec 2001
Real name: Lionel
You should use TABLE_PREFIX for vbulletin :-)
  #7  
Old 18 Nov 2008, 09:46
daFish daFish is offline
 
Join Date: Nov 2002
Real name: Marcus
Great to see this addon and I have one single question as of now: What if I use this with an empty directory? Does this addon automatically insert the users into the LDAP?
  #8  
Old 18 Nov 2008, 14:41
Haqa Haqa is offline
 
Join Date: Jul 2008
Originally Posted by Lionel
You should use TABLE_PREFIX for vbulletin :-)
You are right, I should (And I thought I did...). I'll fix this and release an update.

Originally Posted by daFish
Great to see this addon and I have one single question as of now: What if I use this with an empty directory? Does this addon automatically insert the users into the LDAP?
No, the way it works is it takes users from the directory and creates them in vBulletin as they log in. It doesn't work the other way round.

There are a number of good tools for LDAP management, I use yala, though this does open a potential security hole unless you are VERY careful (It exposes your LDAP to the internet via the web).

H.
  #9  
Old 18 Nov 2008, 15:30
daFish daFish is offline
 
Join Date: Nov 2002
Real name: Marcus
Originally Posted by Haqa
No, the way it works is it takes users from the directory and creates them in vBulletin as they log in. It doesn't work the other way round.

There are a number of good tools for LDAP management, I use yala, though this does open a potential security hole unless you are VERY careful (It exposes your LDAP to the internet via the web).
I don't know if this is achievable, but it would be great if there were a tool to synchronize the user databases, especially if you try to connect your forum to a backend with LDAP as the authentication service.
  #10  
Old 18 Nov 2008, 15:54
Freezerator Freezerator is offline
 
Join Date: Dec 2001
Real name: Bas
Nice hack, planning on using this in the future to have only one user database
  #11  
Old 18 Nov 2008, 20:48
Haqa Haqa is offline
 
Join Date: Jul 2008
Originally Posted by Lionel
You should use TABLE_PREFIX for vbulletin :-)
Thanks for the pointer, this is fixed. Also I noticed I'd forgotten the hook definition file, this is now available above...

H.
  #12  
Old 20 Nov 2008, 08:49
codershark codershark is offline
 
Join Date: Feb 2008
---

Last edited by codershark; 11 Jan 2009 at 10:00.
  #13  
Old 20 Nov 2008, 09:56
Haqa Haqa is offline
 
Join Date: Jul 2008
Originally Posted by codershark
Is it possible to make a SingleSignOn ??? When someone logs in to Windows, he is also logged in to the forum ????
In theory, yes, that should be possible, but it would require some pretty extensive changes to the VB login pages, which would pretty much break upgradability. The problem is that Windows login SSO works using a version of HTTP Digest auth (AFAIK) which is normally only supported by IIS - This would need to be faked by the login system, and is probably beyond my current level of experience with VB.

The other point is that I'm trying to make my mods so that they don't break upgradability of VB (or any other products).

Anyone else know of a simpler way to do Windows SSO?

H.
  #14  
Old 24 Nov 2008, 17:11
Haqa Haqa is offline
 
Join Date: Jul 2008
Originally Posted by codershark
Is it possible to make a SingleSignOn ??? When someone logs in to Windows, he is also logged in to the forum ????
I've been doing some research, and if you have control over your webserver (and the modules installed) you could try playing with mod_auth_vas which implements SPNEGO - The basis for Windows domain login support for IIS/IE.

You'd still need some fairly significant mods to vB, (or perhaps a plug somewhere near global_start???) to tell it to use and trust the external username supplied by SPNEGO.

H.
  #15  
Old 27 Nov 2008, 12:12
anybodytech anybodytech is offline
 
Join Date: Nov 2008
Very nice mod - installed with no fuss.

I did, though, have the problem that my LDAP server contained a new user whose username was not used in vB, but whose email was already taken by another username in vB.

This means that your plugin tries to create the new user when a correct username/password is issued (seen from the LDAP server). But because the email already exists in vB with another username, the creation of the new user fails. This is probably okay, as two different users cannot have the same email. But the error message indicates that a wrong password/username was issued.

My suggestion for improvement is to give better response to this case.

Best regards
Tom