Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Active Directory Integration

edited December 2008 in Vanilla 1.0 Help
Hello, I'd like for my users to be able to sign into a secure folder (based on AD usernames and passwords) on my website and be able to immediately use the Vanilla forum (without creating seperate forum accounts or signing in a second time). The root directory of the forum is within the secure folder. Is this possible? Thanks for any help!


  • I guess this is a job for someone who's very familiar with the windows login/user authentication structure. What do they call it again? LDAP?
  • Would this be something I would change on my server or an addon to Vanilla?
  • I assume someone would have to write a new authentication module. I have no idea how complex it'd be though. It's possible to get windows logon info into web pages for sure but I dont think it's the easiest thing in the world.
  • edited August 2006
    Yeah, you'd have to write a new authentication module. Actually, I really hope Mark does some work on the authentication process in Vanilla to possibly make the whole thing as an a separate (sign-in) php file that we could just include in our own custom sign-on page and pass the username/password to it for it to then set up the necessary Vanilla cookies and database updates etc. returning just a True/False to indicate success. This would then mean that after your own PHP file checks the current users authentication against AD or LDAP it would simply pass the authenticated name/password to the Vanilla sign-in function. (I call it a sign-in function rather than authentication function because we're not using Vanilla to authenticate the user, we've already done that and we know who they are, but we just need to process the sign-in to Vanilla. Standard single-sign-on stuff really.) A similar function for automatically adding new users (once they had been authenticated elsewhere) would also be extremely useful. (Maybe the sign-in function could have a flag to indicate 'register this person if not already a member' option.)
  • "Actually, I really hope Mark does some work on the authentication process in Vanilla ..." - Have you seen the entire People library? None of the user authentication whatsoever is dealt with in vanilla itself.
  • minisweeper... I've seen lots of comments about the People library but nothing that actually says what it is or what it does. (ie. I'm aware of the People library but I can't find any documentation or posts on how to use it.) That's why I'm on this site now, trying to find those posts that are talking about external integration. But with 2000+ discussions it difficult to find the ones related to this, and also distracting when I see lots of other interesting discussions which I end up delving into :-) I think Mark could do with creating a category for all discussions related to external integration (and then some consolidation of existing discussions into this category because discussion of single-signon and integration are scattered throughout many places here). Very rarely does a website consist of *just* a forum these days, but multi-function things where a forum is just one supporting element that has to integrate. I am currently working to integrate Vanilla into a TextPattern site so I'll have to do a lot more digging into People but it would be great if there was documentation to back up what is possible. It would be even better if there was a single include file / function I could call to do all the work for me.
  • Well I'm not the best man to explain, but the People library deals with all the user management in vanilla. As i understand it, the existing authentication class will work fine if you supply it the necessary details (i.e. username and password) so where you get that information from (your own login page, LDAP, whatever) doesnt really matter. There's also a createuser function which will setup a user as necessary in vanilla when it's supplied the correct details. As I say, i'm really not the man to explain but hopefully that's highlighted a few things for you. If you're reasonably PHP competant and browse through the People folder you should get a basic feel for what the different componants do. If you have any specific questions I'm sure Mark would be happy to field them (in his own time, he's a busy man).
  • Yeah, thanks Mini, a big help. I went and searched for 'people' and got some good stuff. Have to print it and dissect it now to find the bits I need. All this OOP is new to me!
  • [quote]This would then mean that after your own PHP file checks the current users authentication against AD or LDAP it would simply pass the authenticated name/password to the Vanilla sign-in function.[/quote] This doesn't sound that difficult. Is there a good Vanilla resourse to figure it out?
  • edited August 2006
    @ndwhite... I don't have any LDAP code for you sorry, but once you've authenticated, the following will work to create the automatic login to Vanilla. Save the following content as a .php file: <?php /* ** * Do your normal LDAP / Active Directory authentication check here. ** */ $Username = ldap_username; // replace ldap_username with whatever var contains the username $Password = ldap_password; // same for ldap_password $PersistentSession = 0; // or 1 for persistent // load the appropriate files // ** CHANGE THE PATH TO SUIT YOUR LOCATION ** include_once("../vanilla/appg/settings.php"); include_once("../vanilla/appg/init_people.php"); // create the necessary session and cookie $Ret = $Context->Authenticator->Authenticate($Username, $Password, $PersistentSession); ?> <html> <head> <title>Test login</title> </head> <body> <h1>Test login</h1> <?php if ($Ret) { ?> <p>Welcome, you are logged in. <a href="/vanilla/index.php">Go to Vanilla!</a></p> <?php } else { ?> <p>Sorry, the details you supplied were incorrect.</p> <?php } ?> </body> </html> I don't claim any credit for this. But it works sweet for me.
  • This is hot. I got how to integrate registration from another thread. daveh, thanks. would you be willing to provide the same type of thing for logout, and password change? Thanks again.
  •'s the logout... just call the function from wherever! //----------------------------------------------- //log out of Vanilla forum function ddh_vanilla_logout() { include_once("../collaborate/appg/settings.php"); include_once("../collaborate/appg/init_people.php"); $Ret = $Context->Authenticator->DeAuthenticate(); } I'm working on the password change as I type. I'll post it when I've got it sorted.
  • @daveh Thanks! This code should get me started. I don't know anything about LDAP and I'm just figuring out any AD problems as they come along. I appreciate the suggestions!
  • edited August 2006's the password change function. Some tags incase anyone is searching for this: [change password, update password, change vanilla password] OK, now the code. Save the whole thing as a .php file and just call it in your browser... <?php // testing purposes only. the username and password would normally // be collected from elsewhere. $Username = "theuser"; $Password = "newpassword"; $Ret = ddh_vanilla_change_password($Username, $Password); // Now the function that does the dirty deed... function ddh_vanilla_change_password($Username, $NewPassword) { // this function changes the password of the specified userName // set the paths here to match your own installation include_once("../vanilla/appg/settings.php"); include_once("../vanilla/appg/init_people.php"); // build the update sql statement $s=$Context->ObjectFactory->NewContextObject($Context, 'SqlBuilder'); $s->Clear(); $s->SetMainTable('User', 'u'); $s->AddFieldNameValue('Password', $NewPassword, 1, 'md5'); $s->AddWhere('u', 'Name', '', $Username, '='); // go ahead and force the change $Ret = $Context->Database->Update($s, 'dontneedthis', 'dontneedthis', 'dontneedthis'); // return the number of rows affected (0=no changes made, 1=password changed OK, >1=oops!) return $Ret; } ?> <html> <head> <title>Test Password Reset</title> </head> <body> <h1>Test Password Reset</h1> <?php if ($Ret) { ?> <p>Set password for <?php echo $Ret ?> users to <?php echo $Password ?>.</p> <?php } else { ?> <p>No passwords were changed. Either there's a problem or the user already had this password.</p> <?php } ?> </body> </html>
  • edited August 2006
    I've written a replacement for People.Class.Authenticator.php (in library/People) that uses LDAP (the server runs OpenLDAP).

