Setup Active Directory (LDAP) Authentication on CentOS 7

Loosus456
Registered User
Posts: 6
Joined: Tue Nov 14, 2017 2:41 am

Setup Active Directory (LDAP) Authentication on CentOS 7

Post by Loosus456 » Wed Nov 15, 2017 8:51 pm

For phpBB 3.2.1, I wanted to share my recent experience in setting up Active Directory/LDAP authentication on CentOS 7 with the following configuration:
  • Apache 2.4.x
  • PHP 7.1.11
  • MySQL(i) 10.2.10-MariaDB
  • Windows Server 2012 R2 Domain Controller
Setting up this authentication method on phpBB was extremely painful, and I've setup many systems with LDAP before now. Setting up LDAP authentication on phpBB is probably the most infuriating one I've ever done.

Basic Setup
  • LDAP server name: this is literally the full name of your domain. The name of ours was ad.example.com, not ad01.example.com or ad02.example.com, which are individual domain controllers within the domain.
  • LDAP server port: we left this blank.
  • LDAP base dn: this is basically where your user accounts, who will be logging into phpBB, are stored in Active Directory. Ours was OU=Users,OU=Accounts,OU=People,DC=ad,DC=example,DC=com. One of the ways you can find the base DN is by installing Remote Server Administration Tools (RSAT) on any machine that is part of your domain and then running the following command on that machine: dsquery user -limit 1000 | dsget user -dn. Within the returned list of users, find a user that you know is in the correct location within Active Directory, and use that as your LDAP base distinguished name. For example, if one of the users was CN=UserName123,OU=Generics,OU=Accounts,OU=People,DC=ad,DC=example,DC=com, then the LDAP base distinguished name would be OU=Generics,OU=Accounts,OU=People,DC=ad,DC=example,DC=com.
  • LDAP uid: we used samaccountname.
  • LDAP user filter: we left this blank.
  • LDAP email attribute: we used mail.
  • LDAP user dn: this is the full username of the generic/service Active Directory account that will be used to perform the authentication on behalf of phpBB. We put our username in the form ADNAME\username. For us, this was EXAMPLEAD\phpbbldapuser. I did not try it, but I suspect ad.example.com\phpbbldapuser would have worked, too, as EXAMPLEAD and ad.example.com are both valid names for our domain.
  • LDAP password: the password of the LDAP user dn user account mentioned in the previous step.
Port Blocked

In our experience, SELinux blocked port 389, which is the default Active Directory/LDAP port. So, in addition to allowing the port through the firewall, we had to also configure SELinux to allow it, as well:
  • Firewall:
    sudo firewall-cmd --permanent --add-port=389/tcp
    sudo firewall-cmd --reload
  • SELinux:
    yum install -y setroubleshoot-server
    semanage port -m -t http_port_t -p tcp 389
Testing Firewall and SELinux as Problems

If you're not sure whether the firewall or SELinux is the issue, try temporarily disabling them to test your configuration. If one or the other appears to be causing the issue, then make the appropriate changes to the firewall or SELinux, and then re-enable the firewall or SELinux.
  • Firewall:
    Turn off: systemctl stop firewalld
    Turn on: systemctl start firewalld
  • SELinux:
    Turn off: setenforce 0
    Turn on: setenforce 1
If You Lock Yourself Out

Our organizational policies require us to regularly change passwords, including service accounts like our Active Directory account that is used to authenticate users in phpBB against Active Directory. As a result, once we change the password to this Active Directory user account, phpBB will not fall back to another authentication method, such as the built-in user database. You simply can no longer log in to phpBB at all -- regardless of which username and password you attempt. So, you will have to manually set it back to using the built-in user database:
  1. Issue the command sudo mysql -p at the command prompt.
  2. Type your database password.
  3. Issue the following command use phpbb; If the name of your database is not phpbb, then type the actual name of the database.
  4. Issue the following command: UPDATE phpbb_config SET config_value= 'db' WHERE config_name= 'auth_method';
  5. Issue the following command: quit
  6. Delete the following file: <YOUR PATH TO PHPBB>/cache/production/data_global.php, replacing "<YOUR PATH TO PHPBB>" with wherever you extracted your phpBB files.
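The two settings that are easiest to get wrong in the Basic Setup above are the base DN and the uid lookup. The script below is an added example (not phpBB code and not from the post): it derives the base DN from a user DN the way the post describes (strip the user's own CN= component), and it builds the search filter in the shape phpBB's LDAP provider uses, "(uid_attribute=username)" ANDed with the optional user filter, escaping the login name so that characters like "*" or ")" are matched literally rather than rewriting the filter. The sample DN, group DN and usernames are constructed for the demo; the filter-building layout is modelled on phpBB's behaviour and is an assumption about it, not a copy of its code.

```python
"""Offline checks for phpBB LDAP settings (added example, not phpBB code).

Runs without a directory server: it only parses distinguished names and
builds the kind of search filter phpBB issues for a login attempt.
Sample DNs and usernames below are constructed for the demo.
"""
import re


def split_rdns(dn: str) -> list:
    """Split a DN into RDN strings, honouring RFC 4514 backslash escapes.

    A comma inside a value is written as '\\,' in LDAP, so we split only
    on commas that are not escaped.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def base_dn_from_user_dn(user_dn: str) -> str:
    """Drop the leading CN= of a user DN to get its container (the base DN).

    This is the manual step from the post: take a DN returned by
    'dsquery user | dsget user -dn' and remove the user's own CN.
    """
    rdns = split_rdns(user_dn)
    if not rdns or not rdns[0].upper().startswith("CN="):
        raise ValueError("expected a user DN starting with CN=: %r" % user_dn)
    return ",".join(rdns[1:])


# RFC 4515 escapes for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid_attribute: str, username: str, user_filter: str = "") -> str:
    """Build the filter used to locate the account for a login attempt.

    uid_attribute is the 'LDAP uid' setting (samaccountname in the post);
    user_filter is the optional 'LDAP user filter' setting and, when set,
    is ANDed with the uid match. Assumed layout, modelled on phpBB.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", uid_attribute):
        raise ValueError("invalid attribute name: %r" % uid_attribute)
    uid_match = "(%s=%s)" % (uid_attribute, escape_filter_value(username))
    user_filter = user_filter.strip()
    if not user_filter:
        return uid_match
    if not (user_filter.startswith("(") and user_filter.endswith(")")):
        user_filter = "(%s)" % user_filter
    return "(&%s%s)" % (uid_match, user_filter)


if __name__ == "__main__":
    # Constructed sample in the shape the post describes.
    sample = "CN=UserName123,OU=Generics,OU=Accounts,OU=People,DC=ad,DC=example,DC=com"
    print(base_dn_from_user_dn(sample))
    print(build_user_filter("samaccountname", "phpbbldapuser"))
    # A hostile login name is neutralised instead of widening the search.
    print(build_user_filter("samaccountname", "x)(objectClass=*",
                            "memberOf=CN=forum-users,OU=Groups,DC=ad,DC=example,DC=com"))
```

Run it with the DN of a known-good account to confirm the base DN you intend to paste into the ACP, and feed it any usernames you would expect to work (including ones with a comma or backslash in the DN) to see the exact filter that will be sent.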

AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Setup Active Directory (LDAP) Authentication on CentOS 7

Post by AmigoJack » Thu Nov 16, 2017 4:02 pm

Alternatively you just run this query to update said LDAP password:


UPDATE phpbb_config
   SET config_value= 'new password'
 WHERE config_name= 'ldap_password';
and delete /cache/production/data_global.php.
The worst thing about censorship is ███████████
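Both recovery paths in this thread, switching auth_method back to 'db' and writing a new ldap_password, come down to an UPDATE on phpbb_config followed by deleting the global cache file. The helper below is an added example, not phpBB code and not from either post: it generates those statements with proper SQL quoting (a password containing a quote or backslash would otherwise break the query AmigoJack shows) and removes the cache file, reporting whether anything was deleted. The table prefix phpbb_ and the cache path are the ones used in the thread; the install root and the demo password are constructed. Note that the query writes the bind password into the config table in clear, so whoever can read that table can read the service account's password.

```python
"""Recovery helpers for a phpBB install whose LDAP bind password changed.

Added example, not phpBB code. It builds the UPDATE statements from the
thread with proper quoting and clears cache/production/data_global.php.
Table prefix and cache path are the ones the thread uses; any install
root passed in is the caller's, and the demo below uses a temp dir.
"""
import os
import tempfile


def sql_quote(value: str) -> str:
    """Quote a string for a MySQL/MariaDB literal (backslash and quote escaped)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def recovery_statements(mode: str, new_password: str = "", prefix: str = "phpbb_") -> list:
    """Return the SQL to run inside the phpBB database.

    mode 'db'   : fall back to the built-in user database (first post, step 4)
    mode 'ldap' : keep LDAP and store the new bind password (the reply above)
    """
    table = prefix + "config"
    if mode == "db":
        return ["UPDATE %s SET config_value = 'db' WHERE config_name = 'auth_method';" % table]
    if mode == "ldap":
        if not new_password:
            raise ValueError("a new LDAP password is required for mode 'ldap'")
        return ["UPDATE %s SET config_value = %s WHERE config_name = 'ldap_password';"
                % (table, sql_quote(new_password))]
    raise ValueError("mode must be 'db' or 'ldap'")


def clear_global_cache(phpbb_root: str) -> bool:
    """Delete cache/production/data_global.php; True if a file was removed."""
    path = os.path.join(phpbb_root, "cache", "production", "data_global.php")
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo_cache_clear() -> tuple:
    """Build a throwaway install tree, clear the cache twice, report both results."""
    with tempfile.TemporaryDirectory() as root:
        cache_dir = os.path.join(root, "cache", "production")
        os.makedirs(cache_dir)
        with open(os.path.join(cache_dir, "data_global.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for the cached config\n")
        first = clear_global_cache(root)    # file present: removed
        second = clear_global_cache(root)   # already gone: nothing to do
    return first, second


if __name__ == "__main__":
    for stmt in recovery_statements("db"):
        print(stmt)
    for stmt in recovery_statements("ldap", "it's a p\\ssw0rd"):   # constructed password
        print(stmt)
    print(demo_cache_clear())
```

Paste the printed statements into the mysql client after `use phpbb;` (or whatever your database is called), then run the cache clear against the real install root; if it returns False the cache file was already absent, which usually means you are pointing at the wrong directory.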
