Basic LDAP support in phpBB on a corporate network

I love phpBB and wanted to use it on our intranet to facilitate knowledge sharing between departments.

Getting phpBB up and running on a spare PC (powered by xampp) was easy but to make it useful in a corporate environment you need to be able to use active directory log-ins, and that wasn’t quite as easy, at least not for me who had no previous LDAP experience.

One thing I need to point out before you get your hopes up too much is that – at the time of writing – the LDAP support in phpBB 3 is fairly basic; you can log in but no new accounts will be created in AD and AD groups can’t be mapped to phpBB groups. The latter is a real issue for me since we want to use AD groups to manage access and without that we need to do a lot of manual admin on the phpBB side. However, as a first step to integrating phpBB in your corporate network this will do the trick.

But without further ado, this is what I did to make it work;

Firstly, you need an LDAP Service Account. This is an account that you probably need to ask your local neighbourhood IT department to set up (I did anyway). It’s a special account that will be used as a proxy to validate the credentials of users. They should know what it is….

Let’s say, for simplicity, that this account’s details are as follows;
username: phpbb_ldap_service
password: pa55w0rd
email: php_ldap_service@company.domain.com

We also need the details of our LDAP server and in this article we’ll take those to be
hq-ldap.company.domain.com
serving LDAP requests through port 368

I will now assume that you have set up phpBB and have it running. You will also have enabled the LDAP module. I was running this on xampp under windows and had to;
– Enable LDAP in php.ini (uncomment the ldap extension load)
– Copy libasl.dll from xampp/php folder to xampp/apache/bin folder and restart server

At this point I set up my forum to not require any admin approval for new users and I also set it up so that new users could start posting immediately; I trust my colleagues…

Furthermore I registered a new user in phpBB with the exact details of the service account, i.e;
username: phpbb_ldap_service@company.domain.com
password: pa55w0rd

This is very important! The phpBB account must match the service account for all of this to work.

NOTE: I’ve used the email address here, not the user name. This is because I want to let users log in using their unique email addresses later. You can choose this (as you will see below) and this was a requirement for me; your preferences might vary.

Now log in as a forum admin and give our service account user admin rights too. This too is very important!

Now log in using the service account that you’ve just granted admin rights and go to the “Authorization” pane where you will set up phpBB to use LDAP and connect to the server for authentication.

Set it up as follows:

Authentication method: ldap
LDAP server name: hq-ldap.company.domain.com
LDAP server port: 368
LDAP base DN: DC=company,DC=domain,DC=com
LDAP uid: see below for how to populate this
LDAP user DN: ditto, more about this below
LDAP Password=pa55w0rd

(Fields not mentioned above can be left blank or default)

The LDAP uid field is where you specify which field in an AD record for people in your corporate network should be matched against for authorisation. I am not an LDAP expert so I don’t know for certain if these are “standard” but what you will find if you google it is that most people use “samaccountname” which maps to the user name. I.e. for Joe Bloggs to log in he would use his network user name which, for example, would be jbloggs.
However, I wanted to use the email address and not the log in name so I had to dig around in our AD directories to find out what field was used to store that. Again, this might be a standard LDAP thing but I am not sure so check with your IT people or use an LDAP tool to look at accounts. In my case the field I chose for LDAP uid was “userprincipalname” which was where the user’s email address was mapped to in our AD setup.

The user DN is a string which identifies the service account in your AD structure. It is sort of like a path name for the account and quite frankly the many examples I could find when I googled it confused matters more than anything so I recommend you either determine it using an LDAP tool or, again, just ask somebody in your IT department….

Once those fields are filled in and correct you hit submit and phpBB should present you with a nice green message box telling you that all is well….

Subsequently you can log in with your email and network password, simple!

What could go wrong?
Lots of things, and the lack of helpful error messages from phpBB makes it a frustrating task to determine root cause.
What I would say though is that, if it doesn’t work, then you should firstly go back and check that you’ve got the right server, port, user DN, service account, password…all of those things because it is easy to trip them up.
Get an LDAP tool like Apache’s Active Directory Eclipse plug in and test your assumptions (is that user DN really the right path to my service account?)

It took me about half a day from start to finish which doesn’t sound like much but I can assure you that it was a frustrating couple of hours…I hope you experience is less painful!

