
Group Support Available in SVN Trunk (WordPress 3.0 Only)

For those of you testing on the 3.0 trunk, I have added basic allow and deny group support for overall blog access. There is logic in there to handle nested groups as well. However, I only have the ability to test this against an Active Directory server – so if any of you are connecting to OpenLDAP, Open Directory or something else and are willing to test, let me know how it works (or how it doesn’t)!

  1. April 10th, 2010 at 12:33 | #1

    I haven’t tested it yet, but I thought I’d pipe up and make sure you realize that AD and OD (specifically) groups work very differently.

    AD, each user has a “memberOf” attribute that says what groups they are a member of. I believe in the groups there are also fully qualified DNs for each user in that group.

    OD, there is no “memberOf” for the users. You have to look at the group, and even in the group, there’s only an attribute “memberUid” which only lists the UID for members, not a full DN.

    I’m more than happy to test this, as it would be a great asset for a WP3.0 install. But, I’m confused as to how one gets the source. Is the source for group support in WP3.0 version 2.9 (of WPMU-ldap) or is there an alpha of 3.0 (WPMU-ldap) somewhere?

    Thanks!

  2. April 23rd, 2010 at 12:03 | #3

    I’m trying the plugin code from trunk with WordPress 3.0 Beta and getting PHP fatal errors whenever I try and pull up the admin screen:

    PHP Fatal error: Call to undefined function wpmuLdapGroupsGet() in /wp-content/mu-plugins/ldap/lib/wpmu_ldap_admin.functions.php on line 184, referer: https://foo.bar.org/wp-admin/ms-admin.php?page=wpmu_ldap_admin.functions.php

    This is under PHP 5.2.10

  3. April 23rd, 2010 at 12:22 | #4

    I see the problem — wpmuLdapGroupsGet() exists within wpmu_ldap.functions.php, but per line 47 of ldap_auth, that file is only included if LDAP authentication is enabled.

    However, wpmu_ldap_admin.functions.php is calling that function regardless of whether or not the LDAP auth is working. If LDAP auth isn’t enabled, it can’t get to the function and it causes the fatal error. That in turn prevents you from enabling LDAP support at all.

    I tested this by adding a require_once line for wpmu_ldap.functions.php to the top of ldap_auth; that enabled wpmu_ldap_admin to see the function, which let me enable LDAP auth. After LDAP was enabled I could remove my added “require_once” line and get on with business.

  4. April 23rd, 2010 at 14:58 | #5

    One more quick fix: The LDAP Options > LDAP Group Settings page wasn’t displaying the options I’d saved to the database. This is because “wpmuLdapGroupsGet” on line 386 of wpmu_ldap.functions uses this logic:

    $groups = unserialize(get_site_option($opts['siteoption']));

    The problem is that “get_site_option” automatically unserializes the data for you, so it doesn’t need to be unserialized again (as chronicled here: http://www.andrewnacin.com/2010/04/18/wordpress-serializing-data/)

    As is, $groups ends up being empty, so no text displays on the options page. Changing it to…

    $groups = get_site_option($opts['siteoption']);

    … fixes the problem.

    That said, I still have a bug. While the plugin is able to connect to my LDAP server (as it was under 2.9), I’m unable to add users. I’m using OpenLDAP, so the difference between AD and OD groups is likely the problem. I’m going to debug it further and see what I can see.

    Thanks for all your work on this — I greatly appreciate it!

    • April 23rd, 2010 at 15:08 | #6

      I haven’t tested things since it went beta – so I guess I have some work to do. Thanks for the info – I’ll post back once I get things updated.

  5. April 23rd, 2010 at 16:12 | #7

    Excellent — thanks!

  6. April 25th, 2010 at 09:17 | #8

    @Kenneth Newquist

    I made some changes just now to the source. As for your other bugs – were you able to add users in 2.9? Also – does the plugin correctly detect users in the OD groups?

  7. April 25th, 2010 at 17:34 | #9

    Re: source changes. Cool — I’ll check that out.

    It worked fine under 2.9.x but right now it’s failing to add users (although it can connect to LDAP via the config test). I’m in the process of stepping through the group logic to see what I can see.

  8. April 25th, 2010 at 17:35 | #10

    Oh and just to clarify I meant that it’s failing under the last iteration of the code; I haven’t checked your latest changes out of SVN yet.

  9. April 26th, 2010 at 15:38 | #11

    @Aaron

    I think I grok the problems I’m having with OpenLDAP and directories and uncovered a few more bugs. My apologies in advance if this is information overload; I’m going to break this up into two comments.

    I see four things going on.

    1) When “checkGroup” is called in wpmu_ldap.functions.php as part of the “wpmuLdapSearch” function, a list of groups isn’t included as one of the arguments.

    e.g.:

    ——–
    if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]) == 0)
    ——–

    instead of something like:

    ——–
    if ($server->checkGroup($userDataArray[LDAP_INDEX_DN], wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin'))) == 0)
    ——–

    As a result, $groups is empty, causing the function to return LDAP_GROUP_NOT_SET, which wpmuLdapSearch doesn’t account for (it’s assuming true/false) (more on this in a bit). I think it would be useful to clarify the error message to say that the user was found but was not part of a valid group.

    2) checkGroup doesn’t bind to the LDAP server

    While the checkGroup function does look to see if there’s an LDAP connection, and reconnects if it’s missing, it doesn’t bind the LDAP Browser user to the server, which prevented my queries from going anywhere (as I’m not binding anonymously). Changing the connection logic to use Dock() solved that problem:

    ——–
    if (!$this->connection_handle) {
        $this->Dock();
    }
    ——–

  10. April 26th, 2010 at 15:39 | #12

    3) OpenLDAP stores group information as part of the “memberof” attribute, which “checkGroups” isn’t querying for.

    This is where things get a bit more complicated. I haven’t worked with Active Directory, so I don’t know how you go about fetching its group memberships, but my search query started off looking like this:

    ——–
    (&(memberof=cn=joecool,ou=SomeOU,o=SomeCollege)(objectclass=organizationalunit))
    ——–

    This didn’t return any results for me. I should note that during debugging I made sure that functions like “DoSearchUsername” were returning valid results — they were, it was just that nothing was making it past the groups authorization logic.

    In order to get a list of groups, I had to change the way SetSearchCriteria was querying LDAP in checkGroups() from this:

    ——–
    $this->SetSearchCriteria("(&(" . get_site_option('ldapAttributeMember', LDAP_DEFAULT_ATTRIBUTE_MEMBER) . "=$userDN)(objectclass=" . get_site_option('ldapAttributeGroupObjectclass', LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS) . "))", array(get_site_option('ldapAttributeDN', LDAP_DEFAULT_ATTRIBUTE_DN)));
    ——–

    to this:

    ——–
    $attributes_to_get = array(get_site_option('ldapAttributeMember', LDAP_DEFAULT_ATTRIBUTE_MEMBER));

    if (get_site_option('ldapLinuxWindows'))
        $uid = get_site_option('ldapAttributeNixSearch', LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); // Linux
    else
        $uid = get_site_option('ldapAttributeWinSearch', LDAP_DEFAULT_ATTRIBUTE_WINSEARCH); // Windows

    $this->SetSearchCriteria("$uid=$userDN", $attributes_to_get);
    ——–

    This allowed me to return an array with the group information in it, and then I could compare my LDAP group information with the authorized group settings stored in the plugin.

    4) checkGroup in wpmu_ldap.functions.php was looking for a “true” response but was receiving an LDAP_IN_GROUP response

    In this line checkGroup() is assuming that it will be getting a true/false response from the checkGroup() function of ldapcore.php…

    ——–
    if ($server->checkGroup($userDataArray[LDAP_INDEX_DN], wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin'))) == 0)
    ——–

    … but what checkGroup returns is either LDAP_IN_GROUP or LDAP_ERROR_NOT_IN_GROUP.

    Elsewhere, ldap_ro.php uses LDAP_IN_GROUP/LDAP_ERROR_NOT_IN_GROUP for its allow/deny logic (which also calls checkGroup), so I’m guessing the logic was changed in one place, but not the other.
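    The four findings above (missing group argument, unbound connection, attribute/objectclass choice, and the true/false vs. LDAP_IN_GROUP mismatch) fit together in one group check. The following is an added example, not the plugin’s code or any commenter’s: it assumes an already bound PHP LDAP resource, PHP 5.6+ for ldap_escape, and that configured groups are stored as group DNs; it covers DN-valued membership attributes (AD member, groupOfUniqueNames uniqueMember) and posixGroup memberUid, which holds a uid rather than a DN.

```php
<?php
// Added example, not the plugin's own code. One group check that serves both
// DN-valued membership attributes (AD "member", groupOfUniqueNames
// "uniqueMember") and posixGroup "memberUid", which holds a uid, not a DN.
// The constants mirror the names used in the thread; everything else is assumed.
define('LDAP_IN_GROUP', 1);
define('LDAP_ERROR_NOT_IN_GROUP', 2);
define('LDAP_GROUP_NOT_SET', 3);

// Escape values before interpolating them into a filter (RFC 4515), so a
// uid or DN read from the directory or a login form cannot change the filter.
function filterEscape($value) {
    return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
}

// $conn must already be bound (the "Dock()" step from point 2): anonymous
// searches usually cannot read group membership. $memberValue is the user's
// DN for member/uniqueMember, or the bare uid for memberUid.
function checkGroup($conn, $base, $groupClass, $memberAttr, $memberValue, array $groups) {
    if (empty($groups)) {
        return LDAP_GROUP_NOT_SET;   // distinct from "not a member"; see caller
    }
    $filter = sprintf('(&(objectClass=%s)(%s=%s))',
        filterEscape($groupClass), $memberAttr, filterEscape($memberValue));
    $res = ldap_search($conn, $base, $filter, array('cn'));
    if ($res === false) {
        return LDAP_ERROR_NOT_IN_GROUP;   // a failed search is treated as "deny"
    }
    $entries = ldap_get_entries($conn, $res);
    $wanted = array_map('strtolower', $groups);   // configured group DNs
    for ($i = 0; $i < $entries['count']; $i++) {
        if (in_array(strtolower($entries[$i]['dn']), $wanted, true)) {
            return LDAP_IN_GROUP;
        }
    }
    return LDAP_ERROR_NOT_IN_GROUP;
}

// The caller compares against the constants instead of true/false or "== 0"
// (point 4) and gives LDAP_GROUP_NOT_SET an explicit meaning (point 1):
// an empty deny list denies nobody, an empty allow list restricts nobody.
function loginAllowed($conn, $base, $groupClass, $memberAttr, $memberValue, array $allow, array $deny) {
    if (checkGroup($conn, $base, $groupClass, $memberAttr, $memberValue, $deny) === LDAP_IN_GROUP) {
        return false;   // deny wins over allow
    }
    $rc = checkGroup($conn, $base, $groupClass, $memberAttr, $memberValue, $allow);
    return $rc === LDAP_IN_GROUP || $rc === LDAP_GROUP_NOT_SET;
}
```

    Nested groups are not followed here; they need a second search on each matched group’s DN (or, on AD, the matching-rule-in-chain filter extension).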

  11. April 27th, 2010 at 13:35 | #13

    One quick question — we’re going to be running a non-MU version of WordPress. Ideally I’d like to use the same LDAP plugin in both places, but when I activated the plugin in single-site mode, it threw a PHP fatal error about a conflicting add_user function and wouldn’t activate. I haven’t delved deeply into the WordPress authentication model, but is making this plugin work in both modes easily doable?

  12. April 27th, 2010 at 13:46 | #14

    @Kenneth Newquist
    Thanks for the other info above – I’ll be investigating in the near future. The top priority has been making sure the plugin functions in MU mode, and getting some group functionality in there. I have not really thought about what might have to change for it to work in single-user mode. If you do get around to it, any thoughts/suggestions/findings are welcome.

  13. April 27th, 2010 at 14:40 | #15

    You’re welcome! I understand (and appreciate) the priority with MU mode and group mode. I’ll take a gander at single-user mode as soon as I get a chance.

    Thanks again!

  14. May 9th, 2010 at 22:33 | #16

    Ken – I’m working through your suggestions above – and the only real one I have a problem with is #3. (The rest should be modified in the trunk)

    Did you update the group attribute and group object class on the attribute mapping page when trying this? From what I’m seeing, for a non-AD server the group attribute should be “uniquemember” and the object class should be “groupofuniquenames”.

    Can you give that a go?

  15. May 9th, 2010 at 22:46 | #17

    @Aaron Axelsen
    It looks like it may also be a group attribute of “memberuid” and an object class of “posixgroup”.

  16. June 3rd, 2010 at 11:08 | #18

    I’ll check the latest code out of trunk and try this. Right now I have the setting as “organizationalunit”, but “posixgroup” makes sense; I’ll follow up later today.

  17. June 12th, 2010 at 05:21 | #19

    Hi,
    I am testing the current plugin on the beta version of WordPress MU.
    When I activate the plug-in I get this error:
    Warning: require_once(ldap/lib/ldap_ro.php) [function.require-once]: failed to open stream: No such file or directory in C:\Inetpub\wwwroot\wp-content\plugins\ldap_auth.php on line 17.

    Any ideas?
    Regards

  18. June 12th, 2010 at 05:28 | #20

    @Ahmed
    Hi again,
    I grabbed the latest development trunk from the SVN repository and now I am getting this new error:
    Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in C:\Inetpub\wwwroot\wp-includes\pluggable.php:1208) in C:\Inetpub\wwwroot\wp-content\plugins\ldap\lib\wpmu_ldap_admin.functions.php on line 785

    Regards

    • Aaron Axelsen
      June 15th, 2010 at 00:00 | #21

      The plugin still needs to be installed in the “mu-plugins” folder. It doesn’t exist by default, so you’ll have to create it.

  19. Ahmed
    June 15th, 2010 at 02:53 | #22

    I did install it in the mu-plugins folder, which I created, but all I get on the plugin in WordPress is “must use plugins” without the edit button to configure, or maybe I am missing something?
    @Aaron Axelsen

  20. Aaron Axelsen
    June 15th, 2010 at 06:23 | #23

    @Ahmed
    Did you enable multisite mode or are you using WordPress 3.0 in single blog mode? At this time, the plugin will only support multisite mode.

  21. Ahmed
    June 15th, 2010 at 06:55 | #24

    @Aaron Axelsen
    I working with multisite mode.

  22. Ahmed
    June 15th, 2010 at 06:56 | #25

    @Ahmed
    I AM working with multisite mode. forgot the “AM”

  23. Aaron Axelsen
    June 15th, 2010 at 07:20 | #26

    @Ahmed
    So – just to confirm, you have the plugin installed according to what’s listed here? http://wpmuldap.tuxdocs.net/documentation/

    If that’s the case, what is your environment? Is ldap enabled in php? I’ve never seen any issues where the plugin admin screens don’t load after dropping in the plugin.

  24. CodeZero
    June 16th, 2010 at 10:37 | #27

    So is there going to be a finalized version of the plugin for WP 3.0 soon? Thank you Aaron.

    • Aaron Axelsen
      June 17th, 2010 at 06:39 | #28

      That’s the plan. The trunk now works for the most part; I’m just working with a few volunteers to iron out any last issues.

  25. June 16th, 2010 at 16:48 | #29

    @Aaron Axelsen
    Hi Aaron,
    After installing a new environment I got everything working, but the LDAP plugin does not get the email part from the LDAP server, so the WordPress login screen gives the message

    “ERROR is already associated with another account. All accounts (including the admin account) must have an unique email address”.

    The user does not exist in WordPress, and the only problem is how to enable the plugin to read the mail part of the LDAP query.
    I am using WordPress 3 RC3 and the latest plugin, 112.

    • Aaron Axelsen
      June 17th, 2010 at 06:40 | #30

      Ahmed: Does the admin account you set up on the blog use the same email address as the account you are trying to log in with? Otherwise, is your LDAP server using a non-standard attribute for email?

      The attribute settings screen allows you to configure what attributes are used for the ldap queries.

  26. June 17th, 2010 at 14:06 | #31

    @Aaron Axelsen
    Hi again,
    The account used for admin has a different email address, and I am trying with different user names (“I have hundreds of them with different email addresses”) as I get the same error. The attribute is right, as I do an LDAP search from a Linux box and check the attribute for the test users. The problem is when a user logs in I get the error I mentioned before; then when I log in with the admin account and get into the users page I see the user exists, and in the user details there is no email address, and there the problem happens, because when another user tries to log in WordPress will issue an error, as two users can’t have the same email address, which is in this case “nothing” or an empty field. I don’t know if it is an LDAP plugin issue or a WordPress issue, but it was working on my other 2.84 WordPress MU server. Does it have anything to do with the PHP LDAP extension maybe? I am thinking of installing an older version of both WordPress and the LDAP plugin, as there isn’t a better LDAP plugin than this one.

    • Aaron Axelsen
      June 18th, 2010 at 07:10 | #32

      Grab the latest SVN source and try again – I think I found a bug that was causing your issue.

  27. CodeZero
    June 18th, 2010 at 15:14 | #33

    Hi Aaron,

    Plugin could not be activated because it triggered a fatal error. Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in /some/path/wp-includes/pluggable.php:xxxx) in /some/path/wp-content/plugins/plugin/plugin.php on line xxx

    I am not sure what actually caused this error. But after doing some research, I found out that this may be the cause: http://core.trac.wordpress.org/ticket/9915

    Again I am not completely sure. Please let me know your opinion. Thanks.

  28. CodeZero
    June 18th, 2010 at 15:20 | #34

    Oops, never mind Aaron. I just noticed this issue has already been mentioned here. Sorry for repeating it.

  29. June 19th, 2010 at 03:44 | #35

    @Aaron Axelsen
    Hi Aaron,
    It is working now. Thanks a lot for your time and help.

  30. November 4th, 2010 at 03:29 | #36

    Hi,
    I just wonder if it is possible, on the Attribute Mapping page and in the email attribute, to write more than one attribute, as on my LDAP server the staff have the “mail” attribute and the students have the “studentmail” attribute. Is it possible to be implemented? Is there anything that I can change in the code? If it is not possible, then can I put the email as “UID@domain.com”, where UID is the user ID from LDAP?
    Greatest Regards
