News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

Ldap Authentication Mod

Started by psa, July 02, 2008, 05:53:13 AM

Previous topic - Next topic

psa

Hey everyone, sorry I haven't been around lately.  Thanks for the patch jcwatson.  You're right that I haven't had the code doing an ldap query to find the principal to bind to, because I mostly try to avoid that approach with my authentication systems due to the extra overhead of the authentication request and the necessity of storing up to date querying credentials in the endpoint systems.

That said, I know that many people don't have the luxury of setting up their directories as they would like them, so this is valuable functionality.  I'll review your code when I get a moment and see about adding it with new configuration options to the mod.

Thanks!

cbhank

Hello,

I am running SMF 1.17 on Debian Etch and the module seems to work OK here.

To get it working, however, in my particular case I had to reinstall apache and php from source and compile in LDAP to php ... but that was another can of worms.

If anyone were interested, I used these instructions:

hxxp:dan.drydog.com/apache2php.html [nonactive]

then I made sure I had the LDAP libraries, then added --with-ldap to the configure flags.

Thank you very much, without LDAP support we wouldn't be able to use SMF.
// Mark

cbhank

#82
We are soon going to start allowing our existing customers log into our Forum. These users are currently in an AD, but they will be migrated to OpenLDAP at a later date.

Two custom mods I did myself:

.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

1) We wish for newly-created accounts (auto-created per this mod) to have the option "Hide your email address" to be SET when the account is created. Most of our customers will not want to be identified by their email addresses.  So, I added this line to the module:

                              'hideEmail' => 1,

righh after the other line

                            'validation_code' => "''",

around line 145. That did the trick.

2) I didn't like the fact that the LDAP password was plain text, so I changed in
Sources/ModSettings.php:

            //array('text', 'ldapauth_bindpassword')
              array('password', 'ldapauth_bindpassword')

.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

One problem I need to resolve:

We are on 1.1.7 - and although it seems the basic functions of the mod work well, some of the additional info in the AD is not getting pulled in, for example the dn for the real name (a similar problem exists for extracting email addresses). The error received in the log is:

8: Undefined offset: 0
File: /home/www/forum/Sources/LdapAuth.php
Line: 146

which is this line:
'realName' => '\'' . $func['htmlspecialchars']($lentries[0][$modSettings['ldapauth_fullnameattr']][0]) . '\'',

If anyone can help with this as well, I'd appreciate it.

// Mark

inrforum

#83
From looking at the code, it seems the ldap password is saved in the sql database.
For my organisation this is a complete no-no.

Why is it saved in the first place?
And how can I auth SMF vs. LDAP / AD without having the password saved?
(got that - rtfm, duh)

Still - I would prefer ApacheAuth:
I do have other sites up which authenticate vs. ldap with Apache mod_ldap, which works fine. Is there a way to setup SMF with ApacheAuth?

thanks in advance,
best regards

Vaѕh

We're currently running  0.6.1-2BETA4 on SMF RC1, with mild-success.

Everything seems to work, but the following:

-  Update User information from Ldap on every login - when this box is checked SMF does not update user information on each login.
- Store LDAP passwords in the database - When this is unchecked SMF continues to store ldap password's locally.

Are there any resolutions for this? -- We're in the process of tying in all of our stuff via ldap to bridge our services through one authentication process.

inrforum: http://www.simplemachines.org/community/index.php?topic=294254.0 -- I was shown this module earlier. mod_ldap won't work for what we're trying to do, but perhaps it can assist you.
Andrew Berquist

inrforum

the LDAP-Authentication part with the mod works fine, with the exception of display name:

Display name is set to an empty string on logon.
Even if the user enters a display name in his account settings, it will be reset on next logon.
How would I get display name to be set like user name?


NeonXL

#86
Hello,

I need LDAP Authentication too and so I found this thread. I installed a fresh 1.1.8, didn´t make it authenticate via LDAP, deleted it, installed 2.0RC1 and installed the Mod here, too. Had to do little modifications on my own, but seems to run.

Thank you for the great work so far, even if it is not running. But that is because I am absolutely not familiar with LDAP and so I have to wait for our administrators here to give me the correct data for the ldap-servers etc.

My questions will come then... ;-)

Edit: No questions, runs perfectly with 2.0RC1!  :)

jsivak

Quote from: Vaѕh on February 23, 2009, 02:56:05 AM
We're currently running  0.6.1-2BETA4 on SMF RC1, with mild-success.

