News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

Ldap Authentication Mod

Started by psa, July 02, 2008, 05:53:13 AM

Previous topic - Next topic

psa

Wow, you added all of the user attributes to the register line.  These shouldn't all need to be set (even the regular SMF functions for registering a user don't set most of them), but if it makes it work for you, I'm not going to argue with it.

Let me know if you have trouble with the title.

Dark//Virus

#61
Yeah i am having problems with the title, nothing is being updated, all the settings we are currently using are in that file

I had to add all those attribs because they caused errors when they werent writing the null values to the file so it complained
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

psa

You'll need to use the patches I gave above to get the title populating.

All of this data gets added to the database, and mysql won't normally complain about missing values in the standard tables because it uses the default values instead.

Dark//Virus

#63
Ok, it works on first login, but the whole part about updating on login isnt processing, i logged in a test account for the first time, then changed its password in AD, next time i went to login it didnt work, incorrect password. Tried the old password and it worked.

Ideas?
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

psa

Quote from: ~Dark//Virus`x *! on October 02, 2008, 09:56:54 PM
Ok, it works on first login, but the whole part about updating on login isnt processing

Are you talking about the mods to add the title, or just with the file you posted earlier?  If it's the title mods, post your updated file so I can take a look.

Dark//Virus

Its everything. If i changed my password after logging into the forum, it still only recognises the old password.

Attached is the auth file
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

klim

#66
how install this module on smf version 1.1.6?
then i upload *.zip file on page install packages, i get error:
you package is not package modificatoin or corrupt.

sorry, i am from rus :)

chewie71

This is awesome!

The easiest WebBB/LDAP integration I've found....thanks!!!

I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

Thanks for an awesome piece of work...

Matt

psa

Quote from: ~Dark//Virus`x *! on October 02, 2008, 11:07:17 PM
Its everything. If i changed my password after logging into the forum, it still only recognises the old password.

That is really odd.  Unless the LdapAuth has been disabled it should be checking the password first, and then updating it (or clearing it if you have it set to not keep passwords in the database).  Autoregistering the first time and logging in again later use the same authentication code, though I suppose if something went wrong it might bail out of the function altogether.  Still no errors generated?  LDAP failures are often in the forum error log.

Quote
Attached is the auth file

I don't see anything really wrong here, but that doesn't mean I'm not missing anything.  I wonder what the description of a job title of "bob" would be?  :)

psa

Quote from: klim on October 03, 2008, 04:12:25 AM
how install this module on smf version 1.1.6?
then i upload *.zip file on page install packages, i get error:
you package is not package modificatoin or corrupt.

The package attached to the first post in this thread is a .tgz file, not a .zip.  Uploading the unopened file should work without any issues.  Try downloading it from the link in the first post again in case the file got corrupted or cut short the first time.

Quote
sorry, i am from rus :)

And I am in the US.  Welcome!

I'm impressed by people who make such an effort and do so well learning and using others' languages.

psa

Quote from: chewie71 on October 03, 2008, 05:58:58 PM
This is awesome!

The easiest WebBB/LDAP integration I've found....thanks!!!

Great!  I was hoping others would find it useful when I posted it.  Open Source is a great model.

Quote
I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

I was just responding to that question yesterday.  I think it would be helpful for a lot of people to have this kind of integration, but I haven't worked out yet how best to do it.  I'm tempted to wait on it until the SMF 2.0 version, but if there's enough interested people using the mod I may be persuaded to do it sooner.

Dark//Virus

#71
Well for me my job description is "PC Technician" and it doesnt work. I see in the ldap auth file it is saying that there are 2x options, 1x for user already exists, and 1x for user doesnt exist.

Could it be that the user already exists part isnt working? as it pulls the name and title etc. when first logging in

/EDIT :

This is the only error in the forum log

Guest   October 03, 2008, 03:52:54 pm 
172.16.17.40     082b99088a3d5aba7e4f77e7673b60e8 
http://tstiis03/forums/index.php?action=login2 
8: Undefined index: title
File: D:\Apache\htdocs\forums\Sources\LdapAuth.php
Line: 146
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

Dark//Virus

OK its fixed!

I read through it again, and the bit which says

Quote
// User does exist (or it's reserved and we've set the option not to update data for reserved names,
// but we'll update the password in case it's changed

Told me what was wrong. the option to auth via ldap for reseved members wasnt ticked, and once you have logged in for the first time your no longer a new member, but a reserved login for some reason.

I am now 100% fixed
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

Dark//Virus

Ok, now password etc. are sync'd on login, but the title feild still only gets pulled the first time you login
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

isix

#74
Quote from: psa on July 02, 2008, 05:53:13 AM
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap
The package installed, but I don't find this tab. What I'm missed?

