RLPVT Posted April 1, 2009 Posted April 1, 2009 is there any place to find documentation on using LDAP configuration on Active Directory? I need to more a Board in to a global set up using our authorizations in the Active Directory. If I cannot use this then it kills the platform for us. Is this documented anywhere? I cannot find it and this this should documented somewhere. If I missed it, please point me in the right direction Thanks
[O-CuK]Marci Posted May 7, 2009 Posted May 7, 2009 S'doable, and works. Am authenticating my forums against Active Directory without issue. AFAIK it's in the "General Documentation" pdf that you can get by clicking "Support" link in AdminCP. There doesn't appear to be any way to setup a mapping between AD Groups and IPB Groups builtin tho... which would be damn useful imo. We're using IPB in a school so it'd be bliss to set it up to detect a member of the AD "Student" group and set them as a regular member in IPB, but to set everyone in the "Teachers" AD Group to automatically be a moderator. Am writing some php to handle this tho in a separate routine.
[O-CuK]Marci Posted May 7, 2009 Posted May 7, 2009 Sorry - s'not in "General Documentation" pdf, it's in the Developer Documentation, page 50.
RLPVT Posted May 7, 2009 Author Posted May 7, 2009 Thanks and I also have another question. Has anyone ever thought of using this application for workflow? I think this software could easily be modifed for workflow controls.
bfarber Posted May 7, 2009 Posted May 7, 2009 For the record, I've done modifications to map AD groups to IPB groups - it's relatively simple to be honest. In IPB 3, for instance... In the conf.php file add something like the following $LOGIN_CONF['ldap_group_map'] = array( 'group1' => 3, 'group2' => 3, // Extend as needed The first config value will tell IPB which field in LDAP contains the "group id". The second is an array that maps the returned value to a group id in IPB. You will need to change these values accordingly. At the end of the file find and change to This is, again, the field in your AD that has the group membership information. Then in auth.php where you see 'members_display_name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 'password' => $password, 'email' => $this->fields[$this->ldap_config['ldap_email_field']][0] ? $this->fields[$this->ldap_config['ldap_email_field']][0] : $email_address, ) ) ); could change it to something like 'members_display_name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, 'password' => $password, 'email' => $this->fields[$this->ldap_config['ldap_email_field']][0] ? $this->fields[$this->ldap_config['ldap_email_field']][0] : $email_address, // ADDED THIS 'member_group_id' => $this->ldap_config['ldap_group_map'][ $this->fields[$this->ldap_config['ldap_group_id']][0] ], ) ) ); This is just an example and may need tweaking for your situation, but I've used something similar in the past without issue. You can use the additional_fields to pull other fields and then modify auth.php to do something with those as well (one example was, for a store using LDAP, I've modified it to check an "employment status" field to ensure that only active employees could access the forums). :)$LOGIN_CONF['ldap_group_id'] = 'ldapGroupCol'; $LOGIN_CONF['additional_fields'] = '';$LOGIN_CONF['additional_fields'] = 'ldapGroupCol'; $this->member_data = $this->createLocalMember( array( 'members' => array( 'name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username, $this->member_data = $this->createLocalMember( array( 'members' => array( 'name' => $this->fields[$this->ldap_config['ldap_display_name']][0] ? $this->fields[$this->ldap_config['ldap_display_name']][0] : $username,
RLPVT Posted May 7, 2009 Author Posted May 7, 2009 BFarber: What about that last question? Have you guys ever though of using this for workflow? I am replacing a workflow process in our unit which I think you are even familar with CVG. ;-) I think this tool could be modified very easily to be used for that. Any thoughts ?
bfarber Posted May 8, 2009 Posted May 8, 2009 I'm afraid I'm not familiar with the workflow you speak of.
