WPMU Ldap 3.0 Released!
After much work and preparation, the 3.0 plugin is ready to go. Most of the kinks should be worked out of it, but if you notice anything please let me know! Just like the previous versions, the plugin must be installed in the “mu-plugins” folder. The only difference with WP 3.0 is that the folder does not exist by default. You will need to create the “mu-plugins” folder under “wp-content”. Drop the files in there and you should be good to go!
The plugin also now supports basic group authentication for both allow and deny groups. Thanks to the help of Ken Newquist, we were able to test this extensively across both Active Directory and OpenLDAP platforms. Example configurations are available on the Documentation page.
Other fixes and changes included in this release:
- Basic deny/allow group logic
- Changed bulk add logic to not automatically create blogs if the option is enabled – wordpress does not support this functionality
- Fixed issues with connection check not working when plugin is not enabled
- Fixed typo in default ldaps port in the documentation
- Fixed issue where local users would still attempt to authenticate against ldap
- Added better error checking on failure when adding users from the add user menu
The plugin can be downloaded from the Sourceforge project page. As always, I hope you enjoy it and please report any problems or suggestions you might have!
Great job, thanks for all of your hard work on this project.
I just tried it out on WordPress MU 2.9.2 and got this error: “Fatal error: Call to undefined function is_super_admin() in /path/to/blog/wp-content/mu-plugins/ldap/lib/wpmu_ldap_admin.functions.php on line 682”
I checked the requirements in the documentation which say that I need WordPress 3.0 for the 3.0 WPMU Ldap plugin.
@Joe Lencioni
Correct – the 3.0 plugin requires WordPress 3.0 – it will not work on 2.9.2
Thank you for this plugin! Authentication works fine.
I have a little problem with role assignment: users who log in over ldap are members of “subscriber”; in my case, they should be “authors” by default. How can I achieve this? I use wordpress 3.0 and wpmu Ldap 3.0. Thank you for your help!
You should be able to update the wordpress ‘default_user_role’ site option to be author instead of subscriber – see if that does the trick for you. Change the “Dashboard User Default Role” on the admin options screen for wordpress
Tried this on wordpress 3 and got this error.
Fatal error: Cannot redeclare wp_new_user_notification() (previously declared in C:\Intranet\wp-includes\pluggable.php:1193) in C:\Intranet\wp-content\plugins\ldap\lib\wpmu_ldap_admin.functions.php on line 785
Please re-read the above post. The plugin must be installed in “mu-plugins”.
Hello Aaron,
I tried your advice concerning role assignment without luck – all users coming over ldap are subscribers, and I have no way to assign author rights by default on first login. Thank you for further help!
Until I get a chance to tweak the code, try going through ldap/lib/wpmu_ldap.functions.php and change $new_role = ‘subscriber’ to be author
I think it’s not quite working with the XML-RPC code, though honestly I’m having a hard time being sure. Pre-3.0, my XML-RPC calls were working fine with a subdirectory-based multiuser install. Now with WP3.0 Multisite, I keep getting “bad login/password” errors returned from xmlrpc.php when I attempt to authenticate. It works fine with the regular admin user, though. Could this be a problem with WPMU-LDAP?
Other than that, this has been a fantastic plugin, and I appreciate all the development work you’ve done on it!
Sorry, forgot to post the actual error: PHP Fatal error: Cannot redeclare username_exists() (previously declared in /www/blog30/wp-includes/registration.php:16) in /www/blog30/wp-includes/registration.php on line 22
This may not be a WPMU-LDAP problem, since username_exists() isn’t called anywhere in the plugin I can see. I’m just not sure what else it could be.
I think this may be a WP core issue – since I’m not doing anything specific with that.
Hi Aaron
Fix bug for and a fix
In the land of single sign on with WP 3.0 I was not getting redirected back to the page I was trying to load from the log-in page.
This is because WP has added “&reauth=1” to the query string if you try to get to wp-admin etc. to force you to log in; we don’t need that if we have SSO turned on.
So here is my patch to fix this
ln 54 ldap_auth.php
if (get_site_option('ldapSSOEnabled')) {
    add_action('authenticate', 'wpmuLdapSSOAuthenticate', 40, 3);
    add_filter('login_url', 'wpmuLdapSSODisableReauth'); // removes reauth from login URL
}
and I put this function at the bottom of wpmu_ldap.functions.php
/*
 * When in SSO mode we don't need to force a re-login, so this stops that
 * by stripping the reauth flag WordPress appends to the login URL.
