Ldap Authentication Mod

Started by psa, July 02, 2008, 05:53:13 AM


psa

I should note that I've heard from multiple people now that you need to set prepend to "uid=" and append to ",ou=People,dc=usb,dc=ve" (to get a fully qualified name) for authenticating with their ldap servers.  Don't forget the first comma on the "append" string.

Even so, you shouldn't be getting blank pages (PHP syntax/processing errors).

Dark//Virus

#41
Any hope in making this work with the new beta version of SMF?

/EDIT

I'm testing this on 1.1.5 to see what it's like, and it installs quite fine via the installer. I configured the ldap settings, but I keep getting an internal 500 error when trying to login using ldap.

I have attached a screenshot of the ldap settings page
(15:10) <@DV> !ban Ard-Choille
(15:10) -ChanServ- Banned Ard-Choille from #deluxe.
(15:10) <@DV> Man that felt good

emacias

Quote
I guess I was just confused because you said you didn't have the configuration settings available before, and the mod installs in a deactivated mode so that it doesn't cause problems before it has been configured.  Is this on a different install, or did you get it working?

Everything worked well!!!

Quote
Well, that dn does look right, and the success with ldapsearch does argue persuasively that you have the right information.

What are you using in the "Text to append to login" and "Text to prepend to login" fields?

With the blank page error I had this configuration:

| ldapauth_emailuselogin       | 1                                   |
| ldapauth_emailattr           |                                     |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |                                     |
| ldapauth_userprefix          |                                     |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           |                                     |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1                                   |


Now that I can start my forum, the settings are:

| ldapauth_emailattr           | mail                                |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          |                                     |
| ldapauth_userprefix          |                                     |
| ldapauth_searchdn            | ,ou=People,dc=usb,dc=ve             |
| ldapauth_searchkey           |                                     |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 1                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1                                   |

But LDAP Authentication is not working yet  :(

What can it be?

psa

I think you need to add the prefix and suffix settings I listed before (and not put the first comma in the dn), so that your settings are more like this:

| ldapauth_emailuselogin       | 1                                   |
| ldapauth_emailattr           |                                     |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          | ,ou=People,dc=usb,dc=ve             |
| ldapauth_userprefix          | uid=                                |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           | cn                                  |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1                                   |


psa

Quote from: virus.cs on September 30, 2008, 10:09:59 PM
Any hope in making this work with the new beta version of SMF?

I hope so.  I'm not running SMF 2.0 anywhere, though, so I haven't really dug into it.  In particular, my sites running this mod are using TinyPortal, so they can't be tested with SMF 2 until TinyPortal supports it.

Quote
I'm testing this on 1.1.5 to see what it's like, and it installs quite fine via the installer. I configured the ldap settings, but I keep getting an internal 500 error when trying to login using ldap.

I have attached a screenshot of the ldap settings page
Well, this is annoying.  A 500 error should also give you an error in your web server logs (the actual "internal error").  Can you see what it says?

I wonder if this is related to the problem an earlier poster listed with a missing function import.  I'll poke at that tomorrow and test and release a bugfix version if I can see that it is actually a bug.

Having your error from the server would be very helpful, though.  Thanks for trying the mod out.

emacias

Quote from: psa on September 30, 2008, 11:26:50 PM
I think you need to add the prefix and suffix settings I listed before (and not put the first comma in the dn), so that your settings are more like this:

| ldapauth_emailuselogin       | 1                                   |
| ldapauth_emailattr           |                                     |
| ldapauth_serverurl           | ldap://ldap.usb.ve                  |
| ldapauth_usersuffix          | ,ou=People,dc=usb,dc=ve             |
| ldapauth_userprefix          | uid=                                |
| ldapauth_searchdn            | ou=People,dc=usb,dc=ve              |
| ldapauth_searchkey           | cn                                  |
| ldapauth_emailsuffix         | @usb.ve                             |
| ldapauth_locationuseou       | 0                                   |
| ldapauth_locationattr        |                                     |
| ldapauth_updateonlogin       | 1                                   |
| ldapauth_fullnameattr        | cn                                  |
| ldapauth_regresnames         | 1                                   |
| ldapauth_authresnames        | 0                                   |
| ldapauth_bindusername        |                                     |
| ldapauth_bindpassword        |                                     |
| ldapauth_passwdindb          | 0                                   |
| disableHashTime              | 1                                   |
| ldapauth_enable              | 1                                   |

Hi psa, thanks for your big help!!! I made only one change, because your preferences did not work (SMF showed a blank page), so I changed the field:

| ldapauth_authresnames        | 1                                   | 

that is: "Allow reserved login names to be authenticated by Ldap Auth.
Useful to disable to enforce local accounts for e.g. admin"

AND IT'S Working!!!

By the way, I added the text configuration from .../Themes/default/languages/Modifications.english.php to .../Modifications.spanish_es.php and it worked!!! My next job will be to translate it into Spanish, I promise!!!

A thousand thanks, friend, from Venezuela!!!

Dark//Virus

#46
Well that's good to hear about v2.0

I have checked the IIS server and there is nothing in the event logs under app, security or system. I have also enabled IIS logging on the site and the log is attached to this post

If I log out and try to login for the first time as domain user bob it says 500 internal server error, and the path string ends with login2

If I try to register an ldap user it gives me the same 500 internal server error page, but with this path http://tstiis02/test-forums/index.php?action=regcenter

Did anything look strange on the screenshot of settings I sent you?

FYI - I purposely installed SMF version 1.1.5 to test this, so it is a 100% fresh install with nothing other than this mod uploaded, installed successfully, and configured.

Thank you

PS : Also attached is my /Themes/default/languages/modifications.english.php file - Where do the settings that you define for these properties go? Into MySQL or into a file?

psa

Looks like obat had it right with the bug in reserved name handling.  I'm testing a fix for it right now.  emacias had the workaround right to select "allow reserved names to be authenticated".  This bug is probably the cause of everyone's blank pages and 500 errors.

Bug fix will be up in a moment, with some additional hints in the settings for non-MSAD users.  Then I'll go back and answer the last couple of messages here.

Dark//Virus

Well, just to add to the confusion, here are the current settings I have set / tried, and I still get the 500 error

psa

New version has been uploaded and attached to the first post.  I can verify the bug in my local test environments and verify that it is fixed in the new version.

Anyone trying the mod should upgrade to the latest version before posting errors or issues to the board so that I know that this bug isn't causing you trouble.  Please uninstall the old version and then install the new one.

Thank you.

psa

Quote from: emacias on October 01, 2008, 02:57:48 PM
Hi psa, thanks for your big help!!! I made only one change, because your preferences did not work (SMF showed a blank page), so I changed the field:

| ldapauth_authresnames        | 1                                   |

that is: "Allow reserved login names to be authenticated by Ldap Auth.
Useful to disable to enforce local accounts for e.g. admin"

AND IT'S Working!!!

Great, I'm glad it's working for you now.  With the version I just uploaded you shouldn't need to make that one setting change to avoid the blank pages, but if you don't want to redo any customizations you've made keeping the setting you pointed out should avoid the bug.

Quote
By the way, I added the text configuration from .../Themes/default/languages/Modifications.english.php to .../Modifications.spanish_es.php and it worked!!! My next job will be to translate it into Spanish, I promise!!!

A thousand thanks, friend, from Venezuela!!!

Watch out in your translations that you don't leave any apostrophe characters ' in there unless they have a backward slash before them: \'

You're welcome, and good luck!

Dark//Virus

Ok, I have just uninstalled then reinstalled a fresh copy of SMF 1.1.5.

Then installed the mod

Configured the options (in screenshot)

and same 500 internal server error. We are going through our php.ini; if you would like to see it I can post that also.


psa

I can see from your configuration screenshot that you've loaded 0.6.1 because of the embarrassingly misplaced hints.  I've uploaded a new version of 0.6.1 with the correct setting hints, and rearranged it so that the prepend segment comes before the append segment, as would be more intuitive.

This shouldn't make any difference to your problem however, since there is no functional change here.

If you are still getting the 500 error, then we're back to square one.  The only 500 errors in the log you attached were right at the beginning, and this being an access log instead of an error log, it doesn't say anything more.

When PHP encounters an error it responds back to the server with some text explaining what went wrong.  The server usually places this in an error log before responding back to the client with a 500 error.  Since I don't work with IIS at all, I don't know where IIS would put these errors, or if there's a further setting to turn it on somewhere.

Without any kind of error, either from the application in "Forum Error Log" or from the web server in its error log, I don't know where to begin looking for a problem.

Does this error come up when you enter a username and password and press the button to log in?  Or on some of the other screens (such as the login page itself)?

Dark//Virus

Ok, so I downloaded it again, made sure I got the right version, and installed it; attached is a screenshot of the settings section.

I have also attached the php.ini file so we can look into that; perhaps I can turn on logging in here to find more info.

The same issue is happening: once I make the settings, I log out, then attempt to login using domain credentials, which is when the 500 error occurs.

Also, we are using MSAD

psa

I'm still kind of stuck without being able to see any errors on your server.

I did notice a couple of things in your php.ini that I wondered about:

You appear to have the ldap extension disabled (commented out with a semicolon).  Without the standard ldap extension you can't do ldap queries.  I don't run Microsoft Windows, so perhaps I'm missing something, but it seems like you ought to try enabling the extension.  I know it is required on my servers.

You also have not specified a location for php errors to go.

; Log errors to specified file.
;error_log = D:\Intranet\Logs\PHP\log

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

If you uncomment one of these you should be able to see the errors produced by PHP in the specified file or in your event log (in addition to whatever IIS does or does not do with them), and then perhaps we could find the description of your 500 error.


Dark//Virus

#55
Well, 2 steps forward.

We enabled those options in the php.ini file and it works!

I am able to register ldap people, which is great, but I cannot log in as a member who isn't already registered manually via ldap.

And once a member is registered manually with ldap their network password doesn't work. They type it wrong 3 times, get the password reset email, and then it gets reset by the user.


/EDIT

Fixed a few things: ldap users couldn't login for the first time, so we edited the values in ldapauth.php to put blank fields into the db for stuff like buddy_list, because it wouldn't auto create them.

Now everything is working 100%, apart from the fact that if an ldap user doesn't have an email address assigned it won't log them in. But that isn't a big issue.

Thank you very much PSA. This is awesome.

Dark//Virus

#56
I have a couple of requests

I would like to take the 'title' field from AD and put it in the user's Personal Text category so it will show their position in the business etc. I know what to edit in ldapauth.php so it puts the info into the table, but I don't know what to edit to get that information from AD and assign it to a variable

Also, I would like to know (this may be out of your scope) if we could modify board permissions to use groups from the domain.

eg: have a board called senior management, and users who are a member of the group called "Management" in AD are able to see that board. So basically embed domain groups into SMF forum member groups

If the latter is too difficult that is fine, but the first would really help


psa

I'm glad you got it working.

I don't know why you had to put blank values in the database for some elements; I thought I had picked up everything required.  When you get done making changes I would be interested in seeing your version of LdapAuth.php for reference and testing.

Technically, it's possible to put in nonexistent or static email addresses (all the same) automatically for users who don't have one in your directory and thus enable them to login, but many parts of SMF assume that the user has a valid email address, so I'm not sure that is a good idea.  We found that the email information in the directory was inconsistent, which is why we have the option to construct one automatically from the username and domain, since everyone has one of those by default with our system.

Making custom changes to the LdapAuth to populate other fields from your LDAP directory isn't too hard if you know any PHP.
Around line 42, after $lattributes has been set and expanded, add the field you are looking for to the array so that it will be queried in the directory:

$lattributes[] = 'title';

You can add others after it with the same syntax.

There are two places where this information will be used.  The first is in the code that updates users' attributes every time they login, even if they're already registered.  If you don't have this option checked (to update user info on each login) you can skip this part.
Add the attribute into the database query:

// replace SMF Personal Text with the Ldap title field
db_query("UPDATE {$db_prefix}members SET
personalText='" . addslashes($lentries[0]['title'][0]) . "',
emailAddress='$lmail',

Only the middle line here is new; the other two are supplied as context so you know where to place it.

In order to add this field when a new user is registered in the system (i.e. logs into SMF with LDAP credentials for the first time), you need to modify the personalText line further down (on line 147 in the unmodified 0.6.1 LdapAuth).
Original line:

'personalText' => '\'' . addslashes($modSettings['default_personalText']) . '\'',

New version:

'personalText' => '\'' . addslashes($lentries[0]['title'][0]) . '\'',


And that should do it, provided that I haven't made any typos...
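The two mechanics this thread keeps circling back to are how the "prepend"/"append" settings turn a login into a bind DN (the `uid=` / `,ou=People,dc=usb,dc=ve` advice earlier in the thread) and how an extra directory attribute such as `title` is pulled out of the search result. The following is an added example, not code from the LdapAuth mod or from psa's post: the function names (`buildBindDn`, `entryAttr`, `fetchUserAttributes`), the `$settings` array, the placeholder host and base DN, and the sample entry at the bottom are all constructed for illustration. It goes slightly beyond the thread by escaping the login with `ldap_escape()` (PHP 5.6 and later) and by refusing an empty password, since binding with an empty password is an anonymous bind that many directories accept.

```php
<?php
// Added example (not the LdapAuth mod's own code). Function names, the
// $settings array, the host/base DN and the sample entry are constructed.

// Compose prefix . login . suffix, e.g. "uid=" . "jdoe" . ",ou=People,dc=usb,dc=ve".
// ldap_escape() with LDAP_ESCAPE_DN escapes DN-special characters (comma,
// '=', '+', etc.) so a crafted login cannot change the structure of the DN.
function buildBindDn(string $prefix, string $login, string $suffix): string
{
    return $prefix . ldap_escape($login, '', LDAP_ESCAPE_DN) . $suffix;
}

// Read one attribute from an entry in ldap_get_entries() shape. Returns
// $default when the attribute is absent or empty, which is exactly the case
// the thread ran into for users with no 'mail' (or, here, no 'title').
function entryAttr(array $entry, string $attr, string $default = ''): string
{
    $attr = strtolower($attr);   // ldap_get_entries() lowercases attribute names
    if (isset($entry[$attr]['count']) && $entry[$attr]['count'] > 0) {
        return (string) $entry[$attr][0];
    }
    return $default;
}

// Bind as the user with the composed DN, then search for the user's entry and
// return the requested attributes, or null on bind failure / no match.
function fetchUserAttributes(array $settings, string $login, string $password, array $attributes): ?array
{
    // An empty password would be sent as an anonymous bind, which the server
    // may accept; never treat that as an authenticated login.
    if ($login === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($settings['serverurl']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = buildBindDn($settings['userprefix'], $login, $settings['usersuffix']);
    if (!@ldap_bind($conn, $dn, $password)) {
        ldap_unbind($conn);
        return null;
    }
    // Filter values have their own escaping rules, distinct from DN escaping.
    $filter = '(' . $settings['searchkey'] . '=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($conn, $settings['searchdn'], $filter, $attributes);
    $entries = ($result !== false) ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    return $entries['count'] > 0 ? $entries[0] : null;
}

// Settings mirroring the thread's fields (constructed placeholder values).
$settings = [
    'serverurl'  => 'ldap://ldap.example.test',
    'userprefix' => 'uid=',
    'usersuffix' => ',ou=People,dc=example,dc=test',
    'searchdn'   => 'ou=People,dc=example,dc=test',
    'searchkey'  => 'uid',
];

// DN composition can be checked without a directory server; note how the
// second login's comma and '=' are escaped rather than becoming new RDNs.
echo buildBindDn($settings['userprefix'], 'jdoe', $settings['usersuffix']), "\n";
echo buildBindDn($settings['userprefix'], 'jdoe,ou=admins', $settings['usersuffix']), "\n";

// Constructed entry in ldap_get_entries() shape: 'title' present, 'mail' absent.
$entry = [
    'count' => 2,
    0 => 'cn', 1 => 'title',
    'cn'    => ['count' => 1, 0 => 'Jane Doe'],
    'title' => ['count' => 1, 0 => 'Security Engineer'],
];
$personalText = entryAttr($entry, 'title', 'default personal text'); // from the directory
$mail         = entryAttr($entry, 'mail', 'jdoe@example.test');      // fallback, as emailsuffix does
echo "personalText={$personalText} mail={$mail}\n";

// With a live server: $user = fetchUserAttributes($settings, 'jdoe', $pw, ['cn', 'mail', 'title']);
```

The fallback in `entryAttr` is the piece worth carrying into a customised LdapAuth: psa's `$lentries[0]['title'][0]` works only when the directory actually returns a `title` value, so an account without one produces a PHP notice and an empty personal text; reading it through a helper with a default keeps the login path from depending on optional attributes, which is the same problem the thread saw with missing email addresses.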

psa

As I mentioned to an earlier poster, bringing group authorities across would be significantly more difficult.  I've considered it, and different ways to implement it, but most would either be error-prone or require significant new synchronization code to implement.

I'm still considering it.

Dark//Virus

#59
That's cool.
Attached is the ldapauth.php file as requested, in its current state, which is working for everything except the title, even with the changes suggested
