rmconard asked:

How do I set up LDAP Authentication on phpBB 3.0.5?

We just recently installed a new phpBB forum system to allow for interoffice communication.

Although I do consider myself an IT professional, I'm a little embarrassed to say that I have had NO experience working with LDAP. I do have AD experience, but only from within the AD server itself using the built-in MS "Active Directory Users and Computers" program.

Anyway, for those of you who are not familiar with phpBB, here is the information it wants from me.

1) LDAP server name
2) LDAP server port
3) LDAP base dn
4) LDAP uid
5) LDAP user filter
6) LDAP e-mail attribute
7) LDAP user dn
8) LDAP password

The name of our network is HEARUSA. Our AD is located on the domain controller, which is 10.1.0.10 (or HEARUSADC3). The user ID that is going to control this is "2701".

My question is simple. What do I need to give phpBB to let it authenticate through our AD?

Let me know what else I can give to get a solution. Thank you!
ASKER CERTIFIED SOLUTION
Chris Dent
This solution is only available to members.
rmconard (ASKER)

I keep getting an error saying that the user account to authenticate is invalid.

My user account is called 2701. It's in the "Users" folder on AD.

We only have the basic containers, no sub groups or organization units... none of that stuff.

Is that the one you're using for the LDAP User DN?

If so, you'd use this value:

CN=2701,CN=Users,DC=domain,DC=com

Chris

Still says:

"Binding to LDAP server failed with specified user/password."

I know for a fact my username and password are correct. What could I be doing wrong?

This is before it presents a logon screen? Or during logon?

The 2701 value above, that's what you see in AD Users and Computers (in the main view, not in the accounts properties)?

Chris

Yes, 2701 is my user ID. Same login I use across our Windows Network.

And no, phpBB is not prompting me to log in. The second I click Submit to try and save the settings you gave me it immediately gives me that error.
SOLUTION
This solution is only available to members.
Ok, I get it.

Now we're making progress, but now am getting a new error:

"Could not connect to LDAP server."

All of my settings are correct. I changed my CN to Ryan Conard, not 2701 and that got me past the first error that said "unknown user" or whatever.

Any thoughts?

Odd, I wonder how it managed to check the username and password without talking to the server.

What did you put in the LDAP server box? If you put a name, let's change it to an IP address (for one of your DCs). That takes any potential problems in DNS out of the loop.

Chris

Ok, I made some changes.

1) Removed the port number.
2) Removed the filter.


Now I get this error:

"Could not find a login identity for Ryan Conard."

Rather an obscure message.

I'm not very good with PHP, but it kind of looks like it's trying to find the user. Is this when you're saving the LDAP settings?

Chris

Yes, it happens when I try to save the settings.
SOLUTION
This solution is only available to members.
Ok, did that. I created a user called "ldapauth" and set the first name to "ldapauth" as well, with no last name. So the name should be the same no matter what method it's trying to use.

I still get the same error:

"Could not find a login identity for Ryan Conard."

Even though I changed the CN thing to ldapauth.

Now I'm completely confused. You're more than welcome to see for yourself, if you'd like I can hook you up with admin access to the forums. PM me for the login info.

Hmm, perhaps it's trying to match up existing users (in phpBB) to accounts in AD?

Chris

It could be. Let me change my phpBB name from Ryan Conard to 2701, maybe then it will find me. Hold on.

Well, seems like I just screwed myself.

I changed my admin name from Ryan Conard to 2701. Once I did that I was successfully able to save the LDAP settings. Then I logged out of everything and logged into the board using my AD username and password and it worked perfectly.

Then I went to go log back into the Admin Panel and it says I don't have access. Why... I don't know? Only thing I can think of is that my forum password and AD password are different. It will not accept the password I originally set for my admin login on the forums, only my AD password.

Using my AD password it lets me login, but only as a regular user.

I can easily reload phpBB, I'm not worried about that. But I foresee a problem in the near future every time I do this.

That's not too helpful. There must be a way around that.

Can you log in with any other account from AD? Or can you edit the phpBB database? I would imagine it's possible to give your account its administrative rights back again with direct access to the data behind.

Chris

Never mind, I fixed it.

I simply reset my AD password to match my phpBB password... (duh?)

Thank you for all your help, Chris. I have one final question though.

The way I want the phpBB forums set up is to show a person's username as their actual name. For example, my company employee ID # is 2701. That's my Windows Network login name; my actual name in the Active Directory is Ryan Conard.

When I sign into phpBB using 2701 and my AD password, it works fine, which is exactly how we want it. But phpBB is then showing my username as 2701 and NOT Ryan Conard.

How can I change this? Is it a matter of changing LDAP to look for different information off of the AD?
SOLUTION
This solution is only available to members.
How would I set phpBB to authenticate using the employee ID (like it is), but to display the displayName property?

That I don't know, I'm afraid. I've never actually used phpBB, only dug into the source code earlier to try and see what it was up to with that error message.

AD and LDAP are more my thing, when you've seen a few hundred of these LDAP settings you've seen them all :)

Chris

I got it!

I changed sAMAccountName to displayName and it works! I can log in using my full name and password from the AD, so can other users.

Thanks for all your help Chris!

-Ryan

You're welcome :)

Chris

Problem resolved. It took a while, but all of the information Chris-Dent provided me allowed me to set up my phpBB to use LDAP. Thanks!
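
A small Python model of the lookup this thread converged on, added here as an illustration (not phpBB's code, and not written by either poster). It assumes the settings check searches the directory for the current board username under the configured LDAP uid attribute; the directory entries, including the second "Ryan Conard" in `OU=Sales`, are constructed, and every function name is hypothetical.

```python
# Constructed sample entries; DC=domain,DC=com is the placeholder suffix
# used in the thread. Not real directory data.
DIRECTORY = [
    {"dn": "CN=Ryan Conard,CN=Users,DC=domain,DC=com",
     "sAMAccountName": "2701", "displayName": "Ryan Conard"},
    {"dn": "CN=ldapauth,CN=Users,DC=domain,DC=com",
     "sAMAccountName": "ldapauth", "displayName": "ldapauth"},
    # Hypothetical second person with the same display name. AD keeps
    # sAMAccountName unique per domain but does not do so for displayName.
    {"dn": "CN=Ryan Conard,OU=Sales,DC=domain,DC=com",
     "sAMAccountName": "3105", "displayName": "Ryan Conard"},
]

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(uid_attr, username, extra_filter=""):
    """Search filter selecting the entry whose uid attribute equals username."""
    base = "(%s=%s)" % (uid_attr, escape_filter_value(username))
    return "(&%s%s)" % (base, extra_filter) if extra_filter else base

def find_identities(uid_attr, username):
    """DNs of entries whose uid attribute matches (case-insensitive, as in AD)."""
    wanted = username.lower()
    return [e["dn"] for e in DIRECTORY if e.get(uid_attr, "").lower() == wanted]

def check_settings(uid_attr, board_username):
    """Model of the save-time check: the board user must exist in the directory."""
    hits = find_identities(uid_attr, board_username)
    if not hits:
        return "Could not find a login identity for %s." % board_username
    if len(hits) > 1:
        # Ambiguity check added in this model; it is not a phpBB message.
        return "ambiguous: %d entries match %s" % (len(hits), board_username)
    return "ok: " + hits[0]

if __name__ == "__main__":
    # Board user "Ryan Conard" with uid=sAMAccountName: the error from the thread.
    print(check_settings("sAMAccountName", "Ryan Conard"))
    # Board user renamed to 2701: the lookup succeeds and returns the bind-style DN.
    print(check_settings("sAMAccountName", "2701"))
    # uid switched to displayName: found, but two constructed accounts share it.
    print(check_settings("displayName", "Ryan Conard"))
    print(build_user_filter("displayName", "Conard (Ryan)*"))
```

Note that the DN returned for `2701` starts with `CN=Ryan Conard`, which is why `CN=2701,CN=Users,...` failed to bind earlier in the thread. In the constructed data, switching the uid attribute to `displayName` makes two accounts match one login name.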

rmconard -

I'm having the same exact issue as you in the thread above.  I'm able to get phpBB 3.0.5 up and running with LDAP authentication against Active Directory, so end users can log in with their userid/password.  However when logged in, only their userid is shown and I'd like to reference the Active Directory's displayName.

You said you were able to do this by simply switching sAMAccountName to displayName under the LDAP UID section in the client authentication section in phpBB's Admin Control Panel.

However when I tried this, I run into the same issue of "Could not find login identity for" my service account.

If you can provide some of the additional steps that you took, I'd appreciate it.  My only issue is that another team provides the system administration so I don't have direct access to Active Directory.

If anyone else can assist, I'd appreciate it.  In short, I'm looking to conduct LDAP Active Directory based authentication in phpBB so that when an end user logs in with their userid, their displayName is shown throughout the forum.

bxglxbxglx2000

Dear Chris-Dent and rmconard
Please help me here:

https://www.experts-exchange.com/questions/26306009/How-to-fix-PHPBB-connect-to-LDAP-AD-on-Win2003.html

Thank you much!!!