Ldap Authentication Mod

Started by psa, July 02, 2008, 05:53:13 AM


psa

Quote from: evil1dwk on July 30, 2008, 08:57:11 PM
I'm new to smf and the mods in particular. I just set up a site for a client. They had an existing AD they wanted all their users to access a forum with health benefits information, a company hand book and other general information. They also added a forum for general queries to HR and other departments. SMF is great and I love the ldap authentication.

Welcome to SMF!

Quote
smf 1.1.5 on rpath linux VM
AD is windows 2003 enterprise SP2 plus exchange 2003 SP2 server and primary DNS server (I did not set this up).

This is the same as the setup I'm primarily testing against.

Quote
I installed the mod which went fine using the interface. I haven't tried manually yet. The default theme is the only theme with the ldap auth tab in features and options. Like I said, I'm new to smf and mods, so it might be normal or I might have screwed myself somehow. Not a big deal; I left the admin at the default and changed the overall forum default to the theme requested by the client.

Hmm.  I thought that the changes for the configuration tab in particular would work across different themes when they were changed; nothing is changed in the theme except to add the Admin LDAP User Registration component, and that's a pretty straightforward addition of a function which should apply cleanly even if the theme in question did provide its own version of the file.  I guess I'll have to look into that.  In my production setup the theme was chosen and set before the mod was installed, and all worked as expected.

Quote
A few feature requests;
the ability to register AD groups rather than just users.

Are you looking to be able to register users by AD group, or somehow tie AD groups into SMF?

Quote
no registration required for ldap users. I can't login as an AD user unless the user is registered. I wouldn't mind this if I could register groups.

Registration shouldn't ever be required.  I only added the Admin Ldap Registration screen to allow adding users with specific group membership.  If users aren't being autoregistered, this is a bug or a misconfiguration.

Quote
bug (I noticed)
I can't seem to log a user in unless the password is stored in the local database. I'm told the password is incorrect.

Are you saying that you can't make it work with the configuration setting specifying that passwords shouldn't be stored in the database, or that you need to have already saved the users' password in the database, or ?

Quote
Awesome mod though. Big help in this case saved me from having to hear complaints about people forgetting how to log in to the forum.

Thank you.  I'm glad you found it useful.  Are you using the 0.6 version currently posted at the top of this thread?  Which settings are you using?  There's a lot of configuration switches, and the better I understand how you've got them set, the better I'll be able to figure out what's wrong and what you're looking for.  Also, do you get any error messages in the Forum Error Log (Under Maintenance in the Admin Control Panel)?

evil1dwk

I'm posting two screen shots of the features and options page, one with the default theme, the other using IG-OH for 1.1.5. It is not the only theme that does not include the LDAP auth menu item. All themes were installed pre-mod.

I would like to register AD groups as local users and possibly groups. I want to take all domain admins and make them SMF admins. I don't really need group integration, more group registration. Possibly allow future registration based on someone being added to a group in AD without changes in SMF. I only need this because I can't seem to log a user in until they are registered.

If I disable Store LDAP passwords in the database I always receive Password incorrect. As soon as I re-enable store LDAP passwords it works fine. Not really a big deal as this instance is only accessible internally. I also noticed that the passwords are stored encrypted, so again not a deal breaker. Although I'm wondering how this will work come password change time. I do have Update User information from Ldap on every login enabled, though, but I noticed the note says name, location, email, etc.

I don't always have access to this server so I can't get the error logs. I'm building a local DC and rpath SMF on vmware locally to see if I can recreate the problems and get you the log files.

evil1dwk

Yes I am using 0.6 posted here.

psa

Quote from: evil1dwk on August 05, 2008, 01:21:47 PM
I'm posting two screen shots of the features and options page, one with the default theme, the other using IG-OH for 1.1.5. It is not the only theme that does not include the LDAP auth menu item. All themes were installed pre-mod.

One of the things I see right off the bat is that the theme is overriding the languages/Modifications.english.php file which is necessary to add all written text in the mod, including the menu item itself.  You'll need to add the required strings from the ldap mod back to this file to get it to work.

Quote
I would like to register AD groups as local users and possibly groups. I want to take all domain admins and make them SMF admins. I don't really need group integration, more group registration. Possibly allow future registration based on someone being added to a group in AD without changes in SMF. I only need this because I can't seem to log a user in until they are registered.
The failure of auto-registration is a pretty serious problem, and I'd like to fix it rather than work around it.  See below for comments on errors.

There are a number of ways to handle groups--
We can add a group autoregistration function to the current Admin LDAP User Registration screen, which takes a group name rather than a user name and autoregisters all members of that LDAP group with the chosen group membership.  The problem with this is that it won't track changes in the LDAP directory, and so will get out of date.

A more robust solution would be mapping local groups to groups within the directory, so that when a user logs in each of the mappings is checked and group memberships are assigned or removed as necessary.

An added complication with both of these is that group membership is handled differently in different directories, and even different versions of MSAD handle them differently.  MSAD doesn't even make the primary group membership of a user visible to LDAP, for some dark reason known only to Redmond.

Quote
If I disable Store LDAP passwords in the database I always receive Password incorrect. As soon as I re-enable store LDAP passwords it works fine. Not really a big deal as this instance is only accessible internally. I also noticed that the passwords are stored encrypted, so again not a deal breaker. Although I'm wondering how this will work come password change time. I do have Update User information from Ldap on every login enabled, though, but I noticed the note says name, location, email, etc.

I wonder if this problem is related to the autoregistration error.
Note that if you store passwords in the database, they will be updated every time the user logs in, regardless of the Update User Information setting.  Password changes made in the directory will work automatically in the forum.

Yes, these passwords are encrypted.  Keeping them there is secure and even provides the ability for users to continue logging into your forum when the directory is unavailable.  We use the "don't store" setting so that when a user is deactivated in the directory they are also unable to log in to the forum.

Quote
I don't always have access to this server so I can't get the error logs. I'm building a local DC and rpath SMF on vmware locally to see if I can recreate the problems and get you the log files.

As I tried to make clear in my last post, you should be able to find SMF errors from the Admin console.  They are in the Forum Error Log under Maintenance in the Admin Control Panel.  Without these errors it is very difficult for me to see what is going wrong.

evil1dwk

I'm doing this for a company that deals with health insurance information. So there are strict guidelines on what I can and can't access and what can and can't be accessed from the outside world. Believe me, I've thought about tunneling a socks proxy over SSH so I could work remotely. They won't even allow me SSH. I came in here to set up a SAN and VMware. Then they asked me if I could set up a forum and possibly a CMS. I'm familiar with rpath and linux appliances so I downloaded the smf 1.1.4 rpath appliance and updated to 1.1.5.

I added a new domain user (test.smf). Unregistered in SMF I get user does not exist. I've registered the user with store ldap password in database disabled. I get password incorrect. I'm attaching a screen shot of the ldap settings. Here's any errors I can see that might be related to the mod. They don't look like they are related to my problem though. They look like errors with the theme.

hxxp:forum.companyname.com/forum/index.php?action=login2 [nonactive]
Password incorrect - test.smf

hxxp:forum.companyname.com/forum/index.php?action=featuresettings [nonactive]
8: Undefined index: mods_cat_ldapauth
File: /srv/smf/Sources/ModSettings.php
Line: 137

hxxp:forum.companyname.com/forum/index.php?action=regcenter [nonactive]
8: Undefined index: ldapregister_description
File: /srv/smf/Sources/ManageRegistration.php
Line: 110

hxxp:forum.companyname.com/forum/index.php?action=regcenter [nonactive]
8: Undefined index: ldapregister_title
File: /srv/smf/Sources/ManageRegistration.php
Line: 109

psa

Most of those errors are from not having the Ldap Auth strings in the languages/Modifications.english.php of the theme, as you said, but they are errors which will entirely prevent the ldap mod from working, since it bails when it encounters a string error.

I assume your working configuration has the first four or so fields filled out (including the enable setting checked) unlike the one you posted.  I'll try to replicate your other settings with your theme and see where that gets me in trying to reproduce the error.

Caesonia

Quote from: psa on July 09, 2008, 06:21:49 PM
0.6 changed a few things in the way the mod works so that passwords no longer have to be stored in the database (but can optionally be). 

I hope you don't have too much trouble getting your LDAP server back online.  I've run a number of OpenLDAP servers in the past, but don't have any in production at the moment.

Yes, the LDAP server is back online, on a new box. I am having to replace a lot of machines, and I usually do some basic testing on older machines, but that was a bit too old. It gets to a point where you wonder what you did. I think the machine actually was a bit much to handle even the LAMP that was on it. I had a laugh when my older laptop, which works fine with the new HD, actually collapsed in Ubuntu 7.10, when it ran XP OK. A shock actually, but it's a 6-year-old laptop, what can I say? Anyways, I have your mod installed, and everything back up and humming, so I will be able to test and see the differences.

It installed fine, so now it's actually hooking up to the dummy sets of users.

Thanks for the great work, you sure are saving me a lot of time.

evil1dwk

Quote from: psa on August 06, 2008, 12:42:28 PM
Most of those errors are from not having the Ldap Auth strings in the languages/Modifications.english.php of the theme, as you said, but they are errors which will entirely prevent the ldap mod from working, since it bails when it encounters a string error.

I assume your working configuration has the first four or so fields filled out (including the enable setting checked) unlike the one you posted.  I'll try to replicate your other settings with your theme and see where that gets me in trying to reproduce the error.

Yeah, sorry, I took a screen shot of a test build. The test build is a Windows 2000 Advanced Server SP4 VM, same smf setup, rpath smf 1.1.4 VM appliance updated to 1.1.5. With ldap authentication enabled I get a blank screen for AD or local users. I can't log in at all. I had to run an update query to disable ldap auth. I can register ldap users and they can log in with the password stored in mysql. I don't know what to tell you. I can't keep helping though, I have to move on with another project. I appreciate the mod and the help.

obat

I've just installed and tested the mod on my smf-1.1.5. The first error which I've seen was:
"Fatal error: Call to undefined function isReservedName() in /var/www/phobos.romance.iki.rssi.ru/htdocs/forum/Sources/LdapAuth.php on line 29"

I fixed this by modifying LdapAuth.php:
I changed
<       global $db_prefix, $user_info, $modSettings, $func, $txt;

to
>       global $db_prefix, $user_info, $modSettings, $func, $txt, $sourcedir;
>       require_once($sourcedir . '/Subs-Members.php');

The next change in the code was made because I'm using an OpenLDAP server, not MSAD.
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))

and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."

Now it works. FYI, smf is running on a Centos box with openldap 2.3.27

Thanks for the great work!

psa

Quote from: obat on August 26, 2008, 07:45:31 AM
I've just installed and tested the mod on my smf-1.1.5. The first error which I've seen was:
"Fatal error: Call to undefined function isReservedName() in /var/www/phobos.romance.iki.rssi.ru/htdocs/forum/Sources/LdapAuth.php on line 29"

I fixed this by modifying LdapAuth.php:
I changed
<       global $db_prefix, $user_info, $modSettings, $func, $txt;

to
>       global $db_prefix, $user_info, $modSettings, $func, $txt, $sourcedir;
>       require_once($sourcedir . '/Subs-Members.php');
Hmm, I wonder why this worked for me if I was calling a function which had not been loaded.  I'll flag this for further investigation and possible inclusion in a bugfix release.

Thanks for the information.

Quote
The next change in the code was made because I'm using an OpenLDAP server, not MSAD.
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))

and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."
Is this different than leaving the code as is and setting the prefix to "uid=" and the suffix to ",ou=organization,dc=...,dc=..."?  (Your code doesn't parse--I think you got an extra "$thepasswrd))'], " in there somehow when pasting the code.)

The idea was that with the prefix and suffix settings these could be adjusted for use with other LDAP servers without requiring code changes.

Quote
Now it works. FYI, smf is running on a Centos box with openldap 2.3.27

Thanks for the great work!
I'm glad it's working for you.  The code is currently doing everything required for us where we've installed it, so I don't have any planned upgrades, but I do plan to revisit it at some point and address requests/bug fixes, along with the items in the TODO section.

Thanks for the feedback.
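As an added illustration of the prefix/suffix discussion above (this is example code, not part of the mod itself): the mod builds the bind identity as prefix . username . suffix, so the same code serves MSAD (empty prefix, "@domain" suffix, giving a UPN) and OpenLDAP ("uid=" prefix, ",ou=...,dc=..." suffix, giving a DN). The settings arrays, server names and the helper function names below are constructed assumptions; the checks before ldap_bind() are the ones a hardened login path should make.

```php
<?php
// Added example, not code from the SMF Ldap Authentication Mod.
// Shows how the prefix/suffix settings form the identity passed to
// ldap_bind(), and the checks worth making before the bind happens.
declare(strict_types=1);

/**
 * Build the bind identity the way the mod does: prefix . username . suffix.
 * Returns null when the username could alter the resulting DN or UPN.
 */
function build_bind_identity(array $settings, string $username): ?string
{
    // Reject characters that RFC 4514 requires escaping inside a DN value;
    // a login containing them could change which entry the bind targets.
    if ($username === '' || preg_match('/[,=+<>#;\\\\"\x00]/', $username)) {
        return null;
    }
    return $settings['ldapauth_userprefix'] . $username . $settings['ldapauth_usersuffix'];
}

/**
 * Authenticate $username/$password against the configured server.
 * Returns true only for a successful authenticated simple bind.
 */
function ldap_authenticate(array $settings, string $username, string $password): bool
{
    // An empty password turns ldap_bind() into an unauthenticated
    // (anonymous) bind, which many directories accept: fail closed here.
    if ($password === '') {
        return false;
    }
    // The "Invalid DN syntax" error seen in this thread comes from an empty
    // or malformed search DN; refuse to bind with incomplete settings.
    if (trim($settings['ldapauth_searchdn']) === '') {
        return false;
    }
    $bindId = build_bind_identity($settings, $username);
    if ($bindId === null) {
        return false;
    }
    $lds = ldap_connect($settings['ldapauth_serverurl']);
    if ($lds === false) {
        return false;
    }
    ldap_set_option($lds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // @ suppresses PHP's warning on a failed bind; the bool result is returned.
    $ok = @ldap_bind($lds, $bindId, $password);
    ldap_unbind($lds);
    return $ok;
}

// Constructed MSAD-style settings: empty prefix, UPN domain as suffix.
$msad = [
    'ldapauth_serverurl'  => 'ldap://dc.example.test',
    'ldapauth_userprefix' => '',
    'ldapauth_usersuffix' => '@example.test',
    'ldapauth_searchdn'   => 'OU=Users,DC=example,DC=test',
];
// Constructed OpenLDAP-style settings, following the advice in the thread:
// prefix "uid=", suffix ",ou=People,dc=example,dc=test".
$openldap = [
    'ldapauth_serverurl'  => 'ldap://ldap.example.test',
    'ldapauth_userprefix' => 'uid=',
    'ldapauth_usersuffix' => ',ou=People,dc=example,dc=test',
    'ldapauth_searchdn'   => 'ou=People,dc=example,dc=test',
];

echo build_bind_identity($msad, 'test.smf'), "\n";
echo build_bind_identity($openldap, 'test.smf'), "\n";
var_dump(build_bind_identity($openldap, 'x,ou=admins')); // rejected, returns null
```

Running it prints the UPN for the MSAD settings and the full uid= DN for the OpenLDAP settings, and shows the rejection of a login that would have appended a second DN component.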

obat

Quote from: psa on August 26, 2008, 07:38:15 PM
Quote
The next change in the code was made because I'm using an OpenLDAP server, not MSAD.
I changed
<                if ($bd = ldap_bind($lds, $modSettings['ldapauth_userprefix'] . $username . $modSettings['ldapauth_usersuffix'], $thepasswrd))
to
>               if ($bd = ldap_bind($lds, "uid=" . $username . "," . $modSettings['ldapauth_usersuffix'], $thepasswrd))'], $thepasswrd))
and in ldapauth_usersuffix I put "ou=organization,dc=...,dc=..."
Is this different than leaving the code as is and setting the prefix to "uid=" and the suffix to ",ou=organization,dc=...,dc=..."?  (Your code doesn't parse--I think you got an extra "$thepasswrd))'], " in there somehow when pasting the code.)

The idea was that with the prefix and suffix settings these could be adjusted for use with other LDAP servers without requiring code changes.
Actually I didn't understand exactly what you meant about "suffix" and "prefix". Now I do. :) ... and changed it back. Thanks again.

emacias

Hi friends!!
I downloaded the ldap module and installed it in version 1.1.6 using "Download Packages", all success!!! But I'm looking for an LDAP Authentication option in "Features and Options" to activate LDAP, and it doesn't exist.
I was looking for an LDAP option under Registration->Settings->"Method of registration employed for new members" and it doesn't show anything.
Can you help me please?

emacias

Hi again!!! I was checking the forum and the problem may be the Spanish language that I'm currently using. I'm going to check this, but if you guys can help, better!!!

psa

Yes, language would definitely keep it from working right.

Normally your language files are stored in [smf install directory]/Themes/default/languages/
The mod tries to modify a file in this directory called Modifications.english.php and add a bunch of English text for everything from the menu titles to the option explanations.  Without these the mod will not work.

I haven't worked with any other language versions of SMF, but I imagine you could place the entries in your install under Modifications.spanish.php to make it work.  If you paste the lines below into your file it will probably work, but everything will be in English.  If you end up translating any of it, send it back to me and I'll include the translation in another version of the mod.  I suppose I'll admit to the fact that I am fluent in Spanish, but haven't run any Spanish language boards (and without a Spanish language keyboard the lack of accents drives me nuts so I don't like typing in it :-[).

$txt['mods_cat_ldapauth'] = 'Ldap Auth';
$txt['ldapauth_Title'] = 'Ldap Authentication Mod Options';
$txt['ldapauth_enable'] = 'Enable Ldap Authentication';
$txt['ldapauth_serverurl'] = 'URL for ldap server<div class="smalltext">(eg ldap://yourldapserver.tld)</div>';
$txt['ldapauth_usersuffix'] = 'Text to append to login for binding to ldap server<div class="smalltext">(eg for MSAD: @yourdomain.forest.tld)</div>';
$txt['ldapauth_userprefix'] = 'Text to prepend to login for binding to ldap server';
$txt['ldapauth_searchdn'] = 'Ldap search dn for your users<div class="smalltext">(eg OU=Your Users,DC=yourdomain,DC=yourtld)</div>';
$txt['ldapauth_searchkey'] = 'Ldap search key for locating user<div class="smalltext">(often cn, but for MSAD, sAMAccountName)</div>';
$txt['ldapauth_fullnameattr'] = 'Ldap Attribute from which to extract the real name<div class="smalltext">(cn for MSAD, name or fullname for others)</div>';
$txt['ldapauth_emailuselogin'] = 'Use login username to construct email address';
$txt['ldapauth_emailsuffix'] = '&nbsp; &nbsp; Suffix to add to login for email address<div class="smalltext">(eg @domain.tld, above must be checked)</div>';
$txt['ldapauth_emailattr'] = 'Ldap Attribute from which to extract email address<div class="smalltext">(if above is not checked)</div>';
$txt['ldapauth_locationuseou'] = 'Use the top level ldap OU to extract the users location';
$txt['ldapauth_locationattr'] = 'Ldap Attribute from which to extract location<div class="smalltext">(if above is not checked)</div>';
$txt['ldapauth_updateonlogin'] = 'Update User information from Ldap on every login<div class="smalltext">(e.g. Name, Location, Email)</div>';
$txt['ldapauth_passwdindb'] = 'Store LDAP passwords in the database';
$txt['ldapauth_regresnames'] = 'Allow reserved login names to be autoregistered by Ldap Auth<div class="smalltext">May be a security risk with some ldap directories</div>';
$txt['ldapauth_authresnames'] = 'Allow reserved login names to be authenticated by Ldap Auth<div class="smalltext">Useful to disable to enforce local accounts for e.g. admin</div>';
$txt['ldapauth_bindusername'] = 'Username to use for binding to Ldap directory to query for new user registrations';
$txt['ldapauth_bindpassword'] = 'Password to use for binding to Ldap directory';
$txt['ldapregister_title'] = 'Register Ldap Member';
$txt['ldapregister_description'] = 'Here you can register members from your LDAP directory who haven\'t logged into SMF yet.  This is especially useful if you need to grant group membership or edit their profile prior to their first use of the board.';

emacias

Hi SPA: I did some changes but ldap is not working. I'm using an OpenLDAP server. At the beginning of configuration I can register users but only the mail address gets filled. When I checked the table smf_members, smf had saved a password but I don't know which one. When the user starts authentication it shows an error; I checked the logs and they show this error: smf: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid DN syntax

Next: I set the option to not store passwords in the database, and other options, but when starting authentication smf shows a blank page. Now I need to know where the configuration is saved. I think it is in a table but I don't know.

I need your help, now I can't do anything.

emacias

Hi again SPA:
I need to start a session with ldap authentication because at this moment I can't start a session and it shows a blank page. Where do I disable the option "LDAP AUTH ENABLE"? Are these ldap_auth options in a file or in a table in the database?
I really appreciate your help.

psa

Quote from: emacias on September 30, 2008, 06:21:53 PM
Hi SPA: I did some changes but ldap is not working. I'm using an OpenLDAP server. At the beginning of configuration I can register users but only the mail address gets filled. When I checked the table smf_members, smf had saved a password but I don't know which one.

You shouldn't need to register users in advance, since this mod will auto-register them.

Quote
When the user starts authentication it shows an error; I checked the logs and they show this error: smf: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid DN syntax

It will throw this error if in the options page the "Ldap search dn for your users" isn't properly filled out.  It needs to have something like
OU=Users,DC=yourdomain,DC=com

If the DN doesn't exist then it will also throw an error.

Quote
Next: I set the option to not store passwords in the database, and other options, but when starting authentication smf shows a blank page. Now I need to know where the configuration is saved. I think it is in a table but I don't know.

A blank page usually means there is a PHP syntax error which you can find in the web server logs.  This means there is a code problem in one of the files--possibly the language file that you had to modify and which gets loaded by each PHP page.

psa

Quote from: emacias on September 30, 2008, 06:57:34 PM
Hi again SPA:
I need to start a session with ldap authentication because at this moment I can't start a session and it shows a blank page. Where do I disable the option "LDAP AUTH ENABLE"? Are these ldap_auth options in a file or in a table in the database?
I really appreciate your help.
Looks like you posted while I was responding--sorry about that.
The values are in the settings table of the database, usually named something like 'smf_settings'.  Set it to 0 to disable.

emacias

Hello SPA: I haven't made modifications to the language file yet. I just need to deactivate the option "LDAP AUTH ENABLE" manually because I can't start a session with any user.

On the other side: the ldap dn that I use is right because I tested it with other applications like horde, joomla, etc.
My dn is ou=People,dc=usb,dc=ve and my server is ldap.usb.ve

In fact if you run the ldapsearch command in linux you can query ldap at usb.ve
e.g: ldapsearch -x -h ldap.usb.ve -b 'ou=People,dc=usb,dc=ve'

Thanks again for your help

psa

Quote from: emacias on September 30, 2008, 07:49:30 PM
Hello SPA: I haven't made modifications to the language file yet. I just need to deactivate the option "LDAP AUTH ENABLE" manually because I can't start a session with any user.

I guess I was just confused because you said you didn't have the configuration settings available before, and the mod installs in a deactivated mode so that it doesn't cause problems before it has been configured.  Is this on a different install, or did you get it working?

Quote
On the other side: the ldap dn that I use is right because I tested it with other applications like horde, joomla, etc.
My dn is ou=People,dc=usb,dc=ve and my server is ldap.usb.ve

In fact if you run the ldapsearch command in linux you can query ldap at usb.ve
e.g: ldapsearch -x -h ldap.usb.ve -b 'ou=People,dc=usb,dc=ve'
Well, that dn does look right, and the success with ldapsearch does argue persuasively that you have the right information.

What are you using in the "Text to append to login" and "Text to prepend to login" fields?
