How do I set up LDAP Authentication on phpBB 3.0.5?

We just recently installed a new phpBB forum system to allow for interoffice communication.

Although I do consider myself an IT professional, I'm a little embarrassed to say that I have had NO experience working with LDAP. I do have AD experience, but only from within the AD server itself using the built-in MS "Active Directory Users and Computers" program.

Anyway, for those of you who are not familiar with phpBB, here is the information it wants from me.

1) LDAP server name
2) LDAP server port
3) LDAP base dn
4) LDAP uid
5) LDAP user filter
6) LDAP e-mail attribute
7) LDAP user dn
8) LDAP password

The name of our network is HEARUSA. Our AD is located on the domain controller, which is 10.1.0.10 (or HEARUSADC3). The user ID that is going to control this is "2701".

My question is simple. What do I need to give phpBB to let it authenticate through our AD?

Let me know what else I can give to get a solution. Thank you!
Asked by rmconard

Chris Dent (PowerShell Developer) commented:

Hey :)

1) LDAP server name

This one will be one of your Domain Controllers, or just your domain name which, if you run "nslookup domain.com", gives you the IP addresses for each of your domain controllers.

2) LDAP server port

389

Can't be changed with AD so this is a safe bet. It's the default LDAP port.

3) LDAP base dn

The point in the directory you want to search from. If your AD domain was called "domain.com" it would be "DC=domain,DC=com".

If you wish to be more restrictive you can. For example, the default Users folder in AD would need you to use "CN=Users,DC=domain,DC=com". Or an OU could be set with "OU=SomeOU,DC=domain,DC=com".

4) LDAP uid

If it means what I think it means then this should be:

sAMAccountName

5) LDAP user filter

To find users the simplest search is:

(&(objectClass=user)(objectCategory=person))

6) LDAP e-mail attribute

Nice and easy:

mail

7) LDAP user dn

Something to authenticate with. If you had an account called "svc-ldap" (much like I do) in AD, and that was in an OU you created called "Service Accounts" this value would be:

CN=svc-ldap,OU=Service Accounts,DC=domain,DC=com

8) LDAP password

The password for the account above.

HTH

Chris
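Chris's DN answers above, worked as code. This is an added example written for this thread, not phpBB's code and not anything from the asker's environment: it derives the base DN from the AD DNS name, builds the user (bind) DN for an object in a container or OU, and escapes the characters RFC 4514 reserves inside DN values, which matters as soon as a CN contains a comma (AD names of the form "Last, First" are common). "domain.com", "svc-ldap" and the container names are the hypothetical values from the answer; the NetBIOS-name rule in `bind_identities` is an assumption and is marked as such.

```python
"""Build the DN values phpBB asks for (base DN, user DN) from an AD domain name.

Added example for this thread, not phpBB code. 'domain.com', 'svc-ldap' and the
container names are the hypothetical values used in the answer above.
"""
from typing import Dict, Sequence, Tuple

# Characters RFC 4514 requires to be backslash-escaped anywhere in a DN value.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value (the part after 'CN=' or 'OU=') for use in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                  # '#' is reserved only at the start
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def base_dn(domain: str) -> str:
    """'domain.com' -> 'DC=domain,DC=com': one DC= component per DNS label."""
    labels = [label for label in domain.strip('.').split('.') if label]
    if not labels:
        raise ValueError('empty domain name')
    return ','.join(f'DC={escape_dn_value(label)}' for label in labels)


def object_dn(domain: str, cn: str,
              path: Sequence[Tuple[str, str]] = (('CN', 'Users'),)) -> str:
    """DN of the object whose *name* (the CN shown in AD Users and Computers) is `cn`.

    `path` lists the containers from the object upwards as (type, name) pairs;
    the default is the built-in Users container, which is a CN= container, not an OU.
    """
    rdns = [f'CN={escape_dn_value(cn)}']
    rdns += [f'{kind}={escape_dn_value(name)}' for kind, name in path]
    return ','.join(rdns) + ',' + base_dn(domain)


def bind_identities(domain: str, sam_account_name: str, dn: str) -> Dict[str, str]:
    """The three identity forms AD accepts for a simple bind.

    Assumption: the NetBIOS domain name equals the first DNS label, upper-cased.
    That is the common default but is not guaranteed; check it in AD before relying on it.
    """
    netbios = domain.split('.')[0].upper()
    return {
        'dn': dn,                                        # CN=...,DC=domain,DC=com
        'down_level': f'{netbios}\\{sam_account_name}',  # DOMAIN\user
        'upn': f'{sam_account_name}@{domain}',           # user@domain.com
    }


if __name__ == '__main__':
    print(base_dn('domain.com'))
    print(object_dn('domain.com', 'svc-ldap', [('OU', 'Service Accounts')]))
    print(object_dn('domain.com', '2701'))
    print(object_dn('domain.com', 'Conard, Ryan'))   # the comma must be escaped
    print(bind_identities('domain.com', '2701', object_dn('domain.com', '2701')))
```

Two caveats a practitioner would add to the settings above. The account named in "LDAP user dn" needs only read access to the user objects under the base DN, so give it nothing more: phpBB keeps its password in the forum's own configuration. And port 389 is plain LDAP, so a simple bind sends that password in clear on the wire unless StartTLS is negotiated; AD also listens on 636 (LDAPS) and on 3268/3269 for the global catalog, and 636 is the better choice wherever the phpBB host can reach it.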
rmconard (Author) commented:
I keep getting an error saying that the user account to authenticate is invalid.

My user account is called 2701. It's in the "Users" folder on AD.

We only have the basic containers, no sub groups or organization units... none of that stuff.
Chris Dent (PowerShell Developer) commented:

Is that the one you're using for the LDAP User DN?

If so, you'd use this value:

CN=2701,CN=Users,DC=domain,DC=com

Chris
rmconard (Author) commented:
Still says:

"Binding to LDAP server failed with specified user/password."

I know for a fact my username and password are correct. What could I be doing wrong?
Chris Dent (PowerShell Developer) commented:

This is before it presents a logon screen? Or during logon?

The 2701 value above, that's what you see in AD Users and Computers (in the main view, not in the accounts properties)?

Chris
rmconard (Author) commented:
Yes, 2701 is my user ID. Same login I use across our Windows Network.

And no, phpBB is not prompting me to log in. The second I click Submit to try and save the settings you gave me it immediately gives me that error.
Chris Dent (PowerShell Developer) commented:

The name seen in the list in AD Users and Computers doesn't have to be the user name you use to log on.

For instance, my user name is "dentc", but I appear in the list in AD Users and Computers as "Chris Dent". The distinction is important: the second value makes up the Distinguished Name, the thing it's chasing. If I were to bind with my own user account that would make the Bind DN into "CN=Chris Dent,DC=Users,DC=domain,DC=com", rather than using the user name.

Of course, all of this depends on what the code behind is doing, so don't be afraid to try these formats:

yourdomain\username
username
username@domain.com

Chris
rmconard (Author) commented:
Ok, I get it.

Now we're making progress, but now am getting a new error:

"Could not connect to LDAP server."

All of my settings are correct. I changed my CN to Ryan Conard, not 2701 and that got me past the first error that said "unknown user" or whatever.

Any thoughts?
Chris Dent (PowerShell Developer) commented:

Odd, I wonder how it managed to check the username and password without talking to the server.

What did you put in the LDAP server box? If you put a name, let's change it to an IP address (for one of your DCs). That takes any potential problems in DNS out of the loop.

Chris
rmconard (Author) commented:
Ok, I made some changes.

1) Removed the port number.
2) Removed the filter.


Now I get this error:

"Could not find a login identity for Ryan Conard."
Chris Dent (PowerShell Developer) commented:

Rather an obscure message.

I'm not very good with PHP, but it kind of looks like it's trying to find the user. Is this when you're saving the LDAP settings?

Chris
rmconard (Author) commented:
Yes, it happens when I try to save the settings.
Chris Dent (PowerShell Developer) commented:

Okay, so it builds a filter like this:

(sAMAccountName=<WhateverValue>)

sAMAccountName comes from the uid entry (which is good).

I suspect it's trying to do this:

(sAMAccountName=Ryan Conard)

Which will fail, which is down to our conversation above about the differences between the CN= bit and the user name.

So...

Could you create a new user and set the name to be the same as the user name? That way we can do:

CN=LdapUser,CN=Users,DC=domain,DC=com

And it can try and find "LdapUser" with "(sAMAccountName=LdapUser)" which will also work.

Chris
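The filter Chris describes, reconstructed as an added example (modelled on his description, not phpBB's own code). The "LDAP uid" attribute becomes the left side of the assertion, the name phpBB is validating becomes the right side (in this thread that was the admin's own forum username at save time, which is why the save only succeeded once it was changed to 2701; at login it is the name typed into the form), and the optional "LDAP user filter" is AND-ed on. The value is escaped per RFC 4515 so a crafted name can only ever match literally; `unescaped_login_filter` is included only to show what a missing escape would let a login name do to the query. Attribute names and user names are the ones from the thread.

```python
"""Rebuild the search filter phpBB derives from the 'LDAP uid' setting and a user name.

Added example modelled on the description above, not phpBB's own code. It shows why
'(sAMAccountName=Ryan Conard)' finds nothing while '(sAMAccountName=2701)' does, and
why the value must be escaped (RFC 4515) before it goes into the filter.
"""

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}

# The 'LDAP user filter' suggested in the first answer of this thread.
DEFAULT_USER_FILTER = '(&(objectClass=user)(objectCategory=person))'


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever match literally."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _check_attribute(attr: str) -> None:
    # The attribute name comes from the admin-only settings page, but validate it
    # anyway: a real attribute name never contains filter syntax characters.
    if not attr or any(ch in attr for ch in '=()*\\ '):
        raise ValueError(f'not a valid attribute name: {attr!r}')


def _compose(uid_attr: str, value: str, user_filter: str) -> str:
    """'(uid_attr=value)', wrapped in an AND with user_filter when one is configured."""
    _check_attribute(uid_attr)
    f = f'({uid_attr}={value})'
    extra = user_filter.strip()
    if extra:
        if not (extra.startswith('(') and extra.endswith(')')):
            extra = f'({extra})'       # tolerate a filter typed without outer parentheses
        f = f'(&{f}{extra})'
    return f


def login_filter(uid_attr: str, username: str, user_filter: str = '') -> str:
    """Safe form: the user-supplied name is escaped before it enters the filter.

    uid_attr is the 'LDAP uid' setting; username is what phpBB is validating.
    """
    return _compose(uid_attr, escape_filter_value(username), user_filter)


def unescaped_login_filter(uid_attr: str, username: str, user_filter: str = '') -> str:
    """Deliberately insecure variant, kept only to show what escaping prevents."""
    return _compose(uid_attr, username, user_filter)


if __name__ == '__main__':
    # The thread's failure: the CN / display name is not the logon name.
    print(login_filter('sAMAccountName', 'Ryan Conard'))   # matches no one
    print(login_filter('sAMAccountName', '2701'))          # matches the account
    print(login_filter('displayName', 'Ryan Conard', DEFAULT_USER_FILTER))
    # A crafted login name. Escaped, it stays one literal assertion that matches
    # nothing; unescaped inside the AND, it becomes a wildcard that matches every
    # person object, so the lookup no longer identifies a single user.
    crafted = '*)(objectClass=*'
    print(login_filter('sAMAccountName', crafted, DEFAULT_USER_FILTER))
    print(unescaped_login_filter('sAMAccountName', crafted, DEFAULT_USER_FILTER))
```

Whether the installed phpBB release escapes the name itself is something to confirm in its own `auth/auth_ldap.php` rather than assume; the contrast above is there to show what the check is worth. It also makes the error in the thread concrete: with uid set to sAMAccountName, the lookup for the forum name "Ryan Conard" is a perfectly valid filter that simply matches no object, because the logon name is 2701.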
rmconard (Author) commented:
Ok, did that. I created a user called "ldapauth" and set the first name to "ldapauth" as well, with no last name. So the name should be the same no matter what method it's trying to use.

I still get the same error:

"Could not find a login identity for Ryan Conard."

Even though I changed the CN thing to ldapauth.

Now I'm completely confused. You're more than welcome to see for yourself, if you'd like I can hook you up with admin access to the forums. PM me for the login info.
Chris Dent (PowerShell Developer) commented:

Hmm perhaps it's trying to match up existing users (in phpBB) to accounts in AD?

Chris
rmconard (Author) commented:
It could be. Let me change my phpBB name from Ryan Conard to 2701, maybe then it will find me. Hold on.
rmconard (Author) commented:
Well, seems like I just screwed myself.

I changed my admin name from Ryan Conard to 2701. Once I did that I was successfully able to save the LDAP settings. Then I logged out of everything and logged into the board using my AD username and password and it worked perfectly.

Then I went to go log back into the Admin Panel and it says I don't have access. Why, I don't know. The only thing I can think of is that my forum password and AD password are different. It will not accept the password I originally set for my admin login on the forums, only my AD password.

Using my AD password it lets me login, but only as a regular user.

I can easily reload phpBB, I'm not worried about that. But I foresee a problem in the near future every time I do this.
Chris Dent (PowerShell Developer) commented:

That's not too helpful. There must be a way around that.

Can you log in with any other account from AD? Or can you edit the phpBB database? I would imagine it's possible to give your account its administrative rights back again with direct access to the data behind.

Chris
rmconard (Author) commented:
Never mind, I fixed it.

I simply reset my AD password to match my phpBB password... (duh?)

Thank you for all your help, Chris. I have one final question though.

The way I want the phpBB forums set up is to show a person's username as their actual name. For example, my company employee ID # is 2701. That's my Windows Network login name; my actual name in the Active Directory is Ryan Conard.

When I sign into phpBB using 2701 and my AD password, it works fine, which is exactly how we want it. But phpBB is then showing my username as 2701 and NOT Ryan Conard.

How can I change this? Is it a matter of changing LDAP to look for different information off of the AD?
Chris Dent (PowerShell Developer) commented:

It's tricky, user names should only really be unique attributes. You could potentially change the "uid" attribute in the LDAP configuration of phpBB to CN or name, or even displayName. The trouble is, without them being enforced unique you may run into bother if you have even a remotely large AD domain, it scales badly.

The only other attribute which may be better, and is enforced unique is "userPrincipalName". That's the other user name you see under the Profile tab in AD Users and Computers (looks like an e-mail address). However, that may suffer from exactly the same problem as the current username.

If you have Exchange then the mail field is also loosely enforced unique. It's a possibility if nothing else :)

Chris
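Chris's uniqueness point, turned into a check you can run before changing the "LDAP uid" setting. This is an added example, not phpBB code, and the sample entries are constructed (the duplicate "Jane Smith" is there to show the failure). AD enforces uniqueness for sAMAccountName and userPrincipalName; displayName, cn/name and mail are free text, so two accounts can carry the same value and a login lookup through them becomes ambiguous. The comparison is case-insensitive because that is how AD matches these string attributes.

```python
"""Audit which AD attribute can serve as phpBB's 'LDAP uid' (the login identity).

Added example with constructed data, not phpBB code. AD enforces uniqueness for
sAMAccountName and userPrincipalName; displayName, cn/name and mail are free text,
so two accounts can carry the same value and a login lookup becomes ambiguous.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence

# Constructed sample of a user export; not real accounts. The two 'Jane Smith'
# entries differ only in case, which AD's string matching ignores.
SAMPLE_USERS = [
    {'sAMAccountName': '2701', 'displayName': 'Ryan Conard',
     'userPrincipalName': '2701@domain.com', 'mail': 'rconard@domain.com'},
    {'sAMAccountName': 'ldapauth', 'displayName': 'ldapauth',
     'userPrincipalName': 'ldapauth@domain.com', 'mail': ''},
    {'sAMAccountName': '3102', 'displayName': 'Jane Smith',
     'userPrincipalName': '3102@domain.com', 'mail': 'jsmith@domain.com'},
    {'sAMAccountName': '3119', 'displayName': 'jane smith',
     'userPrincipalName': '3119@domain.com', 'mail': 'jsmith2@domain.com'},
]

CANDIDATES = ('sAMAccountName', 'userPrincipalName', 'displayName', 'mail')


def _norm(value: str) -> str:
    """AD compares these string attributes case-insensitively; mirror that."""
    return value.strip().casefold()


def lookup(users: Iterable[Dict[str, str]], attr: str, value: str) -> List[str]:
    """sAMAccountNames whose `attr` equals `value`.

    A login through `attr` is only safe when this returns exactly one account.
    """
    want = _norm(value)
    return [u['sAMAccountName'] for u in users if u.get(attr) and _norm(u[attr]) == want]


def duplicates(users: Iterable[Dict[str, str]], attr: str) -> Dict[str, List[str]]:
    """Values of `attr` shared by more than one account, keyed by normalised value."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for u in users:
        if u.get(attr):
            seen[_norm(u[attr])].append(u['sAMAccountName'])
    return {v: accts for v, accts in seen.items() if len(accts) > 1}


def missing(users: Iterable[Dict[str, str]], attr: str) -> List[str]:
    """Accounts with no value for `attr`: they could never log in through it."""
    return [u['sAMAccountName'] for u in users if not u.get(attr)]


def safe_uid_attributes(users: Sequence[Dict[str, str]],
                        candidates: Sequence[str] = CANDIDATES) -> List[str]:
    """Candidates that are populated for every account and unique across the export."""
    return [a for a in candidates if not duplicates(users, a) and not missing(users, a)]


if __name__ == '__main__':
    print(lookup(SAMPLE_USERS, 'sAMAccountName', 'Ryan Conard'))   # []: the thread's error
    print(lookup(SAMPLE_USERS, 'sAMAccountName', '2701'))          # ['2701']
    print(lookup(SAMPLE_USERS, 'displayName', 'Jane Smith'))       # ['3102', '3119']: ambiguous
    print(duplicates(SAMPLE_USERS, 'displayName'))
    print(missing(SAMPLE_USERS, 'mail'))                           # ['ldapauth']
    print(safe_uid_attributes(SAMPLE_USERS))                       # ['sAMAccountName', 'userPrincipalName']
```

On a real domain the input would come from an export of the user objects, for example `Get-ADUser -Filter * -Properties displayName,userPrincipalName,mail` from the ActiveDirectory PowerShell module, fed in as the same list of dictionaries. Whatever attribute is chosen, remember from the thread that phpBB resolves the admin's own forum name through it when the settings are saved, so that account must be findable through the new attribute too.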
rmconard (Author) commented:
How would I set phpBB to authenticate using the employee ID (like it is), but to display the displayName property?
Chris Dent (PowerShell Developer) commented:

That I don't know, I'm afraid. I've never actually used phpBB, only dug into the source code earlier to try and see what it was up to with that error message.

AD and LDAP are more my thing, when you've seen a few hundred of these LDAP settings you've seen them all :)

Chris
rmconard (Author) commented:
I got it!

I changed sAMAccountName to displayName and it works! I can log in using my full name and password from the AD, so can other users.

Thanks for all your help Chris!

-Ryan
Chris Dent (PowerShell Developer) commented:

You're welcome :)

Chris
rmconard (Author) commented:
Problem resolved. It took a while, but all of the information Chris-Dent provided me allowed me to set up my phpBB to use LDAP. Thanks!
tdiddy78 commented:
rmconard -

I'm having the same exact issue as you in the thread above.  I'm able to get phpBB 3.0.5 up and running with LDAP authentication against Active Directory, so end users can log in with their userid/password.  However when logged in, only their userid is shown and I'd like to reference the Active Directory's displayName.

You said you were able to do this by simply switching sAMAccountName to displayName under the LDAP UID section in the client authentication section in phpBB's Admin Control Panel.

However when I tried this, I run into the same issue of "Could not find login identity for" my service account.

If you can provide some of the additional steps that you took, I'd appreciate it.  My only issue is that another team provides the system administration so I don't have direct access to Active Directory.

If anyone else can assist, I'd appreciate it.  In short, I'm looking to conduct LDAP Active Directory based authentication in phpBB so that when a end user logs in with their userid, their displayName is shown through out the forum.
bxglxbxglx2000 commented:

Dear Chris-Dent and rmconard
Please help me here:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/phpBB/Q_26306009.html

Thank you much!!!