Jump to content

LDAP / Active Directory 3.0 questions


Recommended Posts

is there any place to find documentation on using LDAP configuration on Active Directory? I need to more a Board in to a global set up using our authorizations in the Active Directory. If I cannot use this then it kills the platform for us.

Is this documented anywhere? I cannot find it and this this should documented somewhere. If I missed it, please point me in the right direction


Link to comment
Share on other sites

  • 1 month later...

S'doable, and works. Am authenticating my forums against Active Directory without issue. AFAIK it's in the "General Documentation" pdf that you can get by clicking "Support" link in AdminCP. There doesn't appear to be any way to setup a mapping between AD Groups and IPB Groups builtin tho... which would be damn useful imo. We're using IPB in a school so it'd be bliss to set it up to detect a member of the AD "Student" group and set them as a regular member in IPB, but to set everyone in the "Teachers" AD Group to automatically be a moderator. Am writing some php to handle this tho in a separate routine.

Link to comment
Share on other sites

For the record, I've done modifications to map AD groups to IPB groups - it's relatively simple to be honest.

In IPB 3, for instance...

In the conf.php file add something like the following

$LOGIN_CONF['ldap_group_map'] = array( 'group1' => 3, 'group2' => 3, // Extend as needed

The first config value will tell IPB which field in LDAP contains the "group id". The second is an array that maps the returned value to a group id in IPB. You will need to change these values accordingly.

At the end of the file find

and change to

This is, again, the field in your AD that has the group membership information.

Then in auth.php where you see

'members_display_name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 'password' => $password, 'email' => $this->fields[$this->ldap_config['ldap_email_field']][0] ? $this->fields[$this->ldap_config['ldap_email_field']][0] : $email_address, ) ) );

could change it to something like

'members_display_name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 'password' => $password, 'email' => $this->fields[$this->ldap_config['ldap_email_field']][0] ? $this->fields[$this->ldap_config['ldap_email_field']][0] : $email_address, // ADDED THIS 'member_group_id' => $this->ldap_config['ldap_group_map'][ $this->fields[$this->ldap_config['ldap_group_id']][0] ], ) ) );

This is just an example and may need tweaking for your situation, but I've used something similar in the past without issue. You can use the additional_fields to pull other fields and then modify auth.php to do something with those as well (one example was, for a store using LDAP, I've modified it to check an "employment status" field to ensure that only active employees could access the forums). :)

$LOGIN_CONF['ldap_group_id']            = 'ldapGroupCol';

$LOGIN_CONF['additional_fields'] = '';
$LOGIN_CONF['additional_fields'] = 'ldapGroupCol';
                    $this->member_data = $this->createLocalMember( array( 'members' => array( 'name'                 => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 

                    $this->member_data = $this->createLocalMember( array( 'members' => array( 'name'                 => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 

Link to comment
Share on other sites


What about that last question? Have you guys ever though of using this for workflow? I am replacing a workflow process in our unit which I think you are even familar with CVG. ;-)

I think this tool could be modified very easily to be used for that.

Any thoughts ?

Link to comment
Share on other sites

Brandon, you're a star... have just finished integrating your login API into my current (very bodgy) LDAP portal thingy and looking into the group mapping was my next step. You've just saved me a world of digging thru code...!

From an educational standpoint, I know more or less every school in the UK uses AD, and at the moment they're fairly limited to what they can use that's of decent quality. Most are using Moodle to handle forum and blogging requirements but only as a perk - main use is as their VLE... but it's nowhere near as advanced as IPB when it comes to the social networking aspect.

It does however provide a simple form to allow one to map ldap fields to their userdatabase fields to cover the initial profile setup, which I think is the main bit lacking in IPB and could do with being included in a standard IPB Release... builds the displayname up from givenName and sn fields returned from AD via LDAP, email from mail field etc so the user doesn't need to be prompted for any info on new account creation for an auth'd user.

At the moment I'm using the following to get my info from AD via LDAP (but aiming it at GlobalCatalog port... 3268... rather than the regular LDAP port - dunno if that makes a difference to the array content) within my own portal thang... the AD fields populate the $info array...

I can see things becoming complex where I have AD members with multiple group memberships - how easy/difficult would it be to get these to map as secondary group memberships in IPB?

Stumbling block...

I don't see that anywhere in /sources/loginauth/ldap/auth.php under IPB2.3.6... or am I looking in the wrong auth.php (???)

For the record, I've done modifications to map AD groups to IPB groups - it's relatively simple to be honest.... *snip*

          for ($i=0; $i<$info["count"]; $i++) {

             $_SESSION['name'] = $info[$i]["name"][0];

             $_SESSION['givenname'] = $info[$i]["givenname"][0];

             $_SESSION['sn'] = $info[$i]["sn"][0];

             if ($info[$i]["displayname"][0] == '') {

              $_SESSION['displayname'] = $_SESSION['name'];

              } else {

              $_SESSION['displayname'] = $info[$i]["displayname"][0];


             $_SESSION['town'] = $info[$i]["l"][0];

             $_SESSION['country'] = $info[$i]["c"][0];

             $_SESSION['email'] = $info[$i]["mail"][0];

             $_SESSION['uniqueid'] = $info[$i]["telephonenumber"][0];

             $_SESSION['description'] = $info[$i]["description"][0];

             $datearray = str_split($info[$i]["whencreated"][0]);

             $_SESSION['created'] = ''.$datearray[3].'/'.$datearray[2].'/'.$datearray[0].$datearray[1].' @ '.$datearray[4].':'.$datearray[5].'';


