65 thoughts on “authLDAP”

1. I installed your plugin in WordPress 3.0.1. I get an error in the option page about an invalid argument supplied for Foreach() in authLDAP.php line 217. I’m not too good with PHP, could you take a look at it?

   1. I’ll dig into this and give you an update later.
      Later:
      Sadly I could not reproduce this issue with a clean and empty install of wordpress 3.0.1. I got an error concerning a Case-sensitivity-issue, but that was not the error you reported. Could you give me some more information about the settings you use?

2. It seems like it might an issue with the pathnames, specifically the uppercase/lowercase letters, between authLDAP in your code and authLdap in the file names in the archive, authldap.zip.

   1. I’ve already fixed that in the new version that you can download at wordpress.org. Thanks for mentioning. Did you get it to work then?

3. I’m new to LDAP so please bear with me. I have the base dn for the LDAP directory containing the uid attribute. All other attributes are stored in a different branch. What’s the proper syntax for specifying which branch of the LDAP directory tree contain the attributes?

   1. authLdap searches an LDAP-Tree recursively. You have to find the common base for the branch your users are stored in and your groups are stored in. So if users have a Distinguished Name of uid=doej,cn=users,dc=example,c=org and groups are stored in cn=myGroup,cn=groups,dc=example,c=org then the common base is dc=example,c=org.

      Then you would set LDAP-URI to ldap://ldapserver.example.com/dc=example,c=org.

      Every other option then only specifies the attributes of user- or group-nodes.

      For more information on that topic have a look http://en.wikipedia.org/wiki/LDAP

4. Just wondering, does authLDAP work with OpenLDAP?

5. It actually does. But due to a broken API I had to fix it. The current version 1.0.1 authenticates perfectly with OpenLDAP.
   I just checked it with a clean WordPress 3.0.1, authLdap 1.0.1 and my OpenLDAP

6. I am having issues trying to limit access to only one group in my OS X Open Directory. Has anyone had success using this plugin against Open Directory? If so, can you post the field values you used? I am running WordPress 3.0.1 and Snow Leopard Server Open Directory. Thanks!

   1. Sorry for answering so late. The comment got stuck in my spam folder.

      As filter use uid=%s.

      As Group attribute you can either use cn which is the Shortname of the group from WorkgroupManager or apple-group-realname (Full name of the group) or gidNumber Which is the group number.

      As Group filter you should then use (&(objectclass=apple-group)(memberUid=%s)).

      Depending on the setting of the group-attribute you then have to give the appropriate values for the group-memberships which are the shortname for cn, the full name for apple-group-realname or the group-number for gidNumber

      When you want to authenticate only one group from your OpenDirectory you have to decide which role the users from that group shall have and simply fill the appropriate group attribute only for that role. Everyone from that OpenDirectory group will then be loged in with that role. Other roles then have to be assigned locally.

7. This plugin looks nice but on a clean fresh install of the latest WordPress on Linux I get this error when activating:

   Warning: require_once(/var/www/aquila/wp/wp-content/plugins/authLdap/ldap.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/aquila/wp/wp-content/plugins/authldap/authLdap.php on line 11

   The server has got a working php/ldap because some other software on it is using LDAP with no problems, with an ActiveDirectory server.

   1. This seems to be case-sensitivity-issue.

      I have fixed that already in the plugin-directory, so downloading the plugin again should resolve the issue.

      Otherwise go to the mentioned line 11 of authldap.php and change the line to
      require_once ABSPATH . 'wp-content/plugins/authldap/ldap.php';
      Important is the lower-case ‘L’ in authldap

8. Thanks, I fixed the folder and include CaSe and it works now.

   Do you have an example setup using MS ActiveDirectory, your example seems more like OpenLDAP and the groups are a bit different in AD?

   1. Thanks for the reply.

      I’m sorry, but I don’t have access to an AD-Server, so I can’t give you any first-hand examples.

      I always use an LDAP-Browser like jXplore to get an insight into the directory structure.

      As Filter I would use somthing like SAMAccountName=%s and as User-ID-Attribute I then would also use SAMAccountName

      As Name-Attribute I would use cn

      Sadly I can not give you any advice on the group-settings in authLdap at the moment. I will try to setup that later the day and give you an update on that.

9. Hi,

   I installed the latest version and the REGEX expression un ldap.php don’t seems to work 🙁 When I print_r() the content of $result, I get this: Array ( [0] => ldap://uid=adminuser,dc=example,c=com:secret@ldap.example.com/dc=basePath,dc=example,c=com [1] => ldap [2] => [3] => [4] => [5] => [6] => uid=adminuser,dc=example,c=com:secret@ldap.example.com [7] => /dc=basePath,dc=example,c=com [8] => /dc=basePath,dc=example,c=com )

   Can anybody help?

10. Hi again,

    after some searching on the web, I found a wonderful PHP function named parse_url(). You should update your code to use it. Here is the output of print_r():
    Array
    (
    [scheme] => ldap
    [host] => ldap.example.com
    [user] => uid=adminuser,dc=example,c=com
    [pass] => secret
    [path] => /dc=basePath,dc=example,c=com
    )
    Also, how should I contact you about the little bugs I find?

    Regards

    1. Thanks for mentioning parse_url().

       The updated code is available for download at the plugin-page.

       Alternatively you can check out the code at github.

       For issues you can use the issue-tracker at github

       Thanks for your feedback.

11. Thanks for the wonderful plugin, Andreas. I am trying to use it with WordPress 3.0.1 on Mac OS X 10.6 server. I have got the same problems as Mark: users are able to login, but are always assigned to Subscriber group no matter what are the settings in authLDAP configuration. Going through the code I have noticed that there is an error in lines 380 and 387. When updating the user role with update_user_meta, you use the meta tag wp301_capabilities. When I changed the tag to wp_capabilities everything started working as designed. As far as I understand there is no such field in metadata as wp301_capabilities, but there is wp_capabilities. Hopefully it will help Mark and other users. I suppose this issue is not platform-dependent.

    Best regards

    1. Hi Alex.

       Thanks for your Comment.

       This actualy is a bug I will fix in the next days.

       Regards

12. hey,

    plugin works fine… but I had to patch authLdap.php for setting capabilities to work correctly.
    wp-3, openldap
    Groups are correctly retrieved, but your plugin tries to set the attribute “capabilities”, which should actually be “wp_capabilities”…else it doesn’t work, at least for me.

    1. Seems like I have to add support for table-prefixes…..

13. Hello Andreas,
    You excellent plugin seems to have one logical problem, which I have recently stumbled upon. I want to restrict the ability to use blogs to a certain group of server users and it seems impossible to do it in the current version of the plugin. The user account is created and user is logged in even if he does not belong to any role defined in authLDAP. I looked at the code and believe that your plugin was designed that way. Don’t you think it would be better to deny login to the users who are not members of any group defined in authLDAP?

    1. Originaly the purpose of the plugin was to grant usage of the blog only to members of certain LDAP-Groups. Therefore only those members should be created upon login as wordpress-users.

       But after looking through the code again I have to admit, that you are right and users are created event though they are not member of an allowed group. That seems to be a design flaw I have to eliminate, as it does not make any sense to create dozens of users that have no rights at all.

       Thanks for pointing out the flaw.

       There will be a new version out soonish 😉

14. And one more minor suggestion, if I may. WordPress requires the users to provide email address when creating an account with wp_create_user(). This account has to be unique. If no user email provided in the Open Directory, authLDAP still tries to create an account giving the user default email account of me@example.com. If another user with no email account tries to login, WordPress rejects account creation because email address me@example.com already exists. I believe that better default value for email would be something like

    $mail=$username . ‘@example.com’; (line 341)

    This will ensure that even the users who don’t have email in directory records will be able to login and enter an email in their profile afterwards.

    💡 It would be also nice if in future authLDAP become aware of network installation of WordPress! 😉

    Thank you again for your great plugin and support!

    1. You might 😉

       That is an excellent suggestion and will be considered in the next release.

       Thanks for the input.

15. Hi Andreas,

    you have a typo in your example for the first filter “(&(objectclass=posixAccout)((!(uid=%s)(mail=%s)))”

    It is posixAccount. (And perhaps objectClass)

    Nice Greetings
    Sven

16. Hi Andreas, thanks so much for creating this nicely flexible plug-in. I’m struggling a bit to get it to work and have enabled debugging. However, I’m not seeing any debugging information. Can you tell me where I can find the errors so I can tell where it’s failing?

    Thanks.

    1. As a matter of fact, the plugin did not provide any debugging information up to version 1.1.0. The debug-flag you can set has been legacy-code that was used in pre PHP5-times to get some sensible informations from the plugin. But during the refactoring for PHP5 I decided to use Exceptions and these are catched in the authLdap.php-file in line 303. As soon as an Exception is thrown, something went wrong and an authentication can not be granted.

       So you could go to line 303 (Version 1.1.0) of the file authldap.php and insert a trigger_Error($e->getMessage()) (or something along that line) before the return false. That way you would be informed of everything that does not work correctly in the LDAP-Backend.

