I'm having some problems integrating JForum with our local LDAP repository. I've read the documentation, and followed the guide to making modifications to SystemGlobals.properties, which looks as follows:
After I'd set this up and restarted the application, there no longer appeared to be any way to log in to JForum - you are stuck as the Anonymous user without any way to log in and test your LDAP connection. In addition, the documentation makes reference to this being expected - but this makes no sense.... how are you supposed to log in without any login form or login page? Is JForum configured with LDAP completely dependent upon it being part of another site?
I really don't get it... [originally posted on jforum.net by jsp1611]
There are two methods of doing external authentication:
The first (which I think you want) is to use JForum's own login screen, but validate the id and password against a non-jforum user database. If the user is validated, a jforum user entry is automatically created for them.
This is done via a class that implements the LoginAuthenticator interface, such as the LDAPAuthenticator class.
The minimum needed to set this up in your config are the following properties.
NOTE: You have the authentication type set to sso above.
The other external authentication method is to use Single Sign On (SSO). This assumes that your main application is going to have the login screen and be passing information about the authenticated user to jforum. To do this, you need to have a class that implements the SSO interface (e.g. RemoteUserSSO).
Thanks very much for taking the time to reply. What you've said makes a lot more sense than what I thought was the case.
I've been reading up on LDAP over the last couple of days, and trying to understand how it functions, and how it's accessed via JNDI. I've also been looking at the source for LDAPAuthenticator, as I've been having problems in getting the connection to Active Directory working. I can see a few problems with the class as it stands:
1. The initial connection to the LDAP repository is made using the credentials of the user who is logging in - this means that when an exception is thrown, you cannot tell if the problem is with the connection itself or with the user's credentials.
2. Possibly as a result of the above, logging has been omitted from the class. This makes diagnosis of LDAP connection problems difficult.
I've written a quick replacement for the class, which works well with Apache Directory Server, although it still doesn't work with our local Active Directory install - I think this is because of Active Directory. The approach is different - you connect with an administrative account (in the same way you would with, say, JDBC), run a search on the username supplied, and if you get something back, reconnect to the repository as that user. This allows you to differentiate between situations where there's a problem with the LDAP setup and where the user has supplied an incorrect username or password.
This is still a work in progress until I can confirm it works with AD, but here you go:
I made some changes to the LDAP section of the props file as well.
If I figure out what the problem is with AD, I'll let you know. [originally posted on jforum.net by jsp1611]
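As an added illustration of the bind-search-rebind approach described in the post above (and of the "validate the id and password against a non-jforum user database" step from the earlier reply), here is a standalone JNDI class. It is example code written for this thread, not jsp1611's replacement class and not JForum's own LDAPAuthenticator, and it is not wired into the LoginAuthenticator interface. The class and method names are invented; the LDAP URL, service-account DN and password, search base and login attribute are placeholders that in JForum would come from SystemGlobals.properties.

```java
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example: bind as a service account, search for the user, rebind as the user. */
public class LdapBindSearchRebind {

    /** Distinguishes "directory is broken" from "user typed the wrong password". */
    public enum Outcome { OK, BAD_CREDENTIALS, USER_NOT_FOUND, DIRECTORY_ERROR }

    private static final Logger LOG = Logger.getLogger(LdapBindSearchRebind.class.getName());

    // All five values are assumptions for the example; real values come from configuration.
    private final String url;            // e.g. "ldap://ldap.example.com:389"
    private final String serviceDn;      // read-only service account DN
    private final String servicePassword;
    private final String searchBase;     // e.g. "ou=people,dc=example,dc=com"
    private final String loginAttribute; // "uid" on most directories, "sAMAccountName" on AD

    public LdapBindSearchRebind(String url, String serviceDn, String servicePassword,
                                String searchBase, String loginAttribute) {
        this.url = url; this.serviceDn = serviceDn; this.servicePassword = servicePassword;
        this.searchBase = searchBase; this.loginAttribute = loginAttribute;
    }

    public Outcome authenticate(String username, String password) {
        // RFC 4513 5.1.2: a simple bind with an empty password is an "unauthenticated" bind,
        // which many servers accept. Reject it here so it never reaches the directory.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return Outcome.BAD_CREDENTIALS;
        }
        String userDn;
        DirContext serviceCtx = null;
        try {
            serviceCtx = bind(serviceDn, servicePassword);          // step 1: service bind
            userDn = findUserDn(serviceCtx, username);              // step 2: search
        } catch (AuthenticationException e) {
            LOG.log(Level.SEVERE, "Service account bind rejected; check serviceDn/password", e);
            return Outcome.DIRECTORY_ERROR;
        } catch (NamingException e) {
            LOG.log(Level.SEVERE, "Directory error talking to " + url, e);
            return Outcome.DIRECTORY_ERROR;
        } finally {
            closeQuietly(serviceCtx);
        }
        if (userDn == null) {
            LOG.info("No unique entry with " + loginAttribute + "=" + username);
            return Outcome.USER_NOT_FOUND;
        }
        DirContext userCtx = null;
        try {
            userCtx = bind(userDn, password);                       // step 3: rebind as user
            return Outcome.OK;
        } catch (AuthenticationException e) {
            LOG.info("Password rejected for " + userDn);
            return Outcome.BAD_CREDENTIALS;
        } catch (NamingException e) {
            LOG.log(Level.SEVERE, "Rebind as " + userDn + " failed for a non-credential reason", e);
            return Outcome.DIRECTORY_ERROR;
        } finally {
            closeQuietly(userCtx);
        }
    }

    private DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns the DN of the single entry matching the login attribute, or null. */
    private String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // we only need the entry's DN
        // Escape the user-supplied value so "*)(uid=*" cannot rewrite the filter.
        String filter = "(" + loginAttribute + "=" + escapeFilterValue(username) + ")";
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
        try {
            if (!results.hasMore()) return null;
            SearchResult first = results.next();
            if (results.hasMore()) {
                LOG.warning("Filter " + filter + " matched more than one entry; refusing to guess");
                return null;
            }
            return first.getNameInNamespace();
        } finally {
            results.close();
        }
    }

    /** RFC 4515 escaping for a value embedded in a search filter. */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static void closeQuietly(DirContext ctx) {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { }
    }
}
```

Two checks in the block matter for security beyond the diagnostics the post is after: the empty-password guard (a simple bind with a DN and an empty password is an unauthenticated bind, which succeeds on many servers and would log anyone in as any existing user), and the RFC 4515 escaping of the username before it goes into the search filter. Each failure path is logged at a level that says which of the three steps failed, so a misconfigured service DN, an unreachable server and a wrong user password are distinguishable in the log. One Active Directory detail worth knowing when a JNDI search over a domain's root works elsewhere but not against AD: AD answers subtree searches with referrals for its other naming contexts, and JNDI raises a PartialResultException from the enumeration unless Context.REFERRAL is set to "follow" or "ignore" in the environment; the example does not set it, and whether that is the cause of the poster's problem is not something this thread establishes.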