- Apache 2.4.x
- PHP 7.1.11
- MySQL(i) 10.2.10-MariaDB
- Windows Server 2012 R2 Domain Controller
- LDAP server name: the DNS name of the domain itself, not of one domain controller. Ours was ad.example.com, not ad01.example.com or ad02.example.com, which are individual domain controllers within the domain. The domain name resolves to any available controller, so phpBB keeps working when a single DC is down.
- LDAP server port: we left this blank, which means the default LDAP port, 389. Note that this is a plain LDAP connection: the simple binds phpBB performs send the service account's password, and each user's password at login, across the network unencrypted, so the web server and the domain controllers should share a trusted network.
- LDAP base dn: the container in Active Directory under which the accounts that will log in to phpBB are stored; phpBB searches below this point for the user. Ours was OU=Users,OU=Accounts,OU=People,DC=ad,DC=example,DC=com. One way to find it is to install Remote Server Administration Tools (RSAT) on any machine that is part of your domain and run the following command there: dsquery user -limit 1000 | dsget user -dn. In the returned list of users, find one that you know is in the correct location within Active Directory and take everything after its CN= component as the base DN. For example, if one of the users was CN=UserName123,OU=Generics,OU=Accounts,OU=People,DC=ad,DC=example,DC=com, the LDAP base distinguished name would be OU=Generics,OU=Accounts,OU=People,DC=ad,DC=example,DC=com.
- LDAP uid: we used samaccountname. This is the attribute phpBB matches the typed login name against; in Active Directory, sAMAccountName is the pre-Windows 2000 logon name.
- LDAP user filter: we left this blank. A blank filter means every account below the base DN can log in to phpBB; an additional filter, for example on group membership, restricts that to a subset.
- LDAP email attribute: we used mail.
- LDAP user dn: the full username of the generic/service Active Directory account that phpBB binds with to look up users before verifying their passwords. We put our username in the form ADNAME\username. For us, this was EXAMPLEAD\phpbbldapuser. This account only needs to read the directory, so do not use a privileged account: its password is stored in phpBB's configuration. I did not try it, but I suspect ad.example.com\phpbbldapuser would have worked, too, as EXAMPLEAD and ad.example.com are both valid names for our domain.
- LDAP password: the password of the LDAP user dn user account mentioned in the previous step.
In our experience, SELinux blocked the httpd process from connecting to port 389, which is the default Active Directory/LDAP port. So, in addition to allowing the port through the firewall, we also had to configure SELinux to allow it:
sudo firewall-cmd --permanent --add-port=389/tcp
sudo firewall-cmd --reload
sudo yum install -y setroubleshoot-server
sudo semanage port -m -t http_port_t -p tcp 389
The semanage line relabels port 389 as an HTTP port, which is what lets the web server process talk to it; sudo semanage port -l | grep 389 shows the label afterwards. The more targeted alternative is to leave the port's LDAP label alone and enable the SELinux boolean that permits outbound connections from httpd: sudo setsebool -P httpd_can_network_connect 1.
If you're not sure whether the firewall or SELinux is the issue, temporarily disable them one at a time to test your configuration. If one of them turns out to be causing the problem, make the appropriate firewall or SELinux change and then re-enable it; do not leave either disabled on a server that is reachable from the network.
Firewall, turn off: sudo systemctl stop firewalld
Firewall, turn on: sudo systemctl start firewalld
SELinux, check current mode: getenforce
SELinux, turn off (permissive: denials are logged but not enforced): sudo setenforce 0
SELinux, turn on (enforcing): sudo setenforce 1
Because setroubleshoot-server is installed, sudo sealert -a /var/log/audit/audit.log explains any SELinux denial recorded while you test, which is quicker than guessing.
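The following script is an added example, not part of the original write-up or of phpBB, that checks the settings from the list above from the phpBB host itself before they go into the ACP, and separates a network or SELinux problem from a wrong DN or password. It assumes openldap-clients (ldapsearch), coreutils timeout and bash are installed; the host, DNs, filter and test user are placeholders in the style of the text and must be replaced. The helper that derives the base DN from a user DN also handles escaped commas inside the CN, which the dsget example above does not show.

```bash
#!/bin/sh
# Added example (not from the original page): check the phpBB LDAP settings
# from the phpBB host before touching the ACP, so that a wrong base DN, bind
# account or blocked port shows up here rather than as a locked-out forum.
# Assumptions: openldap-clients (ldapsearch), coreutils timeout and bash are
# installed; host, DNs and the test user are placeholders to replace.
set -eu

LDAP_HOST="${LDAP_HOST:-ad.example.com}"                # the domain, not one DC
LDAP_PORT="${LDAP_PORT:-389}"
LDAP_BIND_DN="${LDAP_BIND_DN:-EXAMPLEAD\\phpbbldapuser}"  # phpBB's "LDAP user dn"
LDAP_BASE_DN="${LDAP_BASE_DN:-OU=Users,OU=Accounts,OU=People,DC=ad,DC=example,DC=com}"
LDAP_USER_FILTER="${LDAP_USER_FILTER:-}"                # phpBB's "LDAP user filter", may be blank

# Turn a user DN from "dsget user -dn" into the container it lives in, which is
# the value phpBB wants as "LDAP base dn": drop the leading RDN up to the first
# unescaped comma (a CN such as "Doe\, John" contains an escaped comma).
base_dn_from_user_dn() {
  printf '%s\n' "$1" | sed -E 's/^[^=]+=([^,\\]|\\.)*,[[:space:]]*//'
}

# Escape a login name for use inside an LDAP search filter (RFC 4515), so a
# value like "*)(objectClass=*" cannot widen the search to other accounts.
# Backslashes go first so the other escapes are not escaped twice.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter phpBB effectively runs: the uid attribute matched against the
# login name, AND-ed with the optional user filter from the ACP.
ldap_user_filter() {
  login="$(ldap_filter_escape "$1")"
  if [ -n "${2:-}" ]; then
    printf '(&(sAMAccountName=%s)%s)\n' "$login" "$2"
  else
    printf '(sAMAccountName=%s)\n' "$login"
  fi
}

# Can this host open a TCP connection to the DC on the LDAP port? Uses bash's
# /dev/tcp so it works where nc and nmap are not installed. A failure here is
# the firewall or SELinux, not a phpBB setting.
ldap_port_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Bind as the service account and look up one user the way phpBB does.
# ldapsearch exits with the LDAP result code: 49 means the bind DN or
# password is wrong, 32 means the base DN does not exist.
ldap_test_lookup() {
  ldapsearch -x -LLL -H "ldap://${LDAP_HOST}:${LDAP_PORT}" \
    -D "$LDAP_BIND_DN" -W -b "$LDAP_BASE_DN" \
    "$(ldap_user_filter "$1" "$LDAP_USER_FILTER")" sAMAccountName mail
}

# Live checks run only when a test login name is supplied, e.g.
#   LDAP_TEST_USER=jdoe sh ldap-check.sh
if [ -n "${LDAP_TEST_USER:-}" ]; then
  if ldap_port_reachable "$LDAP_HOST" "$LDAP_PORT"; then
    echo "port $LDAP_PORT on $LDAP_HOST reachable"
  else
    echo "cannot reach $LDAP_HOST:$LDAP_PORT (check firewalld and SELinux)" >&2
    exit 1
  fi
  ldap_test_lookup "$LDAP_TEST_USER"
fi
```

Run it with SELinux enforcing first: if the port check fails but succeeds after setenforce 0, the SELinux change above is the fix; if ldapsearch exits with 49, the service account name or password is wrong and no firewall change will help.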
Our organizational policies require us to regularly change passwords, including service accounts like the Active Directory account that phpBB uses to authenticate users against Active Directory. Once the password of that account is changed, phpBB can no longer bind to the directory, and it does not fall back to another authentication method, such as the built-in user database. You simply can no longer log in to phpBB at all, regardless of which username and password you attempt, the administrator included. So you have to manually set it back to using the built-in user database:
- Issue the command sudo mysql -p at the command prompt.
- Type your database password.
- Issue the following command: use phpbb; If the name of your database is not phpbb, type the actual name of the database.
- Issue the following command: UPDATE phpbb_config SET config_value = 'db' WHERE config_name = 'auth_method'; If you chose a table prefix other than the default phpbb_ when installing, adjust the table name to match.
- Issue the following command: quit
- Delete the following file: <YOUR PATH TO PHPBB>/cache/production/data_global.php, replacing "<YOUR PATH TO PHPBB>" with wherever you extracted your phpBB files. phpBB caches the config table in that file, so until it is removed the old auth_method stays in effect.
Once you can log in again, enter the new service account password in the LDAP settings and switch the authentication method back to LDAP.
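The recovery steps above as a single script, added here as an example (not from the original write-up or from phpBB). It reads auth_method back before and after the change so you can see the lock-out state and confirm the fix, and it validates the table prefix before splicing it into SQL, since an identifier cannot be passed as a literal. The phpBB directory, database name and prefix are assumed defaults and can be overridden from the environment.

```bash
#!/bin/sh
# Added example (not from the original page): the manual recovery as a
# script, with a read-back of auth_method before and after the change.
# Assumptions: the default table prefix phpbb_, a database named phpbb, the
# MariaDB mysql client and phpBB installed under /var/www/html/phpbb; all are
# placeholders to adjust via the environment.
set -eu

PHPBB_DIR="${PHPBB_DIR:-/var/www/html/phpbb}"
PHPBB_DB="${PHPBB_DB:-phpbb}"
PHPBB_PREFIX="${PHPBB_PREFIX:-phpbb_}"

# The table prefix is spliced into an identifier, where it cannot be passed
# as a literal, so accept only [A-Za-z0-9_] before building any SQL.
valid_prefix() {
  case "$1" in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read back which authentication backend phpBB currently uses.
show_auth_sql() {
  valid_prefix "$1" || return 1
  printf "SELECT config_value FROM %sconfig WHERE config_name = 'auth_method';\n" "$1"
}

# Force the built-in database backend; the same statement as in the text.
reset_auth_sql() {
  valid_prefix "$1" || return 1
  printf "UPDATE %sconfig SET config_value = 'db' WHERE config_name = 'auth_method';\n" "$1"
}

# Run all three statements in one mysql session (one password prompt), then
# drop the cached copy of the config table; phpBB reads auth_method from that
# cache, so without this step the change does not take effect.
reset_phpbb_auth() {
  {
    show_auth_sql "$PHPBB_PREFIX"
    reset_auth_sql "$PHPBB_PREFIX"
    show_auth_sql "$PHPBB_PREFIX"
  } | sudo mysql -p "$PHPBB_DB"
  rm -f "$PHPBB_DIR/cache/production/data_global.php"
  echo "auth_method reset to db; log in and update the LDAP password in the ACP"
}

# Apply only when asked explicitly, e.g.
#   PHPBB_DIR=/srv/phpbb sh reset-auth.sh --apply
if [ "${1:-}" = "--apply" ]; then
  reset_phpbb_auth
fi
```

The first SELECT should print ldap while you are locked out and the second should print db; if the second still shows ldap, the UPDATE hit the wrong database or table prefix.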