       In Version 1.1.1 the debug-flag now enables exactly that behaviour. So from now on you should be able to see LDAP-Problems as User-Notice in your error-log.

17. Fantastic plugin… Once I took care of mod_security, that is….
    Quick question:
    Does this support LDAPS? I can’t seem to get it to work with anything other than LDAP on port 389. Is there a way to patch the config, or am I missing something?

    Let me know.

    -Nate

    1. Hi. Sorry for the late reply, You were stuck in the spam folder :-/

       As far as I know, you have to provide a port-number to the LDAP-URI like ldaps://ldap.example.com:636/. But I have not tested LDAPS yet.

       I will look into that in a short time and let you know the results.
       – Andreas

       [edit]
       I just changed the way the LDAPS-Scheme is handled. So with the new version of the authLdap-plugin you should be able to connect to ldaps-Servers – but still not tested!!

18. Andreas,
    I’m glad to see this plugin and thanks for writing it. I do have an issue, though, that I can’t seem to figure out :\ I’m authenticating against Apple Open Directory as Mark above is, and your comment was helpful, but I’m still unsuccessful.

    As you know, the groups are like CN=groups,CN=groupname and users are in CN=users. I’ve created an OD group named “wp-admins”, for example, and added the users to WordPress accordingly.

    There are my current settings. If you (or someone) could give a nudge in the right direction, I’d greatly appreciate it.
    My LDAP URI is: ldap://tdxs1.dsdk12.schoollocal/dc=tdxs1,dc=dsdk12,dc=schoollocal
    Name-Attribute: cn
    Second Name Attribute: givenName
    User-ID Attribute: uid
    Group-Attribute: cn
    Group-Filter: (&(objectclass=apple-group)(memberUid=%s))
    Admin Group Membership: wp-admins

    1. Hi Josh.

       What exactly is the problem? Are users able to log in but certain informations are not set? Or isn’t even a login possible? Have you enabled debugging? If so, what did the logfiles say?

       The provided Information looks good to me, but what struck me was … and added the users to WordPress accordingly. as you would not need to add the users to wordpress manually – the plugin will add the users on their first login.

       Feel free to send me logfiles via private mail

19. Hello Andreas, it is me again :-). I wonder if it is possible to make authLDAP aware of WordPress network installation? Currently, even if authLDAP is network activated, new blogs get blank settings. It would be great if Network Admin could define/enforce default authentication settings for newly created blogs. If authLDAP could also set which group of users can create blogs, the blog network would become entirely self-service: if user wants a blog and is allowed to have one, he can create it himself and use server LDAP accounts for subscribers. I am a server admin and not very familiar with WordPress internals, so I do not know if any of this possible. If it is, it would greatly simplify my work and work of WordPress network administrator.

    Thanks again for the your responsiveness, support and maintenance of the plugin.

    1. Hi Alex.

       Nice thought! I wasn’t aware of the network-abilities of wordpress until I dug into this 😉

       That definitely is a cool thing and I will try to get it up and running! But I can not promise you a date! But first tests are promising.

       I’ll keep you informed.

20. Hi Andreas Heigl ;

    Today I installed your plugin integrated with wordpress , I like to configure the ldap but when I try login the page show a error message . I like to see the log debug, where I looking for this files.

    Thank you

    1. Hi.

       What is the error-message that you get? By default the debug log is simply appended to PHPs error-log.

       Regards.

       Andreas

21. Hi
    I need only users that have the
    ldap-attribute userClass=staff

    is there a way to specify this in the settings? I assume its slightly different from a group?
    If there isn’t, could you direct me to the place in the code I could put it in temporarily.
    thanks
    elvis

    1. Hi elvis.

       Thats rather easy as you only need to adapt the filter for the users.

       You could use something like the following:
       (&(objectclass=posixAccout)(userClass=staff)((!(uid=%s)(mail=%s)))

       This would allow only users with the LDAP-Attribute userClass=staff to log into your wordpress.

       But if you want to identify the – lets say Admins – by this attribute, I sadly have to admit, that that is currently not possible.

       I hope that helps

       Regards

       Andreas

22. Hi,
    Got this plugin working.

    Just one little issue (that may or may not be related to this plugin). When I have a username < 4 chars it fails to create the user. We are not running the multisite install. Any ideas on how to reduce this min length issue?

    Thanks

    Joe

23. Hello,

    Ive trying to use this plugin with WP4.6 and already installed it and set the appropriate settings.

    But Im missing a bind-user (as our LDAP requires one) and even though testing without bind-user: when I try to login via wp-login there is no ldap connection to the server. So maybe the plugin aint working at all? Do have to change something?

