WPMU Ldap Plugin

I haven’t tested it yet, but I thought I’d pipe up and make sure you realize that AD and OD (specifically) groups work very differently.

AD, each user has a “memberOf” attribute that says what groups they are a member of. I believe in the groups there are also fully qualified DNs for each user in that group.

OD, there is no “memberOf” for the users. You have to look at the group, and even in the group, there’s only an attribute “memberUid” which only lists the UID for members, not a full DN.

I’m more than happy to test this, as it would be a great asset for a WP3.0 install. But, I’m confused as to how one gets the source. Is the source for group support in WP3.0 version 2.9 (of WPMU-ldap) or is there an alpha of 3.0 (WPMU-ldap) somewhere?

Thanks!

I’m trying the plugin code from trunk with WordPress 3.0 Beta and getting PHP fatal errors whenever I try and pull up the admin screen:

PHP Fatal error: Call to undefined function wpmuLdapGroupsGet() in /wp-content/mu-plugins/ldap/lib/wpmu_ldap_admin.functions.php on line 184, referer: https://foo.bar.org/wp-admin/ms-admin.php?page=wpmu_ldap_admin.functions.php

This is under PHP 5.2.10

I see the problem — wpmuLdapGroupsGet() exists within wpmu_ldap.functions.php, but per line 47 of ldap_auth, that file is only included if LDAP authentication is enabled.

However, wpmu_ldap_admin.functions.php is calling that function regardless of whether or not the LDAP auth is working. If LDAP auth isn’t enabled, it can’t get to the function and it causes the fatal error. That in turn prevents you from enabling LDAP support at all.

I tested this by adding a require_once line to wpmu_ldap.functions.php to the top of ldap_auth; that enabled the wpmu_ldap_admin to see the function, which let me enable LDAP auth. After LDAP was enabled I could remove my added “require_once” line and get on with business.

One more quick fix: The LDAP Options > LDAP Group Settings page wasn’t displaying the options I’d saved to the database. This is because “wpmuLdapGroupsGet” on line 386 of wpmu_ldap.functions uses this logic:

$groups = unserialize(get_site_option($opts['siteoption']));

The problem is that “get_site_option” automatically unserializes the data for you, so it doesn’t need to be unserialized again (as chronicled here: http://www.andrewnacin.com/2010/04/18/wordpress-serializing-data/)

As is, $groups ends up being empty, so no text displays on the options page. Changing it to…

$groups =get_site_option($opts['siteoption']);

… fixes the problem.

That said, I still have a bug. While the plugin is able to connect to my LDAP server (as it was under 2.9), I’m unable to add users. I’m using Open LDAP, so the difference between AD and OD groups is likely the problem. I’m going to debug it further and see what I can see.

Thanks for all your work on this — I greatly appreciate it!

Excellent — thanks!

Re: source changes. Cool — I’ll check that out.

It worked fine under 2.9.x but right now it’s failing to add users (although it can connect to LDAP via the config test). I’m in the process of stepping through the group logic to see what I can see.

Oh and just to clarify I meant that it’s failing under the last iteration of the code; I haven’t checked your latest changes out of SVN yet.

@Aaron

I think I grok the problems I’m having with OpenLDAP and directories and uncovered a few more bugs. My apologies in advance if this is information overload; I’m going to break this up into two comments.

I see four things going on.

1) When “checkGroup” is called in wpmu_ldap.functions.php as part of the “wpmuLdapSearch” function, a list of groups isn’t included as one of the arguments.

e.g.:

——–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]) == 0)
——–

instead of something like:

——–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]), wpmuLdapGroupsGet(array(‘siteoption’ => ‘ldapGroupAllowLogin’))) == 0)
——–

As a result, $groups is empty, causing the function to return LDAP_GROUP_NOT_SET, which the wpmuLdapSearch doesn’t account for (it’s assuming true/false). (more on this in a bit). I think it would be useful to clarify the error message to say that the user was found, was not part of a valid group.

2) checkGroup doesn’t bind to the LDAP server

While the checkGroup function does look to see if there’s an LDAP connection, and reconnects if its missing, it doesn’t bind the LDAP Browser user to the server, which prevented my queries from going anywhere (as I’m not binding anonymously). Changing the connection logic to use Dock() solved that problem:

——–
if (!$this->connection_handle) {
$this->Dock();
}
——–

3) OpenLDAP stores group information as part of the “memberof” attribute, which “checkGroups” isn’t querying for.

This is where things get a bit more complicated. I haven’t worked with ActiveDirectory, so I don’t know how you go about fetching it’s group memberships, but my search query started off looking like this:

——–
(&(memberof=cn=joecool,ou=SomeOU,o=SomeCollege)(objectclass=organizationalunit))
——–

This didn’t return any results for me. I should note that during debugging I made sure that functions like “DoSearchUsername” were returning valid results — they were, it was just that nothing was making it past the groups authorization logic.

