Ldap Authentication Mod

Started by psa, July 02, 2008, 05:53:13 AM


psa

I have an Ldap Authentication Mod which works for SMF 1.1.5.  I'm currently using it successfully with MS Active Directory on a live corporate site.

I have attached the most recent version of the package, but I could really use some feedback.

From the included readme.txt:
Quote
LdapAuth (0.6.1) is tested with MS Active Directory and OpenLDAP, and should provide authentication from other LDAP directories if you adjust the settings accordingly.  It is currently only tested against SMF 1.1.5 and 1.1.6.  You will need to uninstall previous versions prior to installing new versions (your settings will be retained, since they are permanently stored in the database, but you will have to re-enable LDAP after checking for any changed options).

You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.  Pay attention to the widely differing hints for MSAD and other LDAP servers.

Existing users should continue to be able to log in after this mod is installed, and new user registrations to the board which don't use LDAP should still be possible.  All user logins will make an attempt via LDAP before "falling through" to the normal SMF database authentication.  The standard SMF install provides an option for disabling registrations, if desired, under Registration->Settings->"Method of registration employed for new members".

By default, uninstalling this package will leave all of the LDAP-authenticated users in your local database, with working passwords in the database as of the last time the users logged in.  If this is not desired you can un-check the option to "Store LDAP passwords in the database" when you first set up the connector; otherwise you will have to manually remove users after uninstallation.  Note that not storing passwords in the database will prevent users from logging in when the directory is unavailable, but it will also automatically remove users' rights to log in when they are removed from the LDAP directory or disabled there.  Additionally, if you also have "Update on login" checked, together with "Store LDAP passwords in the database" unchecked, the users' passwords will be cleared in the database whenever they log in via LDAP (this is a "feature", migrating users to full LDAP control).

This mod also provides a tool under Registration->Ldap Registration to register new users directly from your ldap repository, but it requires storing a username and password to use for binding to the directory.  If your LDAP directory allows looking up user information anonymously (password not needed), leave the username and password blank to attempt an anonymous bind.

In this mod, LDAP is authoritative, so blank (or invalid or unparseable) email addresses in LDAP will lead to blank email addresses in SMF, locations and realnames will be pulled in as is (except for a filter to disable html, which could otherwise lead to unexpected problems), passwords from LDAP will be accepted regardless of any requirements otherwise made by SMF, etc.  The only other option in these cases would be to simply not allow logins from users whose data doesn't meet all of SMF's requirements.  If there is demand for this, it could be added as an option in the future.

I am actively maintaining 0.6.1 for a live site (as of 10/2008) and am interested in widening this mod's applications, so please send me any feedback, problems, or requests.  TODO and change history can be found in this package under changes.txt.

(Updated to 0.6.1 on 1 October 2008)
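The login sequence the readme describes (an LDAP bind attempt first, then the fall-through to SMF's own member table, with the "Store LDAP passwords in the database" and "Update on login" options) sketched as an added example. This is not code from the mod or from psa: the directory entries, the members table and the sha1 hashing stand in for SMF's real tables, and the option names simply follow the readme's wording.

```python
"""Model of the LdapAuth login flow: LDAP first, local SMF table second.

Added example, not the mod's code. DIRECTORY is a constructed stand-in for
the LDAP server and `members` for SMF's member table.
"""
import hashlib
import html
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in directory: login name -> (password, attributes).
DIRECTORY = {
    "alice": ("s3cret", {"mail": "alice@example.com", "cn": "Alice <b>Admin</b>"}),
    "bob": ("hunter2", {"mail": "not an address", "cn": "Bob"}),
}


def ldap_bind(name, password):
    """Simulated simple bind: attributes on success, None on bad credentials."""
    entry = DIRECTORY.get(name)
    return dict(entry[1]) if entry and entry[0] == password else None


def ldap_bind_unavailable(name, password):
    """Simulated outage of the directory server."""
    raise ConnectionError("LDAP server unreachable")


@dataclass
class Settings:
    store_ldap_password: bool = True   # the readme's default
    update_on_login: bool = False
    auto_register: bool = True


@dataclass
class Member:
    name: str
    passwd: Optional[str]   # None = no usable local password
    email: str = ""
    real_name: str = ""


def local_hash(name, password):
    """SMF 1.1 hashes sha1(lowercase name + password); same shape here."""
    return hashlib.sha1((name.lower() + password).encode()).hexdigest()


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def apply_directory_attrs(member, attrs):
    """LDAP is authoritative: an invalid mail becomes blank, names are HTML-escaped."""
    mail = attrs.get("mail", "")
    member.email = mail if EMAIL_RE.match(mail) else ""
    member.real_name = html.escape(attrs.get("cn", ""))


def login(name, password, members, settings, bind=ldap_bind):
    """Return 'ldap', 'local' or 'denied' and update the members table."""
    try:
        attrs = bind(name, password)
    except ConnectionError:
        attrs = None            # directory down: fall through to the local check
    if attrs is not None:
        member = members.get(name)
        if member is None:
            if not settings.auto_register:
                return "denied"
            member = Member(name=name, passwd=None)
            members[name] = member
            apply_directory_attrs(member, attrs)
        elif settings.update_on_login:
            apply_directory_attrs(member, attrs)
        if settings.store_ldap_password:
            member.passwd = local_hash(name, password)   # keeps working offline
        elif settings.update_on_login:
            member.passwd = None    # migrate the account to LDAP-only control
        return "ldap"
    member = members.get(name)
    if member and member.passwd and member.passwd == local_hash(name, password):
        return "local"
    return "denied"


def demo():
    """Walk through the cases the readme spells out; returns (outcomes, table)."""
    members = {"carol": Member("carol", local_hash("carol", "localpw"))}  # local-only user
    results = {}
    s = Settings()
    results["alice_ldap"] = login("alice", "s3cret", members, s)
    results["alice_offline"] = login("alice", "s3cret", members, s, bind=ldap_bind_unavailable)
    results["carol_local"] = login("carol", "localpw", members, s)
    results["bob_badpw"] = login("bob", "wrong", members, s)
    s2 = Settings(store_ldap_password=False, update_on_login=True)
    results["alice_migrate"] = login("alice", "s3cret", members, s2)
    results["alice_offline_after"] = login("alice", "s3cret", members, s2, bind=ldap_bind_unavailable)
    return results, members


if __name__ == "__main__":
    outcomes, table = demo()
    for case, outcome in outcomes.items():
        print(case, outcome)
```

The `alice_offline` / `alice_offline_after` pair is the trade-off the readme calls out: with the stored hash, a directory outage degrades to local authentication; once "Update on login" has cleared it, the same outage locks the user out.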

psa

From the changes.txt:
Quote
Future todo:
Enhance LDAP Registration with username lookup from ldap directory
Add Password lookup (instead of authenticate on bind) for login checks
Error handling for ldap issues in both LdapAuth (during login and auto-registration) and the LDAP Registration screen
General audit for (SQL, HTML, LDAP) injection issues -- most issues are handled now, but I can't say 100% that there aren't any remaining

Open questions:
Should we have an option under LDAP Auth settings to suppress user self-registration (redundant with the builtin screen)?
Should we have a feature to disable password changes, or is that another mod?
Is there anything lost, and not already addressed, by not calling registerMember instead of updating the database directly?
Password must be stored in the clear in the database to do binding for ldap lookups--other options?
--storing admin's password at login in the session or something for later ldap queries (what if admin is local and not ldap?)
--asking for the password each time a lookup is done (tedious)
--already added anonymously-bound lookups where available

History

v 0.6
Fixed a bug where admin-registered ldap users had a known password until first login
Added html escaping to location and realname fields
Added email validation, ripped from Subs-Members.php
(We don't use the Subs-Members registration function directly because we don't want to return registration errors to a user trying to log in...)

Added explicit anonymous bind option for ldap user registration screen when username is blank
Added option to not store passwords in database

v 0.5
Fixed a bug where the real name option failed when not set to 'cn'
Fixed tab display bug on Ldap Authentication Mod Options screen
Added magic variables __FILE__, __LINE__ to db_query in install scripts to suppress errors in log...
   (why aren't these in the package sdk?)

Added Ldap Registration Screen, requiring several new files and a couple new settings

v 0.4
Fixed database settings uninstall, and file removal

Did away with the integration hook and called the authentication directly
--the hook required the 'retry hack' and an include to operate, so this is neater
--the wrong password is sent to the hook, requiring a direct run to the $_REQUEST variable
--there is an unresolvable incompatibility with any other service which requires the hook
  (ie downstream integration is broken by this upstream integration)
Added option to change ldap attribute from which real name is extracted
Added option to allow/disallow authentication of reserved login names
Added option to allow/disallow auto-registration of reserved login names
Added TODO and history info to changes.txt
Moved admin control panel settings into their own tab under Features and Options

v 0.3
Added option to update info on every login
Cleaned up files
Added description to readme.txt

v 0.2
Added settings to Admin Basic Options to adjust for non-MSAD and set required connection information
Moved authentication routine into its own file

v 0.1
Initial Mod
MS Active Directory only
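
The "audit for (SQL, HTML, LDAP) injection issues" on the TODO list comes down to two escaping rules for values that reach the directory: one for search filters (RFC 4515) and one for distinguished names (RFC 4514). The helpers below are an added example, not code from the mod or from psa; the filter templates, the base DN, the domain and the login-name allowlist are assumptions, since attribute names depend on the directory schema.

```python
"""Escaping login names before they reach an LDAP filter or DN.

Added example, not code from the LdapAuth mod. FILTER_TEMPLATES, the default
base DN / domain and LOGIN_NAME_RE are assumptions for illustration.
"""
import re

FILTER_TEMPLATES = {
    "msad": "(&(objectClass=person)(sAMAccountName={user}))",   # assumed template
    "openldap": "(uid={user})",                                 # assumed template
}

# Conservative allowlist for a login name used as a bind identity (assumption).
LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value):
    """RFC 4515: backslash, '*', '(', ')' and NUL inside a filter value become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape an attribute value placed inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(server_kind, login_name):
    """Lookup filter (as the registration screen would use), name escaped."""
    return FILTER_TEMPLATES[server_kind].format(user=escape_filter_value(login_name))


def build_bind_identity(server_kind, login_name,
                        base_dn="ou=People,dc=example,dc=com", domain="example.com"):
    """MSAD accepts user@domain for a bind; OpenLDAP needs the entry's full DN."""
    if not LOGIN_NAME_RE.match(login_name):
        raise ValueError("login name contains characters outside the allowed set")
    if server_kind == "msad":
        return "%s@%s" % (login_name, domain)
    return "uid=%s,%s" % (escape_dn_value(login_name), base_dn)


def count_filter_groups(filter_str):
    """Number of unescaped '(' in a filter.

    A useful audit check: escaping must leave the template's count unchanged,
    whatever the user typed.
    """
    n = i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3          # skip a \XX escape sequence
            continue
        if filter_str[i] == "(":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    hostile = "x)(uid=*"
    print(build_user_filter("msad", hostile),
          count_filter_groups(build_user_filter("msad", hostile)))
    print(FILTER_TEMPLATES["msad"].format(user=hostile),
          count_filter_groups(FILTER_TEMPLATES["msad"].format(user=hostile)))
```

The two `print` lines contrast the escaped and unescaped filter for the same input: the escaped one still has the template's three groups, the raw substitution has four, which is exactly what the audit item is meant to catch.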

psa

Just hearing crickets so far, here and in response to the code I posted last week, so I'm assuming the demand is not really there, or those that would use this functionality do not frequent this forum.

With a couple heavy rounds of testing we've deployed v 0.4 on our servers, so I consider this mod stable and solid, if not feature complete.  When I finish building out all of the features that I need for my application I'll mark it 1.0.  Hopefully there will be others who have tried it by then.

In light of its stability I've submitted it as a new mod.

vbgamer45

I would also add a link to the topics on LDAP in the mod requests and feature requests forum to this topic so people have an idea that this has been developed.

psa

Ah, good suggestion, thank you.  I wasn't aware of these threads.

psa

It appears that they "do not allow mods which require 3rd party applications to run".  At this point the next version (0.6) is already in progress, and is moving toward a more pluggable authentication model, but I'm not sure if there's any point in working on it, or any connectors for 2.x.  I've had no downloads of any of the versions I've uploaded here, no inquiries, and there doesn't seem to be any chance that anything I produce on this will ever be accepted anyway.

The 3rd party restriction, with all of its implications for integrations and authentication methods, should really be listed in the Modification Approval Guidelines.  At any rate, now others thinking about doing this in the future will be able to find this information, hopefully.

(Edited to fix URL tag)

vbgamer45

You can add it to my download site at http://www.smfhacks.com. The hard part is finding the people who have a use for it. Every couple of months or so I see a post asking for it.

Caesonia

Quote from: psa on July 02, 2008, 08:57:07 PM
Just hearing crickets so far, here and in response to the code I posted last week, so I'm assuming the demand is not really there, or those that would use this functionality do not frequent this forum.

With a couple heavy rounds of testing we've deployed v 0.4 on our servers, so I consider this mod stable and solid, if not feature complete.  When I finish building out all of the features that I need for my application I'll mark it 1.0.  Hopefully there will be others who have tried it by then.

In light of its stability I've submitted it as a new mod.

It's there. I read your posts, and I started looking at your code. I saw you were doing some of the things I had been heading towards. I just hadn't had the chance to get back to you with a thoughtful, well-written reply and my own ideas.  :) I also was willing to wait until you had completed your mod to see where you had ended up in your code.

I think the demand is there, but I see it more actively approached in some other CMS forums. The problem is, I think, that Simple Machines has about the best out-of-the-box OS forum out there, bar none, and this is what I really want to integrate into some other sites.

Thanks for doing the work, and I will be looking at this this morning and afternoon, to see if I can work with it some for OpenLDAP and how we can improve it.

Caesonia

Quote from: psa on July 05, 2008, 08:58:30 PM
It appears that they "do not allow mods which require 3rd party applications to run".  At this point the next version (0.6) is already in progress, and is moving toward a more pluggable authentication model, but I'm not sure if there's any point in working on it, or any connectors for 2.x.  I've had no downloads of any of the versions I've uploaded here, no inquiries, and there doesn't seem to be any chance that anything I produce on this will ever be accepted anyway.

The 3rd party restriction, with all of its implications for integrations and authentication methods, should really be listed in the Modification Approval Guidelines.  At any rate, now others thinking about doing this in the future will be able to find this information, hopefully.

(Edited to fix URL tag)

I am downloading it now, and I will be keeping in better touch with you now.

Remember, it WAS a holiday week, so people who work in the heavy probably weren't out there to chat. I have a big demand for LDAP integration right now.

Caesonia

Quote from: psa on July 02, 2008, 05:53:13 AM
I have an Ldap Authentication Mod which works for SMF 1.1.5.  I'm currently using it successfully with MS Active Directory on a live corporate site.

I have attached the most recent version of the package, but I could really use some feedback.

From the included readme.txt:
Quote
LdapAuth (0.5) is tested with MS Active Directory, and should provide authentication from other LDAP directories if you adjust the settings accordingly.  It is currently only tested against SMF 1.1.5, so I have no idea whether it will work with any other version.  You will need to uninstall previous versions prior to installing new versions (your settings will be retained, but you will have to re-enable LDAP after checking for any changed options).  Note uninstalling this package will leave all of the LDAP-authenticated users in your local database, with working passwords in the database as of the last time the users logged in.  If this is not desired you will have to manually remove them after uninstallation.

You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.

Existing users should continue to be able to log in, and new user registrations to the board which don't use LDAP should still be possible.  All user logins will make an attempt via LDAP before "falling through" to the normal SMF database authentication.  The standard SMF install provides an option for disabling registrations, if desired, under Registration->Settings->Method of registration employed for new members.

This mod also provides a tool under Registration->Ldap Registration to register new users directly from your ldap repository, but it requires storing a username and password to use for binding to the repository.

(Updated to 0.5 on 5 July 2008)

Hi. I have some questions as I look at your code and attempt to install your mod manually. It works on one location that I have FTP set up on, but that one didn't have any security conflicts. However, I have the same settings on my development server, just without FTP, and I don't seem to be getting anywhere.

So I am doing it manually.

Um....

Register.template.php. Where is this file? It doesn't exist. There is a register.php. It calls a 'register' template. Trying to see if it's in the same file.

Can't find it anywhere, especially not under the Themes directory. There is only index.template.php.

Can't wait to try it, because I know I have some settings to change.

psa

Register.template.php is in the default theme, and is used by all registration-related screens, admin and otherwise.  I'm adding a new screen to it to handle direct administrative registration of LDAP users (we use it to add new users as mods, before they first log in).  On a default install of SMF this will be in Themes/default/Register.template.php

edit: 0.6 uploaded, readme and changelog updated above

Caesonia

Quote from: psa on July 07, 2008, 06:34:17 PM
Register.template.php is in the default theme, and is used by all registration-related screens, admin and otherwise.  I'm adding a new screen to it to handle direct administrative registration of LDAP users (we use it to add new users as mods, before they first log in).  On a default install of SMF this will be in Themes/default/Register.template.php

edit: 0.6 uploaded, readme and changelog updated above

OK, I have made all those changes manually. Um, the question is, how do I find these check boxes you are talking about, and add in the settings? Am I supposed to go to the code in Ldap__add_settings.php, or where? I have this installed now on 2 different SMF forums, one done with the installer, one done manually. The one done manually doesn't even recognize it as installed.

So, where do I go from here? Sorry to sound ignorant. If I haven't been at the core of the code writing, I often find myself unsure in certain ways. I also have never really done a manual install on SMF (I haven't used many mods), and any subtle changes I have written into the code myself.

I would really like to have this chatting with my LDAP server today.

Thanks for all your hard work and help in advance. :)

psa

From the Readme quoted above:
Quote
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.
When you go into the admin console you'll see the "Features and Options" link on the left below the "Configuration" heading.  Click on it and you'll see a series of tabs above the Basic Options, one of which will be "LDAP Authentication".  All the settings are on that panel.

psa

The number of changes in this mod is growing, and I'd hate to have to manage all of them by hand on a manual install, especially with the bugfixes and security updates in each new release.  Are you getting conflicts on the install, or just trying to understand all of the parts?  Transferring the package doesn't require ftp on the server since you can just upload it through the package manager (in the section perversely named "Download Packages").

Caesonia

Quote from: psa on July 08, 2008, 12:36:53 PM
From the Readme quoted above:
Quote
You will need to visit the Admin Configuration screen for "Features and Options" to find the tab in which to enable Ldap Authentication and set the various options to actually connect to your LDAP server, authenticate, and auto-register new users.
When you go into the admin console you'll see the "Features and Options" link on the left below the "Configuration" heading.  Click on it and you'll see a series of tabs above the Basic Options, one of which will be "LDAP Authentication".  All the settings are on that panel.

Yes, I finally found that on the one that did the automatic install. Then I managed to do a manual install, and the files all passed, but when installed the Features and Options page is blank. So we have a query or some such that is blocking even the ajax.

psa

I'd check the error log, and carefully review the changes in ModSettings.php which controls that panel.  You might want to compare your manually-edited files with the files from the automatically installed package on the other system.

Caesonia

Quote from: psa on July 08, 2008, 03:53:05 PM
I'd check the error log, and carefully review the changes in ModSettings.php which controls that panel.  You might want to compare your manually-edited files with the files from the automatically installed package on the other system.

Thanks PSA. I got it all working as far as installed. By doing it manually, I really got a much more in depth look at the code, which is something I really needed if I am going to do some tweaking.

Unfortunately the storms took down my LDAP server, and I am working hard to get that up and going. Fortunately, as I am in the development stage, it hasn't caused any major internal glitches for me, but it sure was a downer. I am fairly new to LDAP, but I can see more and more demand out there.


psa

0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.

Caesonia

Quote from: psa on July 09, 2008, 06:21:49 PM
0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.

Well, it has all been running hunky-dory, but then I had a catastrophic authentication failure. Though the config files remain unchanged, and everything is as it should be, I cannot log in. Not as admin, nothing. I had developed a lot of interfaces with my custom code. All were fine, now nothing. And the applications that I had using the LDAP also no longer can authenticate.

It's a Debian configuration running on Ubuntu Server, unlike my last one on CentOS.

I see nothing under the syslogs, but I also know I wouldn't recognize everything either. I have been using phpLDAPadmin for a lot of the schemas I was building.

All I know is a complete authentication failure has occurred, and slapd is no longer functioning quite right. Any attempts to modify it get me slapd broken or not completely installed.

evil1dwk

I'm new to SMF and the mods in particular. I just set up a site for a client. They had an existing AD and they wanted all their users to access a forum with health benefits information, a company handbook and other general information. They also added a forum for general queries to HR and other departments. SMF is great and I love the LDAP authentication.

smf 1.1.5 on rpath linux VM
AD is windows 2003 enterprise SP2 plus exchange 2003 SP2 server and primary DNS server (I did not set this up).

I installed the mod, which went fine using the interface. I haven't tried manually yet. The default theme is the only theme with the LDAP auth tab in Features and Options. Like I said, I'm new to SMF and mods so it might be normal or I might have screwed myself somehow. Not a big deal; I left the admin at the default and changed the overall forum default to the theme requested by the client.

A few feature requests:
the ability to register AD groups rather than just users.
no registration required for ldap users. I can't login as an AD user unless the user is registered. I wouldn't mind this if I could register groups.

Bug (I noticed):
I can't seem to log a user in unless the password is stored in the local database. I'm told the password is incorrect.

Awesome mod though. Big help in this case saved me from having to hear complaints about people forgetting how to log in to the forum.
