[BETA] Authentication Plugin - a universal mini-Bridge

[ThorstenE]

Time for my first modification / bridge For the past few weeks I have been working on integrating  SMF 2.0 (RC1) with  webserver-authentication / an external database authentication.

Attached is an early beta version, so I do not recommend running  this on a production site!

Features:
two modes are available:
1) Webserver mode - a user who already authenticated to the webserver before (with BASIC auth, NTLM or Kerberos for example) is automatically created in SMF. This is primary designed for Intranets with integrated Windows authentication but it may also be useful for closed groups with a .htaccess protected private forum.

2) Database mode - sets the SMF in "slave" Mode and allows the user from an external database to authenticate in SMF. The authenticated user is automatically created in SMF and the password will be synchronized during every SMF Logon process. The database mode can read many different encryptions (md5 variants, sha1 variants, cleartext...)

Tested myself with different external systems:
Webserver:
- Apache 2 with enabled auth_sspi (NTLM), Apache 2 with enabled auth_ldap, Apache 1.3 with BASIC auth via .htaccess

Database:
- Drupal, Joomla, php-Fusion, phpKit, cleartext table.

Additional notes:
- when using a different database the database user from SMF must be able to read from the external database.
- both databases must use the same RBDMS (both MySQL, both PostgreSQL ...)
- the synchronization (user migration) is one way (during SMF logon) -> from Master to SMF. An existing SMF user is not synchronized to the external database.

Changelog:
+ Added new enryption methods
+ Increased SQL-Perfomrmance - LIMIT in queries (RemoteAuth.php)
! passwordSalt wasn't checked correctly (RemoteAuth.php)
! Redirect could not be disabled (Register.php)

Installation
use the SMF package mangager for installation.
This modification is SMF 2.0(RC1) only!

Update from previous versions
use the SMF package mangager for installation.  the packages contains install AND update informations.

Troubleshooting:
you can disable the Plugin completely with a short SQL query (with phpMyAdmin):

Code Select Expand


UPDATE smf_settings SET value = '' WHERE variable = 'externalAuth';


Remember: this is an early beta, so once again: do not use this on a production site!!!

Maybe you can give some feedback or ideas.

Edit: Attachments removed, this modification / bridge is no longer supported.

[Orstio]

One of these is redundant:

RemoteAuth.php:

Code Select Expand

define('SMF_INTEGRATION_SETTINGS',serialize(array(
'integrate_pre_include' => 'RemoteAuth.php',

mod to index.php:

Code Select Expand

// Load the RemoteAuth Plugin
require_once($sourcedir . '/RemoteAuth.php');

If you are modifying SMF's index.php to include the file, there is no need to use the integrate_pre_include hook.

[ThorstenE]

Thank you, Orstio. (I'm a newbie with the integration_hooks and still learn ). Updated version is attached above.

[Lou Erickson]

This looks exactly like what I needed for a project I'm working on.  I've been having a terrible time getting any of the common forums to integrate well with an existing system.

The general assumption seems to be that you are writing in php, and can simply use their authentication library functions.  None of them really seem to document the actual database schema or describe how to properly create a user directly in the database yourself.

What reservations do you still have about using it more seriously?  Is it just new and untested?

[ThorstenE]

What reservations do you still have about using it more seriously?  Is it just new and untested?

I tested this myself with many different configurations and also had some beta testers, but I never used it in a bigger productional environment myself. So I don't know anything about the perfomance in large environments.

You should also check our guide to the SMF integration_hooks (the authentication plugin is build on some): http://www.simplemachines.org/community/index.php?topic=173483.0

[jpaytoncfd]

Im using SMF 2.0 and drupal 5.x and I have them both running off the same MYSQL DB, im wondering if I can go into myphpadmin and set the profile tables from each to sync. All I want is for users to have a common login for the CMS and SMF.

Thanks,
Joe

[kosli]

i am using your plugin with SMF 2.0 RC1-1 and as i wanted to set the "real_name" attribute from your plugin i think i found an error in the Subs-Members.php of SMF. in the registerMember function on line 646 it is written:

Code Select Expand

'real_name' => $regOptions['username'],
whereas it should be:

Code Select Expand

'real_name' => $regOptions['real_name'],
otherwise it is not possible to set the real_name directly? am i right and this is a bug in SMF?

btw: i have changed your plugin a little bit so that i can use it with shibboleth authenticated apache.

[ThorstenE]

thanks for testing

The mentioned bug is an intended feature.. during registration you can only fill in "username".. Once  you are logged in you can change your real_name  (e.g. display name) in profile settings to be different from the login name.

Can you post your code changes please? Thank you

[kosli]

The mentioned bug is an intended feature.. during registration you can only fill in "username".. Once  you are logged in you can change your real_name  (e.g. display name) in profile settings to be different from the login name.

so there is no way to set the display name when creating a new user? or do i have to "edit" the user after creating? (which function?)

another problem that is not really "clean" with the authentication plugin/bridge: the user has NO password (the one that is randomly created for the user table doesn't count ;-)), but still there are different forms where the user is asked for a password. he can enter just anything and it works (thanks to the plugin), but it should be possible to somehow disable/hide this password boxes (e.g. entering admin mode or changing profile... ah yes, about changing the profile, the plugin should have the possibility to DISABLE the changing of the username??)

