LDAP login extension with multiple LDAP server support

Yippy

Flarum LDAP authentication

Based on tituspijean/flarum-ext-auth-ldap @TitusPiJean

This extension enables users to log into Flarum through LDAP, there has been new improvement with this fork. With multiple LDAP server support, and optional email field.

How to install

composer require yippy/flarum-ext-auth-ldap

Must install select2 assets for LDAP Server Settings dropdown selection to work.

php flarum assets:publish

Activate it in Flarum's administration panel.

Languages

This extension support English.

Configuration

Screenshot

LDAP server name: sets the end of the Login with link at the top of the forum:
LDAP domains or server IP adresses (comma separated): list of LDAP servers to use.
Port: LDAP server port
LDAP Version: LDAP server version
Base DNs (semicolon separated): list of base DNs to search users in.
Filter to apply (optional): Additional filtering, for example require users to be in a specific group.
Follow referrals, Use SSL, Use TLS: LDAP server settings
LDAP admin distinguished name and LDAP admin password (leave empty for anonymous binding) : if needed, specific the DN and password of the user allowed to perform searches in the LDAP server.
LDAP user search fields (comma separated): list of the LDAP fields used to look for the users. The extension will try all combinations of base DNs and search fields.
LDAP username field: name of the field containing the username that uniquely identifies the user. Can be uid or sAMAccountname, for example.
LDAP email field (optional): name of the field containing the user's email address. The extension will use the first email found for the user's registration in Flarum.
LDAP nickname search fields, enable Nicknames extension (comma separated)
Disable Flarum login and only use LDAP authentication: merely hides the standard login links and buttons. Users can still use the standard login method through the API.
Display detailed LDAP errors for failed login attempts: enable this option to help troubleshoot LDAP account errors for failed login, this will display a error whether the account isn't found, disabled or password expired.

Development (With docker)

Clone the repository
Copy docker.conf : cp docker/.docker.conf.dist docker/.docker.conf
Change UID in docker/.docker.conf if needed.
Start dockers : ./install.sh install
Open http://flarum.localhost
- MySQL host: mysql
- MySQL DB: flarum
- MySQL user: flarum
- MySQL password: flarum
Go to Admin panel and enable extension
- LDAP domain: ldap
- LDAP DN: dc=flarum,dc=com
- Check connect with Ldap admin
- LDAP admin: cn=admin,dc=flarum,dc=com
- LDAP admin password: flarum
- LDAP search user fields: cn,mail
- LDAP user mail: mail
- LDAP user username: cn
Add and user on : http://localhost:8081/
- Login: cn=admin,dc=flarum,dc=com
- Password: flarum
- Create a new entry -> Default -> inetOrgPerson

Support

This extension is under minimal maintenance.

Links

luceos

Nice one 🥳

Shime007

Please explain how can I enable the select2 assets in flarum?
I can not input correct data from the ldap Server cause the textfields are wrong and I can not write into them.

Yippy

Shime007
You need to run php flarum assets:publish to load the assets, that is required for this extension.

Which settings are you referring to?

Shime007

I run that command and the installation was sucessfull, but I can not fill out the field of the "Flarum User Profile".
The textfields are looking like that:
ScreenShot

I tested with Chrome, Firefox and Edge, always the same problem.

Yippy

Shime007 on the Flarum Admin Dashboard 'Clear Cache' and on your browser 'Empty Cache and Reload'.

Shime007

I completely instaleld flarum new and now the textfield are looking correct and I can input the data.
Can I see Logfiles of the LDAP extension somewhere?
With enabled LDAP errors I always get the massage while Login with one LDAP user that the password of the user is not correct but it is correct.

Shime007

Shime007 Now I enabled the debug Mode and I get following return code:

{ "errors": [ { "status": 401, "code": "account.invalid_inputs" } ] }

Yippy

Shime007

That error code is invalid_inputs, because your input fields cannot be empty. Please note that username and password cannot be blank when checking for LDAP account.

May I ask why you wrote 'one' LDAP user? Does other LDAP user login just fine?

You can amend the PHP controller to output the error directly, I have found most errors and map them for better error display.

Go into vendor\yippy\flarum-ext-auth-ldap\src\Controllers\LDAPAuthController.php amend line 159

throw new Exception("account.incorrect_details");

throw new Exception($error);

Remember to Flarum Clear Cache

This should output the LDAP plugin Diagnostic Message directly on the error page, the reason this isn't used by default is because it's not Language friendly if someone wish to translate it. Hence why most of the common errors is mapped in locale\en.yml

Shime007

Yippy
No one from the LDAP users can Login.
I made some changes on the Firewall and now I can connect to the LDAP Server.
When I want to login I got an Error "Incorrect password entered" with a Link on the DEBUG page with following error code:

{ "errors": [ { "status": 401, "code": "account.invalid_inputs" } ] }

The Login data are correct and also on the administration console of the LDAP extension I defined the search fields etc.

Yippy

Shime007

Can you copy and paste the error details on the login popup, cause it seems it's still not passing through the username and password.

If you not using the API directly the input fields maybe 'disabled' which doesn't pass the value in the request.

You may want to remove the package and try the original fork composer require tituspijean/flarum-ext-auth-ldap if you don't need multi domains. Oddly I can't replicate your issue.

Using the API direct you must pass your username as 'identification' and password as 'password' into the body of the request to /auth/ldap. For the controller to work because at line 38 of LDAPAuthController.php as the following checks:

		$body = $request->getParsedBody();
		$params = Arr::only($body, ['identification', 'password']);
		$id = Arr::get($params, 'identification');
		$password = Arr::get($params, 'password');

		if (empty($id) || empty($password)) {
			return $this->errorResponse("account.invalid_inputs");
		} else {
			return $this->processDomains($id, $password);
		}

Shime007

Yippy
The failure is solved, the problem was our firewall who is blocking everything.
There is also a failure in the description of the Base DNs, the data is not Semicolon separeated as described, it is seperated by comma.

Now I hava again a problem:
I have activated the button "Hide Flarum standard login method" and now the buton is hidden and I can not log in into the Administration management site. Is there a manual way to reactivate this button?

Shime007

The failure is solved, the problem was our firewall who is blocking everything.
There is also a failure in the description of the Base DNs, the data is not Semicolon separeated as described, it is seperated by comma.

Yippy

Shime007

You can display the original Flarum login Button by going into the Database, and editing 'yippy-auth-ldap.onlyUse' '1' to '0' to re-enable the flarum Login.

That's good that you have figured out the issue with the firewall, as I couldn't find any issue on my end with two LDAP servers. But yeah, I need to amend the README, when I get the time for working on Flarum again.