[O-CuK]Marci Posted May 8, 2009 Posted May 8, 2009 Brandon, you're a star... have just finished integrating your login API into my current (very bodgy) LDAP portal thingy and looking into the group mapping was my next step. You've just saved me a world of digging thru code...! From an educational standpoint, I know more or less every school in the UK uses AD, and at the moment they're fairly limited to what they can use that's of decent quality. Most are using Moodle to handle forum and blogging requirements but only as a perk - main use is as their VLE... but it's nowhere near as advanced as IPB when it comes to the social networking aspect. It does however provide a simple form to allow one to map ldap fields to their userdatabase fields to cover the initial profile setup, which I think is the main bit lacking in IPB and could do with being included in a standard IPB Release... builds the displayname up from givenName and sn fields returned from AD via LDAP, email from mail field etc so the user doesn't need to be prompted for any info on new account creation for an auth'd user. At the moment I'm using the following to get my info from AD via LDAP (but aiming it at GlobalCatalog port... 3268... rather than the regular LDAP port - dunno if that makes a difference to the array content) within my own portal thang... the AD fields populate the $info array... I can see things becoming complex where I have AD members with multiple group memberships - how easy/difficult would it be to get these to map as secondary group memberships in IPB? Stumbling block... I don't see that anywhere in /sources/loginauth/ldap/auth.php under IPB2.3.6... or am I looking in the wrong auth.php (???)For the record, I've done modifications to map AD groups to IPB groups - it's relatively simple to be honest.... *snip* for ($i=0; $i<$info["count"]; $i++) { $_SESSION['name'] = $info[$i]["name"][0]; $_SESSION['givenname'] = $info[$i]["givenname"][0]; $_SESSION['sn'] = $info[$i]["sn"][0]; if ($info[$i]["displayname"][0] == '') { $_SESSION['displayname'] = $_SESSION['name']; } else { $_SESSION['displayname'] = $info[$i]["displayname"][0]; } $_SESSION['town'] = $info[$i]["l"][0]; $_SESSION['country'] = $info[$i]["c"][0]; $_SESSION['email'] = $info[$i]["mail"][0]; $_SESSION['uniqueid'] = $info[$i]["telephonenumber"][0]; $_SESSION['description'] = $info[$i]["description"][0]; $datearray = str_split($info[$i]["whencreated"][0]); $_SESSION['created'] = ''.$datearray[3].'/'.$datearray[2].'/'.$datearray[0].$datearray[1].' @ '.$datearray[4].':'.$datearray[5].''; unset($datearray); $datearray = str_split($info[$i]["whenchanged"][0]); $_SESSION['changed'] = ''.$datearray[3].'/'.$datearray[2].'/'.$datearray[0].$datearray[1].' @ '.$datearray[4].':'.$datearray[5].''; unset($datearray); $_SESSION['dn'] = $info[$i]["distinguishedname"][0]; foreach ($info[$i]["memberof"] as $groups) { if ($groups == 'CN=HOR Teaching Staff,'.$groupbase.'') {unset ($_SESSION['isstudent']);$_SESSION['teacher']=1;} if ($groups == 'CN=HOR pdadmin,'.$groupbase.'') {$_SESSION['pdadmin']='Y';} if ($groups == 'CN=HOR PSOAdmin,'.$groupbase.'') {$_SESSION['psoadmin']='Y';} if ($groups == 'CN=HOR ITtechTeam,'.$groupbase.'') {$_SESSION['itteam']='Y';} if ($groups == 'CN=HOR ICT Teachers,'.$groupbase.'') {$_SESSION['ictteacher']='Y';} if ($groups == 'CN=HOR Web Administrators,'.$groupbase.'') {$_SESSION['webadmin']='Y';} if ($groups == 'CN=HOR Non-Teaching Staff,'.$groupbase.'') {$_SESSION['nonteach']='Y';} if ($groups == 'CN=HOR Students,'.$groupbase.'') { unset($_SESSION['teacher']); $_SESSION['isstudent']=1; $dnchunks=explode(",",$_SESSION['dn']); if ($dnchunks[1]=='OU='.$yr7.''){$_SESSION['year']=7;} elseif ($dnchunks[1]=='OU='.$yr6.''){$_SESSION['year']=6;} elseif ($dnchunks[1]=='OU='.$yr8.''){$_SESSION['year']=8;} elseif ($dnchunks[1]=='OU='.$yr9.''){$_SESSION['year']=9;} elseif ($dnchunks[1]=='OU='.$yr10.''){$_SESSION['year']=10;} elseif ($dnchunks[1]=='OU='.$yr11.''){$_SESSION['year']=11;} elseif ($dnchunks[1]=='OU='.$yr12.''){$_SESSION['year']=12;} } (Everything's session based as 90% of staff n' students don't know the meaning of the words "log out"... but they do seem to manage to remember to close their browser... which will inevitably lead to my next mission of making our install of IPB session based rather than cookie *cringe*) Just reglancing over your code above using mine for field refs.... $LOGIN_CONF['ldap_group_id'] = 'memberof'; $LOGIN_CONF['ldap_group_map'] = array( 'CN=HOR Web Administrators,'.$groupbase.'' => 4, 'CN=HOR Students,'.$groupbase.'' => 3, // Extend as needed 'memberof' field returns the fqdn for each group, hence the 'CN={THE GROUP},{BASEDN}' fudge. 4 being admin in IPB, 3 being member. Change $LOGIN_CONF['additional_fields'] = ''; to $LOGIN_CONF['additional_fields'] = 'memberof';Then in auth.php where you see
bfarber Posted May 9, 2009 Posted May 9, 2009 Oh, I was looking at 3.0 when I posted that. Unfortunately 2.3 requires an additional modification. In 2.3.6 you'll see something like Change to Then you have to modify loginauth/login_core.php to accept the group id And to pass it to the internal method And then the internal method needs to accept it And then of course store it in the db Really we're starting to veer off course here. As you can see, it's much easier to do this in 3.x. ;)$this->create_local_member( $username, $password, $email );$this->create_local_member( $username, $password, $email, $this->ldap_config['ldap_group_map'][ $this->fields[$this->ldap_config['ldap_group_id']][0] ] );function create_local_member( $username, $password, $email_address='', $group_id=0 )$member = $this->_create_local_member( $username, $md_5_password, $email_address, $group_id );function _create_local_member( $username, $md5_password, $email_address='', $joined='', $ip_address='', $group_id=0 )'mgroup' => $group_id ? $group_id : $this->ipsclass->vars['member_group'],
Strike X Posted May 9, 2009 Posted May 9, 2009 bfarber: that is very cool that it's much easier to do this in 3.x :) But wouldn't it be cool if it can be done via ACP? :shifty:
bfarber Posted May 11, 2009 Posted May 11, 2009 [quote name='Shahid-Hussain' date='09 May 2009 - 05:13 AM' timestamp='1241860398' post='1800627'] bfarber: that is very cool that it's much easier to do this in 3.x :) But wouldn't it be cool if it can be done via ACP? :shifty: Problem is, everyone has different requirements. Easy enough to add group support in I suppose (though it would take a bit of work to make it ACP-configurable), but then someone will ask for secondary groups. Then custom profile fields. Then profile settings. Never ends.
aturner Posted July 16, 2010 Posted July 16, 2010 Sorry to bring up a really old topic, but I'm stuck on how you can implement those additional LDAP fields into custom fields in IPB. I've managed to import an additional field from LDAP such as telephoneNumber into the standard email field for an IPB member, but I'm not sure how it can be implemented into custom fields such as Skype etc. All I am missing is the syntax for the auth.php file as you listed in your post bfarber. For instance, adding this line: Allows me to place the number into the Title field of the user's profile, but I need to know how to edit this so I can place said number into one of the custom fields. 'title' => $this->fields[$this->ldap_config['ldap_telephone']][0] ? $this->fields[$this->ldap_config['ldap_telephone']][0] : $title,
bfarber Posted July 16, 2010 Posted July 16, 2010 You should change the call to send the data directly to IPSMember::save (which is all $this->createLocalMember() is doing), however this isn't really a help forum - it's a feedback/feature request forum. If you need help coding for the software or modifying the code, you should post in our peer to peer forum here: http://community.invisionpower.com/forum/310-product-modifications/
Recommended Posts
Archived
This topic is now archived and is closed to further replies.