How do I set up LDAP Authentication on phpBB 3.0.5?

rmconard asked
Last Modified: 2013-12-19
We just recently installed a new phpBB forum system to allow for interoffice communication.

Although I do consider myself an IT professional, I'm a little embarrassed to say that I have had NO experience working with LDAP. I do have AD experience, but only from within the AD server itself using the built-in MS "Active Directory Users and Computers" program.

Anyway, for those of you who are not familiar with phpBB, here is the information it wants from me.

1) LDAP server name
2) LDAP server port
3) LDAP base dn
4) LDAP uid
5) LDAP user filter
6) LDAP e-mail attribute
7) LDAP user dn
8) LDAP password

The name of our network is HEARUSA. Our AD is located on the domain controller, which is 10.1.0.10 (or HEARUSADC3). The user ID that is going to control this is "2701".

My question is simple. What do I need to give phpBB to let it authenticate through our AD?

Let me know what else I can give to get a solution. Thank you!

PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010
Commented:

Author

Commented:
I keep getting an error saying that the user account to authenticate is invalid.

My user account is called 2701. It's in the "Users" folder on AD.

We only have the basic containers, no sub groups or organization units... none of that stuff.
Chris Dent, PowerShell Developer

Commented:

Is that the one you're using for the LDAP User DN?

If so, you'd use this value:

CN=2701,CN=Users,DC=domain,DC=com

Chris

Author

Commented:
Still says:

"Binding to LDAP server failed with specified user/password."

I know for a fact my username and password are correct. What could I be doing wrong?
Chris Dent, PowerShell Developer

Commented:

This is before it presents a logon screen? Or during logon?

The 2701 value above, that's what you see in AD Users and Computers (in the main view, not in the account's properties)?

Chris

Author

Commented:
Yes, 2701 is my user ID. Same login I use across our Windows Network.

And no, phpBB is not prompting me to log in. The second I click Submit to try and save the settings you gave me it immediately gives me that error.
Chris Dent, PowerShell Developer
Commented:

Author

Commented:
Ok, I get it.

Now we're making progress, but now I am getting a new error:

"Could not connect to LDAP server."

All of my settings are correct. I changed my CN to Ryan Conard, not 2701 and that got me past the first error that said "unknown user" or whatever.

Any thoughts?
Chris Dent, PowerShell Developer

Commented:

Odd, wonder how it managed to check the username and password without talking to the server.

What did you put in the LDAP server box? If you put a name, let's change it to an IP address (for one of your DCs). That takes any potential problems in DNS out of the loop.

Chris

Author

Commented:
Ok, I made some changes.

1) Removed the port number.
2) Removed the filter.


Now I get this error:

"Could not find a login identity for Ryan Conard."
Chris Dent, PowerShell Developer

Commented:

Rather an obscure message.

I'm not very good with PHP, but it kind of looks like it's trying to find the user. Is this when you're saving the LDAP settings?

Chris

Author

Commented:
Yes, it happens when I try to save the settings.
Chris Dent, PowerShell Developer
Commented:

Author

Commented:
Ok, did that. I created a user called "ldapauth" and set the first name to "ldapauth" as well, with no last name. So the name should be the same no matter what method it's trying to use.

I still get the same error:

"Could not find a login identity for Ryan Conard."

Even though I changed the CN thing to ldapauth.

Now I'm completely confused. You're more than welcome to see for yourself, if you'd like I can hook you up with admin access to the forums. PM me for the login info.
Chris Dent, PowerShell Developer

Commented:

Hmm perhaps it's trying to match up existing users (in phpBB) to accounts in AD?

Chris

Author

Commented:
It could be. Let me change my phpBB name from Ryan Conard to 2701, maybe then it will find me. Hold on.

Author

Commented:
Well, seems like I just screwed myself.

I changed my admin name from Ryan Conard to 2701. Once I did that I was successfully able to save the LDAP settings. Then I logged out of everything and logged into the board using my AD username and password and it worked perfectly.

Then I went to go log back into the Admin Panel and it says I don't have access. Why... I don't know? Only thing I can think of is that my forum password and AD password are different. It will not accept the password I originally set for my admin login on the forums, only my AD password.

Using my AD password it lets me login, but only as a regular user.

I can easily reload phpBB, I'm not worried about that. But I foresee a problem in the near future every time I do this.
Chris Dent, PowerShell Developer

Commented:

That's not too helpful. There must be a way around that.

Can you log in with any other account from AD? Or can you edit the phpBB database? I would imagine it's possible to give your account its administrative rights back again with direct access to the data behind.

Chris

Author

Commented:
Never mind, I fixed it.

I simply reset my AD password to match my phpBB password... (duh?)

Thank you for all your help, Chris. I have one final question though.

The way I want the phpBB forums set up is to show a person's username as their actual name. For example, my company employee ID # is 2701. That's my Windows Network log in name, my actual name in the Active Directory is Ryan Conard.

When I sign into phpBB using 2701 and my AD password, it works fine, which is exactly how we want it. But phpBB is then showing my username as 2701 and NOT Ryan Conard.

How can I change this? Is it a matter of changing LDAP to look for different information off of the AD?
Chris Dent, PowerShell Developer
Commented:

Author

Commented:
How would I set phpBB to authenticate using the employee ID (like it is), but to display the displayName property?
Chris Dent, PowerShell Developer

Commented:

That I don't know, I'm afraid. I've never actually used phpBB, only dug into the source code earlier to try and see what it was up to with that error message.

AD and LDAP are more my thing, when you've seen a few hundred of these LDAP settings you've seen them all :)

Chris

Author

Commented:
I got it!

I changed sAMAccountName to displayName and it works! I can log in using my full name and password from the AD, so can other users.

Thanks for all your help Chris!

-Ryan
Chris Dent, PowerShell Developer

Commented:

You're welcome :)

Chris

Author

Commented:
Problem resolved. It took a while, but all of the information Chris-Dent provided me allowed me to set up my phpBB to use LDAP. Thanks!

Commented:
rmconard -

I'm having the same exact issue as you in the thread above.  I'm able to get phpBB 3.0.5 up and running with LDAP authentication against Active Directory, so end users can log in with their userid/password.  However when logged in, only their userid is shown and I'd like to reference the Active Directory's displayName.

You said you were able to do this by simply switching sAMAccountName to displayName under the LDAP UID section in the client authentication section in phpBB's Admin Control Panel.

However when I tried this, I ran into the same issue of "Could not find login identity for" my service account.

If you can provide some of the additional steps that you took, I'd appreciate it.  My only issue is that another team provides the system administration so I don't have direct access to Active Directory.

If anyone else can assist, I'd appreciate it.  In short, I'm looking to conduct LDAP Active Directory based authentication in phpBB so that when an end user logs in with their userid, their displayName is shown throughout the forum.
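
The three errors reported in this thread, reproduced as an added example (a simplified offline model, not phpBB's code and not posted by anyone above): the bind account must be named by its directory DN, and the name looked up on save is the forum username matched against the "LDAP uid" attribute. The directory entries are constructed from values mentioned in the thread, passwords are not modeled, and all function names are hypothetical.

```python
# Constructed sample directory: the CN (and displayName) is the person's
# name, while the Windows logon name lives in sAMAccountName.
DIRECTORY = [
    {"dn": "CN=Ryan Conard,CN=Users,DC=domain,DC=com",
     "sAMAccountName": "2701", "displayName": "Ryan Conard"},
    {"dn": "CN=ldapauth,CN=Users,DC=domain,DC=com",
     "sAMAccountName": "ldapauth", "displayName": "ldapauth"},
]


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_filter(uid_attr, username, user_filter=""):
    """Combine the 'LDAP uid' attribute with the optional 'LDAP user filter'."""
    base = "(%s=%s)" % (uid_attr, escape_filter_value(username))
    return "(&%s%s)" % (base, user_filter) if user_filter else base


def find_identity(uid_attr, username):
    """Return the DNs whose uid_attr equals the forum username."""
    return [e["dn"] for e in DIRECTORY
            if e.get(uid_attr, "").lower() == username.lower()]


def check_settings(bind_dn, uid_attr, forum_username):
    """Model the save-time check: bind first, then look up the saving user."""
    if bind_dn.lower() not in [e["dn"].lower() for e in DIRECTORY]:
        # CN=2701,... does not exist: 2701 is the sAMAccountName, not the CN.
        return "Binding to LDAP server failed with specified user/password."
    if not find_identity(uid_attr, forum_username):
        # The lookup uses the forum username, not the bind account, which
        # is why switching the bind DN to ldapauth changed nothing.
        return "Could not find a login identity for %s." % forum_username
    return "ok"


if __name__ == "__main__":
    ryan = "CN=Ryan Conard,CN=Users,DC=domain,DC=com"
    print(check_settings("CN=2701,CN=Users,DC=domain,DC=com",
                         "sAMAccountName", "Ryan Conard"))
    print(check_settings(ryan, "sAMAccountName", "Ryan Conard"))
    print(check_settings(ryan, "sAMAccountName", "2701"))
    print(check_settings(ryan, "displayName", "Ryan Conard"))
```

Active Directory enforces uniqueness of sAMAccountName within a domain but not of displayName, so a lookup keyed on displayName can match more than one entry.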