In our March 2005 issue, we saw how to set up online forums
using phpBB on PCQLinux 2005. In this article, we'll explore ways to install
and configure LDAP (Lightweight Directory Access Protocol) mod on an already
running phpBB forum. The mechanism explained is OS independent and would work
fine on any OS that can run phpBB.
LDAP
Organizations use a single server for authentication across various
intranet applications such as e-mail, defect registers and ticket-logging
systems. Most often, this server uses LDAP (Lightweight Directory Access
Protocol) authentication. phpBB, by default, creates its own user and password
database. To make phpBB use LDAP authentication instead, you need the 'LDAP
Auth MOD (phpBB)', available at http://sourceforge.net/projects/ldapauthmod/.
Enabling LDAP will let you authenticate users against a
Windows ADS domain or using Samba/LDAP on Linux.
Configuring PHP
LDAP support in PHP is not enabled by default. You will need to use the
'--with-ldap[=DIR]' configuration option when compiling PHP to enable LDAP
support, where DIR is the LDAP base install directory. For Windows users, to
enable this module, copy files from the DLL folder of the PHP/Win32 binary
package to the SYSTEM folder of your Windows machine (c:\windows\system32),
as follows. If you are running a PHP version up to 4.2.0, copy only
'libsasl.dll' to the Windows system32 folder. For PHP 4.3.0 and above you
need to copy both 'libeay32.dll' and 'ssleay32.dll' to this folder. Then edit
php.ini and uncomment the line below.
extension = php_ldap.so (or php_ldap.dll for Windows)
Also, make sure that 'extension_dir' is set to the directory where the
extension files are actually present.
Installing LDAP mod
Extract the file (downloaded from Sourceforge) to a directory of your
choice. This mod comes with files that can be copied over the original ones,
but a manual installation of the mod is highly recommended. 'Install.txt'
explains manual installation in a lucid way. Before applying the patch, follow
the good old practice of backing up the current installation. Also, make sure
that you have created an admin account in phpBB with the same name as in LDAP,
or you will not have admin access.
After this, simply apply the patch as explained in 'install.txt'.
The document uses the following conventions.
---< OPEN >---
Open the file to be edited.
---< FIND >---
around line xxx
Find the code near line number xxx, in or around which the
modification or addition needs to be made. Note that this line number
might not always be exact, depending on the version of phpBB you are using. So,
it is better to search for the code in the file than to rely on the line number.
---< AFTER, ADD >---
after the lines found, add .
---< REPLACE WITH>---
replace the code found previously by
A couple of other conspicuous labels are used, which are
easily understandable. After editing 17 files, a couple of files, namely
functions_ldap.php and functions_ldap_groups.php, have to be copied to the
'includes' directory in the phpBB installation.
Also, one has to connect to MySQL/MS SQL/other database
(whichever is used as the forum database) and run about 20 SQL queries. These
queries, essentially, add LDAP-specific fields to the database. The phpBB code
has already been modified in the previous steps to use these fields.
It should be noted that the mod's installation guide
shows you how to modify only the default template, SubSilver. If you are using
any other custom template, make sure that you make similar changes in that
template as well.
Configuring LDAP Mod
Manual installation of the mod is tedious and takes half an hour.
Before making your forum available to the public, it is a good idea to get
LDAPCheck.php (available with the mod) running. This is a small PHP script,
which connects to the LDAP server you specify and searches for a specific user.
If everything goes fine, it displays all the details related to that user.
After installing the mod, log in as admin to the forums (do
not use the LDAP password yet). Go to Admin Panel > General Admin >
Configuration > Authentication Setting. Set Authentication mode to LDAP; LDAP
host name to your server name; LDAP port to 389 (or whatever is used by your
server).
Often, the LDAP server that you will want to connect to
would contain user-related information of several divisions/locations of your
organization. For performance and security reasons, you might like only a few
specific users to be authenticated for using phpBB forums.
In such cases, you should specify the Base DN (base Distinguished
Name) of the LDAP directory server. To identify the actual values, an LDAP
client like GQ or LDAP Browser from Softerra (http://www.softerra.com/products/ldapbrowser.php)
should be used.
You should also fill in the remaining fields, namely the LDAP User ID Field
(the LDAP property/field that you want to use as your forum user names,
default = 'uid'), the LDAP property/field containing user e-mail addresses,
the LDAP property/field containing user website addresses, etc., based on the
actual fields used on the LDAP server.
Once all these settings are saved, you can use LDAP
usernames and passwords for logging on to the forums.
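To show how the host, port, Base DN and user ID field fit together in an LDAP login, here is an added PHP sketch of a search-then-bind check; it is not the mod's code or its LDAPCheck.php. The host, Base DN, the 'mail' attribute and the function name are assumptions, the server is assumed to allow anonymous search and StartTLS, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example: search-then-bind login check. All constants are placeholders.
const LDAP_URI   = 'ldap://ldap.example.com:389'; // assumption: your LDAP host/port
const BASE_DN    = 'ou=Forum,dc=example,dc=com';  // assumption: subtree allowed to log in
const UID_FIELD  = 'uid';                         // the "LDAP User ID Field"
const MAIL_FIELD = 'mail';                        // assumption: e-mail attribute

/** Returns ['dn' => ..., 'mail' => ...] on success, null on any failure. */
function ldap_forum_login(string $username, string $password): ?array
{
    // A bind with an empty password is an unauthenticated bind, which some
    // servers accept as success; reject it before contacting the directory.
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    try {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // Port 389 is cleartext: upgrade with StartTLS before any password is sent.
        if (!@ldap_start_tls($conn)) {
            return null;
        }
        // Escape the user-supplied name so it cannot change the search filter.
        $filter = sprintf('(%s=%s)', UID_FIELD,
            ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        // Anonymous search limited to BASE_DN; entries elsewhere never match.
        $result = @ldap_search($conn, BASE_DN, $filter, [UID_FIELD, MAIL_FIELD]);
        if ($result === false) {
            return null;
        }
        $entries = ldap_get_entries($conn, $result);
        // Require exactly one match; zero or several means no login.
        if ($entries === false || $entries['count'] !== 1) {
            return null;
        }
        $dn = $entries[0]['dn'];
        // The actual credential check: bind as the entry that was found.
        if (!@ldap_bind($conn, $dn, $password)) {
            return null;
        }
        return ['dn' => $dn, 'mail' => $entries[0][MAIL_FIELD][0] ?? null];
    } finally {
        ldap_unbind($conn);
    }
}
```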
Sandeep Gupta