LDAP Authentication for SMF 1.0.5

Started by bsiegel, November 09, 2005, 04:19:16 PM


bsiegel

Link to Mod

Overview
-----------

This mod will allow users to log in to your SMF installation via LDAP. It does it as follows:

* If the username is a 'special' name (such as 'Admin') the login is handled normally.

* Otherwise, the LDAP server is checked to see if the user exists.

* If the LDAP server responds that it does, the password is then tried.

* If the password binds successfully to the server, the SMF database is checked to see if the user exists there.

* If the user does not exist, a new SMF account is created for the user, and the e-mail address and display name are set from data pulled out of the LDAP server.

* If the user does exist but the password does not match the one in the database, the database is updated.

* Finally, the user is logged in normally, cookies are set, etc.


Configuration
-----------------

Open LogInOut.php in your favorite text editor.
Search for: //Begin LDAP integration
Below that you will see the configuration variables you will need to set to get LDAP authentication working.
Change $ldap_admin_user to the name of your administrator user account.
Change $ldap_server to the address of your LDAP server.
Change $ldap_base_dn to the Base DN of your LDAP server.
Change $ldap_uid_field to the name of the field containing the user ID of the user.
Change $ldap_real_name to the name of the field containing the real name of the user.
Change $ldap_email to the name of the field containing the e-mail address of the user.

Elmacik

This user has 0 posts... strange :P
Btw, thanks for the great mod
Home of Elmacik


djoyce

So, could I use this in my situation:

I'm creating an off-campus hosted site for a department at a university.  Could I use the campus LDAP server for authentication?

This would be slick and keep me from entering the users while still limiting those who can register to university students.  Am I right?

osmedd

Quote from: GC on November 10, 2005, 08:44:24 AM
Want to make it for RC 1? lol.

So, ummm... I haven't looked yet, what are the major changes in 1.1 that would make it difficult to port this mod over?

mojojojo

Since I have AD here @ work, I tweaked your script a little to add support for Active Directory:

1)
Add two more variables under //Begin LDAP Integration:
$ldap_bind_user = 'someActiveDirectoryUser@domain';
$ldap_bind_pass = 'password';



2)
search for the following line:
$ldap_connect = @ldap_connect($ldap_server);
and add this below it
// required to search AD, according to note in PHP manual notes
// ($connect must be the handle returned by the ldap_connect() call above, whatever variable the mod stores it in)
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);


3)
then modify the following line from this
$bind = ldap_bind($connect)

to this:
$bind = ldap_bind($connect, $ldap_bind_user, $ldap_bind_pass)



You're done!

Btw, thanks a lot for the author of this mod!! :)

costanza

I've been trying to get this to work with AD for a while too.  I still couldn't get it with mojojojo's additions.  It gives me a blank page as it tries to go through login2 (that's where it stops according to the URL).  I suppose it could be any number of things in that function.

Oh yeah, I'm using 1.1 RC1, do we know that it only works with 1.0.5?

mojojojo

Hi Costanza,

I only tested with version 1.0.5.

osmedd

I've done a bit more research and things are much different in 1.1, since there are hooks now to integrate other password and user database systems.  It would be REALLY helpful to have even simple examples of how to utilize these hooks, since I think things get a lot easier if you can use these hooks as opposed to hacking the base code.

collectivedc

This would do me really well for us, except that I don't want it to create a user account in SMF if one doesn't already exist. What happens if user registration is turned off?

perf

For our campus forum, it would be nice to be able to disable normal account creation and only use LDAP accounts. TLS/SSL would also be a must.

Is someone working on this mod for 1.1? Otherwise I might give it a try if I can find the time.
Per Foreby
hxxp:forum.student.lth.se/ [nonactive]

salamwho

Quote from: perf on February 20, 2006, 08:17:31 PM
For our campus forum, it would be nice to be able to disable normal account creation and only use LDAP accounts. TLS/SSL would also be a must.

Is someone working on this mod for 1.1? Otherwise I might give it a try if I can find the time.

Hi,
Also, I am trying to do the same with 1.1RC2. I have made some changes to the file, and it will allow a local account with admin to log in without LDAP.  The LDAP part of the script I have not tested fully yet, as I am still trying to set up the connection to the LDAP server, and LDAP login must also be via SSL. I am even trying to set up user groups via LDAP.

corrigan

I'd like to see a way to pull the ID_MEMBER field from LDAP instead of it auto incrementing.  All of my LDAP accounts have unique IDs and it would be nice to be able to delete accounts from the SMF database so that they are not searchable, yet if the person came back all of their old posts would relink to their new account.  Right now when the SMF account is deleted their ID_MEMBER is retired and when the account is recreated a new ID_MEMBER is generated (which leaves all of their old posts not connected with their current account).

Thanks for a great mod!  Can't wait for a 1.1 version!

peterr

I've been trying to get this mod to work with our 2k3 AD and SMF 1.0.7 and by using information from this thread and some other info that I found elsewhere I finally have a working AD integration.

I actually made a mod of the LDAP mod ;). But here is the complete mod of the original LogInOut.php that comes with SMF 1.0.7, and you can make a diff with original LDAP mod to see the changes if you wish.


1) Find
    // Load the data up!
    above add:
       
        //Begin LDAP integration
        $ldap_admin_user = 'admin';                               // name of your administrator user account (will not be LDAP authenticated)
        $ldap_server = 'ldap://server';                              // ldap server name or IP
        $ldap_base_dn = 'DC=mydomain, DC=com';        // Base DN of your LDAP server. mydomain.com -> DC=mydomain, DC=com
        $ldap_email = 'mail';                                           // LDAP name of the field containing the e-mail address of the user
        // LDAP/AD integration
        $ldap_user_domain_suffix = '@mydomain.com';   // AD user domain suffix
           
        // Only special users get to authenticate the old way
        if ($_REQUEST['user'] == $ldap_admin_user) {

       


2) Find
    mysql_free_result($request);
    below add:
     

    }
    else {
        // If not the admin, authenticate via LDAP
        $ldap_connect = @ldap_connect($ldap_server);
        // required to search AD, according to note in PHP manual notes
        ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap_connect, LDAP_OPT_REFERRALS, 0); // do not chase the referrals AD returns for searches
        if (!$ldap_connect) {
            $context['login_error'] = 'LDAP could not connect';
            return;
        }
       
        $name = $_REQUEST['user'];
        $ldap_user = $name.$ldap_user_domain_suffix;
        $pass = $_REQUEST['passwrd'];
        // SMF's "funky symbols" check above rejects quotes, '=' and '\', but not '*', '(' or ')',
        // so $name reaches the LDAP filter unescaped (ldap_escape() only exists from PHP 5.6).
        $filter="samaccountname=".$name;

      if (@ldap_bind($ldap_connect, $ldap_user, $pass)) {
         $request = db_query("
            SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
            FROM {$db_prefix}members
            WHERE memberName = '$name'
            LIMIT 1", __FILE__, __LINE__);
         if (mysql_num_rows($request) == 0) {
            // User bound to LDAP OK but does not exist in SMF database - create

            $ldap_search = @ldap_search($ldap_connect, $ldap_base_dn, $filter, array($ldap_email));
            $ldap_result = @ldap_first_entry($ldap_connect, $ldap_search);

            if (!$ldap_result) {
               $context['login_error'] = 'LDAP search error.';
               return;
            }

            $ldap_fields = @ldap_get_attributes($ldap_connect, $ldap_result);
                // we need users email to properly register him in smf
            if (!is_array($ldap_fields) || count($ldap_fields) < 1 ||
                     $ldap_fields[$ldap_email][0] == NULL || $ldap_fields[$ldap_email][0] == '') {
               $context['login_error'] = 'LDAP error retrieving user information.';
               return;
            }           
            
            $register_vars = array(
               'memberName' => "'$name'",
               // directory values are not magic-quoted like $_REQUEST; escape before they go into SQL
               'emailAddress' => "'".addslashes($ldap_fields[$ldap_email][0])."'",
               'passwd' => '\'' . md5_hmac($pass, strtolower($name)) . '\'',
               'posts' => 0,
               'dateRegistered' => time(),
               'memberIP' => "'$user_info[ip]'",
               'is_activated' => 1,
               'validation_code' => "''",
               'realName' => "'$name'",
               'personalText' => '\'' . addslashes($modSettings['default_personalText']) . '\'',
               'im_email_notify' => 1,
               'ID_THEME' => 0,
               'ID_POST_GROUP' => 4,
            );

            db_query("
               INSERT INTO {$db_prefix}members
                  (" . implode(', ', array_keys($register_vars)) . ")
               VALUES (" . implode(', ', $register_vars) . ')', __FILE__, __LINE__);
            $memberID = db_insert_id();
            updateStats('member');

            // If it's enabled, increase the registrations for today.
            trackStats(array('registers' => '+'));

            //Retry the query
            mysql_free_result($request);
            $request = db_query("
               SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
               FROM {$db_prefix}members
               WHERE memberName = '$name'
               LIMIT 1", __FILE__, __LINE__);
            if (mysql_num_rows($request) == 0) {
               $context['login_error'] = 'Failed to add LDAP user to the database';
               return;
            }
         }
         // LDAP user found in the database
         // Figure out the password, and load the settings.
         $user_settings = mysql_fetch_assoc($request);
         $md5_passwrd = md5_hmac($pass, strtolower($user_settings['memberName']));

         // Old style encryption... now's the only time to fix it.
         if ($user_settings['passwd'] == crypt($pass, substr($pass, 0, 2)) || $user_settings['passwd'] == md5($pass))
         {
            updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\''));
            $user_settings['passwd'] = $md5_passwrd;
         }
         // What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
         elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($pass) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($pass))))
         {
            // Get our new encryption in!
            updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
            $user_settings['passwd'] = $md5_passwrd;
         }
         // SMF's password doesn't match LDAP's password
         elseif ($user_settings['passwd'] != $md5_passwrd)
         {
            updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
            $user_settings['passwd'] = $md5_passwrd;
         }
         mysql_free_result($request);
      } else {
         // LDAP says bad password
         // They've messed up again - keep a count to see if they need a hand.
         if (isset($_SESSION['failed_login']))
            $_SESSION['failed_login']++;
         else
            $_SESSION['failed_login'] = 1;

         // Hmm... don't remember it, do you?  Here, try the password reminder ;).
         if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
            redirectexit('action=reminder');
         // We'll give you another chance...
         else
         {
            $context['login_error'] = &$txt[39];
            // $user_settings is not loaded in this branch, so log the attempted name instead
            log_error($txt[39] . ' - ' . $name);
            return;
         }
      }





This works for me, and I hope it will work for you too. It's a slightly simplified version of the original LDAP mod (we have only one domain name), and in some other AD environments you might need to tweak this a bit more.

Also make sure that you have LDAP extension enabled in PHP (php.ini), you might have to do the following:
uncomment:
extension=php_ldap.dll
and make sure that extensions dir is set up correctly:
extension_dir = "c:\php\ext"

(this was done with PHP version 5.1.2)


Big thanks to bsiegel for this mod and to others for their valuable information in this thread.
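An added example, not code from this thread or from the mod: a small PHP helper that hardens the bind-and-lookup steps shown in the posts above. It restricts the username before it is turned into a UPN and a sAMAccountName filter, escapes the filter value per RFC 4515 by hand (ldap_escape() only arrived in PHP 5.6), refuses an empty password because AD answers an empty-password simple bind with a successful anonymous bind (SMF's own empty-password check is what protects the mod today; this re-checks it next to the bind), and only sends credentials over ldaps:// or after StartTLS, which is the TLS point raised by perf. All function and variable names are hypothetical.

```php
<?php
// Added example (not part of the mod or this thread); all names are hypothetical.
// Hardened helpers for the AD bind-and-lookup steps used by the mod.

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// PHP 5.6+ offers ldap_escape($v, '', LDAP_ESCAPE_FILTER); older PHP needs this by hand.
function ldapFilterEscape($value)
{
	$out = '';
	$len = strlen($value);
	for ($i = 0; $i < $len; $i++)
	{
		$c = $value[$i];
		// '*', '(', ')', '\' and NUL are the characters with filter meaning
		if ($c === '*' || $c === '(' || $c === ')' || $c === '\\' || $c === "\0")
			$out .= '\\' . sprintf('%02x', ord($c));
		else
			$out .= $c;
	}
	return $out;
}

// Accept only the character set this forum hands to AD: letters, digits, dot,
// underscore and hyphen, at most 20 characters (the sAMAccountName limit).
// SMF's own "no funky symbols" check lets '*', '(' and ')' through.
function isSafeSamAccountName($name)
{
	return preg_match('/^[A-Za-z0-9._-]{1,20}\z/', $name) === 1;
}

// The filter the mod builds, with the user-supplied value escaped.
function buildUserFilter($name)
{
	return '(sAMAccountName=' . ldapFilterEscape($name) . ')';
}

// Returns '' when a bind attempt may proceed, otherwise the reason to refuse it:
// - an empty password turns a simple bind into an anonymous bind, which AD
//   reports as success, so it must never reach ldap_bind()
// - credentials only travel over ldaps:// or after StartTLS
function checkBindPreconditions($serverUri, $username, $password, $useStartTls)
{
	if (!isSafeSamAccountName($username))
		return 'invalid username';
	if ($password === '')
		return 'empty password would become an anonymous bind';
	$scheme = strtolower((string) parse_url($serverUri, PHP_URL_SCHEME));
	if ($scheme !== 'ldaps' && !$useStartTls)
		return 'refusing to send credentials over plain ldap://';
	return '';
}

// Bind as user@domain and read mail and displayName, as the mod does,
// but only after the checks above pass.
function adAuthenticate($serverUri, $baseDn, $suffix, $username, $password, $useStartTls = false)
{
	$err = checkBindPreconditions($serverUri, $username, $password, $useStartTls);
	if ($err !== '')
		return array('ok' => false, 'error' => $err);

	$conn = @ldap_connect($serverUri);
	if (!$conn)
		return array('ok' => false, 'error' => 'LDAP could not connect');
	ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals; do not chase them
	if ($useStartTls && !@ldap_start_tls($conn))
		return array('ok' => false, 'error' => 'StartTLS failed');

	if (!@ldap_bind($conn, $username . $suffix, $password))
		return array('ok' => false, 'error' => 'bad credentials');

	$search = @ldap_search($conn, $baseDn, buildUserFilter($username), array('mail', 'displayName'));
	$entry = $search ? @ldap_first_entry($conn, $search) : false;
	if (!$entry)
		return array('ok' => false, 'error' => 'LDAP search error');
	$attrs = ldap_get_attributes($conn, $entry);
	ldap_unbind($conn);

	if (empty($attrs['mail'][0]))
		return array('ok' => false, 'error' => 'no mail attribute');
	$display = isset($attrs['displayName'][0]) ? $attrs['displayName'][0] : $username;
	// Directory values are not magic-quoted like $_REQUEST; escape them before they go into SQL.
	return array('ok' => true, 'mail' => addslashes($attrs['mail'][0]), 'displayName' => addslashes($display));
}

// Self-checks that run without a directory server (constructed inputs).
assert(ldapFilterEscape('j.doe*)(mail=*') === 'j.doe\\2a\\29\\28mail=\\2a');
assert(isSafeSamAccountName('j.doe') && !isSafeSamAccountName('j.doe)(objectClass=*'));
assert(checkBindPreconditions('ldap://dc1', 'j.doe', 'x', false) !== '');
assert(checkBindPreconditions('ldaps://dc1', 'j.doe', 'x', false) === '');
assert(checkBindPreconditions('ldaps://dc1', 'j.doe', '', false) !== '');
```

The returned mail and displayName are already addslashes()'d, so they can be dropped into the $register_vars INSERT the way the mod builds it.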


Bateau


rmettai

I want to automatically add the user to SMF from LDAP when they try to log in after authentication has succeeded, if they are not already in the system, instead of having them register first. Is this possible?

bsiegel

Hey, I sort of forgot about this.

Anyhow, the system I developed this for is now using hxxp:www.ja-sig.org/products/cas [nonactive] to manage logins instead of LDAP. But I will look into what is needed to make this work with more recent versions. We are preparing our forums for an update to 1.1 when it is released, so hopefully I will be able to look into this along with the other things we are porting over.

BTW if anyone else wants to CASify their forums, let me know. I should be able to help you out. Also I might know a little something about active directory if people are getting stuck with it.

--bsiegel

lightningbit

Another SMF admin with LDAP support on his wishlist.

I just set up 1.1RC2. I've been reading through this thread and it looks like there is still no solution?  :(
We have a multi-tree domain structure. What I would like to see in SMF is
a user logging on with his domain credentials, with his basic user info automatically "cached" or copied into the SMF database.
Obviously, we want to keep the "backdoor" user like "admin" away from AD or LDAP.

in my case, any user of any of our domains can be registered, we'll use groups to determine permissions

I'm happy to help testing in a corporate environment if it would help

L.


geniusfreak

I took peterr's mod and tweaked it further to pull over the users display name from Active Directory.
I have this running perfectly on a FreeBSD 6.1 host with PHP 4.4.3 and Apache 2.2.3 connecting to a Server 2003 domain.

Please pardon the long code post, but I had issues with extra braces in the code peterr posted, and the full code makes it easier for someone to use IMO.

This is from the 1.0.8 Release.
The lines you have to change for your location start at line 169

<?php
/******************************************************************************
* LogInOut.php                                                                *
*******************************************************************************
* SMF: Simple Machines Forum                                                  *
* Open-Source Project Inspired by Zef Hemel ([email protected])                *
* =========================================================================== *
* Software Version:           SMF 1.0.2                                       *
* Software by:                Simple Machines (http://www.simplemachines.org) *
* Copyright 2001-2005 by:     Lewis Media (http://www.lewismedia.com)         *
* Support, News, Updates at:  http://www.simplemachines.org                   *
*******************************************************************************
* This program is free software; you may redistribute it and/or modify it     *
* under the terms of the provided license as published by Lewis Media.        *
*                                                                             *
* This program is distributed in the hope that it is and will be useful,      *
* but WITHOUT ANY WARRANTIES; without even any implied warranty of            *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                        *
*                                                                             *
* See the "license.txt" file for details of the Simple Machines license.      *
* The latest version can always be found at http://www.simplemachines.org.    *
******************************************************************************/
if (!defined('SMF'))
	die('Hacking attempt...');

/* This file is concerned pretty entirely, as you see from its name, with
logging in and out members, and the validation of that.  It contains:

void Login()
- shows a page for the user to type in their username and password.
- caches the referring URL in $_SESSION['login_url'].
- uses the Login template and language file with the login sub
  template.
- if you are using a wireless device, uses the protocol_login sub
  template in the Wireless template.
- accessed from ?action=login.

void Login2()
- actually logs you in and checks that login was successful.
- employs protection against a specific IP or user trying to brute
  force a login to an account.
- on error, uses the same templates Login() uses.
- upgrades password encryption on login, if necessary.
- after successful login, redirects you to $_SESSION['login_url'].
- accessed from ?action=login2, by forms.

void Logout()
- logs the current user out of their account.
- requires that the session hash is sent as well, to prevent automatic
  logouts by images or javascript.
- redirects back to $_SESSION['logout_url'], if it exists.
- accessed via ?action=logout;sc=...
*/

// Ask them for their login information.
function Login()
{
	global $txt, $context;

	// In wireless?  If so, use the correct sub template.
	if (WIRELESS)
		$context['sub_template'] = WIRELESS_PROTOCOL . '_login';
	// Otherwise, we need to load the Login template/language file.
	else
	{
		loadTemplate('Login');
		loadLanguage('Login');
		$context['sub_template'] = 'login';
	}

	// Get the template ready.... not really much else to do.
	$context['page_title'] = $txt[34];
	$context['default_username'] = &$_REQUEST['u'];
	$context['default_password'] = '';
	$context['never_expire'] = false;

	// Set the login URL - will be used when the login process is done.
	if (isset($_SESSION['old_url']) && (strstr($_SESSION['old_url'], 'board=') !== false || strstr($_SESSION['old_url'], 'topic=') !== false))
		$_SESSION['login_url'] = $_SESSION['old_url'];
	else
		unset($_SESSION['login_url']);
}

// Perform the actual logging-in.
function Login2()
{
	global $txt, $db_prefix, $scripturl, $user_info;
	global $cookiename, $maintenance, $ID_MEMBER;
	global $modSettings, $scripturl, $context, $sc, $sourcedir;

	// Load cookie authentication stuff.
	require_once($sourcedir . '/Subs-Auth.php');

	// Double check the cookie...
	if (isset($_GET['sa']) && $_GET['sa'] == 'check')
	{
		// Strike!  You're outta there!
		if ($_GET['member'] != $ID_MEMBER)
			fatal_lang_error('login_cookie_error', false);

		// Some whitelisting for login_url...
		if (empty($_SESSION['login_url']))
			redirectexit();
		else
		{
			// Best not to clutter the session data too much...
			$temp = $_SESSION['login_url'];
			unset($_SESSION['login_url']);

			redirectexit($temp, false);
		}
	}

	// Are you guessing with a script that doesn't keep the session id?
	spamProtection('login');

	// Been guessing a lot, haven't we?
	if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3)
		fatal_lang_error('login_threshold_fail');

	// Set up the cookie length.  (if it's invalid, just fall through and use the default.)
	if (isset($_POST['cookieneverexp']) || (!empty($_POST['cookielength']) && $_POST['cookielength'] == -1))
		$modSettings['cookieTime'] = 3153600;
	elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600))
		$modSettings['cookieTime'] = (int) $_POST['cookielength'];

	// Set things up in case an error occurs.
	if (!empty($maintenance) || empty($modSettings['allow_guestAccess']))
		$context['sub_template'] = 'kick_guest';

	// Load the template stuff - wireless or normal.
	if (WIRELESS)
		$context['sub_template'] = WIRELESS_PROTOCOL . '_login';
	else
	{
		loadTemplate('Login');
		$context['sub_template'] = 'login';
	}
	loadLanguage('Login');

	// Set up the default/fallback stuff.
	$context['default_username'] = isset($_REQUEST['user']) ? htmlspecialchars(stripslashes($_REQUEST['user'])) : '';
	$context['default_password'] = '';
	$context['never_expire'] = $modSettings['cookieTime'] == 525600 || $modSettings['cookieTime'] == 3153600;
	$context['login_error'] = &$txt[106];
	$context['page_title'] = $txt[34];

	// You forgot to type your username, dummy!
	if (!isset($_REQUEST['user']) || $_REQUEST['user'] == '')
	{
		$context['login_error'] = &$txt[37];
		return;
	}

	// Hmm... maybe 'admin' will login with no password. Uhh... NO!
	// (This check also matters for the LDAP branch below: an empty password would make ldap_bind() an anonymous bind.)
	if (!isset($_REQUEST['passwrd']) || $_REQUEST['passwrd'] == '')
	{
		$context['login_error'] = &$txt[38];
		return;
	}

	// No funky symbols either.
	if (preg_match('~[<>&"\'=\\\]~', $_REQUEST['user']) != 0)
	{
		$context['login_error'] = &$txt[240];
		return;
	}

	//Begin LDAP integration
	$ldap_admin_user = 'admin';                   // name of your administrator user account (will not be LDAP authenticated)
	$ldap_server = 'ldap://ServerNameOrIp';       // ldap server name or IP
	$ldap_base_dn = 'DC=domain,DC=com';           // Base DN of your LDAP server. mydomain.com -> DC=mydomain, DC=com
	$ldap_email = 'mail';                         // LDAP name of the field containing the e-mail address of the user
	// LDAP/AD integration
	$ldap_user_domain_suffix = '@domain.com';     // AD user domain suffix

	// Only special users get to authenticate the old way
	if ($_REQUEST['user'] == $ldap_admin_user)
	{
		// Load the data up!
		$request = db_query("
			SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
			FROM {$db_prefix}members
			WHERE memberName = '$_REQUEST[user]'
			LIMIT 1", __FILE__, __LINE__);
		// Probably mistyped or their email, try it as an email address. (memberName first, though!)
		if (mysql_num_rows($request) == 0)
		{
			$request = db_query("
				SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
				FROM {$db_prefix}members
				WHERE emailAddress = '$_REQUEST[user]'
				LIMIT 1", __FILE__, __LINE__);
			// Let them try again, it didn't match anything...
			if (mysql_num_rows($request) == 0)
			{
				$context['login_error'] = &$txt[40];
				return;
			}
		}

		// Figure out the password, and load the settings.
		$user_settings = mysql_fetch_assoc($request);
		$md5_passwrd = md5_hmac($_REQUEST['passwrd'], strtolower($user_settings['memberName']));

		// Check if the account is activated...
		if (empty($user_settings['is_activated']))
		{
			$context['login_error'] = $txt['activate_not_completed1'] . ' <a href="' . $scripturl . '?action=activate;sa=resend;u=' . $user_settings['ID_MEMBER'] . '">' . $txt['activate_not_completed2'] . '</a>';
			log_error($txt['activate_not_completed1'] . ' - ' . $user_settings['memberName'], false);
			return;
		}

		// Old style encryption... now's the only time to fix it.
		if ($user_settings['passwd'] == crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] == md5($_REQUEST['passwrd']))
		{
			updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\''));
			$user_settings['passwd'] = $md5_passwrd;
		}
		// What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
		elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))
		{
			// Get our new encryption in!
			updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
			$user_settings['passwd'] = $md5_passwrd;
		}
		// Bad password!  Thought you could fool the database?!
		elseif ($user_settings['passwd'] != $md5_passwrd)
		{
			// They've messed up again - keep a count to see if they need a hand.
			if (isset($_SESSION['failed_login']))
				$_SESSION['failed_login']++;
			else
				$_SESSION['failed_login'] = 1;

			// Hmm... don't remember it, do you?  Here, try the password reminder ;).
			if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
				redirectexit('action=reminder');
			// We'll give you another chance...
			else
			{
				$context['login_error'] = &$txt[39];
				log_error($txt[39] . ' - ' . $user_settings['memberName']);
				return;
			}
		}
		mysql_free_result($request);
	}
	else
	{
		// If not the admin, authenticate via LDAP
		$ldap_connect = @ldap_connect($ldap_server);
		// required to search AD, according to note in PHP manual notes
		ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
		ldap_set_option($ldap_connect, LDAP_OPT_REFERRALS, 0); // do not chase the referrals AD returns for searches
		if (!$ldap_connect)
		{
			$context['login_error'] = 'LDAP could not connect';
			return;
		}

		$name = $_REQUEST['user'];
		$ldap_user = $name . $ldap_user_domain_suffix;
		$pass = $_REQUEST['passwrd'];
		// SMF's "funky symbols" check above rejects quotes, '=' and '\', but not '*', '(' or ')',
		// so $name reaches the LDAP filter unescaped (ldap_escape() only exists from PHP 5.6).
		$filter = "samaccountname=" . $name;

		if (@ldap_bind($ldap_connect, $ldap_user, $pass))
		{
			$request = db_query("
				SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
				FROM {$db_prefix}members
				WHERE memberName = '$name'
				LIMIT 1", __FILE__, __LINE__);
			if (mysql_num_rows($request) == 0)
			{
				// User bound to LDAP OK but does not exist in SMF database - create
				$ldap_search = @ldap_search($ldap_connect, $ldap_base_dn, $filter, array($ldap_email, "displayName"));
				$ldap_result = @ldap_first_entry($ldap_connect, $ldap_search);

				if (!$ldap_result)
				{
					$context['login_error'] = 'LDAP search error.';
					return;
				}

				$ldap_fields = @ldap_get_attributes($ldap_connect, $ldap_result);
				// we need users email to properly register him in smf
				// (a leftover debug print_r($ldap_fields) was removed here: it dumped the directory attributes into the login page)
				if (!is_array($ldap_fields) || count($ldap_fields) < 1 ||
					$ldap_fields[$ldap_email][0] == NULL || $ldap_fields[$ldap_email][0] == '')
				{
					$context['login_error'] = 'LDAP error retrieving user information.';
					return;
				}

				// directory values are not magic-quoted like $_REQUEST; escape them before they go into SQL
				$register_vars = array(
					'memberName' => "'$name'",
					'emailAddress' => "'" . addslashes($ldap_fields[$ldap_email][0]) . "'",
					'passwd' => '\'' . md5_hmac($pass, strtolower($name)) . '\'',
					'posts' => 0,
					'dateRegistered' => time(),
					'memberIP' => "'$user_info[ip]'",
					'is_activated' => 1,
					'validation_code' => "''",
					'realName' => "'" . addslashes($ldap_fields["displayName"][0]) . "'",
					'personalText' => '\'' . addslashes($modSettings['default_personalText']) . '\'',
					'im_email_notify' => 1,
					'ID_THEME' => 0,
					'ID_POST_GROUP' => 4,
				);

				db_query("
					INSERT INTO {$db_prefix}members
						(" . implode(', ', array_keys($register_vars)) . ")
					VALUES (" . implode(', ', $register_vars) . ')', __FILE__, __LINE__);
				$memberID = db_insert_id();
				updateStats('member');

				// If it's enabled, increase the registrations for today.
				trackStats(array('registers' => '+'));

				//Retry the query
				mysql_free_result($request);
				$request = db_query("
					SELECT passwd, ID_MEMBER, ID_GROUP, lngfile, is_activated, emailAddress, additionalGroups, memberName, passwordSalt
					FROM {$db_prefix}members
					WHERE memberName = '$name'
					LIMIT 1", __FILE__, __LINE__);
				if (mysql_num_rows($request) == 0)
				{
					$context['login_error'] = 'Failed to add LDAP user to the database';
					return;
				}
			}
			// LDAP user found in the database
			// Figure out the password, and load the settings.
			$user_settings = mysql_fetch_assoc($request);
			$md5_passwrd = md5_hmac($pass, strtolower($user_settings['memberName']));

			// Old style encryption... now's the only time to fix it.
			if ($user_settings['passwd'] == crypt($pass, substr($pass, 0, 2)) || $user_settings['passwd'] == md5($pass))
			{
				updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\''));
				$user_settings['passwd'] = $md5_passwrd;
			}
			// What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
			elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($pass) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($pass))))
			{
				// Get our new encryption in!
				updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
				$user_settings['passwd'] = $md5_passwrd;
			}
			// SMF's password doesn't match LDAP's password
			elseif ($user_settings['passwd'] != $md5_passwrd)
			{
				updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
				$user_settings['passwd'] = $md5_passwrd;
			}
			mysql_free_result($request);
		}
		else
		{
			// LDAP says bad password
			// They've messed up again - keep a count to see if they need a hand.
			if (isset($_SESSION['failed_login']))
				$_SESSION['failed_login']++;
			else
				$_SESSION['failed_login'] = 1;

			// Hmm... don't remember it, do you?  Here, try the password reminder ;).
			if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold'])
				redirectexit('action=reminder');
			// We'll give you another chance...
			else
			{
				$context['login_error'] = &$txt[39];
				// $user_settings is not loaded in this branch, so log the attempted name instead
				log_error($txt[39] . ' - ' . $name);
				return;
			}
		}
	}

	// Get ready to set the cookie...
	$username = $user_settings['memberName'];
	$ID_MEMBER = $user_settings['ID_MEMBER'];

	// Bam!  Cookie set.  A session too, just incase.
	setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['ID_MEMBER'], $md5_passwrd);

	// Reset the login threshold.
	if (isset($_SESSION['failed_login']))
		unset($_SESSION['failed_login']);

	$user_info['is_guest'] = false;
	$user_settings['additionalGroups'] = explode(',', $user_settings['additionalGroups']);
	$user_info['is_admin'] = $user_settings['ID_GROUP'] == 1 || in_array(1, $user_settings['additionalGroups']);

	// Are you banned?
	if (isset($_SESSION['ban']['last_checked']))
		unset($_SESSION['ban']['last_checked']);
	is_not_banned();

	// An administrator, set up the login so they don't have to type it again.
	if ($user_info['is_admin'])
		$_SESSION['admin_time'] = time();

	// Don't stick the language or theme after this point.
	unset($_SESSION['language']);
	unset($_SESSION['ID_THEME']);

	// You've logged in, haven't you?
	updateMemberData($ID_MEMBER, array('lastLogin' => time(), 'memberIP' => '\'' . $user_info['ip'] . '\''));

	// Get rid of the online entry for that old guest....
	db_query("
		DELETE FROM {$db_prefix}log_online
		WHERE session = 'ip$user_info[ip]'
		LIMIT 1", __FILE__, __LINE__);
	$_SESSION['log_time'] = 0;

	// Just log you back out if it's in maintenance mode and you AREN'T an admin.
	if (empty($maintenance) || allowedTo('admin_forum'))
		redirectexit('action=login2;sa=check;member=' . $ID_MEMBER, true, $context['server']['needs_login_fix']);
	else
		redirectexit('action=logout;sesc=' . $sc, true, $context['server']['needs_login_fix']);
}

// Log the user out.
function Logout()
{
	global $db_prefix, $sourcedir, $ID_MEMBER, $context;

	// Make sure they aren't being auto-logged out.
	checkSession('get');

	require_once($sourcedir . '/Subs-Auth.php');

	// If you log out, you aren't online anymore :P.
	db_query("
		DELETE FROM {$db_prefix}log_online
		WHERE ID_MEMBER = $ID_MEMBER
		LIMIT 1", __FILE__, __LINE__);
	$_SESSION['log_time'] = 0;

	// Empty the cookie! (set it in the past, and for ID_MEMBER = 0)
	setLoginCookie(-3600, 0);

	// Off to the merry board index we go!
	if (empty($_SESSION['logout_url']))
		redirectexit('', true, $context['server']['needs_login_fix']);
	else
	{
		$temp = $_SESSION['logout_url'];
		unset($_SESSION['logout_url']);

		redirectexit($temp, false, $context['server']['needs_login_fix']);
	}
}

?>




I may take a crack at the latest RC but no promises :P

Leszer

Is this in development for 1.1.2?  Does anyone know if the mods above are working for 1.1.2?
