PHPBB working with Active Directory over LDAP

Posted: Thu Oct 01, 2015 8:50 pm
by lowcrawler
When I looked into doing this, I found all sorts of conflicting, inaccurate, or incomplete information. It took a long time to get it working and I thought it might be helpful if I wrote up what I did for people that might need to do this in the future.

Part of why this is so hard is that the error messages are terrible. For example, if you have everything 100% correct but have the wrong server name... the error message is "Binding to LDAP server failed with specified user/password." ... or if you have the correct server name but the wrong username ... you get the same message. But if you don't put in any username, you get the message "An error occurred while searching the LDAP directory."

The easiest way I thought to do this was to simply go through the process.

You need at least one active directory user name and password. I'd suggest at least two - one that is your actual user and then one that will be your 'ldap service' user.

1) Go through the normal installation process.

2) When done, log out.

3) Then register a new user (JohnDoe) with the exact same name as your Active Directory username. Note, you need the 'samaccountname' (or 'userprincipalname', depending on whether you decide later you want to use that... but for the sake of this, we'll use the samaccountname). For those familiar with ADUC, this is the 'pre-Windows 2000' username. It's almost always the same as the normal username (uid), but not always.

4) Test that the login created in #3 ('JohnDoe') works... after verifying, log out and log back in as the admin user.

5) As the admin user, go to ACP and then user management and set JohnDoe to founder status.

We are creating this secondary user, with the exact same login details as your AD account, because once you change the authentication scheme to LDAP, it will no longer look at the phpBB database for authentication... and your 'admin' user won't work anymore (unless, of course, you've made your admin user and the LDAP service account I talked about the same name). This is important -- I've locked myself out of installations quite a few times.

6) Now on the main ACP page find 'authentication' and go select "LDAP".

That'll bring up a page with the following fields:

LDAP server name: This should be your domain controller. I used an IP address.

LDAP server port: As our DC responds on 389, I left this blank. If you wanted 'secure' you could try 636. Further, if you are having trouble, I saw people mention 3269.

LDAP base dn: This is basically the root of where it's going to search through your AD tree. So if you wanted it to search through your whole domain, you'd be looking at entering "dc=subdomain,dc=domain,dc=com". Whoever runs your Active Directory server probably knows this part.

LDAP uid: This is basically the LDAP attribute that we'll try to match logons with. So if you want people to use just 'johndoe' you'd want to match the samaccountname... whereas if you want people's usernames to be their entire email address (''), you might use 'userprincipalname'. I had success with 'samaccountname'.

LDAP user filter: Don't know, I don't use it. In theory, this could speed up your LDAP search query.

LDAP email attribute: For many Active Directory installations, this is "userprincipalname", though often there is also an 'email' attribute.

LDAP user dn: This is the fully qualified distinguished name of your LDAP service account. What does that mean? Remember how I said you should have two accounts on the Active Directory server? This is the 'service' account... its only purpose is to let phpBB's LDAP query connect to your Active Directory to do a search for the user that is attempting to log in.
Unfortunately, you can't just put in "ldapservice" or whatever the actual account name is. You have to use the 'distinguished' name -- which looks something like this: CN=John Doe,OU=Service Accounts,OU=Users,DC=subdomain,DC=domain,DC=com (do not put it in quotes). Hopefully you are good enough with Active Directory, or know someone who is, to give you this name. The important thing to note here is that this is NOT simply a username and it's also NOT optional if you are trying to connect to Active Directory.

LDAP password: This is the password for the above account.

If you get it all right, it'll give you a green success... and now people will be able to log in, without registering, with their active directory username and passwords.
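The bind / search / bind sequence behind those fields, as an added example that is not part of the original post or of phpBB's own code: it reproduces what phpBB's LDAP backend does against Active Directory so each ACP value can be checked from the command line before locking yourself out. The server address, DNs, account names and environment variable names are placeholders.

```php
<?php
// Added example, not phpBB code: the three LDAP steps behind the ACP fields
// above. All server names, DNs and account names are placeholders.
$server   = 'ldap://192.0.2.10:389';                 // "LDAP server name" + port
$base_dn  = 'dc=subdomain,dc=domain,dc=com';         // "LDAP base dn"
$uid_attr = 'samaccountname';                        // "LDAP uid"
$svc_dn   = 'CN=ldapservice,OU=Service Accounts,OU=Users,DC=subdomain,DC=domain,DC=com';
$svc_pw   = (string) getenv('LDAP_SVC_PASSWORD');    // "LDAP password", kept out of the file
$login    = 'johndoe';                               // what the user types in the login form
$login_pw = (string) getenv('TEST_USER_PASSWORD');   // the password being tested

// An empty password turns ldap_bind() into an anonymous bind, which AD accepts,
// so refuse it before touching the server.
if ($login_pw === '') {
    exit("Empty password: refusing to bind\n");
}
$ldap = ldap_connect($server);
// AD requires LDAPv3, and chasing referrals breaks searches over the base DN.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Step 1: bind as the service account. A wrong server, wrong DN or wrong
// password all fail here, which is why phpBB reports the same "Binding to
// LDAP server failed" message for each of them.
if (!@ldap_bind($ldap, $svc_dn, $svc_pw)) {
    exit('Service bind failed: ' . ldap_error($ldap) . "\n");
}
// Step 2: look the login name up under the base DN. Escaping the value keeps
// a crafted username from changing the meaning of the filter.
$filter = sprintf('(%s=%s)', $uid_attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
$result = @ldap_search($ldap, $base_dn, $filter, ['dn', 'userprincipalname']);
if ($result === false) {
    exit('Search failed (check the base DN): ' . ldap_error($ldap) . "\n");
}
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
    exit("Expected exactly one entry for {$login}, found {$entries['count']}\n");
}
$user_dn = $entries[0]['dn'];
// Step 3: bind as the user with the submitted password. This is the actual
// credential check; the service account never handles the user's password.
if (@ldap_bind($ldap, $user_dn, $login_pw)) {
    echo "Login OK for {$user_dn}\n";
} else {
    echo 'Login rejected: ' . ldap_error($ldap) . "\n";
}
ldap_unbind($ldap);
```

Run it with the two environment variables set; the step at which it exits tells you which ACP field is wrong, which phpBB's own messages do not.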

Posted: Fri Oct 09, 2015 12:13 pm
by Sajaki
Thank you for the writeup ;) I'll try this at work.