    Warning: Use this code only as a template for your own work. I do not guarentee that it will work for you without modification (this is *not* an extension).

    Installation: Extract the file into library/People and set

    $Configuration['AUTHENTICATION_MODULE'] = 'People/People.Class.LdapAuthenticator.php';

    in conf/settings.php to enable it.

    With some work, it should be possible to convert to Active Directory. Most of the configuration settings are at the top of the file. This implementation uses LDAP exclusively for authentication, so when a user attempts to login, the LDAP server is immediately checked. If successful, the Vanilla database is checked to see if the user already exists. If not, a new Vanilla user is created (so that user settings can be stored, among other reasons). The password stored in the Vanilla database is totally disregarded. For this reason, it's best to set

    $Configuration['ALLOW_PASSWORD_CHANGE'] = 0;

    in conf/settings.php. This means that you will need to provide some other way for users to change this password (which presumably you do, given that you're using Active Directory).

    Note that this implemention does not use any fancy caching techniques, so if you have a heavy load, this will put some strain on your AD server. Also, there is a debug flag that you can set at the top of the file that will write out debugging information to a text file (currently /tmp/vanilla_ldap.log...see the bottom of the file).

    Hope this is helpful to somebody.

  • Thanks Jonathan! I'll report back if I've successfully integrated my AD usernames and passwords into Vanilla with your (everyone else’s) help.
  • Jonathan's LDAP Authenticator works like a charm. Running Vanilla on Debian Linux with Mac OS X OpenDirectory on the backend handling LDAP.

    Hint: I had to set LDAP_USE_TLS in the authentication module to "false" and set OD to allow LDAPv2 binds in slapd.conf. (Add "allow bind_v2" to /etc/slapd.conf and restart OD.) While less secure, this seemed to be safer and easier than possibly borking my LDAP server trying to get it to handle TLS. I wouldn't do this if both servers were not behind the same firewall.
  • Wish I knew PHP in order to create an extension based on this...
  • Same here, integration with Active Directory at work would mean I could just replace our crappy intranet with Vanilla.
  • This would be AWESOME as an extension. I am going to try the above method tonight to see if it works on my server
This discussion has been closed.