             $datearray = str_split($info[$i]["whenchanged"][0]);

             $_SESSION['changed'] = ''.$datearray[3].'/'.$datearray[2].'/'.$datearray[0].$datearray[1].' @ '.$datearray[4].':'.$datearray[5].'';


             $_SESSION['dn'] = $info[$i]["distinguishedname"][0];

             foreach ($info[$i]["memberof"] as $groups) {

                     if ($groups == 'CN=HOR Teaching Staff,'.$groupbase.'') {unset ($_SESSION['isstudent']);$_SESSION['teacher']=1;}

                  if ($groups == 'CN=HOR pdadmin,'.$groupbase.'') {$_SESSION['pdadmin']='Y';}

                  if ($groups == 'CN=HOR PSOAdmin,'.$groupbase.'') {$_SESSION['psoadmin']='Y';}

                  if ($groups == 'CN=HOR ITtechTeam,'.$groupbase.'') {$_SESSION['itteam']='Y';}

                  if ($groups == 'CN=HOR ICT Teachers,'.$groupbase.'') {$_SESSION['ictteacher']='Y';}

                  if ($groups == 'CN=HOR Web Administrators,'.$groupbase.'') {$_SESSION['webadmin']='Y';}

                  if ($groups == 'CN=HOR Non-Teaching Staff,'.$groupbase.'') {$_SESSION['nonteach']='Y';}

                  if ($groups == 'CN=HOR Students,'.$groupbase.'') 





         if ($dnchunks[1]=='OU='.$yr7.''){$_SESSION['year']=7;}

                           elseif ($dnchunks[1]=='OU='.$yr6.''){$_SESSION['year']=6;}

                           elseif ($dnchunks[1]=='OU='.$yr8.''){$_SESSION['year']=8;}

                           elseif ($dnchunks[1]=='OU='.$yr9.''){$_SESSION['year']=9;}

                           elseif ($dnchunks[1]=='OU='.$yr10.''){$_SESSION['year']=10;}

                           elseif ($dnchunks[1]=='OU='.$yr11.''){$_SESSION['year']=11;}

                           elseif ($dnchunks[1]=='OU='.$yr12.''){$_SESSION['year']=12;}



 (Everything's session based as 90% of staff n' students don't know the meaning of the words "log out"... but they do seem to manage to remember to close their browser... which will inevitably lead to my next mission of making our install of IPB session based rather than cookie *cringe*)

    Just reglancing over your code above using mine for field refs....


        $LOGIN_CONF['ldap_group_id']            = 'memberof';

          $LOGIN_CONF['ldap_group_map'] = array(

          'CN=HOR Web Administrators,'.$groupbase.'' => 4,

          'CN=HOR Students,'.$groupbase.'' => 3,

          // Extend as needed

    'memberof' field returns the fqdn for each group, hence the 'CN={THE GROUP},{BASEDN}' fudge. 4 being admin in IPB, 3 being member.



        $LOGIN_CONF['additional_fields'] = '';



        $LOGIN_CONF['additional_fields'] = 'memberof';

Then in auth.php where you see

Link to comment
Share on other sites

Oh, I was looking at 3.0 when I posted that. Unfortunately 2.3 requires an additional modification.

In 2.3.6 you'll see something like

Change to

Then you have to modify loginauth/login_core.php to accept the group id

And to pass it to the internal method

And then the internal method needs to accept it

And then of course store it in the db

Really we're starting to veer off course here. As you can see, it's much easier to do this in 3.x. ;)

$this->create_local_member( $username, $password, $email );
$this->create_local_member( $username, $password, $email, $this->ldap_config['ldap_group_map'][ $this->fields[$this->ldap_config['ldap_group_id']][0] ] );
function create_local_member( $username, $password, $email_address='', $group_id=0 )
$member = $this->_create_local_member( $username, $md_5_password, $email_address, $group_id );
function _create_local_member( $username, $md5_password, $email_address='', $joined='', $ip_address='', $group_id=0 )
'mgroup'                 => $group_id ? $group_id : $this->ipsclass->vars['member_group'],
Link to comment
Share on other sites

[quote name='Shahid-Hussain' date='09 May 2009 - 05:13 AM' timestamp='1241860398' post='1800627']

that is very cool that it's much easier to do this in 3.x :)

But wouldn't it be cool if it can be done via ACP? :shifty:

Problem is, everyone has different requirements. Easy enough to add group support in I suppose (though it would take a bit of work to make it ACP-configurable), but then someone will ask for secondary groups. Then custom profile fields. Then profile settings. Never ends.

Link to comment
Share on other sites

  • 1 year later...

Sorry to bring up a really old topic, but I'm stuck on how you can implement those additional LDAP fields into custom fields in IPB.

I've managed to import an additional field from LDAP such as telephoneNumber into the standard email field for an IPB member, but I'm not sure how it can be implemented into custom fields such as Skype etc.

All I am missing is the syntax for the auth.php file as you listed in your post bfarber.

For instance, adding this line:

Allows me to place the number into the Title field of the user's profile, but I need to know how to edit this so I can place said number into one of the custom fields.

		 'title'               => $this->fields[$this->ldap_config['ldap_telephone']][0] ? $this->fields[$this->ldap_config['ldap_telephone']][0] : $title,
Link to comment
Share on other sites

You should change the call to send the data directly to IPSMember::save (which is all $this->createLocalMember() is doing), however this isn't really a help forum - it's a feedback/feature request forum. If you need help coding for the software or modifying the code, you should post in our peer to peer forum here: http://community.invisionpower.com/forum/310-product-modifications/

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...