LDAP Mod for phpBB Forums

Use Lightweight Directory Access Protocol (LDAP) to authenticate users on phpBB forums, from the same authentication server as used for other applications

Thursday, June 02, 2005

In our March 2005 issue, we saw how to set up online forums using phpBB on PCQLinux 2005. In this article, we'll explore ways to install and configure LDAP (Lightweight Directory Access Protocol) mod on an already running phpBB forum. The mechanism explained is OS independent and would work fine on any OS that can run phpBB.

LDAP
Organizations use single server for authentication purposes for various intranet applications such as e-mail, defect registers and ticket-logging system. Most often, this server uses LDAP (Lightweight Directory Access Protocol) authentication. phpBB, by default, creates its own user and password database. If one wants phpBB to use LDAP authentication, one has to use 'LDAP Auth MOD (phpBB)' available at http://sourceforge.net/projects/ldapauthmod/. 

Enabling LDAP will let you authenticate users against a Windows ADS domain on using Samba/LDAP on Linux.

Configuring php
LDAP support in PHP is not enabled by default. You will need to use the '--with-ldap[=DIR]' configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory. For Windows users, to enable this module, copy files from the DLL folder of the php/Win32 binary package to the SYSTEM folder of your Windows machine ( c:\windows\system32). Next you need to copy some files as follows. If you are running a PHP version up to 4.2.0, copy only 'libsasl.dll' to the Windows system 32 folder. For PHP 4.3.0 and above you need to copy both 'libeay.dll' and 'ssleay32.dll' to this folder. Then you need to edit php.ini to uncomment the line below.

extension = php_ldap.so (or php_ldap.dll for windows)

Also, `extension_dir' is set to a directory where the extension files are actually present.

Installing LDAP mod
Extract the file (downloaded from  Sourceforge) to a directory of your choice. This mod comes with files that need to be replaced over original ones but a manual installation of the mod is highly recommended. 'Install.txt' explains manual installation in a lucid way. Before applying the patch, follow the good old practice of backing up the current installation. Also, make sure that you have created an admin account in phpBB with the same name as in LDAP or you will not have admin access.

After installing the LDAP mod in your phpBB server you can authenticate users through your Windows 2000 machine

After this, simply apply the patch as explained in 'install.txt'. The document uses the following conventions.

---[ OPEN ]---

[file name]       

Open the file to be edited.

---[ FIND ]---

around line [xxx]

[code]

This would find the line number xxx, in/around which modifications/addition needs to be done. It must be noted that this line number might not always be exact, depending on the version of phpBB you are using. So, a better idea is to search for the code in the file rather than the line number.

---[ AFTER, ADD ]---

[code]

after the lines found, add [code].

---[ REPLACE WITH]---

[code]

replace the code found previously by [code]

A couple of other conspicuous labels are used, which are easily understandable. After editing 17 files, a couple of files, namely functions_ldap.php and functions_ldap_ groups.php, have to be copied to 'includes' directory in phpBB installation.

Also, one has to connect to MySQL/MS SQL/other database (whichever is used as the forum database) and run about 20 SQL queries. These queries, essentially, add LDAP specific fields in the database.  phpBB code has already been modified in previous steps to use these fields.

It should be noted that the mod's installation guide shows you how to modify only the default template-SubSilver. If you are using any other custom template, make sure that you do similar changes in that template as well.

Configuring LDAP Mod
Manual installation of the mod is tedious and takes  half an hour. Before, making your forum available to the public, it is a good idea to get LDAPCheck.php (available with the mod) running. This is a small php script, which connects to the LDAP server you specify and searches for a specific user. If everything goes fine, it displays all the details related to that user.

After installing the mod, login as admin to the forums (do not use LDAP password, yet). Go to Admin Panel>General Admin> Configuration>Authentication Setting. Set Authentication mode to LDAP; LDAP host name to your server name; LDAP port to 389 (or whatever is used by your server).

Often, the LDAP server that you will want to connect to would contain user-related information of several divisions/locations of your organization. For performance and security reasons, you might like only a few specific users to be authenticated for using phpBB forums.

In such cases, you should specify Base DN (Base Directory Name) of the LDAP directory server. To identify the actual values, an LDAP client like GQ or LDAP Browser from Softerra (http://www.softerra.com/products/ldapbrowser.php) should be used.

One should also fill fields, namely, LDAP User ID Field (LDAP property/field that you want to use as your forum user names, default = 'uid'); LDAP property/field containing user e-mail addresses; LDAP property/field containing user website addresses, etc based on actual fields used on the LDAP server. 

Once all these settings are saved, you can use LDAP usernames and passwords for logging on to the forums.

Sandeep Gupta

Page(s)   1