Basic LDAP support in phpBB on a corporate network

I love phpBB and wanted to use it on our intranet to facilitate knowledge sharing between departments.

Getting phpBB up and running on a spare PC (powered by xampp) was easy but to make it useful in a corporate environment you need to be able to use active directory log-ins, and that wasn’t quite as easy, at least not for me who had no previous LDAP experience.

One thing I need to point out before you get your hopes up too much is that – at the time of writing – the LDAP support in phpBB 3 is fairly basic; you can log in but no new accounts will be created in AD and AD groups can’t be mapped to phpBB groups. The latter is a real issue for me since we want to use AD groups to manage access and without that we need to do a lot of manual admin on the phpBB side. However, as a first step to integrating phpBB in your corporate network this will do the trick.

But without further ado, this is what I did to make it work:

Firstly, you need an LDAP Service Account. This is an account that you probably need to ask your local neighbourhood IT department to set up (I did anyway). It’s a special account that will be used as a proxy to validate the credentials of users. They should know what it is….

Let’s say, for simplicity, that this account’s details are as follows:
username: phpbb_ldap_service
password: pa55w0rd
email: php_ldap_service@company.domain.com

We also need the details of our LDAP server and in this article we’ll take those to be
hq-ldap.company.domain.com
serving LDAP requests through port 368

I will now assume that you have set up phpBB and have it running. You will also have enabled the LDAP module. I was running this on xampp under Windows and had to:
– Enable LDAP in php.ini (uncomment the ldap extension load)
– Copy libsasl.dll from the xampp/php folder to the xampp/apache/bin folder and restart the server

At this point I set up my forum to not require any admin approval for new users and I also set it up so that new users could start posting immediately; I trust my colleagues…

Furthermore I registered a new user in phpBB with the exact details of the service account, i.e.:
username: phpbb_ldap_service@company.domain.com
password: pa55w0rd

This is very important! The phpBB account must match the service account for all of this to work.

NOTE: I’ve used the email address here, not the user name. This is because I want to let users log in using their unique email addresses later. You can choose this (as you will see below) and this was a requirement for me; your preferences might vary.

Now log in as a forum admin and give our service account user admin rights too. This too is very important!

Now log in using the service account that you’ve just granted admin rights and go to the “Authorization” pane where you will set up phpBB to use LDAP and connect to the server for authentication.

Set it up as follows:

Authentication method: ldap
LDAP server name: hq-ldap.company.domain.com
LDAP server port: 368
LDAP base DN: DC=company,DC=domain,DC=com
LDAP uid: see below for how to populate this
LDAP user DN: ditto, more about this below
LDAP password: pa55w0rd

(Fields not mentioned above can be left blank or default)

The LDAP uid field is where you specify which attribute of an AD user record should be matched against the name entered at login. I am not an LDAP expert so I don’t know for certain if these are “standard”, but what you will find if you google it is that most people use “samaccountname”, which maps to the user name. I.e. for Joe Bloggs to log in he would use his network user name which, for example, would be jbloggs.
However, I wanted to use the email address and not the login name, so I had to dig around in our AD directories to find out which attribute was used to store it. Again, this might be a standard LDAP thing but I am not sure, so check with your IT people or use an LDAP tool to look at accounts. In my case the attribute I chose for LDAP uid was “userprincipalname”, which was where the user’s email address was mapped to in our AD setup.

The user DN is a string which identifies the service account in your AD structure. It is sort of like a path name for the account and quite frankly the many examples I could find when I googled it confused matters more than anything so I recommend you either determine it using an LDAP tool or, again, just ask somebody in your IT department….

Once those fields are filled in and correct you hit submit and phpBB should present you with a nice green message box telling you that all is well….

Subsequently you can log in with your email and network password, simple!

What could go wrong?
Lots of things, and the lack of helpful error messages from phpBB makes it a frustrating task to determine root cause.
What I would say though is that, if it doesn’t work, then you should firstly go back and check that you’ve got the right server, port, user DN, service account, password…all of those things because it is easy to trip them up.
Get an LDAP tool like Apache’s Active Directory Eclipse plug-in and test your assumptions (is that user DN really the right path to my service account?)
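If you would rather test those assumptions from a script than from an LDAP GUI, here is an added PHP check (not phpBB’s own code) that walks through the same sequence phpBB’s LDAP authentication performs: bind as the service account, search for the user by the configured uid attribute, then bind as that user. The service account DN, the OU it lives in and the test user are assumptions for the example set-up above.

```php
<?php
// Added example, not phpBB code: exercise the bind -> search -> bind sequence
// so that a wrong server, port, user DN, base DN or uid attribute produces a
// real LDAP error message instead of phpBB's generic failure.
$server   = 'hq-ldap.company.domain.com';
$port     = 368;
$baseDn   = 'DC=company,DC=domain,DC=com';
$uidAttr  = 'userprincipalname';             // or 'samaccountname' for jbloggs-style logins
$svcDn    = 'CN=phpbb_ldap_service,OU=Service Accounts,DC=company,DC=domain,DC=com'; // assumed DN
$svcPass  = 'pa55w0rd';
$testUser = 'jbloggs@company.domain.com';    // what a user would type at the phpBB login
$testPass = getenv('TEST_USER_PASSWORD') ?: ''; // supplied via the environment, never hard-coded

$ldap = ldap_connect("ldap://$server:$port");
if (!$ldap) {
    exit("Could not create LDAP handle\n");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);     // AD returns referrals that break simple searches

// Step 1: bind as the service account. This is what "LDAP user DN" and
// "LDAP password" in the phpBB settings are used for.
if (!@ldap_bind($ldap, $svcDn, $svcPass)) {
    exit("Service bind failed: " . ldap_error($ldap) . "\n");
}
echo "Service bind OK\n";

// Step 2: look the user up by the configured uid attribute. The typed name is
// escaped so that characters like * ( ) \ cannot alter the search filter.
$filter  = sprintf('(%s=%s)', $uidAttr, ldap_escape($testUser, '', LDAP_ESCAPE_FILTER));
$result  = ldap_search($ldap, $baseDn, $filter, [$uidAttr]);
$entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
if ($entries['count'] !== 1) {
    exit("Expected exactly one entry for $filter, got {$entries['count']}\n");
}
$userDn = $entries[0]['dn'];
echo "Found user DN: $userDn\n";

// Step 3: bind as that user with the supplied password. A successful bind is
// the actual credential check. An empty password is rejected explicitly,
// because AD treats a bind with an empty password as an anonymous bind that
// "succeeds" without proving anything.
if ($testPass === '' || !@ldap_bind($ldap, $userDn, $testPass)) {
    exit("User bind failed: " . ldap_error($ldap) . "\n");
}
echo "User bind OK: credentials valid\n";
ldap_unbind($ldap);
```

Run it with `TEST_USER_PASSWORD=... php ldap_check.php` on the phpBB host itself, so the same php.ini and LDAP extension that phpBB uses are what get tested.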

It took me about half a day from start to finish which doesn’t sound like much but I can assure you that it was a frustrating couple of hours…I hope your experience is less painful!

Good luck!

A tip about tweeting from a PHP app using OAuth

I followed this excellent tutorial by Adam Green:

http://140dev.com/twitter-api-programming-tutorials/hello-twitter-oauth-php

but for the life of me I couldn’t get it to work; I kept getting a 401 return code saying that my app did not have write access.
But, I had given it write access so…what happened!?

Actually, the cause and effect, and subsequent fix, was simple but not entirely obvious:
I had created the app as a READ ONLY app to start with and generated all the codes for it.
I then realised my mistake and set the app permissions to Read & Write. The dev.twitter.com page for my app subsequently showed me that the app now had the required access.
Still, I got a 401 error back.

I had not, however, recreated my access tokens (there’s a button for this at the bottom of the page.)
Once I did this the app worked.

So: the confusingly named “Access Token” and “Access Token Secret” need to be regenerated if you change the permissions for your app. This is not obvious to me since I would expect these tokens to encode the identity of the app and therefore allow Twitter to access its permissions through the back-end…
But there you go, at least now it works.

0x800F0A12 error when installing Win 7 SP 1 on dual boot machine

Here’s what I’ve got
  • I have a machine with two hard disks; on one there’s a Fedora (15) install and on the other Windows 7
  • I’ve got Grub set up to allow me to boot from either
And here’s the problem
  • The other day I fired up my Windows 7 install for the first time in a long time and it wanted to install Service Pack 1 (SP1)
  • The install failed with nothing but a “0x800F0A12” message…not very helpful
The fix
The problem (as I found out from here) is that the service pack install requires the active boot partition to be the one with the Windows 7 install on. In my set up that partition is where the Grub loader lives so when the install checks the active partition it fails.
The article I’ve linked to outlines a solution involving the use of the Disk Management tool and DISKPART utility but there’s a simpler way to do this (at least in my situation).
  • Open the Disk Management tool (Computer->Manage->Disk Management)
  • Select the Disk/Partition on which your Windows install resides
    • In my case this was on Disk 1, Disk 0 was where the Grub loader and Fedora installs lived.
    • NOTE: The Disk Management tool will show which partition is “Active” and, since you’ve got the error, that will not be the one where Windows 7 lives. Check this: if your Windows 7 partition is Active and you still get the error then there’s something else going on…
  • Mark it as “active” by right clicking on it and selecting “Mark Partition as Active”
  • You’re done
You will now have TWO (2) partitions active: the one you had from before and the one where Windows 7 lives. It doesn’t matter if you’ve got two; all the “marking as active” operation does is inform the firmware that the partition can be booted from, not that it will.
You can now proceed to install Service Pack 1.
In my case it all worked.

Stumbling through getting an OpenMPI app compiling and linking with (and without) NetBeans on Fedora

System

Fedora 14
Netbeans 6.9 + g++ 4.5.1 and MPICH2

Problem

I wanted to play around with OpenMP and C++ and I wanted to use the NetBeans IDE but had no luck compiling and/or linking.

Naively I did this:

  • installed MPICH2 packages using the package manager (I tried first with yum but that didn’t work at all…could be a red herring but be warned, see end notes.) 
  • opened up NetBeans, created a C++ app project and wrote a little Hello World program with a simple #pragma omp parallel section
  • I hit compile and…naturally, it just compiles a standard single-threaded app (ignoring the unrecognized pragma)
  • So, I tried to compile the program on the command line using the mpic++ compiler/linker wrapper which is installed with openmpi-devel
    • It failed with the errors about not finding -lmpichcxx, -lpmipch and -lopa (again, see end notes)

Solution

  1. mpic++ for some reason or other produces the wrong (???) command line;
    1. it typically looks like this: 
      1. c++ -m32 -O2 -Wl,-z,noexecstack -I/usr/include/mpich2-i386 -L/usr/lib/mpich2/lib -L/usr/lib/mpich2/lib -lmpichcxx -lmpich -lopa -lpthread -lrt
    2. but it should look like this (highlighting changes from above only):
      1. c++ -fopenmp -m32 -O2 -Wl,-z,noexecstack -I/usr/include/mpich2-i386 -L/usr/lib/mpich2/lib -L/usr/lib/mpich2/lib -lmpichcxx -lmpich -lgomp -lpthread -lrt
  2. Therefore, in the properties of your NetBeans project, under C++ Compiler::Additional Options you set the command line to
    1.  -fopenmp -m32 -O2 -Wl,-z,noexecstack -I/usr/include/mpich2-i386 -L/usr/lib/mpich2/lib -L/usr/lib/mpich2/lib -lmpichcxx -lmpich -lgomp -lpthread -lrt
    2. Alternatively you can of course use that as-is on the command line
  3. …and compile…and it runs, and according to my perf monitor it uses more than one thread. Perfect.

Notes

libgomp is the GNU OpenMP library and it is part of the gcc 4.5.x install (and possibly earlier, but I haven’t checked/tested this). I don’t know what “libopa” was/is (can’t find anything about it) so it might even be a typo (although this would be horrendous and hopefully not the case) – If anybody reading this can shed some light….?

I tried with c++ and g++ both in the project settings in NetBeans but it doesn’t matter which one you use, as long as the command line is correct as in step 2 above.

The issue alluded to concerning installing OpenMPI using Yum; I did this first #yum install openmpi openmpi-devel but it seems that this, although it installed the libraries, did not create appropriate symlinks to them so that ld could find them (see note about ld failing at the top of this post.) I therefore manually created these and it fixed the linking, but as I subsequently did an install of MPICH2 using the package manager before I got the app running properly I can’t verify exactly if this had a positive effect overall or if it was a red herring. If anybody can recreate this and confirm then that would be great.

Btw, here are some great links for some OpenMP examples and tutorials:

http://www.codeproject.com/KB/library/Parallel_Processing.aspx

http://bisqwit.iki.fi/story/howto/openmp/#ExampleCalculatingTheMandelbrotFractalInParallel

https://computing.llnl.gov/tutorials/openMP/#CFormat

Network problem when using VirtualBox HD’s between machines

Problem
– Setting up a new VirtualBox machine using a cloned VDI can (will?) cause problems with Linux guest OSes where the network device fails to initialize, resulting in no network connection. The problem is caused by VBox having hard-coded the MAC address first assigned to the guest (when the VDI was first created) in “/etc/udev/rules.d/70-persistent-net.rules”.
When trying to run the guest with a new machine (from a different VBox instance for example) it mismatches the MAC address and ethX fails to initialize. Trying to “ifup” also fails.

Solution
– Take note of the MAC address first assigned by VBox when the VDI and machine are first created and then, for each new machine using that VDI, go to Settings::Network::Advanced and type the MAC address directly into the MAC field.

UPDATE: If you’ve got a VDI that you move around to multiple machines (as I do) and you create new virtual machines to use it with then you want to make sure that each of these new ones use the correct MAC address also, of course, otherwise you have no network. Just create a new machine using said VDI and fire it up. If it’s a Windows machine then you can use ipconfig /all to get the MAC address, otherwise, for Linux, you can use ifconfig or alternatively you can just look at the MAC address setting for eth0 in the /etc/udev/rules.d/70-persistent-net.rules file (there will be lines in there that look something like this:
# PCI device 0x10b7:0x9200 (3c59x) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="XX:YY:ZZ:UU:VV:WW", ATTR{type}=="1", NAME="eth0"

and it’s the ATTR{address} field that stores the MAC address.)

Notes
– I ran into this because I share VDIs between different machines. I would bring the VDI (for an Ubuntu install for example) to a different laptop and set up a new machine in VirtualBox, using the VDI which I store on a USB drive. It would run but the network card would fail to initialize and running ifconfig would just show me the lo (loop back) device being active. Trying to ifup eth0 just threw up “device not found” errors. At first I hand edited the rules file but then I realized that the simplest (and perhaps most obvious) solution was to just assign the same MAC address to all the new machines myself.

Growing a VirtualBox VDI is easy…

I use VirtualBox for lots of things, not the least to be able to use Microsoft Office for Windows on my work laptop, which is a Mac. Bless Office for the Mac but it sucks and I really need Excel to work with VB and the Data Analysis add-on…

However, I digress. As I installed more and more apps into my Win7 Virtual Machine I started running out of disk space, so here follows a brief explanation of what I did (and do) when I need it (the VDI…) to grow. (Note that I didn’t originally create it using the “dynamically expanding storage” option in VBox and if I had I might not be in this predicament but there you go.)

So;

  1. Create a new harddrive using the Virtual Media Manager in VBox and make sure it’s the size you want
    1. NOTE: Again I didn’t create the new disk as dynamic, but rather as static…I don’t know if the following steps would work if it was dynamic (somehow I doubt it but if you try then please let me know how it went…)
  2. Release and Remove your old harddrive from VBox’ grasp using the Virtual Media Manager;
    1. You have to do this otherwise the next step will fail. All you need to do is to release it, then remove it and REMEMBER to “Keep” the hard disk image when you do that!
  3. Clone your old (and smaller) VDI into the new (and larger) one like so using the VBox command line tool:
VBoxManage clonehd --existing OLD.vdi NEW.vdi
  4. Now go back into Virtual Media Manager and add the NEW.vdi drive
  5. In the settings for your virtual machine (the one that previously used the OLD.vdi) you change it to use NEW.vdi
  6. Download systemrescuecd.iso (or any LiveCD with a Linux distro and GParted on it. The remaining steps assume you can run GParted)
  7. Attach the LiveCD to your virtual machine so that it will be booted when it starts
  8. Boot your virtual machine…
  9. Run GParted;
    1. The virtual machine’s hard disk will be allocated into the “old” partition (which is the smaller size) and an extra, unallocated, partition which is whatever extra space you now have in your new (and larger) hard disk
  10. Resize the smaller partition (old) to take up all of the (new) disk
    1. NOTE: this assumes your guest OS uses a file system that GParted understands. In my case this was NTFS (Windows) but if you are attempting this to grow something else, and utterly esoteric, I can’t guarantee it will work. However, it would have to be very esoteric…
  11. Shut down the virtual machine
  12. Release the ISO (sysrescd.iso in my example)
  13. Reboot….
  14. Presto, you’re done! The machine should boot up happily and Windows will tell you that the C: drive is whatever size NEW.VDI was created as

Certainly beats using CloneZilla to try and save off the old image and restore it. I tried that too and it didn’t work but even if it did this method seems simpler.

Fixing “Client ‘foo’ can only be used from host ‘bar.local’” problem on Mac

Quick problem fix; there are some strange problems with P4V on Mac OS X which cause a spurious change to the host name in client specifications; everything works fine until one day you fire up P4V and get the error “Client ‘foo’ can only be used from host ‘bar.local’”….I’ve found a couple of references to this on various fora but nothing that seems to solve it directly. NOTE: I run P4 locally on my machine and only use it for my own (local) revision control. As I mention below I doubt if this problem occurs if you’re running P4 on a proper networked server….

Anyway, I have a fix that works for me and it’s simple: run p4 to edit your client spec (‘foo’ in my example) and remove the line containing ‘Host’…That line restricts access to a given host and is the one that seems to get “creatively altered” somehow to add a “.local” extension to it. Remove this restriction and all works.

HOWEVER: this fix assumes you don’t need host restriction which you might, of course. I suspect it might not be a problem for you anyway then since you’ll be using something like a properly resolved IP or network name…so there.