Can you post your code changes please? Thank you

i have to make some more changes so that it will be usable for others.... or perhaps i'll create a new plugin based on your code. the problem is that for the shibboleth auth, it needs to be much more flexible about the fields that are used. the username/mail etc. fields can be named any possible name, so there should be a "matching" between shibboleth attributes and SMF fields.
e.g. in my case the user name is in

Code Select Expand

$_SERVER['HTTP_SHIB_SWISSEP_UNIQUEID'] and the mail address is in

Code Select Expand

$_SERVER['HTTP_SHIB_INETORGPERSON_MAIL']. so i could see if i can make the configuration site more flexible or just hard-code this fields.... :-)

[ThorstenE]

yeah agreed, changing the username should be disabled.. I'll add this to the next version.

For the passwords: the user is allready authenticated from the webserver, so another password is useless (IMO).

The profile "password change" can be disabled from within the plugin settings. the admin password security can also be disabled (default SMF feature):
Admin - Security - General - Disable administration security (enable the checkbox).

[Özgür]

TE are you think add support for wordpress or how can i make this ?

[epicurean]

any ideia how to integrate two smf forums where one is used to user register and make new posts and the other supposely imports de user table (only the profile information... not the posts/pms information) to the new forum...

a complete integration where the user logins in one forum and remains logged in the other it was perfect...:p any ideia?

[ThorstenE]

daydreamer, sorry for the late reply. I haven't tested Wordpress, do you know anything about their password encryption? If they use the basics (md5, sha1 or variants) you can use it for Wordpress..It's easy to extend the $other_passwords array, I only need to know which type of password encrypted is used by SMF.

epicurean, this plugin is designed for authentication in general (the external database can also be another SMF ). But it doesn't synchronize other information than basics (username, password, mail).

I belive you are interested in sharing the members table between two Forums?
http://www.simplemachines.org/community/index.php?topic=245380.msg1585095#msg1585095

[carnac]

Nice mod, please add a mode for LDAP Auth.
That would be great ! And what I need .

[ThorstenE]

Nice mod, please add a mode for LDAP Auth.
That would be great ! And what I need .

Apache 1.3/ 2.0 / 2.2 with auth_ldap is already implemented

[ma_il]

This is exactly what I was looking for. Do you have any indications if it should work with 2.0 RC3? It seems to have been installed correctly but I still cannot get it to recognize Apaches HTTP credentials.
The login form is still displayed and asks for the regular password. Do I have to remove the passwords from the DB for this to work?

Edit: my bad! Please excuse my stupidity. After modifying the version in the .xml file, I installed the module but didn't actually enable the feature in the admin section. Now it works just as it should! Many thanks!

[Kama Sutra]

This is what I was looking for. I have a community website running and added SMF 2.0(RC3) to my site. I installed your plugin as instructed and installed correctly and using database mode but it does'nt work! I've installed SMF on the same MySql database.
I assumed that auto loginto SMF is:
../forum/index.php?user=username
Where username already exists in my site's member table, but it does not update the SMF member table!
this is an error that I get:

../forum/index.php?action=login2 8: Undefined index: auth_field_passwordsalt
File: /home/mysite/public_html/forum/Sources/RemoteAuth.php
Line: 285

Is there anyway I can debug RemoteAuth.php so that I can see if it loaded the correct user, password and email? I do not use passwordsalt, so let it blank.

I am a novice to php and your URGENT assistance will be greatly apreciated.

[ThorstenE]

The plugin doesn't use any autologin feature. the users have to use the SMF login form and were migrated during login. Please try the attached RemoteAuth.php

Edit: and please stop sending me PMs or I'll completely ignore you.

[Snaky_Love]

Hi, what is the status of this plugin?
I would like to connect two smf instances via this plugin - will it allow a SSO, so users will not have to login twice?
Thanks!

[Snaky_Love]

Hallo ma_il, Hello TE,

I tried to install this with 2.0 RC3 - I changed the "install for" value in package-info.xml to "2.0 - 2.0.99, 2.0 RC3", then it shows up as installable, but the install fails because "TEST FAILED" for ./Themes/default/Profile.template.php.

The install wants to replace...

Code Select Expand


// FIND:
<input type="', $field['type'] == 'password' ? 'password' : 'text', '" name="', $key, '" id="', $key, '" size="', empty($field['size']) ? 30 : $field['size'], '" value="', $field['value'], '" ', $field['input_attr'], ' />';

// REPLACE WITH:
<input type="', $field['type'] == 'password' ? 'password' : 'text', '" name="', $key, '" id="', $key, '" size="', empty($field['size']) ? 30 : $field['size'], '" value="', $field['value'], '" ', $field['input_attr'], ($field['type'] == 'password' && isset($modSettings['auth_disable_pwchange'])) ? 'disabled="disabled"' : '',' />';

// ORIGINAL FILE HAS:
<input type="', $field['type'] == 'password' ? 'password' : 'text', '" name="', $key, '" id="', $key, '" size="', empty($field['size']) ? 30 : $field['size'], '" value="', $field['value'], '" ', $field['input_attr'], ' class="input_', $field['type'] == 'password' ? 'password' : 'text', '" />';

... so the install fails.

This only seems to change the css style to "disabled" - in the original file there seems to be some more info about which css class to use, well, ok, this does not seem to destroy too much, if I change it manually - I attached the modified version, this installs with RC 2.0 RC3, but I do not know if anything will break. BTW the way mods work - using xml files for actually simulating what patch does is really... well, let´s say strange...

Edit: my bad! Please excuse my stupidity. After modifying the version in the .xml file, I installed the module but didn't actually enable the feature in the admin section. Now it works just as it should! Many thanks!

ma_il, how are your experiences with this mod? Will it work with 2.0 RC3 without problems?

TE, will there be an official update to work with 2.0 RC3? Would you like to check my file - can this be a valid update for 2.0 RC3?
I did not check any other functional problems, I just get it installed, I am just in the process of testing...

THANKS!
Snaky