    I have activated debugging, and cant see anything either. Where shall the debug-messages go?

    regards
    Robert

    1. Hi Robert.

       The Debug log should show up in the PHP-error log (which mostly shows up in the Webservers error-log)

       The bind-user is set in the LDAP-URI. The comment for the LDAP-URI contains an example. It should be something like ldap://cn=binduser,dc=admingroup,dc=example,dc=com:bindpassword@ldapserver.example.com/dc=example,dc=com.

       Please give me a short feedback whether that works or not to get that sorted out quickly. You can also use https://gitter.im/heiglandreas/authLdap for feedback.

       Cheers

       Andreas

24. Hello,

    thanks for the really fast reply 🙂

    Problem is the password, it contains special characters not allowed in URLs. But this password is used multiple times in other places, I would like to avoid changing it. Some other way to store it (maybe in php-script?)

    regards
    Robert

    1. You’re welcome.

       Even though it’s called an LDAP-URI you should be able to set the password with special characters. It should be used “as is”. Alternative solution would be to use URL_Encode to encode it. But that would currently mean to alter the file ldap.php to add the corresponding urldecode. As that’s not done currently the password should be used as you type it. Currently forbidden characters are ‘:’, ‘@’ and ‘ ‘ (space). When you have one of these you need to use the urlencode-version.

       For that you can replace line 56 in ldap.php with this line: $url = array_map(function ($item) { return urldecode($item); }, parse_url($URI));

       That’s currently not implemented, but i’ll add that ASAP as it makes absolute sense! So when you can wait 2 days, there’l be a new release that has URL-decode-functionality 😉

       Cheers

       Andreas

25. Hi Andrea,

    i have installed your plugin and was able to make it work, except for the group mapping. I am using openDJ ldap and my objectClass is “groupOfNames” and the member attribute is “member”. Given those are my attribute names, should my filter be —

    (&(objectClass=groupOfNames)(member=%s))

    1. From a first glance that looks correct. When the content of “member” is the User-ID Attribute that’s perfect, when it’s the DN you should use %dn% instead of the %s though.

26. Hi Andreas,

    what to do if there is an ‘@’ sign inside the password of the bind user? Is there a way to escape it?

    1. There will be in the upcomming version I already wanted to publish end of last year. You can fetch the plugin from https://github.com/heiglandreas/authLdap/archive/master.zip and install that as it already contains that change. The next official release will contain that change.

       You will then need to URL-encode the password of the bind-user.

27. Hi Andreas

    Does your plugin work for WP 4.7.3 as well? There is only a not that it is tested up to 4.6.1.

    Thanks for a quick response.

    BR
    -urs

    1. Hi Urs.

       The plugin is working with 4.7.3 as well (just checked).

28. Hello Andreas,

    Is this plugin supposed to be working with ActiveDirectory too? I’m not managing to get the bind working…

    1. Hey Julien.

       Yes, the plugin works with AD as well. Can you send me more details on your config via Mail to andreas (AT) heigl (DOT) org? I’ll then try to find the issue!

       Cheers

29. Hello Andreas,

    i woud like to ask you, wether your plugin is also suitable for the wordpress multisite setup? I only find the settings for authldap in the dedicated wordpress site, and not in the global network dashboard.
    Thanks, and regards,
    Axel

    1. It currently isn’t out of the box. I never got round to implementing it and it wasn’t a requested feature. I might have a look at how to do that during this weekend so I might be able to give you a feedback how and when that might work…

30. Hello,

    Your plugin is exactly what i am looking for but unfortunately i cannot get it to work. any help would be greatly appreciated.

    Error:(Time on logs are not accurate, not sure if that has anything to do with it)

    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] User ‘userid’ logging in
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] about to do LDAP authentication
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] connect to LDAP server
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] LDAP authentication failed with exception: no result found

    LDAP URI:ldap://myglobalname.com:3268/cn=userid,password,DC=domain,DC=mycorp,DC=com

    Filter: (cn=%)
    Name: givenName
    Last: sn
    UserID Attribute: cn
    Mail: mail

    Group Attribute: distinguishedName

    Group Filter: (&(objectClass=group)(dn=%))

    Mapped group to Subscriber group: CN=groupname,OU=Groups,OU=common,DC=domain,DC=mycorp,DC=com

    1. Hi.

       I‘m pretty sure your LDAP-URI needs to look like this:

       ldap://userid:password@myglobalname.com:3268/DC=domain,DC=mycorp,DC=com
       

       Where „userid“ should be something like „cn=userid,DC=domain,DC=mycorp,DC=com“. When you are using ActiveDirectory as backend you might also able to just use „userid“

31. Thanks for your reply!

    I am now getting this error: LDAP Authentication failed with exception: bind was not successful: Invalid Credentials

    i tried both cn and userid (lets say my user id is “test” and password is “pass123” here is how i am inputing the LDAP URI –

    ldap://cn=test:pass123@myglobalname.com:3268/DC=domain,DC=mycorp,DC=com

    also tried this, with same error –
    ldap://userid=test:pass123@myglobalname.com:3268/DC=domain,DC=mycorp,DC=com

    1. Try
       ldap://test:pass123@myglobalname.com:3268/DC=domain,DC=mycorp,DC=com or ldap://cn=test,DC=domain,DC=mycorp,DC=com:pass123@myglobalname.com:3268/DC=domain,DC=mycorp,DC=com.

       The username needs to be either a complete Distinguished Name (DN) or – when you are using ActiveDirectory as backend – just the user-ID (that is stored in ActiveDirectory in the attribute sAMAccountName)

32. Getting the same error with both, we are using forest schema version 47, is there maybe a unique way it needs to be for this schema version?

    User ‘test’ logging in
    about to do LDAP authentication
    connect to LDAP server
    LDAP authentication failed with exception: bind was not successfull: Invalid credentials

    1. That looks like the credentials for the user test where not correct. Would you mind sending me the details for the user test to andreas AT heigl DOT org?

33. Hi, we are getting this working with our AD with good success – great plug in!

    We have a number of custom roles to map. However, we’re seeing that even though the log shows the groups getting parsed OK, its not mapping the roles – it just seems to update the primary role with the last role in the list, rather then add the user to each role – VID beyond and vid leaders.

    Any ideas – feel like we’re really close!

    from the log…

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] User ‘james’ logging in
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] about to do LDAP authentication
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] connect to LDAP server
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] LDAP authentication successfull
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Existing user, uid = 6
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Array
    (
    [administrator] =>
    [editor] =>
    [author] =>
    [contributor] =>
    [subscriber] =>
    [employer] =>
    [newbie] =>
    [VID Leaders] => VID Leaders
    [VID Beyond] => VID Beyond
    )

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Array
    (
    [administrator] =>
    [editor] =>
    [author] =>
    [subscriber] =>
    [contributor] =>
    [newbie] =>
    [employer] =>
    [VID Beyond] => VID Beyond
    [VID Leaders] => VID Leaders
    )

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Group Filter: “(&(objectCategory=group)(name=VID *)(member=CN=James,DC=not really,DC=co,DC=uk))”
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] LDAP groups: [“VID Leaders”,”VID Beyond”]
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Role from LDAP group: VID Beyond
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] role from group mapping: VID Beyond
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] The LDAP user has an entry in the WP-Database
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] user id = 6

    1. Currently the plugin only adds a user to one group. And that’s the first matching group. There are ideas to change that but that’s not yet finished. Well, not even started…

34. Hi,
    I am researching for a plugin to use with WP Multisite and LDAP at a college. I see that this question has been asked before but it wasn’t answered. Is that functionality available with this plugin?

    Thanks in advance!
    Audrey

    1. As of version 2.0.0 multisite is available. Though the main question is how you want this functionality to work. With the current implementation you can (or have to – depending on your use-case) use different configurations for each site. With a hack you can also enable one configuration to be shared over all sites.

       Or do you have a different use-case? Then feel free to add it as an issue to https://github.com/heiglandreas/authLdap.

35. Hi,

    I’m trying your plugin (Version 2.0.3 ) using the latest WordPress version (4.9.4) and I can’t connect to my LDAPS server, I get the below error:

    [AuthLDAP] User ‘my_username’ logging in, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] about to do LDAP authentication, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] connect to LDAP server, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] No bind successfull. Exception thrown in line 68, referer: http://my_website/wp-login.php?loggedout=true

    The URI used is:

    ldaps://CN=ldap_username,OU=settings_01,OU=settings_02,OU=settings_03,DC=settings_04,DC=settings_05,DC=com:password@my_ldaps_server:port/DC=settings_04,DC=settings_05,DC=com

    Any thoughts on how to handle it? Do you think it’s related to the ldapS? Does the plugin support ldapS?

    Thanks!

    1. The plugin does support LDAPS though using it with self-signed certificates is nasty! So first question: Are you using self-signed certificates?

       Another issue might be the password. Do you have any special characters in it that should be URL encoded? Like f.e. ‘:’ or ‘@’ or ‘&’ or ‘?’. If so you should put them into the URL in a URL-Encoded way.

       For further questions feel free to contact me via email at andreas AT heigl DOT org

Comments are closed.