In order to get a list of groups, I had to change the way SetSearchCriterea was querying LDAP in checkGroups() from this:

——–
$this->SetSearchCriteria(“(&(“.get_site_option(‘ldapAttributeMember’,LDAP_DEFAULT_ATTRIBUTE_MEMBER).”=$userDN)(objectclass=”.get_site_option(‘ldapAttributeGroupObjectclass’,LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS).”))”, array(get_site_option(‘ldapAttributeDN’,LDAP_DEFAULT_ATTRIBUTE_DN)));
——

to this:

——–
$attributes_to_get = array (get_site_option(‘ldapAttributeMember’,LDAP_DEFAULT_ATTRIBUTE_MEMBER));

if (get_site_option(‘ldapLinuxWindows’))
$uid = get_site_option(‘ldapAttributeNixSearch’,LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); //Linux

else

$uid = get_site_option(‘ldapAttributeWinSearch’,LDAP_DEFAULT_ATTRIBUTE_WINSEARCH); //Windows

$this->SetSearchCriteria(“$uid=$userDN”, $attributes_to_get);
——–

This allowed me to return an array with the group information in it, and then I could compare my LDAP group information with the authorized group settings stored in the plugin.

4) checkGroup in wpmu_ldap.functions.php was looking for a “true” response but was receiving an LDAP_IN_GROUP response

In this line checkGroup() is assuming that it will be getting a true/false response from the checkGroup() function of ldapcore.php…

————–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]), wpmuLdapGroupsGet(array(‘siteoption’ => ‘ldapGroupAllowLogin’))) == 0)
————–

… but what checkGroup returns is either LDAP_IN_GROUP or LDAP_ERROR_NOT_IN_GROUP.

Elsewhere, when ldap_ro.php uses this LDAP_IN_GROUP/LDAP_ERROR_NOT_IN_GROUP for its allow/deny logic (which also calls checkGroup) so I’m guessing the logic was changed in one place, but not the other.

One quick question — we’re going to be running a non-MU version of WordPress. Ideally I’d like to use the same LDAP plugin in both places, but when I activated the plugin in single-site mode, it throw a PHP fatal error about a conflicting add_user function and wouldn’t activate. I haven’t delved deeply into the WordPress authentication model, but is making this plugin work in both modes easily doable?

You’re welcome! I understand (and appreciate) the priority with MU mode and group mode. I’ll take a gander at a single-user mode as soon as soon as I get a chance.

Thanks again!

I’ll check the latest code out of trunk and try this. Right now I had the setting as “organizationalunit” but “posixgroup” makes sense; I’ll follow-up later today.

Hi
I am testing the current plugin on the beta version of the wordpress-mu.
when i activate the plug-in in get this error
Warning: require_once(ldap/lib/ldap_ro.php) [function.require-once]: failed to open stream: No such file or directory in C:\Inetpub\wwwroot\wp-content\plugins\ldap_auth.php on line 17.

any ideas ???
regards

@Ahmed
Hi gain
i grabbed the latest development trunk in the svn repository and now am getting this new error
Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in C:\Inetpub\wwwroot\wp-includes\pluggable.php:1208) in C:\Inetpub\wwwroot\wp-content\plugins\ldap\lib\wpmu_ldap_admin.functions.php on line 785

regards

i did install it in mu-plugins folder in which i created but all i get on the plugin in wordpress is ” must use plugins” without the edit button to configure or may be i am missing something ????
@Aaron Axelsen

@Aaron Axelsen
I working with multisite mode.

@Ahmed
I AM working with multisite mode. forgot the “AM”

So is there going to be a finalized version of the plugin for WP 3.0 soon? Thank you Aaron.

@Aaron Axelsen
Hi aaron
after installing a new environment i got everything working but the ldap plugin does not get the email part from the ldap server in which wordpress login screen give a message

“ERROR is already associated with another account. All accounts (including the admin account) must have an unique email address”.’

The user does not exist in wordpress and the only problem is how to enable the plugin to read the mail part of the ldap query.
am using wordpress 3 rc3 and the latest plugin 112

@Aaron Axelsen
Hi again
the account used for admin has a different email address and i am trying with different user names ” i have hundreds of them with different e mail addresses” as i get the same error. the attribute is right as i do an ldap search from a linux box and check the attribute for the test users. the problem is when a user log in i get the error i mensioned before then when i log in with admin account and get into the users page i see the user exist and on the user details there is no e mail address and there happens the problem becouse when another user tries to log in wordpress will issue an error as two users cant have the same e mail address which is in this case “nothing” or empty field. i dont know if it is an ldap plugin issue or wordpress issue but it was working on my other 2.84 wordpress-mu server. does it have anything to do with php ldap extension may be ??? i am thinking of installing an older version of both wordpress and ldap plugin as there isnt better ldap plugin than this one.

Hi Aaron,

Plugin could not be activated because it triggered a fatal error. Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in /some/path/wp-includes/pluggable.php:xxxx) in /some/path/wp-content/plugins/plugin/plugin.php on line xxx

I am not sure what actually caused this error. But after doing some research, I found out that this maybe the cause: http://core.trac.wordpress.org/ticket/9915

Again I am not completely sure. Please let me know your opinion. Thanks.

Oops nevermind Aaron. I just noticed this issue has already been mentioned here already. Sorry for repeating it.

@Aaron Axelsen
Hi Aaron
it is working now. thanx alot for your time and help

Hi
i just wonder if it is possible on the Attribute Mapping and on the e mail attribute to write more than one attribute as on my ldap server the staff have the “mail” attribute and the students have “studentmail” attribute. is it possible to be implemented. is there any thing that i can change in the code. if it is not possible then can i put the e mail as “UID@domain.com” where UID is the user ID from LDAP.
Greatest Regards