Basic LDAP support in phpBB on a corporate network

I love phpBB and wanted to use it on our intranet to facilitate knowledge sharing between departments.

Getting phpBB up and running on a spare PC (powered by xampp) was easy, but to make it useful in a corporate environment you need to be able to log in with Active Directory accounts, and that wasn’t quite as easy, at least not for me, having had no previous LDAP experience.

One thing I need to point out before you get your hopes up too much is that, at the time of writing, the LDAP support in phpBB 3 is fairly basic: users can log in with their AD credentials (phpBB creates a local forum profile for them on first login), but registering through the forum will not create accounts in AD, and AD groups can’t be mapped to phpBB groups. The latter is a real issue for me since we want to use AD groups to manage access, and without that we need to do a lot of manual admin on the phpBB side. However, as a first step to integrating phpBB into your corporate network this will do the trick.

But without further ado, this is what I did to make it work:

Firstly, you need an LDAP service account. This is an account that you will probably need to ask your local neighbourhood IT department to set up (I did anyway). It is an ordinary domain account that phpBB binds with as a proxy to look users up before validating their credentials, so it only needs read access to the directory; don’t give it any more than that, and don’t reuse a password from anywhere else, because phpBB stores this password unencrypted in its config table. They should know what it is….

Let’s say, for simplicity, that this account’s details are as follows:
username (sAMAccountName): phpbb_ldap_service
password: pa55w0rd
email / userPrincipalName: phpbb_ldap_service@company.domain.com

We also need the details of our LDAP server, and in this article we’ll take those to be
hq-ldap.company.domain.com
serving LDAP requests on port 389 (the standard LDAP port; 636 is the port for LDAP over TLS)

I will now assume that you have set up phpBB and have it running. You will also need PHP’s LDAP extension enabled. I was running this on xampp under Windows and had to:
– Enable LDAP in php.ini (uncomment the line that loads the ldap extension)
– Copy libsasl.dll from the xampp/php folder to the xampp/apache/bin folder and restart Apache

At this point I set up my forum to not require any admin approval for new users (with LDAP authentication a new user is simply a colleague logging in with their AD account for the first time), and I also set it up so that new users could start posting immediately; I trust my colleagues…

Furthermore I registered a new user in phpBB with the exact details of the service account, i.e.:
username: phpbb_ldap_service@company.domain.com
password: pa55w0rd

This is very important! The phpBB account must match the service account for all of this to work: when you switch the authentication method, phpBB looks up the account you are currently logged in as through the new method, using the uid attribute configured below, and refuses the change if it cannot find it.

NOTE: I’ve used the email address here, not the user name, because I want to let users log in with their unique email addresses later. You can choose this (as you will see below); it was a requirement for me, your preferences might vary.

Now log in as a forum admin and give our service account user admin rights too. This too is very important, because once LDAP authentication is switched on the original local admin account can no longer log in. Be aware of what it means, though: anyone who learns the service account password (which sits unencrypted in phpBB’s config table) now has forum admin rights as well, so the safer choice is to give your own AD account admin rights and do the switch logged in as that, or to take admin rights away from the service account once your own AD account has them.

Now log in using the service account that you’ve just granted admin rights and go to the ACP’s “Authentication” page (under General, Client communication), where you set up phpBB to use LDAP and connect to the server for authentication.

Set it up as follows:

Authentication method: ldap
LDAP server name: hq-ldap.company.domain.com
LDAP server port: 389
LDAP base DN: DC=company,DC=domain,DC=com
LDAP uid: see below for how to populate this
LDAP user DN: ditto, more about this below
LDAP password: pa55w0rd

(Fields not mentioned above can be left blank or default.) One caveat: over plain LDAP on port 389 every user’s AD password crosses the network in clear text on each login. phpBB passes the server name straight to PHP’s ldap_connect(), which accepts an ldaps:// URI, so if your domain controllers offer LDAPS use ldaps://hq-ldap.company.domain.com as the server name and 636 as the port.

The LDAP uid field is where you specify which attribute of a user’s AD record is matched against the name typed at the login form for authentication. sAMAccountName and userPrincipalName are both standard Active Directory attributes (AD-specific rather than generic LDAP ones), and most examples you will find use “samaccountname”, which holds the network user name: for Joe Bloggs to log in he would use his network user name, for example jbloggs.
However, I wanted to use the email address and not the login name, so I had to dig around in our AD to find out which attribute held it. In my case the field I chose for LDAP uid was “userprincipalname”, which is where the user’s email address was mapped to in our AD setup. Note that the UPN is always of the form user@domain but does not have to equal the mailbox address; the address itself lives in the “mail” attribute, so check with your IT people or look at a few accounts with an LDAP tool before deciding which of the two to use.

The user DN is the distinguished name that identifies the service account in your AD structure; it is what phpBB binds with before searching for the user. It is sort of like a path name for the account (of the shape CN=<account>,OU=<container>,DC=company,DC=domain,DC=com), and quite frankly the many examples I could find when I googled it confused matters more than anything, so I recommend you either determine it using an LDAP tool or, again, just ask somebody in your IT department…. Active Directory also accepts a simple bind with the account’s userPrincipalName (phpbb_ldap_service@company.domain.com) in place of the full DN, which saves working the path out at all.

Once those fields are filled in and correct you hit submit, and phpBB should present you with a nice green message box telling you that all is well….

Subsequently you can log in with your email and network password, simple!

What could go wrong?
Lots of things, and the lack of helpful error messages from phpBB makes it a frustrating task to determine the root cause.
What I would say, though, is that if it doesn’t work you should firstly go back and check that you’ve got the right server, port, user DN, service account, password… all of those things, because it is easy to trip over them.
Get an LDAP tool like Apache Directory Studio (an Eclipse-based LDAP browser) and test your assumptions (is that user DN really the right path to my service account? does the uid attribute hold the value I expect?).
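As an added example (not phpBB’s own code and not part of the original post), the following PHP script replays the three steps phpBB’s LDAP plugin performs on every login: bind as the service account, search for the user by the configured uid attribute, then bind as that user with the password from the login form. Run from the command line it checks each ACP setting above in turn and prints the real LDAP error text that phpBB hides. It assumes PHP 7 or later with the ldap extension (the same one enabled in php.ini above), uses the article’s example host, base DN and service account, and binds the service account by its userPrincipalName, which Active Directory accepts in place of a full DN; the login name jbloggs@company.domain.com is a made-up default.

```php
<?php
// Added diagnostic script; not part of phpBB or of the original post.
// Replays the bind -> search -> user-bind sequence phpBB's LDAP plugin performs
// on a login so each ACP setting can be verified outside the forum.
// Needs PHP 7+ with the ldap extension. Host, account and password values are
// the article's examples; the bind identity uses the UPN form, which Active
// Directory accepts for a simple bind instead of a full DN.
//
// Usage: php ldap-check.php <login name> [password]

$ldapUri         = 'ldap://hq-ldap.company.domain.com:389'; // prefer ldaps://...:636 if the DC offers it
$baseDn          = 'DC=company,DC=domain,DC=com';           // ACP "LDAP base DN"
$uidAttribute    = 'userprincipalname';                     // ACP "LDAP uid" (or samaccountname)
$serviceBind     = 'phpbb_ldap_service@company.domain.com'; // ACP "LDAP user DN" (UPN form)
$servicePassword = 'pa55w0rd';                              // ACP "LDAP password"

$loginName     = $argv[1] ?? 'jbloggs@company.domain.com';  // what the user types at the forum (made-up default)
$loginPassword = $argv[2] ?? '';

function fail(string $step, string $detail): void
{
    fwrite(STDERR, "FAILED at {$step}: {$detail}\n");
    exit(1);
}

if (!extension_loaded('ldap')) {
    fail('extension check', 'ldap extension not loaded; uncomment it in php.ini');
}

$ldap = ldap_connect($ldapUri); // only parses the URI; nothing is sent yet
if ($ldap === false) {
    fail('ldap_connect', 'malformed LDAP URI');
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // AD returns forest referrals; chasing them breaks searches

// Step 1: bind as the service account. A wrong host or port surfaces here as
// "Can't contact LDAP server", a wrong user DN or password as "Invalid credentials".
if (!@ldap_bind($ldap, $serviceBind, $servicePassword)) {
    fail('service account bind', ldap_error($ldap));
}
echo "service account bind OK\n";

// Step 2: find the user by the uid attribute. The login name is escaped so a
// value such as "*)(objectclass=*" cannot rewrite the search filter.
$filter = '(' . $uidAttribute . '=' . ldap_escape($loginName, '', LDAP_ESCAPE_FILTER) . ')';
$result = @ldap_search($ldap, $baseDn, $filter, ['samaccountname', 'userprincipalname', 'mail']);
if ($result === false) {
    fail("search {$filter} under {$baseDn}", ldap_error($ldap));
}
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
    fail('search', "expected exactly one entry for {$filter}, got {$entries['count']}");
}
$entry = $entries[0];
echo "found DN: {$entry['dn']}\n";
// Show the three candidate uid attributes side by side: this is how to see whether
// userPrincipalName really equals the mail address in your directory.
foreach (['samaccountname', 'userprincipalname', 'mail'] as $attr) {
    echo "  {$attr} = " . ($entry[$attr][0] ?? '(not set)') . "\n";
}

// Step 3: bind as that user with the password from the login form.
if ($loginPassword === '') {
    echo "no password given; user bind skipped\n";
    exit(0);
}
if (!@ldap_bind($ldap, $entry['dn'], $loginPassword)) {
    fail('user bind', ldap_error($ldap));
}
echo "user bind OK: phpBB would accept this login\n";
```

Run it with just a login name first to confirm the service account bind and the search; if that prints a DN and the expected attribute values, your server, port, base DN, user DN, password and uid attribute are all correct, and any remaining failure is the user’s own password. Running it against the ldaps:// form of the server name is also the quickest way to find out whether your domain controllers accept LDAP over TLS before changing the ACP setting.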

It took me about half a day from start to finish, which doesn’t sound like much, but I can assure you that it was a frustrating couple of hours… I hope your experience is less painful!

Good luck!
