WPMU Ldap 3.0 Released!

After much work and preparation, the 3.0 plugin is ready to go. Most of the kinks should be worked out of it, but if you notice anything please let me know! Just like the previous versions, the plugin must be installed in the “mu-plugins” folder. The only difference with WP 3.0 is that the folder does not exist by default. You will need to create the “mu-plugins” folder under “wp-content”. Drop the files in there and you should be good to go!

The plugin also now supports basic group authentication for both allow and deny groups.  Thanks to the help of Ken Newquist, we were able to test this extensively across both Active Directory and OpenLDAP platforms.  Example configurations are available on the Documentation page.

Other fixes and changes included in this release:

  • Basic deny/allow group logic
  • Changed bulk add logic to not automatically create blogs if the option is enabled – WordPress does not support this functionality
  • Fixed issues with connection check not working when plugin is not enabled
  • Fixed typo in default ldaps port in the documentation
  • Fixed issue where local users would still attempt to authenticate against ldap
  • Added better error checking on failure when adding users from the add user menu

The plugin can be downloaded from the SourceForge project page. As always, I hope you enjoy it and please report any problems or suggestions you might have!

Categories: Releases
  1. June 22nd, 2010 at 08:37 | #1

    Great job, thanks for all of your hard work on this project.

    I just tried it out on WordPress MU 2.9.2 and got this error: “Fatal error: Call to undefined function is_super_admin() in /path/to/blog/wp-content/mu-plugins/ldap/lib/wpmu_ldap_admin.functions.php on line 682”

    I checked the requirements in the documentation which say that I need WordPress 3.0 for the 3.0 WPMU Ldap plugin.

  2. Aaron Axelsen
    June 22nd, 2010 at 08:43 | #2

    @Joe Lencioni
    Correct – the 3.0 plugin requires WordPress 3.0 – it will not work on 2.9.2

  3. July 8th, 2010 at 15:44 | #3

    Thank you for this plugin! Authentication works fine.
    I have a little problem with role assignment: users who log in over LDAP are members of “subscriber”; in my case, they should be “authors” by default. How can I achieve this? I use WordPress 3.0 and WPMU Ldap 3.0. Thank you for your help!

    • Aaron Axelsen
      July 9th, 2010 at 06:50 | #4

      You should be able to update the WordPress ‘default_user_role’ site option to be author instead of subscriber – see if that does the trick for you. Change the “Dashboard User Default Role” on the admin options screen for WordPress.

  4. EA
    July 9th, 2010 at 05:27 | #5

    Tried this on wordpress 3 and got this error.

    Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in C:\Intranet\wp-includes\pluggable.php:1193) in C:\Intranet\wp-content\plugins\ldap\lib\wpmu_ldap_admin.functions.php on line 785

    • Aaron Axelsen
      July 9th, 2010 at 06:43 | #6

      Please re-read the above post. The plugin must be installed in “mu-plugins”.

  5. July 11th, 2010 at 09:01 | #7

    Hello Aaron,
    I tried your advice concerning role assignment without luck – all users coming over LDAP are subscribers, and I have no chance to assign author rights by default on first login. Thank you for further help!

    • Aaron Axelsen
      July 12th, 2010 at 06:42 | #8

      Until I get a chance to tweak the code, try going through ldap/lib/wpmu_ldap.functions.php and change $new_role = 'subscriber' to be author

  6. July 13th, 2010 at 11:49 | #9

    I think it’s not quite working with the XML-RPC code, though honestly I’m having a hard time being sure. Pre-3.0, my XML-RPC calls were working fine with a subdirectory-based multiuser install. Now with WP3.0 Multisite, I keep getting “bad login/password” errors returned from xmlrpc.php when I attempt to authenticate. It works fine with the regular admin user, though. Could this be a problem with WPMU-LDAP?

    Other than that, this has been a fantastic plugin, and I appreciate all the development work you’ve done on it!

  7. July 13th, 2010 at 11:52 | #10

    Sorry, forgot to post the actual error: PHP Fatal error: Cannot redeclare username_exists() (previously declared in /www/blog30/wp-includes/registration.php:16) in /www/blog30/wp-includes/registration.php on line 22

    This may not be a WPMU-LDAP problem, since username_exists() isn’t called anywhere in the plugin I can see. I’m just not sure what else it could be.

    • Aaron Axelsen
      July 22nd, 2010 at 07:00 | #11

      I think this may be a WP core issue – since I’m not doing anything specific with that.

  8. Paul Bearne
    July 20th, 2010 at 13:36 | #12

    Hi Aaron

    Fix bug for and a fix :-)

    In the land of single sign-on with WP 3.0, I was not getting redirected back to the page I was trying to load from the log-in page.

    This is because WP has added a “&reauth=1” to the query string if you try to get to wp-admin etc., to force you to log in. We don’t need that if we have SSO turned on.

    So here is my patch to fix this

    ln 54 ldap_auth.php

    if (get_site_option('ldapSSOEnabled')) {
        add_action('authenticate', 'wpmuLdapSSOAuthenticate', 40, 3);
        add_filter('login_url', 'wpmuLdapSSODisableReauth'); // removes reauth from login URL
    }

    and I put this function at the bottom of wpmu_ldap.functions.php

    /*
     * When in SSO mode we don't need to force a re-login, so this stops that.
     */
    function wpmuLdapSSODisableReauth($login_url) {
        return str_replace('&reauth=1', '', $login_url);
    }

    Feel free to change the code etc.

    but this does work and I don’t think it will break anything

    Please add this to the next version

    Paul

    • Aaron Axelsen
      July 22nd, 2010 at 06:52 | #13

      Paul – I can get this added to the next release. Would you be willing to write up a little something for this site on SSO, how to configure it and how it works? That would be very helpful as several people have asked for more detail – which I don’t have regarding it. Thanks!

  9. Lance Grigsby
    July 22nd, 2010 at 09:28 | #14

    Aaron,

    Very excited to see this latest release supporting groups in AD through the user interface. Along those lines, can you tell me if your plugin is 1). trying to do a lookup to see if a person is in a group or 2). if a person has the group listed in their group membership? Thanks again for the plugin!

  10. Paul Bearne
    July 22nd, 2010 at 12:17 | #15

    Single Sign On (SSO) for WordPress

    SSO is all about not having to log in to multiple sites/applications, but rather having the ID that logged into your computer passed to the IIS server and using that to log you in.

    We tried to keep it as simple as possible. Windows Authentication only needs to be set on wp-login.php (to reduce the server load of authenticating all the time). When you load this page with SSO turned on in WPMU-LDAP, we look in the server variables for your username; if we find it, we then log in as that user, or call the LDAP server with that ID to get your details if it is your first time on the blog.

    How to setup SSO on IIS

    Follow the standard install for WPMU-LDAP and get it all working

    Then create an ID that uses your NT ID as the username and make that ID a super admin

    Don’t do this until you are happy that it all works.

    To configure Windows Authentication
    Open IIS Manager
    Select the root of the site in the left pane
    Click the Content View at the bottom of the main pane
    Select wp-login.php in the main pane
    Click the Features View at the bottom of the main pane to get back to the admin icons
    Double-click the Authentication option in the IIS section
    Select Windows Authentication and click Enable in the Action panel on the right

    That’s all you need to do with IIS

    Now open a non-MS browser (Firefox)
    Now load the WPMU-LDAP control panel and enable SSO
    Keep browser open

    Now open IE and go to your blog site and try to access wp-admin. If all is well you will get pushed to wp-login, where you get logged in using the NT ID and forwarded to wp-admin, or to your profile if you are not an admin (see above)

    Any new user will automatically get an account

    If you now try to log on with a non-IE browser you will get a login box popup

    Note: there are a number of third-party tools that will allow setting this up on a Linux server. These should all work as long as they provide a username in one of these variables

    $_SERVER['LOGON_USER'];
    $_SERVER['REMOTE_USER'];
    $_SERVER['AUTH_USER'];

    We have only tested this on IIS 6/7; if you try any other provider please let us know how you get on.

    Paul Bearne

    Feel free to edit etc.

  11. Joss Winn
    July 27th, 2010 at 03:54 | #16

    @Aaron Axelsen

    Just to note that since upgrading to WP 3 and v3 of this plugin, login for XML-RPC clients (iPhone/Android) no longer works for me, either. It works fine for locally created users though.

  12. July 27th, 2010 at 10:52 | #17

    @Joss Winn

    That does seem to be the case. Local users authenticate fine. I’m not sure if WP3 changed something that simply made WPMU-LDAP incompatible with XML-RPC calls. Not sure how that would happen. Can anyone verify that they CAN make a successful XML-RPC login through LDAP?

    • Aaron Axelsen
      July 28th, 2010 at 06:39 | #18

      Can you try this again with either the latest svn version? Or change the following and give it a try:

      Line 94 of lib/wpmu_ldap.functions.php
      Change: require ( ABSPATH . WPINC . '/registration.php' );
      To: require_once( ABSPATH . WPINC . '/registration.php' );

  13. Aaron Axelsen
    July 28th, 2010 at 06:40 | #19

    @Paul Bearne
    Thanks Paul! I’ll get this posted on the site.

  14. Joss Winn
    July 28th, 2010 at 15:51 | #20

    I made the require_once change given above to fix the conflict with the feedwordpress plugin and it seems to have solved the XMLRPC login problem, too. Thank you.

  15. August 1st, 2010 at 22:11 | #21

    Works GREAT now. Thank you! I’m glad it wasn’t a huge change.

  16. August 7th, 2010 at 08:38 | #22

    First great plugin!

    Now the question….Since updating to 3.0.1 LDAP users are not automatically created if a super user adds them in the sites menu. Instead a local user is created.

    If you create an additional blog for an existing user, it works perfectly. Also, the add user in the super admin menu works as expected.

    Any ideas? I didn’t see anything in the logs.

  17. Christian Liem
    September 3rd, 2010 at 19:27 | #23

    @Paul Bearne Thanks for the write-up, that gave me enough hint for what needs to be done to get it working on a linux box.

    If anyone is interested, I’m using mod_auth_kerb on apache to get the same functionality as the “Windows Authentication” on IIS.

    You must have a functional kerberos setup before doing that. I went with the samba/winbind route. It’s not the leanest way to get kerberos working but it’s simpler than trying to get just kerberos working correctly on its own. A side benefit to this setup is the ability to use AD accounts to grant permissions to the file system if you need to open-up access to ssh/themes/plugins to some users. To get the linux box joined to the domain, I followed this Gentoo guide: http://en.gentoo-wiki.com/wiki/Active_Directory_with_Samba_and_Winbind

    Once you have the system joined, you can use the ‘net ads keytab create’ command to create the basic keytab file. The file should be /etc/krb5.keytab. Then run ‘net ads keytab add HTTP’ to add the HTTP service principal.

    Now configure apache to load mod_auth_kerb. Then add the following to the .htaccess in the root of your wpmu install:

    <Files wp-login.php>
        AuthType Kerberos
        AuthName "DOMAIN.LOCAL"
        KrbAuthRealms DOMAIN.LOCAL
        KrbServiceName HTTP/hostname.domain.local
        Krb5Keytab /etc/krb5.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        Require valid-user
    </Files>

    Unfortunately mod_auth_kerb uses the userPrincipalName rather than the Windows DOMAIN\USERNAME format when it sets the REMOTE_USER variable. So I added the following to the wpmuLdapSSOGetUser() function in wpmu_ldap.functions.php:

    if (strpos($username, '@') !== FALSE) {
        $username = substr($username, 0, strpos($username, '@'));
    }

    It goes below the other if block that strips the domain from the other format.
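
The SSO username handling from the two write-ups above (the three server variables on IIS, and the user@REALM form from mod_auth_kerb), as an added example that is not code from the plugin or from either commenter. It checks the realm or domain part before discarding it, so an identity from a realm or domain the site does not expect is not mapped to an account with the same short name. The function name `example_sso_username`, both constants and their values are hypothetical; the plugin's own wpmuLdapSSOGetUser() is not shown on this page.

```php
<?php
// Added example: hypothetical helper, not code from WPMU Ldap.
// Assumed values: one trusted Kerberos realm and one trusted NetBIOS domain.
const SSO_TRUSTED_REALM  = 'DOMAIN.LOCAL'; // same placeholder as the .htaccess above
const SSO_TRUSTED_DOMAIN = 'DOMAIN';       // assumed short domain for DOMAIN\user

// Returns the bare account name, or null if no identity is set or it is not trusted.
function example_sso_username(array $server)
{
    $raw = '';
    foreach (array('LOGON_USER', 'REMOTE_USER', 'AUTH_USER') as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            $raw = $server[$key];
            break;
        }
    }
    if ($raw === '') {
        return null;
    }
    if (($pos = strrpos($raw, '@')) !== false) {        // user@REALM (mod_auth_kerb)
        if (substr($raw, $pos + 1) !== SSO_TRUSTED_REALM) {
            return null;                                 // principal from another realm
        }
        $user = substr($raw, 0, $pos);
    } elseif (($pos = strpos($raw, '\\')) !== false) {   // DOMAIN\user (IIS)
        if (strcasecmp(substr($raw, 0, $pos), SSO_TRUSTED_DOMAIN) !== 0) {
            return null;                                 // unexpected domain prefix
        }
        $user = substr($raw, $pos + 1);
    } else {
        $user = $raw;                                    // already a bare name
    }
    // Conservative character set: reject anything else before it reaches an LDAP lookup.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/D', $user) === 1 ? $user : null;
}

// Constructed sample identities, one per format discussed in the comments.
$samples = array(
    array('REMOTE_USER' => 'jdoe@DOMAIN.LOCAL'),
    array('LOGON_USER'  => 'DOMAIN\\jdoe'),
    array('REMOTE_USER' => 'jdoe@OTHER.EXAMPLE'),
    array('AUTH_USER'   => 'j doe'),
    array(),
);
foreach ($samples as $server) {
    var_dump(example_sso_username($server));
}
```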

  18. September 23rd, 2010 at 08:34 | #24

    I’m using WordPress v3.0.1 (with multisite enabled) with this LDAP authentication plugin. Works great. However, I turned on the XML-RPC publishing protocol so I could publish via the WordPress iPhone app. When I added my site in the iPhone app, it gave me a “500 server error.” My apache error_log says:

    PHP Fatal error: Cannot redeclare username_exists()

    So I made the change you suggested on line 94 of lib/wpmu_ldap.functions.php and that resolved it. Thank you Aaron!!

  19. Mark
    September 30th, 2010 at 14:43 | #25

    I just installed WPMU Ldap 3.0 on my wordpress 3.01 site, which I just upgraded from 2.84. It works, although I have not tried the groups feature yet.

    I overwrote the old WPMU ldap files with the new ones.

    Once again, I had to edit ldap_core.php to remove the variable ($proto) that sets the server string to either ldaps:// or ldap:// so that ldap_core.php just makes the connection as ldap.example.com instead of ldaps://ldap.example.com or ldap://ldap.example.com, which seems to be what works with our corporate ldap server.

  20. Ahmed
    November 21st, 2010 at 12:59 | #26

    Hi
    I just wonder if it is possible, in the Attribute Mapping for the e-mail attribute, to write more than one attribute, as on my LDAP server the staff have the “mail” attribute and the students have the “studentmail” attribute. Is it possible for this to be implemented? Is there anything that I can change in the code? If it is not possible, then can I put the e-mail as “UID@domain.com”, where UID is the user ID from LDAP?
    Greatest Regards

  21. Sam Margulies
    February 21st, 2011 at 14:01 | #27

    Hi,
    Great plugin! I just started using this plugin and must say that it blows other LDAP plugins out of the water. I found one small problem though: when trying to give users with editor privileges access to add LDAP users I found it impossible to change the way the plugin is written. To get around this I used current_user_can( ‘add_users’ ) instead of is_admin() and I changed add_submenu_page() to use ‘add_users’ as the capability instead of 9 (which is deprecated along with user levels.)
