Group Support Available in SVN Trunk (WordPress 3.0 Only)
For those of you testing on the 3.0 trunk, I have added basic allow and deny group support for overall blog access. There is logic in there to handle nested groups as well. However, I only have the ability to test this against an Active Directory server – so if any of you are connecting to openldap, opendirectory or something else and are willing to test, let me know how it works (or how it doesn’t)!
I haven’t tested it yet, but I thought I’d pipe up and make sure you realize that AD and OD (specifically) groups work very differently.
In AD, each user has a “memberOf” attribute that says what groups they are a member of. I believe the groups also contain fully qualified DNs for each user in that group.
In OD, there is no “memberOf” on the users. You have to look at the group, and even in the group there’s only an attribute “memberUid”, which lists only the UID for members, not a full DN.
I’m more than happy to test this, as it would be a great asset for a WP3.0 install. But, I’m confused as to how one gets the source. Is the source for group support in WP3.0 version 2.9 (of WPMU-ldap) or is there an alpha of 3.0 (WPMU-ldap) somewhere?
Thanks!
I’m using a search filter to pull the groups – so if you have OD available, that would be great if you can test.
For now, you’ll have to pull it out of the SVN Trunk – look at the source code heading @ http://wpmuldap.frozenpc.net/download/
I’m trying the plugin code from trunk with WordPress 3.0 Beta and getting PHP fatal errors whenever I try and pull up the admin screen:
PHP Fatal error: Call to undefined function wpmuLdapGroupsGet() in /wp-content/mu-plugins/ldap/lib/wpmu_ldap_admin.functions.php on line 184, referer: https://foo.bar.org/wp-admin/ms-admin.php?page=wpmu_ldap_admin.functions.php
This is under PHP 5.2.10
I see the problem — wpmuLdapGroupsGet() exists within wpmu_ldap.functions.php, but per line 47 of ldap_auth, that file is only included if LDAP authentication is enabled.
However, wpmu_ldap_admin.functions.php is calling that function regardless of whether or not the LDAP auth is working. If LDAP auth isn’t enabled, it can’t get to the function and it causes the fatal error. That in turn prevents you from enabling LDAP support at all.
I tested this by adding a require_once line for wpmu_ldap.functions.php at the top of ldap_auth; that enabled wpmu_ldap_admin to see the function, which let me enable LDAP auth. After LDAP was enabled I could remove my added “require_once” line and get on with business.
One more quick fix: The LDAP Options > LDAP Group Settings page wasn’t displaying the options I’d saved to the database. This is because “wpmuLdapGroupsGet” on line 386 of wpmu_ldap.functions uses this logic:
$groups = unserialize(get_site_option($opts['siteoption']));
The problem is that “get_site_option” automatically unserializes the data for you, so it doesn’t need to be unserialized again (as chronicled here: http://www.andrewnacin.com/2010/04/18/wordpress-serializing-data/)
As is, $groups ends up being empty, so no text displays on the options page. Changing it to…
$groups = get_site_option($opts['siteoption']);
… fixes the problem.
That said, I still have a bug. While the plugin is able to connect to my LDAP server (as it was under 2.9), I’m unable to add users. I’m using Open LDAP, so the difference between AD and OD groups is likely the problem. I’m going to debug it further and see what I can see.
Thanks for all your work on this — I greatly appreciate it!
I haven’t tested things since it went beta – so I guess I have some work to do. Thanks for the info – i’ll post back once I get things updated.
Excellent — thanks!
@Kenneth Newquist
I made some changes just now to the source. As for your other bugs – were you able to add users in 2.9? Also – does the plugin correctly detect users in the OD groups?
Re: source changes. Cool — I’ll check that out.
It worked fine under 2.9.x but right now it’s failing to add users (although it can connect to LDAP via the config test). I’m in the process of stepping through the group logic to see what I can see.
Oh and just to clarify I meant that it’s failing under the last iteration of the code; I haven’t checked your latest changes out of SVN yet.
@Aaron
I think I grok the problems I’m having with OpenLDAP and directories and uncovered a few more bugs. My apologies in advance if this is information overload; I’m going to break this up into two comments.
I see four things going on.
1) When “checkGroup” is called in wpmu_ldap.functions.php as part of the “wpmuLdapSearch” function, a list of groups isn’t included as one of the arguments.
e.g.:
——–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]) == 0)
——–
instead of something like:
——–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN], wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin'))) == 0)
——–
As a result, $groups is empty, causing the function to return LDAP_GROUP_NOT_SET, which wpmuLdapSearch doesn’t account for (it’s assuming true/false; more on this in a bit). I think it would be useful to clarify the error message to say that the user was found but was not part of a valid group.
2) checkGroup doesn’t bind to the LDAP server
While the checkGroup function does look to see if there’s an LDAP connection, and reconnects if it’s missing, it doesn’t bind the LDAP Browser user to the server, which prevented my queries from going anywhere (as I’m not binding anonymously). Changing the connection logic to use Dock() solved that problem:
——–
if (!$this->connection_handle) {
$this->Dock();
}
——–
3) OpenLDAP stores group information as part of the “memberof” attribute, which “checkGroups” isn’t querying for.
This is where things get a bit more complicated. I haven’t worked with Active Directory, so I don’t know how you go about fetching its group memberships, but my search query started off looking like this:
——–
(&(memberof=cn=joecool,ou=SomeOU,o=SomeCollege)(objectclass=organizationalunit))
——–
This didn’t return any results for me. I should note that during debugging I made sure that functions like “DoSearchUsername” were returning valid results — they were, it was just that nothing was making it past the groups authorization logic.
In order to get a list of groups, I had to change the way SetSearchCriteria was querying LDAP in checkGroups() from this:
——–
$this->SetSearchCriteria("(&(".get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER)."=$userDN)(objectclass=".get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS)."))", array(get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)));
——
to this:
——–
$attributes_to_get = array(get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER));
if (get_site_option('ldapLinuxWindows'))
    $uid = get_site_option('ldapAttributeNixSearch',LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); // Linux
else
    $uid = get_site_option('ldapAttributeWinSearch',LDAP_DEFAULT_ATTRIBUTE_WINSEARCH); // Windows
$this->SetSearchCriteria("$uid=$userDN", $attributes_to_get);
——–
This allowed me to return an array with the group information in it, and then I could compare my LDAP group information with the authorized group settings stored in the plugin.
4) checkGroup in wpmu_ldap.functions.php was looking for a “true” response but was receiving an LDAP_IN_GROUP response
In this line checkGroup() is assuming that it will be getting a true/false response from the checkGroup() function of ldapcore.php…
————–
if ($server->checkGroup($userDataArray[LDAP_INDEX_DN], wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin'))) == 0)
————–
… but what checkGroup returns is either LDAP_IN_GROUP or LDAP_ERROR_NOT_IN_GROUP.
Elsewhere, ldap_ro.php uses LDAP_IN_GROUP/LDAP_ERROR_NOT_IN_GROUP for its allow/deny logic (which also calls checkGroup), so I’m guessing the logic was changed in one place but not the other.
One quick question — we’re going to be running a non-MU version of WordPress. Ideally I’d like to use the same LDAP plugin in both places, but when I activated the plugin in single-site mode, it threw a PHP fatal error about a conflicting add_user function and wouldn’t activate. I haven’t delved deeply into the WordPress authentication model, but is making this plugin work in both modes easily doable?
@Kenneth Newquist
Thanks for the other info above – i’ll be investigating in the near future. The top priority has been making sure the plugin functions with mu mode, and to get some group functionality in there. I have not really thought about what might have to change for it to work in single user mode. If you do get around to it, any thoughts/suggestions/findings are welcome.
You’re welcome! I understand (and appreciate) the priority with MU mode and group mode. I’ll take a gander at a single-user mode as soon as soon as I get a chance.
Thanks again!
Ken – I’m working through your suggestions above – and the only real one I have a problem with is #3. (The rest should be modified in the trunk)
Did you update the group attribute and group object class on the attribute mapping page when trying this? From what I’m seeing, for a non-AD server the group attribute should be “uniquemember” and the object class should be “groupofuniquenames”.
Can you give that a go?
@Aaron Axelsen
It looks like it may also be a group attribute of “memberuid” and an object class of “posixgroup”.
I’ll check the latest code out of trunk and try this. Right now I had the setting as “organizationalunit” but “posixgroup” makes sense; I’ll follow-up later today.
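The group lookup that the two exchanges above work through, as an added example that is not part of this thread or of the wpmu-ldap plugin: the search filter differs per directory flavour (an AD “group” or a “groupOfUniqueNames” holds the member’s DN, a “posixGroup” holds only the uid in “memberUid”), the caller has to compare against the constant checkGroup returns rather than true/false and handle LDAP_GROUP_NOT_SET, and the value interpolated into the filter (the uid typed at login, or the DN) needs RFC 4515 escaping, which none of the snippets in the thread do. The constant values, the attribute table, the function names and the sample directory entries are assumptions; the directory is simulated in memory so the file runs with plain `php` and no LDAP server.

```php
<?php
// Added example (not wpmu-ldap code): per-flavour group filter, filter escaping,
// and a checkGroup()-style return value that the caller must compare correctly.

define('LDAP_IN_GROUP', 1);            // assumed values; the plugin's real
define('LDAP_ERROR_NOT_IN_GROUP', 2);  // constants may use other numbers
define('LDAP_GROUP_NOT_SET', 3);

// RFC 4515 escaping for any value placed inside a search filter. Without it a
// login name like "*)(uid=*" or a DN containing parentheses rewrites the filter.
function ldap_filter_escape($value) {
    return strtr($value, array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'));
}

// Group object class, member attribute, and whether the member attribute holds
// the user's DN or bare uid. This is what the plugin's attribute-mapping page
// asks for; the table itself is an assumption of this example.
function flavour_map($flavour) {
    $maps = array(
        'ad'    => array('objectclass' => 'group',              'member' => 'member',       'value' => 'dn'),
        'gou'   => array('objectclass' => 'groupOfUniqueNames', 'member' => 'uniqueMember', 'value' => 'dn'),
        'posix' => array('objectclass' => 'posixGroup',         'member' => 'memberUid',    'value' => 'uid'),
    );
    return $maps[$flavour];
}

// The filter a group-side search sends for one user. Only the user-derived
// value is escaped; object class and attribute names come from admin config.
function group_filter($flavour, $userDn, $uid) {
    $map   = flavour_map($flavour);
    $value = ($map['value'] === 'dn') ? $userDn : $uid;
    return '(&(objectclass=' . $map['objectclass'] . ')(' . $map['member'] . '=' . ldap_filter_escape($value) . '))';
}

// Constructed stand-in for the directory: what a search with the filter above
// would return, evaluated against hand-written group entries.
function simulated_group_search($flavour, $userDn, $uid) {
    $groups = array(
        array('cn' => 'wpusers',  'objectclass' => 'posixGroup',         'memberUid'    => array('joecool', 'alice')),
        array('cn' => 'wpadmins', 'objectclass' => 'groupOfUniqueNames', 'uniqueMember' => array('uid=alice,ou=People,o=SomeCollege')),
        array('cn' => 'staff',    'objectclass' => 'group',              'member'       => array('CN=Joe Cool,OU=Staff,DC=example,DC=edu')),
    );
    $map   = flavour_map($flavour);
    $value = ($map['value'] === 'dn') ? $userDn : $uid;
    $hits  = array();
    foreach ($groups as $g) {
        if (strcasecmp($g['objectclass'], $map['objectclass']) === 0
            && isset($g[$map['member']])
            && in_array($value, $g[$map['member']], true)) {
            $hits[] = $g['cn'];
        }
    }
    return $hits;
}

// Mirrors the thread's checkGroup(): returns one of three constants, never a
// plain boolean, so `== 0` or `== true` on the result is a bug.
function check_group($flavour, $userDn, $uid, array $allowedGroups) {
    if (count($allowedGroups) === 0) {
        return LDAP_GROUP_NOT_SET;
    }
    $allowed = array_map('strtolower', $allowedGroups);
    foreach (simulated_group_search($flavour, $userDn, $uid) as $cn) {
        if (in_array(strtolower($cn), $allowed, true)) {
            return LDAP_IN_GROUP;
        }
    }
    return LDAP_ERROR_NOT_IN_GROUP;
}

// Caller side. "No groups configured" is treated as "no restriction" here;
// that is a policy assumption, and a fail-closed deployment would return false.
function allow_login($flavour, $userDn, $uid, array $allowedGroups) {
    $rc = check_group($flavour, $userDn, $uid, $allowedGroups);
    if ($rc === LDAP_GROUP_NOT_SET) {
        return true;
    }
    return $rc === LDAP_IN_GROUP;
}

$dn = 'uid=joecool,ou=People,o=SomeCollege';
echo group_filter('posix', $dn, 'joecool'), "\n";     // memberUid carries the bare uid
echo group_filter('gou', $dn, 'joecool'), "\n";       // uniqueMember carries the DN
echo group_filter('posix', $dn, '*)(uid=*'), "\n";    // injection attempt: metacharacters are escaped
var_dump(allow_login('posix', $dn, 'joecool', array('wpusers')));   // joecool is a memberUid of wpusers
var_dump(allow_login('gou',   $dn, 'joecool', array('wpadmins')));  // joecool is not a uniqueMember of wpadmins
var_dump(allow_login('ad', 'CN=Joe Cool,OU=Staff,DC=example,DC=edu', 'joecool', array('staff')));
var_dump(allow_login('posix', $dn, 'joecool', array()));            // no groups configured
```

The point of the `value` column is the one Ken’s patch makes with the ldapLinuxWindows switch: for posixGroup the member attribute must be matched against the uid, for groupOfUniqueNames and AD against the DN, so the mapping page has to capture both the attribute name and which value to put on the right-hand side. In AD the user entry’s own memberOf can be read instead, but a group-side search like the one above works on all three flavours.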
Hi
I am testing the current plugin on the beta version of the wordpress-mu.
When I activate the plug-in I get this error:
Warning: require_once(ldap/lib/ldap_ro.php) [function.require-once]: failed to open stream: No such file or directory in C:\Inetpub\wwwroot\wp-content\plugins\ldap_auth.php on line 17.
Any ideas?
regards
@Ahmed
Hi again
I grabbed the latest development trunk in the SVN repository and now I am getting this new error:
Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in C:\Inetpub\wwwroot\wp-includes\pluggable.php:1208) in C:\Inetpub\wwwroot\wp-content\plugins\ldap\lib\wpmu_ldap_admin.functions.php on line 785
regards
The plugin still needs to be installed in the “mu-plugins” folder. It doesn’t exist by default, so you’ll have to create it.
I did install it in the mu-plugins folder, which I created, but all I get for the plugin in WordPress is “must use plugins” without the edit button to configure it. Or maybe I am missing something?
@Aaron Axelsen
@Ahmed
Did you enable multisite mode or are you using wordpress 3.0 in single blog mode? At this time, the plugin will only support multisite mode
@Aaron Axelsen
I working with multisite mode.
@Ahmed
I AM working with multisite mode. forgot the “AM”
@Ahmed
So – just to confirm, you have the plugin installed according to what’s listed here? http://wpmuldap.tuxdocs.net/documentation/
If that’s the case, what is your environment? Is LDAP enabled in PHP? I’ve never seen any issues where the plugin admin screens don’t load after dropping in the plugin.
So is there going to be a finalized version of the plugin for WP 3.0 soon? Thank you Aaron.
That’s the plan. The trunk now works for the most part, just working with a few volunteers to iron out any last issues
@Aaron Axelsen
Hi aaron
After installing a new environment I got everything working, but the LDAP plugin does not get the email part from the LDAP server, so the WordPress login screen gives this message:
“ERROR: is already associated with another account. All accounts (including the admin account) must have a unique email address”
The user does not exist in WordPress, and the only problem is how to enable the plugin to read the mail part of the LDAP query.
I am using WordPress 3 RC3 and the latest plugin, 112.
Ahmed: Does the admin account you setup on the blog use the same email address of the account you are trying to login with? Otherwise, is your ldap server using a non standard attribute for email?
The attribute settings screen allows you to configure what attributes are used for the ldap queries.
@Aaron Axelsen
Hi again
The account used for admin has a different email address, and I am trying with different user names (I have hundreds of them with different email addresses), as I get the same error. The attribute is right, as I do an ldapsearch from a Linux box and check the attribute for the test users. The problem is: when a user logs in I get the error I mentioned before; then when I log in with the admin account and go to the users page, I see the user exists, and in the user details there is no email address. That is where the problem happens, because when another user tries to log in, WordPress will issue an error, as two users can’t have the same email address, which in this case is “nothing” (an empty field). I don’t know if it is an LDAP plugin issue or a WordPress issue, but it was working on my other 2.8.4 WordPress MU server. Does it have anything to do with the PHP LDAP extension, maybe? I am thinking of installing an older version of both WordPress and the LDAP plugin, as there isn’t a better LDAP plugin than this one.
Grab the latest svn source and try again – i think i found a bug that was causing your issue.
Hi Aaron,
Plugin could not be activated because it triggered a fatal error. Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in /some/path/wp-includes/pluggable.php:xxxx) in /some/path/wp-content/plugins/plugin/plugin.php on line xxx
I am not sure what actually caused this error. But after doing some research, I found out that this maybe the cause: http://core.trac.wordpress.org/ticket/9915
Again I am not completely sure. Please let me know your opinion. Thanks.
Oops nevermind Aaron. I just noticed this issue has already been mentioned here already. Sorry for repeating it.
@Aaron Axelsen
Hi Aaron
It is working now. Thanks a lot for your time and help.
Hi
I just wonder if it is possible, on the Attribute Mapping page and the email attribute, to write more than one attribute, as on my LDAP server the staff have the “mail” attribute and the students have the “studentmail” attribute. Is it possible to implement this? Is there anything that I can change in the code? If it is not possible, then can I put the email as “UID@domain.com”, where UID is the user ID from LDAP?
Greatest Regards