And I get an error message, every time when I klick the "Features and Options":
http://myserver/forum/index.php?action=featuresettings
8: Undefined index: mods_cat_ldapauth
File: /webdata/wwwroot/forum/Sources/ModSettings.php
Line: 137

Thanks

kmbarr

Thanks for the great work on this Mod. I'm in the process of getting a forum set-up, and went with SMF 2.0beta4 to hopefully minimize changes later. I went through your LDAP Authentication Mod and converted it over so it would work with the new SMF version. I've attached the result. I'm very new to SMF so there might be some rough edges in this and it could probably use some tweaking [e.g. setting-up the install to work with both 1.x and 2.x SMF versions], but hopefully someone else will find this useful. I've tested automatic registration on login with LDAP credentials and also the Admin registration functions and they seem to be working correctly.

Major changes from 1.x to 2.x where changes in the database functions and field names, a few file locations, and differences in creating the new administration menu options.

I also made a change to the bind/authenticate process. Your original code used ldapauth_userprefix and ldapauth_usersuffix to construct the search DN for the user. That's probably a perfectly good way to do it 99.9% of the time, but I believe theoretically it could change which would break your code [until userprefix/suffix were updated]. I've added code to both the authentication and registration routines to do this in a little more standard [but cumbersome] way of using an anonymous bind, retrieving the application id's DN if provided and rebinding, then searching for the user's DN [and rebinding to authenticate]. Here's a modified code snippet from LdapAuth.php:

{
// these next two are required for recent versions of MSAD,
// but may need tweak options for other ldap servers
ldap_set_option($lds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($lds, LDAP_OPT_REFERRALS, 0);

// [BEGIN CHANGES]
// Bind anonymously [rebind using bindusername if provided] and
// locate user DN to validate password.
do {
// Anonymous bind
if ( !@ldap_bind($lds) ) break;
if ( isset($modSettings['ldapauth_bindusername']) && $modSettings['ldapauth_bindusername'] ) {
// Re-bind using bindusername DN
$lsearch = @ldap_search($lds,$modSettings['ldapauth_searchdn'],"({$modSettings['ldapauth_searchkey']}={$modSettings['ldapauth_bindusername']})",array('dn'));
if ( ldap_count_entries($lds, $lsearch)!=1 ) break;
$lentries = ldap_get_entries($lds,$lsearch);
if ( !@ldap_bind($lds,$lentries[0]['dn'],$modSettings['ldapauth_bindpassword']) ) break;
}

// Locate user DN
$lsearch = @ldap_search($lds,$modSettings['ldapauth_searchdn'],"({$modSettings['ldapauth_searchkey']}={$username})",array('dn'));
if ( ldap_count_entries($lds, $lsearch)!=1 ) break;
$lentries = ldap_get_entries($lds,$lsearch);
if ( !@ldap_bind($lds,$lentries[0]['dn'],$thepasswrd) ) break;
// [END CHANGES (also add while(0); to close DO-WHILE loop)]

//clear passwd if we're not going to store it in the db
if (isset($modSettings['ldapauth_passwdindb']) && !$modSettings['ldapauth_passwdindb'])
$sha_passwrd = "LDAPOnly";


With this change, and a similar change in ManageRegistration.php, the ldapauth_userprefix and ldapauth_usersuffix fields are no longer necessary, so I've remove them.

Joshua Dickerson

Quote from: psa on October 03, 2008, 07:04:34 PM
Quote
I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

I was just responding to that question yesterday.  I think it would be helpful for a lot of people to have this kind of integration, but I haven't worked out yet how best to do it.  I'm tempted to wait on it until the SMF 2.0 version, but if there's enough interested people using the mod I may be persuaded to do it sooner.
Hey, I know of quite a few people that have looked for a good LDAP integration with SMF. I know I have been approached a handful of times for a paid mod to do it. So, there is definitely demand. Thankfully, you have finally done it. And for free, no less.

Not sure how the LDAP side of this problem would be done, but everyone with that object would be assigned that membergroup. I am going to take a look at your mod. Looks like you have/are put(ting) a lot of work in to it.
Come work with me at Promenade Group



Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

zofrecz

#77
Hi.

Please help me. If I log in with real MS AD user and password, I get this error:

Field 'Ingfile' doesn't have a default value
File:.....\ldapauth.php
Line:154

With imaginative password I get user not exist.

Any suggestion, please?

EDIT: I find solution. I edit database table "members" and delete column options not null (column name Ingfile).

jcwatson11

I took the mod from the original post in this thread, noted "(Updated to 0.6.1 on 1 October 2008)", and tweaked it to work with our LDAP servers. My changes should actually make the mod more standardized for any implementation. The mod will actually search sub-trees for users from the BaseDN. This was not the case in the original mod.

I'm providing a patch file for the author and the community. Only the LdapAuth.php file was changed.

armstroc

#79
jcwatson11, how do I actually apply your patch?

This is exactly what I am looking for. I have users in several containers and would like them all to authenticate. I was just about to reply to the post asking how to do that when I saw your patch. However, I am new to SMF and am unsure how to add your patch file to the mod. Can you help me out?

Thanks

EDIT: I just manually edited the file and it worked! Thanks!

Advertisement: