Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: psa on July 02, 2008, 05:53:13 AM

Title: Ldap Authentication Mod
Post by: psa on July 02, 2008, 05:53:13 AM
I have an Ldap Authentication Mod which works for SMF 1.1.5.  I'm currently using it successfully with MS Active Directory on a live corporate site.

I have attached the most recent version of the package, but I could really use some feedback.

From the included readme.txt:
Quote
LdapAuth (0.6.1) is tested with MS Active Directory and OpenLDAP, and should provide authentication from other LDAP directories if you adjust the settings accordingly.  It is currently only tested against SMF 1.1.5 and 1.1.6.  You will need to uninstall previous versions prior to installing new versions (your settings will be retained since they are permanently stored in the database, but you will have to reenable LDAP after checking for any changed options).

You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.  Pay attention to the widely differing hints for MSAD and other LDAP servers.

Existing users should continue to be able to login after this mod is installed, and new user registrations to the board which don't use LDAP should still be possible.  All user logins will make an attempt via LDAP before "falling through" to the normal SMF database authentication.  The standard smf install provides an option for disabling registrations, if desired, under Registration->Settings->"Method of registration employed for new members".

By default, uninstalling this package will leave all of the ldap-authenticated users in your local database, with working passwords in the database as of the last time the users logged in.  If this is not desired you can un-check the option to "Store LDAP passwords in the database" when you first set up the connector, otherwise you will have to manually remove users after uninstallation.  Note that not storing passwords in the database will prevent users from logging in when the directory is unavailable, but it will also automatically remove users' rights to login when they are removed from the LDAP directory or disabled there.  Additionally, if you also have "Update on login" checked, together with the "Store LDAP passwords in the database" unchecked, the users' passwords will be cleared in the database whenever they login via LDAP (this is a "feature", migrating users to full ldap control).

This mod also provides a tool under Registration->Ldap Registration to register new users directly from your ldap repository, but it requires storing a username and password to use for binding to the directory.  If your LDAP directory allows looking up user information anonymously (password not needed), leave the username and password blank to attempt an anonymous bind.

In this mod, LDAP is authoritative, so blank (or invalid or unparseable) email addresses in LDAP will lead to blank email addresses in SMF, locations and realnames will be pulled in as is (except for a filter to disable html, which could otherwise lead to unexpected problems), passwords from LDAP will be accepted regardless of any requirements otherwise made by SMF, etc.  The only other option in these cases would be to simply not allow logins from users whose data doesn't meet all of SMF's requirements.  If there is demand for this, it could be added as an option in the future.

I am actively maintaining 0.6.1 for a live site (as of 10/2008) and am interested in widening this mod's applications, so please send me any feedback, problems, or requests.  TODO and change history can be found in this package under changes.txt.

(Updated to 0.6.1 on 1 October 2008)
Title: Re: Ldap Authentication Mod
Post by: psa on July 02, 2008, 06:23:43 AM
From the changes.txt:
Quote
Future todo:
Enhance LDAP Registration with username lookup from ldap directory
Add Password lookup (instead of authenticate on bind) for login checks
Error handling for ldap issues in both LdapAuth (during login and auto-registration) and the LDAP Registration screen
General audit for (SQL, HTML, LDAP) injection issues -- most issues are handled now, but I can't say 100% that there aren't any remaining

Open questions:
Should we have an option under LDAP Auth settings to suppress user self-registration (redundant with the builtin screen)?
Should we have a feature to disable password changes, or is that another mod?
Is there anything lost, and not already addressed, by not calling registerMember instead of updating the database directly?
Password must be stored in the clear in the database to do binding for ldap lookups--other options?
--storing admin's password at login in the session or something for later ldap queries (what if admin is local and not ldap?)
--asking for the password each time a lookup is done (tedious)
--already added anonymously-bound lookups where available

History

v 0.6
Fixed a bug where admin-registered ldap users had a known password until first login
Added html escaping to location and realname fields
Added email validation, ripped from Subs-Members.php
(We don't use the Subs-Members registration function directly because we don't want to
return registration errors to a user trying to log in...)

Added explicit anonymous bind option for ldap user registration screen when username is blank
Added option to not store passwords in database

v 0.5
Fixed a bug where the real name option failed when not set to 'cn'
Fixed tab display bug on Ldap Authentication Mod Options screen
Added magic variables __FILE__, __LINE__ to db_query in install scripts to suppress errors in log...
   (why aren't these in the package sdk?)

Added Ldap Registration Screen, requiring several new files and a couple new settings

v 0.4
Fixed database settings uninstall, and file removal

Did away with the integration hook and called the authentication directly
--the hook required the 'retry hack' and an include to operate, so this is neater
--the wrong password is sent to the hook, requiring a direct run to the $_REQUEST variable
--there is an unresolvable incompatibility with any other service which requires the hook
  (ie downstream integration is broken by this upstream integration)
Added option to change ldap attribute from which real name is extracted
Added option to allow/disallow authentication of reserved login names
Added option to allow/disallow auto-registration of reserved login names
Added TODO and history info to changes.txt
Moved admin control panel settings into their own tab under Features and Options

v 0.3
Added option to update info on every login
Cleaned up files
Added description to readme.txt

v 0.2
Added settings to Admin Basic Options to adjust for non-MSAD and set required connection information
Moved authentication routine into its own file

v 0.1
Initial Mod
MS Active Directory only
Title: Re: Ldap Authentication Mod
Post by: psa on July 02, 2008, 08:57:07 PM
Just hearing crickets so far, here and in response to the code I posted last week, so I'm assuming the demand is not really there, or those that would use this functionality do not frequent this forum.

With a couple heavy rounds of testing we've deployed v 0.4 on our servers, so I consider this mod stable and solid, if not feature complete.  When I finish building out all of the features that I need for my application I'll mark it 1.0.  Hopefully there will be others who have tried it by then.

In light of its stability I've submitted it as a new mod.
Title: Re: Ldap Authentication Mod
Post by: vbgamer45 on July 02, 2008, 10:15:39 PM
I would also add a link to  the topics on ldap in the mod requests and feature requests forum to this topic so people have an idea that this has been developed.
Title: Re: Ldap Authentication Mod
Post by: psa on July 02, 2008, 10:21:26 PM
Ah, good suggestion, thank you.  I wasn't aware of these threads.
Title: Re: Ldap Authentication Mod
Post by: psa on July 05, 2008, 08:58:30 PM
It appears that they "do not allow mods which require 3rd party applications to run".  At this point the next version (0.6) is already in progress, and is moving toward a more pluggable authentication model, but I'm not sure if there's any point in working on it, or any connectors for 2.x.  I've had no downloads of any of the versions I've uploaded here, no inquiries, and there doesn't seem to be any chance that anything I produce on this will ever be accepted anyway.

The 3rd party restriction, with all of its implications for integrations and authentication methods, should really be listed in the Modification Approval Guidelines (http://www.simplemachines.org/community/index.php?topic=117819).  At any rate, now others thinking about doing this in the future will be able to find this information, hopefully.

(Edited to fix URL tag)
Title: Re: Ldap Authentication Mod
Post by: vbgamer45 on July 05, 2008, 09:08:40 PM
You can add to my download site  at http://www.smfhacks.com  The hard part is finding the people who have a use for it. Every couple months or so I see like a post asking for it.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 07, 2008, 11:01:13 AM
Quote from: psa on July 02, 2008, 08:57:07 PM
Just hearing crickets so far, here and in response to the code I posted last week, so I'm assuming the demand is not really there, or those that would use this functionality do not frequent this forum.

With a couple heavy rounds of testing we've deployed v 0.4 on our servers, so I consider this mod stable and solid, if not feature complete.  When I finish building out all of the features that I need for my application I'll mark it 1.0.  Hopefully there will be others who have tried it by then.

In light of its stability I've submitted it as a new mod.

Its there. I read your posts, and I started looking at your code. I saw you were doing some of the things I had been heading towards. I just hand;t had the chance to get back to you with a thoughtful well written reply and my own ideas.  :) I also was willing to wait until you had competed your mod to see where you had ended up in your code.

I think the demand is there, but I see it more actively approached in some other CMS forums. The problem is I think that Simple Machines has about the best out of the box OS Forum out there, bar none, and this is what I really want to integrate into some other sites.

Thanks for doing the work, and I will looking at this this morning and afternoon, to see if I can work with it some for OpenLDAP and how we can improve it.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 07, 2008, 11:04:09 AM
Quote from: psa on July 05, 2008, 08:58:30 PM
It appears that they "do not allow mods which require 3rd party applications to run".  At this point the next version (0.6) is already in progress, and is moving toward a more pluggable authentication model, but I'm not sure if there's any point in working on it, or any connectors for 2.x.  I've had no downloads of any of the versions I've uploaded here, no inquiries, and there doesn't seem to be any chance that anything I produce on this will ever be accepted anyway.

The 3rd party restriction, with all of its implications for integrations and authentication methods, should really be listed in the Modification Approval Guidelines (http://www.simplemachines.org/community/index.php?topic=117819).  At any rate, now others thinking about doing this in the future will be able to find this information, hopefully.

(Edited to fix URL tag)

I am downloading it now, and I will be keeping in better touch with you now.

Remember, it WAS a holiday week, so people probably who work in the heavy weren;t out there to chat. I have a big demand for LDAP integration right now.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 07, 2008, 05:48:35 PM
Quote from: psa on July 02, 2008, 05:53:13 AM
I have an Ldap Authentication Mod which works for SMF 1.1.5.  I'm currently using it successfully with MS Active Directory on a live corporate site.

I have attached the most recent version of the package, but I could really use some feedback.

From the included readme.txt:
Quote
LdapAuth (0.5) is tested with MS Active Directory, and should provide authentication from other LDAP directories if you adjust the settings accordingly.  It is currently only tested against SMF 1.1.5, so I have no idea whether it will work with any other version.  You will need to uninstall previous versions prior to installing new versions (your settings will be retained, but you will have to reenable LDAP after checking for any changed options).  Note uninstalling this package will leave all of the ldap-authenticated users in your local database, with working passwords in the database as of the last time the users logged in.  If this is not desired you will have to manually remove them after uninstallation.

You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.

Existing users should continue to be able to login, and new user registrations to the board which don't use LDAP should still be possible.  All user logins will make an attempt via LDAP before "falling through" to the normal SMF database authentication.  The standard smf install provides an option for disabling registrations, if desired, under Registration->Settings->Method of registration employed for new members.

This mod also provides a tool under Registration->Ldap Registration to register new users directly from your ldap repository, but it requires storing a username and password to use for binding to the repository.

(Updated to 0.5 on 5 July 2008)

Hi. I have some questions as I look at your code and attempt to install your mod manually. It works on one location that I have FTP set up on, but that one didn;t have any security conflicts. However, I have the same settings on my development server, just without FTP, and I don't seem to be getting anywhere.

So I am doing it manually.

Um....

Register.template.php. Where is this file? It doesn't exist. There is a register.php It calles a 'register' template. Trying to see if its in the same file.

Can't find it anywhere, especially not under the Themes directory. There is only index.template.php.

Can't wait to try it, because I know I have some settings to change.
Title: Re: Ldap Authentication Mod
Post by: psa on July 07, 2008, 06:34:17 PM
Register.template.php is in the default theme, and is used by all registration-related screens, admin and otherwise.  I'm adding a new screen to it to handle direct administrative registration of LDAP users (we use it to add new users as mods, before they first log in).  On a default install of SMF this will be in Themes/default/Register.template.php

edit: 0.6 uploaded, readme and changelog updated above
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 08, 2008, 12:07:25 PM
Quote from: psa on July 07, 2008, 06:34:17 PM
Register.template.php is in the default theme, and is used by all registration-related screens, admin and otherwise.  I'm adding a new screen to it to handle direct administrative registration of LDAP users (we use it to add new users as mods, before they first log in).  On a default install of SMF this will be in Themes/default/Register.template.php

edit: 0.6 uploaded, readme and changelog updated above

OK, I have made all those changes manually. Um, the question is, how do I find these check boxes you are talking about, and add in the settings. Am I supposed to go to the code on the Ldap__add_settings.php, or where? I have this installed now on 2 different SMF forums, one done with the installer, one done manually. The one done manually doesn't even recognize it as installed. 

So, where do I go from here? Sorry to sound ignorant. If I haven't been at the core of the code writing, I often find myself unsure in certain ways. I also have never really done a manual install on SMF- haven't used many mods- and any subtle changes I have written into the code myself.

I would really like to have this chatting with y LDAP server today.

Thanks for all your hard work and help in advance. :)
Title: Re: Ldap Authentication Mod
Post by: psa on July 08, 2008, 12:36:53 PM
From the Readme quoted above:
Quote
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.
When you go into the admin console you'll see the "Features and Options" link on the left below the "Configuration" heading.  Click on it and you'll see a series of tabs above the Basic Options, one of which will be "LDAP Authentication".  All the settings are on that panel.
Title: Re: Ldap Authentication Mod
Post by: psa on July 08, 2008, 01:56:30 PM
The number of changes in this mod is growing, and I'd hate to have to manage all of them by hand on a manual install, especially with the bugfixes and security updates in each new release.  Are you getting conflicts on the install, or just trying to understand all of the parts?  Transferring the package doesn't require ftp on the server since you can just upload it through the package manager (in the section perversely named "Download Packages").
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 08, 2008, 03:34:28 PM
Quote from: psa on July 08, 2008, 12:36:53 PM
From the Readme quoted above:
Quote
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.
When you go into the admin console you'll see the "Features and Options" link on the left below the "Configuration" heading.  Click on it and you'll see a series of tabs above the Basic Options, one of which will be "LDAP Authentication".  All the settings are on that panel.

Yes, I finally found that on the one that did the automatic install. Then I managed to do a manual install, and the files all passed, but when installed the Features and Options page is blank. So we have a query or some such that is blocking even the ajax.
Title: Re: Ldap Authentication Mod
Post by: psa on July 08, 2008, 03:53:05 PM
I'd check the error log, and carefully review the changes in ModSettings.php which controls that panel.  You might want to compare your manually-edited files with the files from the automatically installed package on the other system.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 09, 2008, 04:55:53 PM
Quote from: psa on July 08, 2008, 03:53:05 PM
I'd check the error log, and carefully review the changes in ModSettings.php which controls that panel.  You might want to compare your manually-edited files with the files from the automatically installed package on the other system.

Thanks PSA. I got it all working as far as installed. By doing it manually, I really got a much more in depth look at the code, which is something I really needed if I am going to do some tweaking.

Unfortunately the storms took down my LDAP server, and I am working hard to get that up and going. Fortunately, as I am in the development stage, it hasn't caused any major internal glitches for me, but it sure was a downer. I am fairly new to LDAP, but I can see more and more demand out there.

Title: Re: Ldap Authentication Mod
Post by: psa on July 09, 2008, 06:21:49 PM
0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on July 09, 2008, 07:00:34 PM
Quote from: psa on July 09, 2008, 06:21:49 PM
0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.

Well, it has all been running hunky dory, but then I had a catastrophic authentication failure. Though the config files remain unchanged, and everything is as it should be, I cannot log in. Not as admin, nothing. I had developed a lot of interfaces with my custom code. All were fine, now nothing. And the applications that I had using the LDAP also no longer can authenticate.

Its a Debian configuration running on Ubuntu server, unlike my last one on CentOS.

I see nothing under the syslogs, but I also know I would recognize everything either. I have been using phpLDAPadmin for a lot of the schemas I was building.

All I know is a complete authetication failure has occured, and slapd is no longer function quite right. Any attempts to modify it get me slapd broken or not completely installed.
Title: Re: Ldap Authentication Mod
Post by: evil1dwk on July 30, 2008, 08:57:11 PM
I'm new to smf and the mods in particular. I just set up a site for a client. They had an existing AD they wanted all their users to access a forum with health benefits information, a company hand book and other general information. They also added a forum for general queries to HR and other departments. SMF is great and I love the ldap authentication.

smf 1.1.5 on rpath linux VM
AD is windows 2003 enterprise SP2 plus exchange 2003 SP2 server and primary DNS server (I did not set this up).

I installed the mod which went fine using the interface. I haven't tried manually yet. The default theme is the only theme with the ldap auth tab in features and options. Like I said I'm new to smf and mods so it might be normal or I might have screwed myself somehow. Not a big deal I leave the admin at the default and changed the overall forum default to the theme requested by the client.

A few feature requests;
the ability to register AD groups rather than just users.
no registration required for ldap users. I can't login as an AD user unless the user is registered. I wouldn't mind this if I could register groups.

bug (I noticed)
I can't seem to log a user in unless the password is stored in the local database. I'm told the password is incorrect.

Awesome mod though. Big help in this case saved me from having to hear complaints about people forgetting how to log in to the forum.
Title: Re: Ldap Authentication Mod
Post by: psa on July 31, 2008, 05:46:07 AM
Quote from: evil1dwk on July 30, 2008, 08:57:11 PM
I'm new to smf and the mods in particular. I just set up a site for a client. They had an existing AD they wanted all their users to access a forum with health benefits information, a company hand book and other general information. They also added a forum for general queries to HR and other departments. SMF is great and I love the ldap authentication.

Welcome to SMF!

Quote
smf 1.1.5 on rpath linux VM
AD is windows 2003 enterprise SP2 plus exchange 2003 SP2 server and primary DNS server (I did not set this up).

This is the same as the setup I'm primarily testing against.

Quote
I installed the mod which went fine using the interface. I haven't tried manually yet. The default theme is the only theme with the ldap auth tab in features and options. Like I said I'm new to smf and mods so it might be normal or I might have screwed myself somehow. Not a big deal I leave the admin at the default and changed the overall forum default to the theme requested by the client.

Hmm.  I thought that the changes for the configuration tab in particular would work across different themes when they were changed; nothing is changed in the theme except to add the Admin LDAP User Registration component, and that's a pretty straightforward addition of a function which should apply cleanly even if the theme in question did provide its own version of the file.  I guess I'll have to look into that.  In my production setup the theme was chosen and set before the mod was installed, and all worked as expected.

Quote
A few feature requests;
the ability to register AD groups rather than just users.

Are you looking to be able to register users by AD group, or somehow tie AD groups into SMF?

Quote
no registration required for ldap users. I can't login as an AD user unless the user is registered. I wouldn't mind this if I could register groups.

Registration shouldn't ever be required.  I only added the Admin Ldap Registration screen to allow adding users with specific group membership.  If users aren't being autoregistered, this is a bug or a misconfiguration.

Quote
bug (I noticed)
I can't seem to log a user in unless the password is stored in the local database. I'm told the password is incorrect.

Are you saying that you can't make it work with the configuration setting specifying that passwords shouldn't be stored in the database, or that you need to have already saved the users' password in the database, or ?

Quote
Awesome mod though. Big help in this case saved me from having to hear complaints about people forgetting how to log in to the forum.

Thank you.  I'm glad you found it useful.  Are you using the 0.6 version currently posted at the top of this thread?  Which settings are you using?  There's a lot of configuration switches, and the better I understand how you've got them set, the better I'll be able to figure out what's wrong and what you're looking for.  Also, do you get any error messages in the Forum Error Log (Under Maintenance in the Admin Control Panel)?
Title: Re: Ldap Authentication Mod
Post by: evil1dwk on August 05, 2008, 01:21:47 PM
I'm posting two screen shots of the features and options page. One with the default theme the other using IG-OH for 1.1.5. It is not the only theme does not include the LDAP auth menu item. All themes were installed pre-mod.

I would like to register AD groups as local users and possibly groups. I want to take all domain admins and make them SMF admins. I don't really need group integration more group registration. Possibly allow future registration based on someone being added to a group in AD without changes in SMF. I only need this because I can't seem to log a user in until they are registered.

If I disable Store LDAP passwords in the database I always receive Password incorrect. As soon as I re-enable store LDAP passwords it works fine. Not really a big deal as this instance is only accessible internally. I also noticed that the passwords are stored encrypted so again not deal breaker. Although I'm wondering how this will work come password change time. I do have Update User information from Ldap on every login enabled though but I noticed the note says name, location, email, etc.

I don't always have access to this server so I can't get the error logs. I'm building a local DC and rpath SMF on vmware locally to see if I can recreate the problems and get you the log files.
Title: Re: Ldap Authentication Mod
Post by: evil1dwk on August 05, 2008, 01:22:47 PM
Yes I am using 0.6 posted here.
Title: Re: Ldap Authentication Mod
Post by: psa on August 05, 2008, 03:23:26 PM
Quote from: evil1dwk on August 05, 2008, 01:21:47 PM
I'm posting two screen shots of the features and options page. One with the default theme the other using IG-OH for 1.1.5. It is not the only theme does not include the LDAP auth menu item. All themes were installed pre-mod.

One of the things I see right off the bat is that the theme is overriding the languages/Modifications.english.php file which is necessary to add all written text in the mod, including the menu item itself.  You'll need to add the required strings from the ldap mod back to this file to get it to work.

Quote
I would like to register AD groups as local users and possibly groups. I want to take all domain admins and make them SMF admins. I don't really need group integration more group registration. Possibly allow future registration based on someone being added to a group in AD without changes in SMF. I only need this because I can't seem to log a user in until they are registered.
The failure of auto-registration is a pretty serious problem, and I'd like to fix it rather than workarounds.  See below for comments on errors.

There are a number of ways to handle groups--
We can add a group autoregistration function to the current Admin LDAP User Registration screen, which takes a group name rather than a user name and autoregisters all members of that LDAP group with the chosen group membership.  The problem with this is that it won't track changes in the LDAP directory, and so will get out of date.

A more robust solution would be mapping local groups to groups within the directory, so that when a user logs in each of the mappings is checked and group memberships are assigned or removed as necessary.

An added complication with both of these is that group membership is handled differently in different directories, and even different versions of MSAD handle them differently.  MSAD doesn't even make the primary group membership of a user visible to LDAP, for some dark reason known only to Redmond.

Quote
If I disable Store LDAP passwords in the database I always receive Password incorrect. As soon as I re-enable store LDAP passwords it works fine. Not really a big deal as this instance is only accessible internally. I also noticed that the passwords are stored encrypted so again not deal breaker. Although I'm wondering how this will work come password change time. I do have Update User information from Ldap on every login enabled though but I noticed the note says name, location, email, etc.

I wonder if this problem is related to the autoregistration error.
Note that if you store passwords in the database, they will be updated every time the user logs in, regardless of the Update User Information setting.  Password changes made in the directory will work automatically in the forum.

Yes, these passwords are encrypted.  Keeping them there is secure and even provides the ability for users to continue logging into your forum when the directory is unavailable.  We use the "don't store" setting so that when a user is deactivated in the directory they are also unable to log in to the forum.

Quote
I don't always have access to this server so I can't get the error logs. I'm building a local DC and rpath SMF on vmware locally to see if I can recreate the problems and get you the log files.

As I tried to make clear in my last post, you should be able to find SMF errors from the Admin console.  They are in the Forum Error Log under Maintenance in the Admin Control Panel.  Without these errors it is very difficult for me to see what is going wrong.
Title: Re: Ldap Authentication Mod
Post by: evil1dwk on August 06, 2008, 10:31:56 AM
I'm doing this for a company that deals with health insurance information. So there are strict guidelines on what I can and can't access and what can and can't be accessed from the outside world. Believe me I've thought about tunneling a socks proxy over SSH so I could work remotely. They won't even allow me SSH. I came in here to setup a SAN and VMware. Then they asked me if I could set up a forum and possibly a CMS. I'm familiar with rpath and linux appliances so I downloaded the smf 1.1.4 rpath appliance and updated to 1.1.5.

I added a new domain user (test.smf). Unregistered in SMF I get user does not exist. I've registered the user with store ldap password in database disabled. I get password incorrect. I'm attaching a screen shot of the ldap settings. Here's any errors I can see that might be related to the mod. They don't look like they are related to my problem though. They look like errors with the theme.

http://forum.companyname.com/forum/index.php?action=login2
Password incorrect - test.smf

http://forum.companyname.com/forum/index.php?action=featuresettings
8: Undefined index: mods_cat_ldapauth
File: /srv/smf/Sources/ModSettings.php
Line: 137

http://forum.companyname.com/forum/index.php?action=regcenter
8: Undefined index: ldapregister_description
File: /srv/smf/Sources/ManageRegistration.php
Line: 110

http://forum.companyname.com/forum/index.php?action=regcenter
8: Undefined index: ldapregister_title
File: /srv/smf/Sources/ManageRegistration.php
Line: 109
Title: Re: Ldap Authentication Mod
Post by: psa on August 06, 2008, 12:42:28 PM
Most of those errors are from not having the Ldap Auth strings in the languages/Modifications.english.php of the theme, as you said, but they are errors which will entirely prevent the ldap mod from working, since it bails when it encounters a string error.

I assume your working configuration has the first four or so fields filled out (including the enable setting checked) unlike the one you posted.  I'll try to replicate your other settings with your theme and see where that gets me in trying to reproduce the error.
Title: Re: Ldap Authentication Mod
Post by: Caesonia on August 07, 2008, 02:46:57 PM
Quote from: psa on July 09, 2008, 06:21:49 PM
0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.

Yes,the LDAP server is back online, on a new box. I am having to replace a lot of machines, and I usually do some basic testing on older machines, but that was a bit too old. It gets to a point where you wonder what you did. I think the machine actually was a bit to handle even the LAMP that was on it. I had a laugh when my older laptop- which works fine with the new HD, actually collapsed in Ubtunu 7.10, when it ran XP OK. A shock actually, but its a  6 year old laptop, what can I say? Anyways, I have your mod installed, and everything back up and humming, so I will be able to test and see the differences.

It installed fine, so now its actually hooking up to the dummy sets of users.

Thanks for the great work, you sure are saving me a lot of time.
Title: Re: Ldap Authentication Mod
Post by: evil1dwk on August 09, 2008, 12:54:28 AM
Quote from: psa on August 06, 2008, 12:42:28 PM
Most of those errors are from not having the Ldap Auth strings in the languages/Modifications.english.php of the theme, as you said, but they are errors which will entirely prevent the ldap mod from working, since it bails when it encounters a string error.

I assume your working configuration has the first four or so fields filled out (including the enable setting checked) unlike the one you posted.  I'll try to replicate your other settings with your theme and see where that gets me in trying to reproduce the error.

Yeah sorry I took a screen shot of a test build. Test build is windows 2000 advanced server sp4 vm. Same smf setup rpath smf 1.1.4 vm appliance updated to 1.1.5. Enabled ldap authentication I get a blank screen AD or local user. I can't log in at all. Had to run an update query to disable ldap auth. I can register ldap users and they can log in password stored in mysql. I don't know what to tell you. I can't keep helping though I have to move on with another project. I appreciate the mod and the help.
Title: Re: Ldap Authentication Mod
Post by: obat on August 26, 2008, 07:45:31 AM
I've just installed and tested the mod on my smf-1.1.5. First error which I've seen was:
"Fatal error: Call to undefined function isReservedName() in /var/www/phobos.romance.iki.rssi.ru/htdocs/forum/Sources/LdapAuth.php on line 29"

I fixed this by modifying  LdapAuth.php:
I changed
<       global $db_prefix, $user_info, $modSettings, $func, $txt;

to
>       global $db_prefix, $user_info, $modSettings, $func, $txt, $sourcedir;
>       require_once($sourcedir . '/Subs-Members.php');

Next change in the code was made because I'm using OpenLDAP server, not MSAD
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))

and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."

Now it's work. FYI, smf is running on Centos box with openldap 2.3.27

Thanks for great work!
Title: Re: Ldap Authentication Mod
Post by: psa on August 26, 2008, 07:38:15 PM
Quote from: obat on August 26, 2008, 07:45:31 AM
I've just installed and tested the mod on my smf-1.1.5. First error which I've seen was:
"Fatal error: Call to undefined function isReservedName() in /var/www/phobos.romance.iki.rssi.ru/htdocs/forum/Sources/LdapAuth.php on line 29"

I fixed this by modifying  LdapAuth.php:
I changed
<       global $db_prefix, $user_info, $modSettings, $func, $txt;

to
>       global $db_prefix, $user_info, $modSettings, $func, $txt, $sourcedir;
>       require_once($sourcedir . '/Subs-Members.php');
Hmm, I wonder why this worked for me if I was calling a function which had not been loaded.  I'll flag this for further investigation and possible inclusion in a bugfix release.

Thanks for the information.

Quote
Next change in the code was made because I'm using OpenLDAP server, not MSAD
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))

and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."
Is this different than leaving the code as is and setting the prefix to "uid=" and the suffix to ",ou=organization,dc=...,dc=..."?  (Your code doesn't parse--I think you got an extra "$thepasswrd))'], " in there somehow when pasting the code.)

The idea was that with the prefix and suffix settings these could be adjusted for use with other LDAP servers without requiring code changes.

Quote
Now it's work. FYI, smf is running on Centos box with openldap 2.3.27

Thanks for great work!
I'm glad it's working for you.  The code is currently doing everything required for us where we've installed it, so I don't have any planned upgrades, but I do plan to revisit it at some point and address requests/bug fixes, along with the items in the TODO section.

Thanks for the feedback.
Title: Re: Ldap Authentication Mod
Post by: obat on September 02, 2008, 08:37:31 AM
Quote from: psa on August 26, 2008, 07:38:15 PM
Quote
Next change in the code was made because I'm using OpenLDAP server, not MSAD
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))
and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."
Is this different than leaving the code as is and setting the prefix to "uid=" and the suffix to ",ou=organization,dc=...,dc=..."?  (Your code doesn't parse--I think you got an extra "$thepasswrd))'], " in there somehow when pasting the code.)

The idea was that with the prefix and suffix settings these could be adjusted for use with other LDAP servers without requiring code changes.
Actually I didn't understand exactly what do you mean about "suffix" and "prefix". Now I did.:) ... and changed it back. Thanks again.
Title: Re: Ldap Authentication Mod
Post by: emacias on September 29, 2008, 03:49:01 PM
Hi friends!!
I downloaded ldap module and installed in version 1.1.6 using "Download Packages" all success!!! but i'm looking for an option LDAP Authentication into "Features and Options" to active LDAP but doesn't  exists. 
I was finding LDAP option Registration->Settings->"Method of registration employed for new members" and doesn't show nothing.
Can you help me please
Title: Re: Ldap Authentication Mod
Post by: emacias on September 29, 2008, 04:09:52 PM
Hi again!!! I was checking forum and the problem can be spanish language that I'm using actually, I'm going to ckeck this but if you guys can help, better!!!
Title: Re: Ldap Authentication Mod
Post by: psa on September 29, 2008, 06:01:55 PM
Yes, language would definitely keep it from working right.

Normally your language files are stored in [smf install directory]/Themes/default/languages/
The mod tries to modify a file in this directory called Modifications.english.php and add a bunch of English text for everything from the menu titles to the option explanations.  Without these the mod will not work.

I haven't worked with the any other language versions of SMF, but I imagine you could place the entries in your install under Modifications.spanish.php to make it work.  If you paste the lines below into your file it will probably work, but everything will be in English.  If you end up translating any of it, send it back to me and I'll include the translation in another version of the mod.  I suppose I'll admit to the fact that I am fluent in Spanish, but haven't run any Spanish language boards (and without a Spanish language keyboard the lack of accents drives me nuts so I don't like typing in it :-[).

$txt['mods_cat_ldapauth'] = 'Ldap Auth';
$txt['ldapauth_Title'] = 'Ldap Authentication Mod Options';
$txt['ldapauth_enable'] = 'Enable Ldap Authentication';
$txt['ldapauth_serverurl'] = 'URL for ldap server<div class="smalltext">(eg ldap://yourldapserver.tld)</div>'
$txt['ldapauth_usersuffix'] = 'Text to append to login for binding to ldap server<div class="smalltext">(eg for MSAD: @yourdomain.forest.tld)</div>';
$txt['ldapauth_userprefix'] = 'Text to prepend to login for binding to ldap server';
$txt['ldapauth_searchdn'] = 'Ldap search dn for your users<div class="smalltext">(eg OU=Your Users,DC=yourdomain,DC=yourtld)</div>';
$txt['ldapauth_searchkey'] = 'Ldap search key for locating user<div class="smalltext">(often cn, but for MSAD, sAMAccountName)</div>';
$txt['ldapauth_fullnameattr'] = 'Ldap Attribute from which to extract the real name<div class="smalltext">(cn for MSAD, name or fullname for others)</div>';
$txt['ldapauth_emailuselogin'] = 'Use login username to construct email address';
$txt['ldapauth_emailsuffix'] = '&nbsp; &nbsp; Suffix to add to login for email address<div class="smalltext">(eg @domain.tld, above must be checked)</div>';
$txt['ldapauth_emailattr'] = 'Ldap Attribute from which to extract email address<div class="smalltext">(if above is not checked)</div>';
$txt['ldapauth_locationuseou'] = 'Use the top level ldap OU to extract the users location';
$txt['ldapauth_locationattr'] = 'Ldap Attribute from which to extract location<div class="smalltext">(if above is not checked)</div>';
$txt['ldapauth_updateonlogin'] = 'Update User information from Ldap on every login<div class="smalltext">(e.g. Name, Location, Email)</div>';
$txt['ldapauth_passwdindb'] = 'Store LDAP passwords in the database';
$txt['ldapauth_regresnames'] = 'Allow reserved login names to be autoregistered by Ldap Auth<div class="smalltext">May be a security risk with some ldap directories</div>';
$txt['ldapauth_authresnames'] = 'Allow reserved login names to be authenticated by Ldap Auth<div class="smalltext">Useful to disable to enforce local accounts for e.g. admin</div>';
$txt['ldapauth_bindusername'] = 'Username to use for binding to Ldap directory to query for new user registrations';
$txt['ldapauth_bindpassword'] = 'Password to use for binding to Ldap directory';
$txt['ldapregister_title'] = 'Register Ldap Member';
$txt['ldapregister_description'] = 'Here you can register members from your LDAP directory who haven\'t logged into SMF yet.  This is especially useful if you need to grant group membership or edit their profile prior to their first use of the board.';
Title: Re: Ldap Authentication Mod
Post by: emacias on September 30, 2008, 06:21:53 PM
Hi SPA: i did some changes but ldap not working, I'm using a OpenLDAP server. At the begining of configuration i can register users but only fill address mail, when i checked table smf_members smf save a password but i don't know which, when the user start autentication showed error, checked logs and show this error: smf: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid DN syntax             

Next:   i puted disable not storage password into database and other option but when start autentication, smf show blank page. Now I need to know where is the configuration save? I think is in a table but i don't know.

I need your help, now i can't do nothing
Title: Re: Ldap Authentication Mod
Post by: emacias on September 30, 2008, 06:57:34 PM
Hi again SPA:
I need start session with ldap authentication because in this moment, i can't start session and show blank page. Where i disable option "LDAP AUTH ENABLE", these options ldap_auth are in a file or a table from a database?
I really appreciate your help
Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 07:34:54 PM
Quote from: emacias on September 30, 2008, 06:21:53 PM
Hi SPA: i did some changes but ldap not working, I'm using a OpenLDAP server. At the begining of configuration i can register users but only fill address mail, when i checked table smf_members smf save a password but i don't know which

You shouldn't need to register users in advance, since this mod will auto-register them.

Quotewhen the user start autentication showed error, checked logs and show this error: smf: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid DN syntax

It will throw this error if in the options page the "Ldap search dn for your users" isn't properly filled out.  It needs to have something like
OU=Users,DC=yourdomain,DC=com

If the DN doesn't exist then it will also throw an error.

Quote
Next:   i puted disable not storage password into database and other option but when start autentication, smf show blank page. Now I need to know where is the configuration save? I think is in a table but i don't know.

A blank page usually means there is a PHP syntax error which you can find in the web server logs.  This means there is a code problem in one of the files--possibly the language file that you had to modify and which gets loaded by each PHP page.
Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 07:46:03 PM
Quote from: emacias on September 30, 2008, 06:57:34 PM
Hi again SPA:
I need start session with ldap authentication because in this moment, i can't start session and show blank page. Where i disable option "LDAP AUTH ENABLE", these options ldap_auth are in a file or a table from a database?
I really appreciate your help
Looks like you posted while I was responding--sorry about that.
The values are in the settings table of the database, usually named something like 'smf_settings'.  Set it to 0 to disable.
Title: Re: Ldap Authentication Mod
Post by: emacias on September 30, 2008, 07:49:30 PM
Hello SPA:  i haven't modifications in languages file yet. I just need deactive option "LDAP AUTH ENABLE" manually because i can't start session with any user.

For otherside: dn ldap that i use is right because i probe with other applications like horde, joomla, etc.
my dn is ou=People,dc=usb,dc=ve and my server is ldap.usb.ve

In fact if you run ldapsearch command in linux you can get queries ldap usb.ve
e.g: ldapsearch -x -h ldap.usb.ve -b 'ou=People,dc=usb,dc=ve'

Thanks again for your help
Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 07:58:28 PM
Quote from: emacias on September 30, 2008, 07:49:30 PM
Hello SPA:  i haven't modifications in languages file yet. I just need deactive option "LDAP AUTH ENABLE" manually because i can't start session with any user.

I guess I was just confused because you said you didn't have the configuration settings available before, and the mod installs in a deactivated mode so that it doesn't cause problems before it has been configured.  Is this on a different install, or did you get it working?

Quote
For otherside: dn ldap that i use is right because i probe with other applications like horde, joomla, etc.
my dn is ou=People,dc=usb,dc=ve and my server is ldap.usb.ve

In fact if you run ldapsearch command in linux you can get queries ldap usb.ve
e.g: ldapsearch -x -h ldap.usb.ve -b 'ou=People,dc=usb,dc=ve'
Well, that dn does look right, and the success with ldapsearch does argue persuasively that you have the right information.

What are you using in the "Text to append to login" and "Text to prepend to login" fields?
Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 08:04:59 PM
I should note that I've heard from multiple people now that you need to set prepend to "uid=" and append to ",ou=People,dc=usb,dc=ve" (to get a fully qualified name) for authenticating with their ldap servers.  Don't forget the first comma on the "append" string.

Even so, you shouldn't be getting blank pages (PHP syntax/processing errors).
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on September 30, 2008, 10:09:59 PM
Any hope in making this work with the new beta version of SMF?

/EDIT

Im testing this on 1.1.5 to see what its like, and it install quite fine via the installer. i configured the ldap settings, but i keep getting and internal 500 error when trying to login using ldap.

I have attached a screenshot of the ldap settings page
Title: Re: Ldap Authentication Mod
Post by: emacias on September 30, 2008, 11:17:57 PM
Quote
I guess I was just confused because you said you didn't have the configuration settings available before, and the mod installs in a deactivated mode so that it doesn't cause problems before it has been configured.  Is this on a different install, or did you get it working?

everything worked good!!!

Quote
Well, that dn does look right, and the success with ldapsearch does argue persuasively that you have the right information.

What are you using in the "Text to append to login" and "Text to prepend to login" fields?

with error blank page i had this configuration:

ldapauth_emailuselogin       | 1                                   |
| ldapauth_emailattr           |                                     |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |                                     |
| ldapauth_userprefix          |                                     |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           |                                     |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1   


Now that i can start to my forum, settings are:

| ldapauth_emailattr           | mail                                |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |                                     |
| ldapauth_userprefix          |                                     |
| ldapauth_searchdn            | ,ou=People,dc=usb,dc=ve             |
| ldapauth_searchkey           |                                     |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 1                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1

But LDAP Authentication not working yet  :(

What can be?
Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 11:26:50 PM
I think you need to add the prefix and suffix settings I listed before (and not put the first comma in the dn), so that your settings are more like this:

ldapauth_emailuselogin         1
| ldapauth_emailattr
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |  ,ou=People,dc=usb,dc=ve            |
| ldapauth_userprefix          |  uid=                                   |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           |  cn                                   |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1   

Title: Re: Ldap Authentication Mod
Post by: psa on September 30, 2008, 11:32:24 PM
Quote from: virus.cs on September 30, 2008, 10:09:59 PM
Any hope in making this work with the new beta version of SMF?

I hope so.  I'm not running SMF 2.0 anywhere, though, so I haven't really dug into it.  In particular, my sites running this mod are using TinyPortal, so they can't be tested with SMF 2 until TinyPortal supports it.

Quote
Im testing this on 1.1.5 to see what its like, and it install quite fine via the installer. i configured the ldap settings, but i keep getting and internal 500 error when trying to login using ldap.

I have attached a screenshot of the ldap settings page
Well, this is annoying.  A 500 error should also give you an error in your web server logs (the actual "internal error").  Can you see what it says?

I wonder if this is related to the problem an earlier poster listed with a missing function import.  I'll poke at that tomorrow and test and release a bugfix version if I can see that it is actually a bug.

Having your error from the server would be very helpful, though.  Thanks for trying the mod out.
Title: Re: Ldap Authentication Mod
Post by: emacias on October 01, 2008, 02:57:48 PM
Quote from: psa on September 30, 2008, 11:26:50 PM
I think you need to add the prefix and suffix settings I listed before (and not put the first comma in the dn), so that your settings are more like this:

ldapauth_emailuselogin         1
| ldapauth_emailattr
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |  ,ou=People,dc=usb,dc=ve            |
| ldapauth_userprefix          |  uid=                                   |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           |  cn                                   |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1

Hi psa thanks for your big help!!! i did only one change because your preferences not worked, smf showed blank page, So I changed field:

| ldapauth_authresnames        | 1                                   | 

that is: " Allow reserved login names to be authenticated by Ldap Auth
Useful to disable to enforce local accounts for e.g. admin"

AND IT`S Working!!!

By the way, add text configuration from .../Themes/default/languages/Modifications.english.php to .../Modifications.spanish_es.php and worked!!!, My next job will be traslate to spanish language, I promise it!!!

Mil gracias amigo desde Venezuela!!!
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 01, 2008, 03:55:55 PM
Well thats good to hear about v2.0

I have check the iis server and there is nothing in the event logs under app, security or system. I have also enabled IIS logging on the site and the log is attached to this post

If i log out and try to login for the first time as domain user bob it says 500 internal server error, and the path string ends with login2

If i try and register a ldap user it gives me the same 500 internal server error page, but with this path http://tstiis02/test-forums/index.php?action=regcenter

Did anything look strange on the screenshot of settings i sent you?

FYI - I purposely installed SMF version 1.1.5 to test this, so it is a 100% fresh install with nothing other than this mod uploaded, installed sucessfully, configured.

Thank you

PS : Also attached is my /Themes/default/languages/modifications.english.php file - Where do the settings that you define for these properties go? into mysql or into a file?
Title: Re: Ldap Authentication Mod
Post by: psa on October 01, 2008, 06:43:11 PM
Looks like obat had it right with the bug in reserved name handling.  I'm testing a fix for it right now.  emacias had the work around right to select "allow reserved names to be authenticated".  This bug is probably the cause of everyone's blank pages and 500 errors.

Bug fix will be up in a moment, with some additional hints in the settings for non-MSAD users.  Then I'll go back and answer the last couple of messages here.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 01, 2008, 07:28:30 PM
Well, just to add to the confusion, here is the current settings i have set / tried and i still get the 500 error
Title: Re: Ldap Authentication Mod
Post by: psa on October 01, 2008, 07:34:32 PM
New version has been uploaded and attached to the first post.  I can verify the bug in my local test environments and verify that it is fixed in the new version.

Anyone trying the mod should upgrade to the latest version before posting errors or issues to the board so that I know that this bug isn't causing you trouble.  Please uninstall the old version and then install the new one.

Thank you.
Title: Re: Ldap Authentication Mod
Post by: psa on October 01, 2008, 07:42:33 PM
Quote from: emacias on October 01, 2008, 02:57:48 PM
Hi psa thanks for your big help!!! i did only one change because your preferences not worked, smf showed blank page, So I changed field:

| ldapauth_authresnames        | 1                                   | 

that is: " Allow reserved login names to be authenticated by Ldap Auth
Useful to disable to enforce local accounts for e.g. admin"

AND IT`S Working!!!

Great, I'm glad it's working for you now.  With the version I just uploaded you shouldn't need to make that one setting change to avoid the blank pages, but if you don't want to redo any customizations you've made keeping the setting you pointed out should avoid the bug.

Quote
By the way, add text configuration from .../Themes/default/languages/Modifications.english.php to .../Modifications.spanish_es.php and worked!!!, My next job will be traslate to spanish language, I promise it!!!

Mil gracias amigo desde Venezuela!!!

Watch out in your translations that you don't leave any apostrophe characters ' in there unless they have a backward slash before them: \'

De nada, y buena suerte!
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 01, 2008, 07:49:57 PM
Ok, i have just uninstalled then reinstalled a fresh copy of SMF 1.1.5.

Then installed the mod

Configured the options (in screenshot)

and same 500 internal server error, we are going through our php.ini if you would like to see it i can post that also if you like.

Title: Re: Ldap Authentication Mod
Post by: psa on October 01, 2008, 08:20:55 PM
I can see from your configuration screenshot that you've loaded 0.6.1 because of the embarrasingly misplaced hints.  I've uploaded a new version of 0.6.1 with the correct setting hints, and rearranged it so that the prepend segment comes before the append segment, as would be more intuitive.

This shouldn't make any difference to your problem however, since there is no functional change here.

If you are still getting the 500 error, then we're back to square one.  The only 500 errors in the log you attached were right at the beginning, and this being an access log instead of an error log, it doesn't say anything more.

When PHP encounters an error it responds back to the server with some text explaining what went wrong.  The server usually places this in an error log before responding back to the client with a 500 error.  Since I don't work with IIS at all, I don't know where IIS would put these errors, or if there's a futher setting to turn it on somewhere.

Without any kind of error, either from the application in "Forum Error Log" or from the web server in its error log, I don't know where to begin looking for a problem.

Does this error come up when you enter a username and password and press the button to log in?  Or on some of the other screens (such as the login page itself)?
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 01, 2008, 10:24:38 PM
Ok, so i downloaded it again, and made sure i got the right version, installed it, attached is a screenshot of the settings section.

I have also attached the php.ini file so we can look into that, perhaps i can turn on logging in here to find more info.

Same issue is happening, and once i make the settings, i log out, then attempt to login using domain credentials when the 500 error occurs

Also we are using MSAD
Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 02:05:04 AM
I'm still kind of stuck without being able to see any errors on your server.

I did notice a couple of things in your php.ini that I wondered about:

You appear to have the ldap extension disabled (commented out with a semicolon).  Without the standard ldap extension you can't do ldap queries.  I don't run Microsoft Windows, so perhaps I'm missing something, but it seems like you ought to try enabling the extension.  I know it is required on my servers.

You also have not specified a location for php errors to go.

; Log errors to specified file.
;error_log = D:\Intranet\Logs\PHP\log

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

If you uncomment one of these you should be able to see the errors produced by PHP in the specified file or in your event log (in addition to whatever IIS does or does not do with them), and then perhaps we could find the description of your 500 error.

Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 03:36:30 PM
Well, 2 steps forward.

We enabled those options in the php file and it works!

i am able to register ldap people, which is great, but i cannot log in as a member who isnt already registered manually via ldap.

and once a member is registered manually with ldap their network password doesnt work. they type it wrong 3 times, and get the password reset email, and then it gets reset by the user.


/EDIT

Fixed a few things, ldap users couldnt login for the first time, so we edited the values in ldapauth.php to put blank fields into the db for stuff like buddy_list because it wouldnt auto create them.

Now everything is working 100%, apart from if an ldap user doesnt have an email address assigned it wont log them in. but that isnt a big issue.

That you very much PSA. This is awesome.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 04:06:26 PM
I have a couple of requests

I would like to take the 'title' field from AD and put it in the Users Personal Text catagorey so it will show their position in the business etc, i know what to edit in ldapauth.php so it puts the info into the table, but i dont know what to edit to get that information from AD and assign it to a variable

Also, i would like to know (this may be out of your scope) if we could modify board permissions to use groups from the domain.

eg: have a board called senior management, and users who are a member of the group called "Management" in ad, were able to see that board. So basically embed domain groups into SMF forums member groups

If the later is too difficult that is fine, but the first would really help

Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 04:50:08 PM
I'm glad you got it working.

I don't know why you had to put blank values in the database for some elements--I thought I had picked up everything required.  When you get done making changes I would be interested in seeing your version of LdapAuth.php for reference and testing.

Technically, it's possible to put in nonexistent or static email addresses (all the same) automatically for users who don't have one in your directory and thus enable them to login, but many parts of SMF assume that the user has a valid email address, so I'm not sure that is a good idea.  We found that the email information in the directory was inconsistent, which is why we have the option to construct one automatically from the username and domain, since everyone has one of those by default with our system.

Making custom changes to the LdapAuth to populate other fields from your LDAP directory isn't too hard if you know any PHP.
Around line 42, after $lattributes has been set and expanded, add the field you are looking for to the array so that it will be queried in the directory:

$lattributes[] = 'title';

You can add others after it with the same syntax.

There's two places where this information will be used.  The first is in the code that updates users' attributes everytime they login, even if they're already registered.  If you don't have this option checked (to update user info on each login) you can skip this part.
Add the attribute into the database query:

db_query("UPDATE {$db_prefix}members SET
personalText='" . addslashes($lentries[0]['title'][0]) .",    // replace SMF Personal Text with Ldap title field
emailAddress='$lmail',

Only the middle line here is new; the other two are supplied as context so you know where to place it.

In order to add this field when a new user is registered in the system (i.e. logs into SMF with LDAP credentials for the first time), you need to modify the personalText line further down (on line 147 in the unmodified 0.6.1 LdapAuth).
Original line:

'personalText' => '\'' . addslashes($modSettings['default_personalText']) . '\'',

New version:

'personalText' => '\'' . addslashes($lentries[0]['title'][0]) . '\'',


And that should do it, provided that I haven't made any typos...
Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 04:57:34 PM
As I mentioned to an earlier poster, bringing group authorities across would be significantly more difficult.  I've considered it, and different ways to implement it, but most would either be error-prone or require significant new synchronization code to implement.

I'm still considering it.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 05:46:50 PM
Thats cool.
Attached is the ldapauth.php file as requested in its current state, which is working for everything except the title, even with the changes sugessted
Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 07:45:14 PM
Wow, you added all of the user attributes to the register line.  These shouldn't all need to be set (even the regular SMF functions for registering a user don't set most of them), but if it makes it work for you, I'm not going to argue with it.

Let me know if you have trouble with the title.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 08:29:00 PM
Yeah i am having problems with the title, nothing is being updated, all the settings we are currently using are in that file

I had to add all those attribs because they caused errors when they werent writing the null values to the file so it complained
Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 09:08:11 PM
You'll need to use the patches I gave above to get the title populating.

All of this data gets added to the database, and mysql won't normally complain about missing values in the standard tables because it uses the default values instead.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 09:56:54 PM
Ok, it works on first login, but the whole part about updating on login isnt processing, i logged in a test account for the first time, then changed its password in AD, next time i went to login it didnt work, incorrect password. Tried the old password and it worked.

Ideas?
Title: Re: Ldap Authentication Mod
Post by: psa on October 02, 2008, 10:02:11 PM
Quote from: ~Dark//Virus`x *! on October 02, 2008, 09:56:54 PM
Ok, it works on first login, but the whole part about updating on login isnt processing

Are you talking about the mods to add the title, or just with the file you posted earlier?  If it's the title mods, post your updated file so I can take a look.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 02, 2008, 11:07:17 PM
Its everything. If i changed my password after logging into the forum, it still only recognises the old password.

Attached is the auth file
Title: Re: Ldap Authentication Mod
Post by: klim on October 03, 2008, 04:12:25 AM
how install this module on smf version 1.1.6?
then i upload *.zip file on page install packages, i get error:
you package is not package modificatoin or corrupt.

sorry, i am from rus :)
Title: Re: Ldap Authentication Mod
Post by: chewie71 on October 03, 2008, 05:58:58 PM
This is awesome!

The easiest WebBB/LDAP integration I've found....thanks!!!

I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

Thanks for an awesome piece of work...

Matt
Title: Re: Ldap Authentication Mod
Post by: psa on October 03, 2008, 06:55:08 PM
Quote from: ~Dark//Virus`x *! on October 02, 2008, 11:07:17 PM
Its everything. If i changed my password after logging into the forum, it still only recognises the old password.

That is really odd.  Unless the LdapAuth has been disabled it should be checking the password first, and then updating it (or clearing it if you have it set to not keep passwords in the database).  Autoregistering the first time and logging in again later use the same authentication code, though I suppose if something went wrong it might bail out of the function altogether.  Still no errors generated?  LDAP failures are often in the forum error log.

Quote
Attached is the auth file

I don't see anything really wrong here, but that doesn't mean I'm not missing anything.  I wonder what the description of a job title of "bob" would be?  :)
Title: Re: Ldap Authentication Mod
Post by: psa on October 03, 2008, 07:00:07 PM
Quote from: klim on October 03, 2008, 04:12:25 AM
how install this module on smf version 1.1.6?
then i upload *.zip file on page install packages, i get error:
you package is not package modificatoin or corrupt.

The package attached to the first post in this thread is a .tgz file, not a .zip.  Uploading the unopened file should work without any issues.  Try downloading it from the link in the first post again in case the file got corrupted or cut short the first time.

Quote
sorry, i am from rus :)

And I am in the US.  Welcome!

I'm impressed by people who make such an effort and do so well learning and using others' languages.
Title: Re: Ldap Authentication Mod
Post by: psa on October 03, 2008, 07:04:34 PM
Quote from: chewie71 on October 03, 2008, 05:58:58 PM
This is awesome!

The easiest WebBB/LDAP integration I've found....thanks!!!

Great!  I was hoping others would find it useful when I posted it.  Open Source is a great model.

Quote
I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

I was just responding to that question yesterday.  I think it would be helpful for a lot of people to have this kind of integration, but I haven't worked out yet how best to do it.  I'm tempted to wait on it until the SMF 2.0 version, but if there's enough interested people using the mod I may be persuaded to do it sooner.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 05, 2008, 03:28:34 PM
Well for me my job description is "PC Technician" and it doesnt work. I see in the ldap auth file it is saying that there are 2x options, 1x for user already exists, and 1x for user doesnt exist.

Could it be that the user already exists part isnt working? as it pulls the name and title etc. when first logging in

/EDIT :

This is the only error in the forum log

Guest   October 03, 2008, 03:52:54 pm 
172.16.17.40     082b99088a3d5aba7e4f77e7673b60e8 
http://tstiis03/forums/index.php?action=login2 
8: Undefined index: title
File: D:\Apache\htdocs\forums\Sources\LdapAuth.php
Line: 146
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 05, 2008, 05:46:24 PM
OK its fixed!

I read through it again, and the bit which says

Quote
// User does exist (or it's reserved and we've set the option not to update data for reserved names,
// but we'll update the password in case it's changed

Told me what was wrong. the option to auth via ldap for reseved members wasnt ticked, and once you have logged in for the first time your no longer a new member, but a reserved login for some reason.

I am now 100% fixed
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on October 05, 2008, 06:41:41 PM
Ok, now password etc. are sync'd on login, but the title feild still only gets pulled the first time you login
Title: Re: Ldap Authentication Mod
Post by: isix on October 09, 2008, 04:20:29 AM
Quote from: psa on July 02, 2008, 05:53:13 AM
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap
The package installed, but I don't find this tab. What I'm missed?

And I get an error message, every time when I klick the "Features and Options":
http://myserver/forum/index.php?action=featuresettings
8: Undefined index: mods_cat_ldapauth
File: /webdata/wwwroot/forum/Sources/ModSettings.php
Line: 137

Thanks
Title: Re: Ldap Authentication Mod
Post by: kmbarr on October 17, 2008, 03:53:12 PM
Thanks for the great work on this Mod. I'm in the process of getting a forum set-up, and went with SMF 2.0beta4 to hopefully minimize changes later. I went through your LDAP Authentication Mod and converted it over so it would work with the new SMF version. I've attached the result. I'm very new to SMF so there might be some rough edges in this and it could probably use some tweaking [e.g. setting-up the install to work with both 1.x and 2.x SMF versions], but hopefully someone else will find this useful. I've tested automatic registration on login with LDAP credentials and also the Admin registration functions and they seem to be working correctly.

Major changes from 1.x to 2.x where changes in the database functions and field names, a few file locations, and differences in creating the new administration menu options.

I also made a change to the bind/authenticate process. Your original code used ldapauth_userprefix and ldapauth_usersuffix to construct the search DN for the user. That's probably a perfectly good way to do it 99.9% of the time, but I believe theoretically it could change which would break your code [until userprefix/suffix were updated]. I've added code to both the authentication and registration routines to do this in a little more standard [but cumbersome] way of using an anonymous bind, retrieving the application id's DN if provided and rebinding, then searching for the user's DN [and rebinding to authenticate]. Here's a modified code snippet from LdapAuth.php:

{
// these next two are required for recent versions of MSAD,
// but may need tweak options for other ldap servers
ldap_set_option($lds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($lds, LDAP_OPT_REFERRALS, 0);

// [BEGIN CHANGES]
// Bind anonymously [rebind using bindusername if provided] and
// locate user DN to validate password.
do {
// Anonymous bind
if ( [email protected]_bind($lds) ) break;
if ( isset($modSettings['ldapauth_bindusername']) && $modSettings['ldapauth_bindusername'] ) {
// Re-bind using bindusername DN
$lsearch = @ldap_search($lds,$modSettings['ldapauth_searchdn'],"({$modSettings['ldapauth_searchkey']}={$modSettings['ldapauth_bindusername']})",array('dn'));
if ( ldap_count_entries($lds, $lsearch)!=1 ) break;
$lentries = ldap_get_entries($lds,$lsearch);
if ( [email protected]_bind($lds,$lentries[0]['dn'],$modSettings['ldapauth_bindpassword']) ) break;
}

// Locate user DN
$lsearch = @ldap_search($lds,$modSettings['ldapauth_searchdn'],"({$modSettings['ldapauth_searchkey']}={$username})",array('dn'));
if ( ldap_count_entries($lds, $lsearch)!=1 ) break;
$lentries = ldap_get_entries($lds,$lsearch);
if ( [email protected]_bind($lds,$lentries[0]['dn'],$thepasswrd) ) break;
// [END CHANGES (also add while(0); to close DO-WHILE loop)]

//clear passwd if we're not going to store it in the db
if (isset($modSettings['ldapauth_passwdindb']) && !$modSettings['ldapauth_passwdindb'])
$sha_passwrd = "LDAPOnly";


With this change, and a similar change in ManageRegistration.php, the ldapauth_userprefix and ldapauth_usersuffix fields are no longer necessary, so I've remove them.
Title: Re: Ldap Authentication Mod
Post by: Joshua Dickerson on October 17, 2008, 08:53:29 PM
Quote from: psa on October 03, 2008, 07:04:34 PM
Quote
I'm at a university and we are syncing with our primary LDAP server.  Here's a feature request...

We would like to build forum groups from objectClass or attribute values.

objectClass:  univEmployee  (all employees have this)
objectClass:  univStudent  (all students have this)

OR

department:  University Technology
department:  Department of English


That way we could easily give all students or faculty or employees access to certain forums or categories.  Or even just give access to a single department.  Is it possible to add something like this to your module?

I was just responding to that question yesterday.  I think it would be helpful for a lot of people to have this kind of integration, but I haven't worked out yet how best to do it.  I'm tempted to wait on it until the SMF 2.0 version, but if there's enough interested people using the mod I may be persuaded to do it sooner.
Hey, I know of quite a few people that have looked for a good LDAP integration with SMF. I know I have been approached a handful of times for a paid mod to do it. So, there is definitely demand. Thankfully, you have finally done it. And for free, no less.

Not sure how the LDAP side of this problem would be done, but everyone with that object would be assigned that membergroup. I am going to take a look at your mod. Looks like you have/are put(ting) a lot of work in to it.
Title: Re: Ldap Authentication Mod
Post by: zofrecz on November 11, 2008, 09:57:44 AM
Hi.

Please help me. If I log in with real MS AD user and password, I get this error:

Field 'Ingfile' doesn't have a default value
File:.....\ldapauth.php
Line:154

With imaginative password I get user not exist.

Any suggestion, please?

EDIT: I find solution. I edit database table "members" and delete column options not null (column name Ingfile).
Title: Re: Ldap Authentication Mod
Post by: jcwatson11 on November 22, 2008, 09:39:49 PM
I took the mod from the original post in this thread, noted "(Updated to 0.6.1 on 1 October 2008)", and tweaked it to work with our LDAP servers. My changes should actually make the mod more standardized for any implementation. The mod will actually search sub-trees for users from the BaseDN. This was not the case in the original mod.

I'm providing a patch file for the author and the community. Only the LdapAuth.php file was changed.
Title: Re: Ldap Authentication Mod
Post by: armstroc on November 24, 2008, 11:34:19 AM
jcwatson11, how do I actually apply your patch?

This is exactly what I am looking for. I have users in several containers and would like them all to authenticate. I was just about to reply to the post asking how to do that when I saw your patch. However, I am new to SMF and am unsure how to add your patch file to the mod. Can you help me out?

Thanks

EDIT: I just manually edited the file and it worked! Thanks!
Title: Re: Ldap Authentication Mod
Post by: psa on November 25, 2008, 02:54:18 PM
Hey everyone, sorry I haven't been around lately.  Thanks for the patch jcwatson.  You're right that I haven't had the code doing an ldap query to find the principal to bind to, because I mostly try to avoid that approach with my authentication systems due to the extra overhead of the authentication request and the necessity of storing up to date querying credentials in the endpoint systems.

That said, I know that many people don't have the luxury of setting up their directories as they would like them, so this is valuable functionality.  I'll review your code when I get a moment and see about adding it with new configuration options to the mod.

Thanks!
Title: Re: Ldap Authentication Mod
Post by: cbhank on January 22, 2009, 07:51:05 AM
Hello,

I am running SMF 1.17 on Debian Etch and the module seems to work OK here.

To get it working, however, in my particular case I had to reinstall apache and php from source and compile in LDAP to php ... but that was another can of worms.

If anyone were interested, I used these instructions:

http://dan.drydog.com/apache2php.html

then I made sure I had the LDAP libraries, then added --with-ldap to the configure flags.

Thank you very much, without LDAP support we wouldn't be able to use SMF.
// Mark
Title: Re: Ldap Authentication Mod
Post by: cbhank on January 28, 2009, 07:15:43 AM
We are soon going to start allowing our existing customers log into our Forum. These users are currently in an AD, but they will be migrated to OpenLDAP at a later date.

Two custom mods I did myself:

.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

1) We wish for newly-created accounts (auto-created per this mod) to have the option "Hide your email address" to be SET when the account is created. Most of our customers will not want to be identified by their email addresses.  So, I added this line to the module:

                              'hideEmail' => 1,

righh after the other line

                            'validation_code' => "''",

around line 145. That did the trick.

2) I didn't like the fact that the LDAP password was plain text, so I changed in
Sources/ModSettings.php:

            //array('text', 'ldapauth_bindpassword')
              array('password', 'ldapauth_bindpassword')

.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

One problem I need to resolve:

We are on 1.1.7 - and although it seems the basic functions of the mod work well, some of the additional info in the AD is not getting pulled in, for example the dn for the real name (a similar problem exists for extracting email addresses). The error received in the log is:

8: Undefined offset: 0
File: /home/www/forum/Sources/LdapAuth.php
Line: 146

which is this line:
'realName' => '\'' . $func['htmlspecialchars']($lentries[0][$modSettings['ldapauth_fullnameattr']][0]) . '\'',

If anyone can help with this as well, I'd appreciate it.

// Mark
Title: Re: Ldap Authentication Mod
Post by: inrforum on February 16, 2009, 03:07:44 AM
From looking at the code, it seems the ldap password is saved in the sql database.
For my organisation this is a complete no-no.

Why is it saved in the first place?
And how can I auth SMF vs. LDAP / AD without having the password saved?
(got that - rtfm, duh)

Still - I would prefer ApacheAuth:
I do have other sites up which authenticate vs. ldap with Apache mod_ldap, which works fine. Is there a way to setup SMF with ApacheAuth?

thanks in advance,
best regards
Title: Re: Ldap Authentication Mod
Post by: Vaѕh on February 23, 2009, 02:56:05 AM
We're currently running  0.6.1-2BETA4 on SMF RC1, with mild-success.

Everything seems to work, but the following:

-  Update User information from Ldap on every login - when this box is checked SMF does not update user information on each login.
- Store LDAP passwords in the database - When this is unchecked SMF continues to store ldap password's locally.

Are there any resolutions for this? -- We're in the process of tying in all of our stuff via ldap to bridge our services through one authentication process.

inrforum: http://www.simplemachines.org/community/index.php?topic=294254.0 -- I was shown this module earlier. mod_ldap won't work for what we're trying to do, but perhaps it can assist you.
Title: Re: Ldap Authentication Mod
Post by: inrforum on March 02, 2009, 03:59:53 AM
the LDAP-Authentication part with the mod works fine, with the exception of display name:

Display name is set to an empty string on logon.
Even if the user enters a display name in his account settings, it will be reset on next logon.
How would I get display name to be set like user name?

Title: Re: Ldap Authentication Mod
Post by: NeonXL on March 03, 2009, 04:47:02 AM
Hello,

I need LDAP Authentication too and so I found this thread. I installed a fresh 1.1.8, didn´t make it authenticate via LDAP, deleted it, installed 2.0RC1 and installed the Mod here, too. Had to do little modifications on my own, but seems to run.

Thank you for the great work so far, even if it is not running. But that is because I am absolutely not familiar with LDAP and so I have to wait for our administrators here to give me the correct data for the ldap-servers etc.

My questions will come then... ;-)

Edit: No questions, runs perfectly with 2.0RC1!  :)
Title: Re: Ldap Authentication Mod
Post by: jsivak on March 24, 2009, 01:46:32 PM
Quote from: Vaѕh on February 23, 2009, 02:56:05 AM
We're currently running  0.6.1-2BETA4 on SMF RC1, with mild-success.

Everything seems to work, but the following:

-  Update User information from Ldap on every login - when this box is checked SMF does not update user information on each login.
- Store LDAP passwords in the database - When this is unchecked SMF continues to store ldap password's locally.

Are there any resolutions for this? -- We're in the process of tying in all of our stuff via ldap to bridge our services through one authentication process.

inrforum: http://www.simplemachines.org/community/index.php?topic=294254.0 -- I was shown this module earlier. mod_ldap won't work for what we're trying to do, but perhaps it can assist you.

There's a typo on line 76 in LdapAuth.php: $sha_passwrd needs to be changed to $sha_passwd
Title: Re: Ldap Authentication Mod
Post by: sDuck on April 14, 2009, 01:13:46 PM
psa, you're a life saver!  This mod is EXACTLY what I needed to sell SMF as a fully functional forum.   :D

Is the file on the beginning of this thread the most up to date one?  I didn't have time to troll through the 5 pages of posts. 

Thanks again for your hard work! 
Title: Re: Ldap Authentication Mod
Post by: ysmdm1 on April 17, 2009, 03:33:34 AM
After upgrade from 1.1.6 to 1.1.8 this Mod cannot working I try to re-install but not success

please help  :'(
Title: Re: Ldap Authentication Mod
Post by: sDuck on April 22, 2009, 09:33:09 AM
To add an avatar when the user registers via LDAP.  This is assuming that all pictures are stored with the persons user name in a directory with the JPG extension.  I've left a wildcard in there incase the username is not the only defining factor for the file (IE, Date it was taken UserXYZ_010100.JPG):

LDAPAuth.php
Line137: 
<search>// User does not exist in SMF database - create</search>

<Add After>
foreach (glob("/Pictures/" . $username . "*.jpg") as $userPic){
$userPic1 = "http://www.example.com" . $userPic . "";
}
</add after>

Line 146:

<search> 'location' => "'" . $func['htmlspecialchars']($llocation) . "'",</search>

<Add After>
'avatar' => "'" . $userPic1 . "'",
</add after>

Title: Re: Ldap Authentication Mod
Post by: carnac on July 03, 2009, 06:02:46 AM
Hi,

is there a modified package which works with smf 2.0 RC 1 ?

Title: Re: Ldap Authentication Mod
Post by: discogravy on August 12, 2009, 04:39:54 PM
perhaps I'm doing someting wrong -- I downloaded the zip and unzipped it in Packages/ dir and chown'd it to apache, but when I try to install it via admin panel I get this error:


Error in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.


it then shows the README and these failed tests;


Install Actions
Installations actions for "Ldap Authentication":
Installing this package will perform the following actions:
Type Action Description
1. Execute Modification ./Sources/LogInOut.php Test failed
2. Execute Modification ./Themes/default/languages/Modifications.english.php Test successful
3. Execute Modification ./Sources/Admin.php Test failed
4. Execute Modification ./Sources/ManageSettings.php File not found
5. Execute Modification ./Sources/ManageRegistration.php Test failed
6. Execute Modification ./Themes/default/Register.template.php Test successful
7. Execute Code ldap_add_settings.php
8. Execute Code ldap_force_settings.php
9. Extract File ./Sources/LdapAuth.php


Is there a package that I'm missing? I have tried this with the 2.0 RC and 1.1.10 and have gotten the same error; the ManageSettings.php file completely missing leads me to think I'm missing another package, but if it's mentioned, I've missed it...can anyone help?
Title: Re: Ldap Authentication Mod
Post by: bakxs on October 20, 2009, 04:10:20 AM
i would like to know how many people are currently succesfully running a reasonable uptodate version of SMF with LDAP integration?? We would like to run SMF with LDAP, where users registering in SMF, actually register in LDAP.. Other sites (Gallery, Wiki and Joomla) will only authenticate users in LDAP.
Title: Re: Ldap Authentication Mod
Post by: forethought on October 22, 2009, 04:23:42 PM
I just got done installing the latest SMF (1.1.10) and using this LDAP authentication package. I had to do some customizing of the code (our LDAP server is listening on a non-standard port), but other than that, I can login as a user established in LDAP with no problems.

Only real snags I ran into were problems with SMF, not the mod itself  >:(
Title: Re: Ldap Authentication Mod
Post by: mrojas73 on November 29, 2009, 10:54:44 PM
Very nice mod...downloaded it installed it, changed my ldap settings and logged right in using my MSAD account.

Thank you psa, this is a very nice addition to SMF.

Marco
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on April 28, 2010, 12:53:13 PM
Is this mod still being developed?
I'm looking for forum software that we can use for our corporate intranet. If SMF has a good working LDAP/AD integration, then SMF it will be :)
Does it work ok with SMF 2.0 RC3?
Title: Re: Ldap Authentication Mod
Post by: Arantor on April 28, 2010, 01:26:45 PM
As it predates 2.0 RC2, I suspect it doesn't work properly with RC3.
Title: Re: Ldap Authentication Mod
Post by: psa on April 28, 2010, 02:45:25 PM
Arantor is right; it does not work with 2.0.  I've recently started using 2.0RC3, though, so I may look into porting it over if there is interest.
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on April 28, 2010, 03:55:42 PM
You have my interest, and there must be more people that like to run this on 2.0!
Title: Re: Ldap Authentication Mod
Post by: ziycon on April 30, 2010, 05:26:10 AM
Yup, you have my interest, I've been looking for a proper LDAP mod that's actively supported. I know of a lot of people that would like this mod also.
Title: Re: Ldap Authentication Mod
Post by: psa on April 30, 2010, 08:25:18 AM
So far as I know, this mod still works on current versions of 1.1.x.  I tried to make it as upgradable as I could.

For SMF 2 it looks like all the database calls will need to be rewritten, and the configuration screens will need to be entirely redone.  I'm not even sure how to do this second part in SMF 2, so I'll have to do some research.
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on May 01, 2010, 02:54:18 PM
I have recently installed this on a SMF 1.1.11 install with AD. Works perfect.
Now I hope development of this mod continues to SMF 2!
Shouldn't this mod be submitted as an official ldap mod in the modification-section?
Title: Re: Ldap Authentication Mod
Post by: psa on May 01, 2010, 03:22:35 PM
There's an explanation in one of the first few pages that they rejected this mod because it depends on third party systems (the LDAP server).  While I disagree very strongly with this assessment both of the situation (an LDAP server is no more an external dependency than the webserver, PHP engine, or the browsers that users access SMF with) and with the small mindedness of discouraging larger systems integration like this, SMF is not an open source project and has no obligation to the community.  I respect their right to make these decisions for themselves, even when they shoot themselves in the foot.

I pursued it further than that, but they were very clear that this was considered an unsupported "bridge", and they wouldn't discuss it further.

Still researching SMF 2 mods.
Title: Re: Ldap Authentication Mod
Post by: Arantor on May 01, 2010, 03:31:02 PM
Note that that was 2 years ago, times and attitudes can and do change.

There are mods that rely on third party services currently available; most of the anti spam ones do, so there is definitely precedent for it.
Title: Re: Ldap Authentication Mod
Post by: psa on May 01, 2010, 03:35:25 PM
Arantor-
Yes, and there was a previous, less-thorough ldap mod accepted, which was still available on the mod site when I submitted, so I don't expect any particular level of consistency in these decisions.

If you think it is worth resubmitting this mod, I will do so.
Title: Re: Ldap Authentication Mod
Post by: Arantor on May 01, 2010, 03:38:05 PM
I would, folks can make use of it.

Certainly when I was on the cust team I wouldn't have thrown it out on the basis of a third party requirement, and if there's an argument I can find you multiple mods that have dependencies outside of the basic SMF+server environment.

The one problem is that it is harder to test and validate the mod for security and performance because few team members (if any) will have an LDAP environment to test against.
Title: Re: Ldap Authentication Mod
Post by: psa on May 01, 2010, 04:23:15 PM
There is still a mod entry for it, number 1283: "Warning: This mod has been removed from the approval queue".  Should I make a new one, or somehow ask that the old one get reviewed?

I notice that the very old (2005) mod for SMF 1.0 is still present, even now.
Title: Re: Ldap Authentication Mod
Post by: Arantor on May 01, 2010, 04:30:21 PM
You can send the SMF Customization Team (account #1) a PM and they can reopen the mod, including you updating it if you wanted to.
Title: Re: Ldap Authentication Mod
Post by: Dark//Virus on May 03, 2010, 07:09:54 PM
Just would like to add, i have been running this mod for about 18 months now, and i havent had to touch it since, once setup does everything we could ever want
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on May 10, 2010, 05:25:37 AM
Some extra input for the (possible) next vesion.

First I tried LDAP with AD, this worked without problems.
Then I tried to connect to our global LDAP server which doesn't run AD. This time it couldn't bind to the server.
After modifying the code with this patch from jcwatson11 : http://www.simplemachines.org/community/index.php?topic=247449.msg1810973#msg1810973 everything works smooth!
So it might be worth to take a look at that.

Finally we have a corporate forum thanks to this mod 8)
Title: Re: Ldap Authentication Mod
Post by: sibobbler on May 17, 2010, 07:18:05 AM
First time here. Just started using SMF as a staff community forum at an Educational establishment here in the UK. We really want this to talk to AD so that our teachers don't have to remember yet another username and password!

I have a budget waiting if somebody wants to get this working in 2 RC3. It will be shared with the community if done.  :)

Please PM me if you are interested in undertaking this work.

Thanks,
S.
Title: Re: Ldap Authentication Mod
Post by: psa on May 17, 2010, 01:25:28 PM
You have a PM.
Title: Re: Ldap Authentication Mod
Post by: elsim04 on June 14, 2010, 02:51:04 PM
Hello, where I can download the latest version of your algorithm LdapAuth?
Mr. Jinx
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on June 16, 2010, 11:01:47 AM
First of all, I didn't make it (read this post: http://www.simplemachines.org/community/index.php?topic=247449.msg1810973#msg1810973)
But here is the modified file I use to get LDAP (non AD) working. It contains all the changes from jcwatson11's post.
Title: Re: Ldap Authentication Mod
Post by: ysmdm1 on June 22, 2010, 09:02:24 PM
Quote from: Mr. Jinx on June 16, 2010, 11:01:47 AM
First of all, I didn't make it (read this post: http://www.simplemachines.org/community/index.php?topic=247449.msg1810973#msg1810973)
But here is the modified file I use to get LDAP (non AD) working. It contains all the changes from jcwatson11's post.

This LDAP working on latest version right ??

Thank youi
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on June 23, 2010, 02:14:51 AM
No, this is for latest smf 1.x.x
Title: Re: Ldap Authentication Mod
Post by: asko on August 19, 2010, 11:45:32 AM
Hello,

I used it on smf 1.1.11/Linux mandriva 2010.1 and OpenLdap
It works fine !
But, manually installed because package seems corrupted by package manager

Before (smf 1.0.5) I used another mod, but it doesn't work with 1.1.11

So thanks for this great job !
Title: Re: Ldap Authentication Mod
Post by: lmsdefense on October 11, 2010, 10:41:45 PM
Anyone make any progress with the port to 2.x?
Title: Re: Ldap Authentication Mod
Post by: lewism on February 06, 2011, 10:32:03 AM
I definitely have use for LDAP integrations.

I think one reason that you were hearing crickets is because most users have small one man sites or fairly simple sites, perhaps using a bridge, what ever. Not many would want to run a separate LDAP server is my guess.

Also, something even more important is that there are so many products which come to light, people start using them then the dev gives up on it and now that we are depending on this, are SOL for security and other updates.

I myself prefer to pay for these types of things and have some sort of promise that it'll be around for a while.

So, we're using SMF 2.0 RC4 I believe, what's the status on your product?

Thanks.
Title: Re: Ldap Authentication Mod
Post by: Halsey on February 11, 2011, 04:29:33 AM
Quote from: evil1dwk on August 06, 2008, 10:31:56 AM
I'm doing this for a company that deals with health insurance information. So there are strict guidelines on what I can and can't access and what can and can't be accessed from the outside world. Believe me I've thought about tunneling a socks proxy over SSH so I could work remotely. They won't even allow me SSH. I came in here to setup a SAN and VMware. Then they asked me if I could set up a forum and possibly a CMS. I'm familiar with rpath and linux appliances so I downloaded the smf 1.1.4 rpath appliance and updated to 1.1.5.