Everything seems to work, but the following:

-  Update User information from Ldap on every login - when this box is checked SMF does not update user information on each login.
- Store LDAP passwords in the database - When this is unchecked SMF continues to store ldap password's locally.

Are there any resolutions for this? -- We're in the process of tying in all of our stuff via ldap to bridge our services through one authentication process.

inrforum: http://www.simplemachines.org/community/index.php?topic=294254.0 -- I was shown this module earlier. mod_ldap won't work for what we're trying to do, but perhaps it can assist you.

There's a typo on line 76 in LdapAuth.php: $sha_passwrd needs to be changed to $sha_passwd

sDuck

psa, you're a life saver!  This mod is EXACTLY what I needed to sell SMF as a fully functional forum.   :D

Is the file on the beginning of this thread the most up to date one?  I didn't have time to troll through the 5 pages of posts. 

Thanks again for your hard work! 

ysmdm1

After upgrade from 1.1.6 to 1.1.8 this Mod cannot working I try to re-install but not success

please help  :'(

sDuck

To add an avatar when the user registers via LDAP.  This is assuming that all pictures are stored with the persons user name in a directory with the JPG extension.  I've left a wildcard in there incase the username is not the only defining factor for the file (IE, Date it was taken UserXYZ_010100.JPG):

LDAPAuth.php
Line137: 
<search>// User does not exist in SMF database - create</search>

<Add After>
foreach (glob("/Pictures/" . $username . "*.jpg") as $userPic){
$userPic1 = "http://www.example.com" . $userPic . "";
}
</add after>

Line 146:

<search> 'location' => "'" . $func['htmlspecialchars']($llocation) . "'",</search>

<Add After>
'avatar' => "'" . $userPic1 . "'",
</add after>


carnac

Hi,

is there a modified package which works with smf 2.0 RC 1 ?


discogravy

perhaps I'm doing someting wrong -- I downloaded the zip and unzipped it in Packages/ dir and chown'd it to apache, but when I try to install it via admin panel I get this error:


Error in Package Installation
At least one error was encountered during a test installation of this package. It is strongly recommended that you do not continue with installation unless you know what you are doing, and have made a backup very recently. This error may be caused by a conflict between the package you're trying to install and another package you have already installed, an error in the package, a package which requires another package that you don't have installed yet, or a package designed for another version of SMF.


it then shows the README and these failed tests;


Install Actions
Installations actions for "Ldap Authentication":
Installing this package will perform the following actions:
Type Action Description
1. Execute Modification ./Sources/LogInOut.php Test failed
2. Execute Modification ./Themes/default/languages/Modifications.english.php Test successful
3. Execute Modification ./Sources/Admin.php Test failed
4. Execute Modification ./Sources/ManageSettings.php File not found
5. Execute Modification ./Sources/ManageRegistration.php Test failed
6. Execute Modification ./Themes/default/Register.template.php Test successful
7. Execute Code ldap_add_settings.php
8. Execute Code ldap_force_settings.php
9. Extract File ./Sources/LdapAuth.php


Is there a package that I'm missing? I have tried this with the 2.0 RC and 1.1.10 and have gotten the same error; the ManageSettings.php file completely missing leads me to think I'm missing another package, but if it's mentioned, I've missed it...can anyone help?

bakxs

i would like to know how many people are currently succesfully running a reasonable uptodate version of SMF with LDAP integration?? We would like to run SMF with LDAP, where users registering in SMF, actually register in LDAP.. Other sites (Gallery, Wiki and Joomla) will only authenticate users in LDAP.

forethought

I just got done installing the latest SMF (1.1.10) and using this LDAP authentication package. I had to do some customizing of the code (our LDAP server is listening on a non-standard port), but other than that, I can login as a user established in LDAP with no problems.

Only real snags I ran into were problems with SMF, not the mod itself  >:(

mrojas73

Very nice mod...downloaded it installed it, changed my ldap settings and logged right in using my MSAD account.

Thank you psa, this is a very nice addition to SMF.

Marco

Mr. Jinx

Is this mod still being developed?
I'm looking for forum software that we can use for our corporate intranet. If SMF has a good working LDAP/AD integration, then SMF it will be :)
Does it work ok with SMF 2.0 RC3?

Arantor

As it predates 2.0 RC2, I suspect it doesn't work properly with RC3.

psa

Arantor is right; it does not work with 2.0.  I've recently started using 2.0RC3, though, so I may look into porting it over if there is interest.

Mr. Jinx

You have my interest, and there must be more people that like to run this on 2.0!

Advertisement: