Authenticating new/existing accounts with LDAP

I was wondering if anyone has any experience with using LDAP to authenticate their accounts.

I have a directory with all my accounts and I was hoping to use LDAP to authenticate them.
Therefore, if they try to login with their LDAP username/password on ZenPhoto they would have an account immediately created for them so I don't have to manually create all the accounts for everyone.

Anyone do this before? I don't see a plugin which is too bad.


  • So far, no one has done this. However, it is feasible, but will require an extension to the Zenphoto_Authority class. Provision has been made for this kind of thing--an alternate lib-auth can be placed into the plugins folder.

    I would be interested in such an effort. If you have the knowledge of the LDAP side, create a ticket for this effort and we can continue the converstaion there.
  • Having this feature on my ZenPhoto gallery would make it the perfect tool for what I want to accomplish. However I am currently only working part time and am not sure if I could commit that much time to helping you build this.

    I will submit a ticket, and see what we can get going.
  • Hi,
    i extended the checkLogon-function in the lib-auth.php to realize an LDAP-authentication.
    The LDAP-properties (ServerIP,Port,Group,dc,ou,zenphoto-group cn) are supplied by an LDAP Zenphoto plugin (that i also wrote).

    The autentication itself is done via LDAP, but all user properties are stored in the zenphoto-DB To distinguish between a local and a ldap-user i used the 'other-credentials' DB-field with the value 'ldap'.

    At the moment i'm struggling with two issues:
    - The replacement in the plugins/alt/ folder: When i take the original lib-auth.php script and change the require_once-statment at the beginning, i'm getting this error: "PHP Fatal error: Call to a member function checkCookieCredentials() on a non-object in /var/www/zen/zp-core/auth_zp.php on line 71" so i modified the original lib-auth.php.

    - The second one is that the zp-core/zp-extensions/user-expiry.php at Line 161 overwrites the 'other-credentials'-field in the db after every successfull login and logout. It seems that the getCredentials-function (lib-auth.php) doesn't provide the correct value from the db-field, so i comment the line out at the moment.

    The LDAP-authentication works fine, but what is missing is the ldap-user registration part on the admin->users page. I tried to modify the page, but my php-knowlegde is not as good as i wish.
    The plan for the LDAP-user registration is to use normal user registration process/site, but list the users from the zenphoto ldap group on the admin->users page, use the provided name as username and set 'ldap' in the 'other_credentials' db-field.
    I thought that a marked "Use LDAP"-Checkbox (that is only visible when the "Enable LDAP Logon"-Checkbox on the ldap-plugin page is marked) will enable the LDAP-userlist and set the original "New User:"- and the Password-Textbox disabled/invisible.
    The ldap-plugin also provides a function that returns an array with the ldap-usernames that are in the zenphoto-ldap group.

    So my question is, if anybody is interested to do the admin-users-page modification, but addition i have to mention that i also have no github-experience.
  • acrylian Administrator, Developer
    I am not familiar with the login stuff or LDAP itself. I could imagine that it might be easier to extend the federated_logon plugin. But my colleague sbillard surely knows more about that.

    Also the admin-users.php has a filter to attach extra information via plugins (currently there are extra fields shown if the comment_form plugin is enabled though). See the plugin tutorial on the user guide.
  • Thanks for the information.
    I studied the lib-auth.php and admin-users.php today and wrote the GUI-component (extended the admin-users-page) to add LDAP-Users to the local DB, but authenticate them against the LDAP-Server at the Login. Maybe i will extend it to import the users from a whole ldap-group..

    Well, a few changes need to be done regarding user-management, but i'm looking forward to complete these tasks during the next (2) week(s).

    Can i contact sbillard in some way (pn,mail,ticket,..) to talk about this feature? I would like to contribute it.
  • acrylian Administrator, Developer
    First please read the two links within

    Then there are basically two ways to contribute generally:

    1) Provide the tools you create as 3rd party tools. This is actually the preferred way.
    2) Use GitHub's issue tracker or a pull request. Be sure you use the 1.4.5 build for what you do. Sbillard will decided if this is added. But since it would be a new feature it will most likely not get in before 1.4.5 anway. (1.4.4.x are support builds only and do not introduce new things unless needed because of bugs or security issues).
  • I know it is a bit late, but you should also take a look at the `external_auth.php` script. It is core implementation a plugin can use to enable authortie outside of zenphoto to be used for user id and autentication. Unfortunately, the sole example of its use is not publicly available, but it is the basis of a plugin which uses a bbs system's authentication.

    In this case there are no Zenphoto users created in the database. All rights come from the external source which is preferable, since otherwise it violates the addage that if you have two copies of something then one of them will be wrong.
  • I thought about it, you're right. It is much more simpler, after the code review of the external_auth.php i understand the principals of the user handling a little bit better, that was the missing link.
    I think, i only have to change the "return NULL;" in the external_auth.php and make a few changes in my ldap-Plugin to get it working.
    Thanks for the hint, my approach was a little bit more complex.
    I will post here again when i'm finished.
  • Hi,
    after several hours of troubleshooting i replaced the return-statement at the end of the function:
    `return $authorized;`
    with these line (returns the admin-userobj and sets the admin-rights)
    `$_zp_current_admin_obj = Zenphoto_Authority::getAnAdmin(array('``user`=' => 'admin','`valid`=' => 1));
    $authorized = $_zp_current_admin_obj->getRights();
    return $authorized;
    But index.php is calling the password.php instead of calling setThemeColumn(), it basically isn't doing the checkAccess(..) function.
    Maybe you can give me hint to get this done?
  • I should have mentioned that the class defined in external_auth is intended to be a base for a class you define--your class extends the external auth one. Then you make your own methods which retrn the appropriate data.

    There are some filter hooks that you use to intercept the logon stuff.

    zp_register_filter('authorization_cookie', 'MyBBcheck');
    zp_register_filter('zp_logout', 'MyBB_auth::logout');
    zp_register_filter('login_link', 'MyBB_auth::link');
    I guess I can share those methods from the proprietary implementation since they are pretty generic:

    // Filter to provide an external login link
    static function link() {
    return '/'.trim(getOption('MyBB_auth_bb'),'/').'/member.php?action=login';

    // filter to provide log out the user if he was authenticated by an external source
    static function logout($location, $user) {
    if(!is_bool($user->logout_link)) {
    $location = '/'.trim(getOption('MyBB_auth_bb'),'/').'/member.php?action=logout&logoutkey='.$user->logout_link;
    return $location;

    * Provides a link on the Zenphoto logon form for logging in via MyBB
    * @param $handler_list
    static function alt_login_handler($handler_list) {
    $handler_list[getOption('MyBB_auth_bb_name')] = array('script'=>'/'.trim(getOption('MyBB_auth_bb'),'/').'/member.php', 'params'=>array('action'=>'login'));
    return $handler_list;
    * This is the cookie authorization filter function
    * @param bit $authorization
    function MyBBcheck($authorization) {
    $myBB = new MyBB_auth();
    return $myBB->check($authorization);
  • I would also like to note that we have had other requests for LDAP authorizations, so your work will be greatly appreciated by the community when it is done.

    I am sorry I am not very available at the moment. But I will try to check in from time to time.

    It might help if you create an account on GitHub for this effort, then perhaps we can make it a collaborative effort.
  • @spelth:

    I've emailed the full MyBB plugin to your mail address in your forum profile. If you do not get it let me know and we will find another way to deliver it.

    I obtained permission from the person who contracted it to share it with you. An example always helps.
  • @sbillard: I finished the MS Active Directory integration today, both - the AD and OpenLDAP authentication are working.
    In addition i created a github account (same username), should i create my own project or is there a possibility to use the zenphoto project?
  • Congratulations. I know that this will be well received.

    We usually prefer that the developer maintain code when we have not means for testing. So your GitHub repository account sounds the right way to go.

    We can add a link on our site to your repository so that others will have an easy time finding it. If you would prefer we could instead link to a WEB page that you create describing the plugin.

    Just let us know what you wish.
  • The plugin can be found under

    When it is activated the images won't be created in the cache and they are displayed as empty (i use an external datasource, with the few images in my test-environment i see all pics).
    Can you give me a hint what is missing?
  • I have made some comments as issues on your repository.
Sign In or Register to comment.