I added a new domain user (test.smf). Unregistered in SMF I get user does not exist. I've registered the user with store ldap password in database disabled. I get password incorrect. I'm attaching a screen shot of the ldap settings. Here's any errors I can see that might be related to the mod. They don't look like they are related to my problem though. They look like errors with the theme.

As you stated that you are working in a health insurance information.
I hope this web would guide you in a better way to solve  Ldap Authentication Mod.
sourceforge
Thanks
Title: Re: Ldap Authentication Mod
Post by: dinopontino on July 13, 2011, 06:49:52 PM
Quote from: asko on August 19, 2010, 11:45:32 AM
Hello,

I used it on smf 1.1.11/Linux mandriva 2010.1 and OpenLdap
It works fine !
But, manually installed because package seems corrupted by package manager

Before (smf 1.0.5) I used another mod, but it doesn't work with 1.1.11

So thanks for this great job !

Hi,
I'm running SMF 1.1.14 and I get the following when I try to install the package:
"The package you tried to upload either is not a valid package or has become corrupted. "

What are the instructions to manually install?

Thanks!
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on August 01, 2011, 09:30:30 AM
Quote from: dinopontino on July 13, 2011, 06:49:52 PM
Hi,
I'm running SMF 1.1.14 and I get the following when I try to install the package:
"The package you tried to upload either is not a valid package or has become corrupted. "

What are the instructions to manually install?
This mod was made for SMF 1.1.11, but you can put your packagemanager in emulation mode. Then it should install without problems.
Anyone working on a SMF 2.0 version?
Title: Re: Ldap Authentication Mod
Post by: TVsEgon on January 09, 2012, 04:46:23 PM
Quote from: Mr. Jinx on August 01, 2011, 09:30:30 AM
Quote from: dinopontino on July 13, 2011, 06:49:52 PM
Hi,
I'm running SMF 1.1.14 and I get the following when I try to install the package:
"The package you tried to upload either is not a valid package or has become corrupted. "

What are the instructions to manually install?
This mod was made for SMF 1.1.11, but you can put your packagemanager in emulation mode. Then it should install without problems.
Anyone working on a SMF 2.0 version?


I'm curious about this too!   I've used SMF for a couple years at work, and our management is looking to expand the use of the software,
and AD integration would be a bit plus.


Thanks!

Title: Re: Ldap Authentication Mod
Post by: ops2012 on January 31, 2012, 09:09:20 AM
Hello.
I made two hacks for smf 2.0.2: ldap (MSAD supported), kerberos with MSAD. 10x psa for original code.
Someone interested in this code(Need some clean: logging and dirty code)? And have any chance to integrate this in core of smf?

Cast developers of smf.
Title: Re: Ldap Authentication Mod
Post by: gunnymcduck on December 16, 2012, 12:32:32 PM
I was looking for SMF integration with AD/LDAP, and I'm very glad that I found this.

I'm hoping that the thread is not so old that none of this stuff works anymore.

Me or one of my guys will give this a shot soon and maybe I'll resurrect this discussion thread.
:o :)
Title: Re: Ldap Authentication Mod
Post by: Mr. Jinx on December 20, 2012, 02:34:19 AM
I've been using this mod for my company but because the lack of support/development we looked for something different.
Phpbb has ldab/ad integration buildin and works great for us.
Still using smf for my own forum though!
Title: Re: Ldap Authentication Mod
Post by: zzion on January 21, 2013, 02:03:48 AM
Hope this feature will be implemented in the core soon. I realy need it even as a mod!
Title: Re: Ldap Authentication Mod
Post by: ops2012 on August 22, 2013, 03:12:26 AM
http://www.simplemachines.ru/index.php?topic=14091.0
patches are welcome
Title: Re: Ldap Authentication Mod
Post by: ziycon on August 22, 2013, 04:31:11 AM
For anyone still interested there is a fully tested LDAP mod available that is actively being developed/supported, more information at http://www.simplemachines.org/community/index.php?topic=509819
Title: Re: Ldap Authentication Mod
Post by: Bobolin on November 13, 2013, 05:51:45 AM
Quote from: ziycon on August 22, 2013, 04:31:11 AM
For anyone still interested there is a fully tested LDAP mod available that is actively being developed/supported, more information at http://www.simplemachines.org/community/index.php?topic=509819

The link above said: "This topic doesn't exist on this board."
Title: Re: Ldap Authentication Mod
Post by: ziycon on November 13, 2013, 01:15:42 PM
It's been made available for free through the SMF mod site, just has to be approved for release.
Title: Re: Ldap Authentication Mod
Post by: ochorocho on November 20, 2013, 04:47:50 AM
Quote from: ziycon on November 13, 2013, 01:15:42 PM
It's been made available for free through the SMF mod site, just has to be approved for release.

Great, Thanks! Can't wait to test it :-)
Title: Re: Ldap Authentication Mod
Post by: tood on November 20, 2013, 01:31:11 PM
I'm hoping that the thread is not so old that none of this stuff works anymore
Title: Re: Ldap Authentication Mod
Post by: ochorocho on November 25, 2013, 09:00:01 AM
Quote from: ziycon on November 13, 2013, 01:15:42 PM
It's been made available for free through the SMF mod site, just has to be approved for release.

Would you mind providing a zip file for downloading till it's been released. :-)

Thank you.

Cheers,
ochrocho
Title: Re: Ldap Authentication Mod
Post by: Arantor on November 25, 2013, 09:01:05 AM
We generally do not encourage this.
Title: Re: Ldap Authentication Mod
Post by: ochorocho on November 25, 2013, 09:03:59 AM
Quote from: Arantor on November 25, 2013, 09:01:05 AM
We generally do not encourage this.

is there a date when i can expect to be able to download the new Mod?
Just asking ....

I'm pretty new to smf, so i do not know how you handle the release of mods and such ....

Thanks for the fast response!

Cheers,
ochorocho
Title: Re: Ldap Authentication Mod
Post by: Arantor on November 25, 2013, 09:10:13 AM
When it's been reviewed.

We are a group of volunteers, we do this in our spare time - and we do the reviews to try to ensure there are no major issues with the mods that you guys get to use.

Right now there is an issue with it with respect to getting it set up (we can't seem to get it running :()
Title: Re: Ldap Authentication Mod
Post by: ziycon on November 25, 2013, 09:34:40 AM
Quote from: ochorocho on November 25, 2013, 09:00:01 AM
Quote from: ziycon on November 13, 2013, 01:15:42 PM
It's been made available for free through the SMF mod site, just has to be approved for release.

Would you mind providing a zip file for downloading till it's been released. :-)

Thank you.

Cheers,
ochrocho
I'm sorry but it wont be available until it has been verified by other team members and until I'm happy enough testing has been carried out. This is ultimately for the benefit of anyone that plans to use the modification.
Title: Re: Ldap Authentication Mod
Post by: ochorocho on November 25, 2013, 11:02:14 AM
Quote
I'm sorry but it wont be available until it has been verified by other team members and until I'm happy enough testing has been carried out. This is ultimately for the benefit of anyone that plans to use the modification.

Thanks for the quick response ....
I will wait for the release :-)

Title: Re: Ldap Authentication Mod
Post by: jfederer on January 12, 2015, 01:33:16 PM
Is there a current version of this -- I have searched and search and cant' seem to find it.
Title: Re: Ldap Authentication Mod
Post by: ziycon on January 13, 2015, 04:15:39 AM
Still hasn't been approved due to nothing but my own fault and being busy with RL, I'll see if I can dig it up and get the wheels moving again.
Title: Re: Ldap Authentication Mod
Post by: ispanec on March 04, 2015, 02:25:44 PM
ziycon, is it possible to get a test version?
Title: Re: Ldap Authentication Mod
Post by: ziycon on March 05, 2015, 10:20:02 AM
Quote from: ispanec on March 04, 2015, 02:25:44 PM
ziycon, is it possible to get a test version?
I'm actually talking to another team member about getting this mod cleaned up and available as soon as possible, I'll post back once it's available.

I don't like giving out code until I know it works and has been checked.
Title: Re: Ldap Authentication Mod
Post by: tinoest on June 02, 2015, 02:11:42 PM
Hi,

As I couldn't find anything I made some minor modification to my copy of SMF and got LDAP working in my scenario. The code is attached. It's not got the level of checking I would put in if it was a Modification, but if there is enough interest. I'll look to tidy it up and make it available for that release.

I had to modify Themes/default/scripts/script.js and change the hashLoginPassword to the following;

function hashLoginPassword(doForm, cur_session_id)
{
  // Compatibility.
  if (cur_session_id == null)
    cur_session_id = smf_session_id;

  if (typeof(hex_sha1) == 'undefined')
    return;
  // Are they using an email address?
  if (doForm.user.value.indexOf('@') != -1)
    return;

  // Unless the browser is Opera, the password will not save properly.
  if (!('opera' in window))
    doForm.passwrd.autocomplete = 'off';

  doForm.hash_passwrd.value = hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);

  // It looks nicer to fill it with asterisks, but Firefox will try to save that.
  //if (is_ff != -1)
  //  doForm.passwrd.value = '';
  //else
  //  doForm.passwrd.value = doForm.passwrd.value.replace(/./g, '*');
}



You also need to modify your Settings.php and add the following, applicable to your domain.

// LDAP Settings
$ldapSettings['host']   = 'ldap.host';
$ldapSettings['pass']   = 'ladp.password';
$ldapSettings['rdn']    = 'cn=admin,dc=domain,dc=lan';
$ldapSettings['dn']     = "dc=domain,dc=lan";


It will query the LDAP server for a login, if one is found it will check against the SMF database and if the user doesn't exist it will create the user. If the LDAP auth fails, it currently doesn't do anything it just checks the SMF database for the user, but I can modify it to fail at this point if required.

It doesn't handle a changing password on the LDAP side for those that have 30 day logins etc. Again if required it can be modified to do so.

I've tried to make the change/check as minimal as possible so a few features could be missing. It assumes you look up the user details and it matches there uid or login name.
Title: Re: Ldap Authentication Mod
Post by: hyrsky on January 19, 2016, 08:23:18 AM
Here is something I wrote for SMF 2.0.7 and used on a small hidden forum I manage. I have updated to SMF 2.0.11 through package manager and it is still working. Buggy as hell but if anyone is interested feel free to build on this. :)

**
Apparently I'm not allowed to post external links but /hyrsky/SMF-Ldap on github(dot)com
Title: Re: Ldap Authentication Mod
Post by: vbgamer45 on January 19, 2016, 08:45:22 AM
Direct link: https://github.com/hyrsky/SMF-Ldap
Title: Re: Ldap Authentication Mod
Post by: it9 on July 29, 2021, 04:58:49 AM
How to use it? The instruction is incomprehensible there, is there a step by step? What do we have to do?
Title: Re: Ldap Authentication Mod
Post by: shadav on July 29, 2021, 10:20:52 AM
Quote from: it9 on July 29, 2021, 04:58:49 AM
How to use it? The instruction is incomprehensible there, is there a step by step? What do we have to do?
well first off, are you using smf 1.1 as that is what this mod was made to work with
and if you are then you really, really should upgrade as you are 43 versions behind. The current stable version is 2.0.18

although it seems hyrsky may have made it work with 2.0.11, which they wrote on their github how to install their updated version....

so which part are you having troubles with?