Solved

How do I set up LDAP Authentication on phpBB 3.0.5?

Posted on 2009-07-10
27
6,930 Views
Last Modified: 2013-12-19
We just recently installed a new phpBB forum system to allow for interoffice communication.

Although I do consider myself an IT professional, I'm a little embarrassed to say that I have had NO experience working with LDAP. I do have AD experience, but only from within the AD server itself using the built-in MS "Active Directory Users and Computers" program.

Anyway, for those of you who are not familiar with phpBB, here is the information it wants from me.

1) LDAP server name
2) LDAP server port
3) LDAP base dn
4) LDAP uid
5) LDAP user filter
6) LDAP e-mail attribute
7) LDAP user dn
8) LDAP password

The name of our network is HEARUSA. Our AD is located on the domain controller, which is 10.1.0.10 (or HEARUSADC3). The user ID that is going to control this is "2701".

My question is simple. What do I need to give phpBB to let it authenticate through our AD?

Let me know what else I can give to get a solution. Thank you!
Question by: rmconard

27 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24826204

Hey :)

1) LDAP server name

This one will be one of your Domain Controllers, or just your domain name which, if you run "nslookup domain.com", gives you the IP addresses for each of your domain controllers.

2) LDAP server port

389

Can't be changed with AD so this is a safe bet. It's the default LDAP port.

3) LDAP base dn

The point in the directory you want to search from. If your AD domain was called "domain.com" it would be "DC=domain,DC=com".

If you wish to be more restrictive you can. For example, the default Users folder in AD would need you to use "CN=Users,DC=domain,DC=com". Or an OU could be set with "OU=SomeOU,DC=domain,DC=com".

4) LDAP uid

If it means what I think it means then this should be:

sAMAccountName

5) LDAP user filter

To find users the simplest search is:

(&(objectClass=user)(objectCategory=person))

6) LDAP e-mail attribute

Nice and easy:

mail

7) LDAP user dn

Something to authenticate with. If you had an account called "svc-ldap" (much like I do) in AD, and that was in an OU you created called "Service Accounts" this value would be:

CN=svc-ldap,OU=Service Accounts,DC=domain,DC=com

8) LDAP password

The password for the account above.

HTH

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24826425
I keep getting an error saying that the user account to authenticate is invalid.

My user account is called 2701. It's in the "Users" folder on AD.

We only have the basic containers, no sub groups or organization units... none of that stuff.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24826531

Is that the one you're using for the LDAP User DN?

If so, you'd use this value:

CN=2701,CN=Users,DC=domain,DC=com

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24826617
Still says:

"Binding to LDAP server failed with specified user/password."

I know for a fact my username and password are correct. What could I be doing wrong?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24826637

This is before it presents a logon screen? Or during logon?

The 2701 value above, that's what you see in AD Users and Computers (in the main view, not in the account's properties)?

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24826695
Yes, 2701 is my user ID. Same login I use across our Windows Network.

And no, phpBB is not prompting me to log in. The second I click Submit to try and save the settings you gave me it immediately gives me that error.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 24826728

The name seen in the list in AD Users and Computers doesn't have to be the user name you use to log on.

For instance, my user name is "dentc", but I appear in the list in AD Users and Computers as "Chris Dent". The distinction is important: the second value makes up the Distinguished Name, the thing it's chasing. If I were to bind with my own user account that would make the Bind DN into "CN=Chris Dent,DC=Users,DC=domain,DC=com", rather than using the user name.

Of course, all of this depends on what the code behind is doing, so don't be afraid to try these formats:

yourdomain\username
username
username@domain.com

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24826775
Ok, I get it.

Now we're making progress, but now am getting a new error:

"Could not connect to LDAP server."

All of my settings are correct. I changed my CN to Ryan Conard, not 2701 and that got me past the first error that said "unknown user" or whatever.

Any thoughts?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24826806

Odd, wonder how it managed to check the username and password without talking to the server.

What did you put in the LDAP server box? If you put a name, let's change it to an IP address (for one of your DCs). That takes any potential problems in DNS out of the loop.

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24826815
Ok, I made some changes.

1) Removed the port number.
2) Removed the filter.


Now I get this error:

"Could not find a login identity for Ryan Conard."
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24827027

Rather an obscure message.

I'm not very good with PHP, but it kind of looks like it's trying to find the user. Is this when you're saving the LDAP settings?

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827039
Yes, it happens when I try to save the settings.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 24827081

Okay, so it builds a filter like this:

(sAMAccountName=<WhateverValue>)

sAMAccountName comes from the uid entry (which is good).

I suspect it's trying to do this:

(sAMAccountName=Ryan Conard)

Which will fail, which is down to our conversation above about the differences between the CN= bit and the user name.

So...

Could you create a new user and set the name to be the same as the user name? That way we can do:

CN=LdapUser,CN=Users,DC=domain,DC=com

And it can try and find "LdapUser" with "(sAMAccountName=LdapUser)" which will also work.

Chris
0
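As an added example (not phpBB's own code and not something posted in this thread), the following Python model shows how the settings discussed above turn into a bind DN and a login-lookup filter, and why the lookup fails when the login name differs from the CN. The directory entries are constructed, the filter evaluator is a stand-in for the real server, and the login value is escaped per RFC 4515 so a typed name cannot alter the filter's structure.

```python
import re

# Added example, not phpBB's code: models how the phpBB LDAP settings
# discussed in this thread become a bind DN and a user-lookup filter.

def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name must not change the filter's shape."""
    specials = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)

def build_login_filter(uid_attr, login, user_filter=''):
    """Search for the login value in the configured uid attribute, ANDed with the
    optional user filter, e.g. (&(sAMAccountName=2701)(&(objectClass=user)...))."""
    term = '(%s=%s)' % (uid_attr, escape_filter_value(login))
    return '(&%s%s)' % (term, user_filter) if user_filter else term

def bind_dn(cn, container, base_dn):
    """The 'LDAP user dn' is built from the CN shown in AD Users and Computers,
    not from the logon name (sAMAccountName)."""
    return 'CN=%s,%s,%s' % (cn, container, base_dn)

# Constructed directory: CN and sAMAccountName differ, as in the thread.
DIRECTORY = [
    {'cn': 'Ryan Conard', 'sAMAccountName': '2701', 'displayName': 'Ryan Conard',
     'objectClass': 'user', 'objectCategory': 'person'},
    {'cn': 'ldapauth', 'sAMAccountName': 'ldapauth', 'displayName': 'ldapauth',
     'objectClass': 'user', 'objectCategory': 'person'},
]

def find_identity(ldap_filter, directory=DIRECTORY):
    """Evaluate an equality-only AND filter over the constructed entries.
    Returns the single matching entry, or None (the 'Could not find a login
    identity' condition). A real LDAP server does this matching itself."""
    pairs = re.findall(r'\((\w+)=([^()]*)\)', ldap_filter)
    hits = [e for e in directory if all(e.get(a) == v for a, v in pairs)]
    return hits[0] if len(hits) == 1 else None

USER_FILTER = '(&(objectClass=user)(objectCategory=person))'

if __name__ == '__main__':
    print(bind_dn('Ryan Conard', 'CN=Users', 'DC=domain,DC=com'))
    # The logon name matches sAMAccountName; the CN does not.
    print(find_identity(build_login_filter('sAMAccountName', '2701', USER_FILTER)))
    print(find_identity(build_login_filter('sAMAccountName', 'Ryan Conard', USER_FILTER)))
    # Switching the uid attribute to displayName lets the full name log in instead.
    print(find_identity(build_login_filter('displayName', 'Ryan Conard', USER_FILTER)))
```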
 
LVL 3

Author Comment

by:rmconard
ID: 24827172
Ok, did that. I created a user called "ldapauth" and set the first name to "ldapauth" as well, with no last name. So the name should be the same no matter what method it's trying to use.

I still get the same error:

"Could not find a login identity for Ryan Conard."

Even though I changed the CN thing to ldapauth.

Now I'm completely confused. You're more than welcome to see for yourself, if you'd like I can hook you up with admin access to the forums. PM me for the login info.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24827201

Hmm perhaps it's trying to match up existing users (in phpBB) to accounts in AD?

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827211
It could be. Let me change my phpBB name from Ryan Conard to 2701, maybe then it will find me. Hold on.
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827302
Well, seems like I just screwed myself.

I changed my admin name from Ryan Conard to 2701. Once I did that I was successfully able to save the LDAP settings. Then I logged out of everything and logged into the board using my AD username and password and it worked perfectly.

Then I went to go log back into the Admin Panel and it says I don't have access. Why... I don't know? Only thing I can think of is that my forum password and AD password are different. It will not accept the password I originally set for my admin login on the forums, only my AD password.

Using my AD password it lets me login, but only as a regular user.

I can easily reload phpBB, I'm not worried about that. But I foresee a problem in the near future every time I do this.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24827317

That's not too helpful. There must be a way around that.

Can you log in with any other account from AD? Or can you edit the phpBB database? I would imagine it's possible to give your account its administrative rights back again with direct access to the data behind.

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827385
Never mind, I fixed it.

I simply reset my AD password to match my phpBB password... (duh?)

Thank you for all your help, Chris. I have one final question though.

The way I want the phpBB forums set up is to show a person's username as their actual name. For example, my company employee ID # is 2701. That's my Windows Network login name; my actual name in the Active Directory is Ryan Conard.

When I sign into phpBB using 2701 and my AD password, it works fine, which is exactly how we want it. But phpBB is then showing my username as 2701 and NOT Ryan Conard.

How can I change this? Is it a matter of changing LDAP to look for different information off of the AD?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 24827476

It's tricky, user names should only really be unique attributes. You could potentially change the "uid" attribute in the LDAP configuration of phpBB to CN or name, or even displayName. The trouble is, without them being enforced unique you may run into bother if you have even a remotely large AD domain, it scales badly.

The only other attribute which may be better, and is enforced unique is "userPrincipalName". That's the other user name you see under the Profile tab in AD Users and Computers (looks like an e-mail address). However, that may suffer from exactly the same problem as the current username.

If you have Exchange then the mail field is also loosely enforced unique. It's a possibility if nothing else :)

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827491
How would I set phpBB to authenticate using the employee ID (like it is), but to display the displayName property?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24827506

That I don't know I'm afraid. I've never actually used phpBB, only dug into the source code earlier to try and see what it was up to with that error message.

AD and LDAP are more my thing, when you've seen a few hundred of these LDAP settings you've seen them all :)

Chris
0
 
LVL 3

Author Comment

by:rmconard
ID: 24827549
I got it!

I changed sAMAccountName to displayName and it works! I can log in using my full name and password from the AD, so can other users.

Thanks for all your help Chris!

-Ryan
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24827555

You're welcome :)

Chris
0
 
LVL 3

Author Closing Comment

by:rmconard
ID: 31602144
Problem resolved. It took a while, but all of the information Chris-Dent provided me allowed me to set up my phpBB to use LDAP. Thanks!
0
 

Expert Comment

by:tdiddy78
ID: 26025401
rmconard -

I'm having the same exact issue as you in the thread above.  I'm able to get phpBB 3.0.5 up and running with LDAP authentication against Active Directory, so end users can log in with their userid/password.  However when logged in, only their userid is shown and I'd like to reference the Active Directory's displayName.

You said you were able to do this by simply switching sAMAccountName to displayName under the LDAP UID section in the client authentication section in phpBB's Admin Control Panel.

However when I tried this, I run into the same issue of "Could not find login identity for" my service account.

If you can provide some of the additional steps that you took, I'd appreciate it.  My only issue is that another team provides the system administration so I don't have direct access to Active Directory.

If anyone else can assist, I'd appreciate it. In short, I'm looking to conduct LDAP Active Directory based authentication in phpBB so that when an end user logs in with their userid, their displayName is shown throughout the forum.
0
 

Expert Comment

by:bxglxbxglx2000
ID: 33132847

Dear Chris-Dent and rmconard
Please help me here:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/phpBB/Q_26306009.html

Thank you very much!!!
0