Good luck!

Advertisements

Network problem when using VirtualBox HD’s between machines

Problem
– Setting up a new VirtualBox machine using a cloned VDI can (will?) cause problems with Linux guest OS’es where the network device fails to initialize resulting in no network connection. The problem is caused by VBox having hard coded the MAC address first assigned to the guest (when the VDI was first created) in “/etc/udev/rules.d/70-persistent-net.rules”
When trying to run the guest with a new machine (from a different VBox instance for example) it mismatches the MAC address and ethX fails to initialize. Trying to “ifup” also fails.

Solution
– Take note of the MAC address first assigned by VBox when the VDI and machine is first created and then, for each new machine using that VDI, go to Settings::Network::Advanced and type the MAC address directly into the MAC field.

UPDATE: If you’ve got a VDI that you move around to multiple machines (as I do) and you create new virtual machines to use it with then you want to make sure that each of these new ones use the correct MAC address also, of course, otherwise you have no network. Just create a new machine using said VDI and fire it up. If it’s a Windows machine then you can use ipconfig /all to get the MAC address, otherwise, for Linux, you can use ifconfig or alternatively you can just look at the MAC address setting for eth0 in the /etc/udev/rules.d/70-persistent-net.rules file (there will be lines in there that look something like this:
# PCI device 0x10b7:0x9200 (3c59x) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="XX:YY:ZZ:UU:VV:WW", ATTR{type}=="1", NAME="eth0"

and it’s the ATTR{address} field that stores the MAC address.)

Notes
– I ran into this because I share VDIs between different machines. I would bring the VDI (for an Ubuntu install for example) to a different laptop and set up a new machine in VirtualBox, using the VDI which I store on a USB drive. It would run but the network card would fail to initialize and running ifconfig would just show me the lo (loop back) device being active. Trying to ifup eth0 just threw up “device not found” errors. At first I hand edited the rules file but then I realized that the simplest (and perhaps most obvious) solution was to just assign the same MAC address to all the new machines myself.

installing msttcorefonts on Fedora 13 (fixing Wine problem)

I had to install msttcorefonts (the Microsoft TTF fonts used by most windows programs) to be able to run Wine in my Fedora 13 install. It was pretty clear that the fonts were missing; all Windows apps I tried to run, including the Wine config tool, were unusable with all text garbled.
To fix this I had to install the core fonts and as this was a (somewhat) non-trivial task I have decided to document it here:
Fundamentally I followed the steps on Benprove.com but had to do make some modifications to make it work.
Firstly I “su -“‘ed to get root access.
Then;
  1. cd /tmp or somewhere else convenient…
  2. Download font spec file for the rpm build process (2.0-1 at the time of writing):
    1. wget http://corefonts.sourceforge.net/msttcorefonts-2.0-1.spec
  3. Install rpm-build and cabextract:
    1. yum install rpm-build cabextract
  4. Install ttmkfdir (required to build usable font files from TTF files):
    1. yum install ttmkfdir
  5. Now build the RPM package from the spec file:
    1. rpmbuild -ba msttcorefonts-2.0-1.spec
  6. Install chkfontpath (a util to configure X server font paths apparently)…and xfs which is a deamon that serves fonts to X server clients:
    1. Get chkfontpath (look for latest version if you do this):
      1. wget ftp://ftp.pbone.net/mirror/atrpms.net/f13-i386/atrpms/stable/chkfontpath-1.10.1-2.fc13.i686.rpm
    2. Get xfs:
      1. yum install xfs
    3. Build chkfontpath:
      1. rpm -ivh chkfontpath-1.10.1-2.fc13.i686.rpm
  7. Disable GPG (signature) checking in the yum config file so open /etc/yum.conf in your favourite editor, look for the line “gpgcheck=1” in the “[main]” section and change it to “gpgcheck=0”. Save the file.
  8. Now you can FINALLY install the fonts themselves from the RPM:
    1. yum localinstall  /usr/src/redhat/RPMS/noarch/msttcorefonts-2.0-1.noarch.rpm
  9. Clean up by re-enabling gpg check in /etc/yum.conf (DON’T FORGET THIS!)
  10. Log-out and log back in…

And that was it; Wine is now usable.