 */
function wpmuLdapSSODisableReauth($login_url) {
    return str_replace('&reauth=1', '', $login_url);
}
Feel free to change the code etc.
but this does work and I don’t think it will break anything
Please add this to the next version
Paul
Paul – I can get this added to the next release. Would you be willing to write up a little something for this site on SSO, how to configure it and how it works? That would be very helpful as several people have asked for more detail – which I don’t have regarding it. Thanks!
Aaron,
Very excited to see this latest release supporting groups in AD through the user interface. Along those lines, can you tell me if your plugin is 1). trying to do a lookup to see if a person is in a group or 2). if a person has the group listed in their group membership? Thanks again for the plugin!
Single Sign On (SSO)for wordpress
SSO is all about not having to log in to multiple sites/applications, but rather having the id you logged into your computer with passed to the IIS server and using that to log you in.
We tried to keep it as simple as possible. Windows Authentication only needs to be set on wp-login.php (to reduce the server load of authenticating all the time). When you load this page with SSO turned on in WPMU-LDAP, we look in the server variables for your username; if we find it we then log you in as that user, or call the LDAP server with that id to get your details if it is your first time on the blog.
How to setup SSO on IIS
Follow the standard install for WPMU-LDAP and get it all working
Then create an ID that uses your NT id as the username and make that ID a super admin
Don’t do this until you are happy that it all works.
To configure Windows Authentication
Open IIS manager
Select the root of the site in the left pane
Click the content view at the bottom of the main pane
Select wp-login.php in the main pane
Click the Features view at the bottom of the main pane to get back to the admin icons
Double click the Authentication option in the IIS section
Select Windows Authentication and click enable in the Action panel on the right
That’s all you need to do with IIS
Now open a non MS browser (firefox)
Now load the WPMU-LDAP control panel and enable SSO
Keep browser open
Now open IE and go to your blog site and try to access wp-admin. If all is well you will get pushed to wp-login, where you get logged in using the NT id and forwarded to wp-admin, or to your profile if you’re not an admin (see above)
Any new user will automatically get an account
If you try now to log on with a non-IE browser you will get a login box popup
Note: there are a number of third party tools that will allow setting this up on a linux server. These should all work as long as they provide a username in one of these variables
$_SERVER['LOGON_USER'];
$_SERVER['REMOTE_USER'];
$_SERVER['AUTH_USER'];
We have only tested this on IIS 6/7; if you try any other provider please let us know how you get on.
Paul Bearne
Feel free to edit etc.
@Aaron Axelsen
Just to note that since upgrading to WP 3 and v3 of this plugin, login for XML-RPC clients (iPhone/Android) no longer works for me, either. It works fine for locally created users though.
@Joss Winn
That does seem to be the case. Local users authenticate fine. I’m not sure if WP3 changed something that simply made WPMU-LDAP incompatible with XML-RPC calls. Not sure how that would happen. Can anyone verify that they CAN make a successful XML-RPC login through LDAP?
Can you try this again with either the latest svn version, or change the following and give it a try:
Line 94 of lib/wpmu_ldap.functions.php
Change: require( ABSPATH . WPINC . '/registration.php' );
To: require_once( ABSPATH . WPINC . '/registration.php' );
@Paul Bearne
Thanks Paul! I’ll get this posted on the site.
I made the require_once change given above to fix the conflict with the feedwordpress plugin and it seems to have solved the XMLRPC login problem, too. Thank you.
Works GREAT now. Thank you! I’m glad it wasn’t a huge change.
First great plugin!
Now the question….Since updating to 3.0.1 LDAP users are not automatically created if a super user adds them in the sites menu. Instead a local user is created.
If you create an additional blog for an existing user, it works perfectly. Also, the add user in the super admin menu works as expected.
Any ideas? I didn’t see anything in the logs.
@Paul Bearne Thanks for the write-up, that gave me enough hint for what needs to be done to get it working on a linux box.
If anyone is interested, I’m using mod_auth_kerb on apache to get the same functionality as the “Windows Authentication” on IIS.
You must have a functional kerberos setup before doing that. I went with the samba/winbind route. It’s not the leanest way to get kerberos working but it’s simpler than trying to get just kerberos working correctly on its own. A side benefit to this setup is the ability to use AD accounts to grant permissions to the file system if you need to open-up access to ssh/themes/plugins to some users. To get the linux box joined to the domain, I followed this Gentoo guide: http://en.gentoo-wiki.com/wiki/Active_Directory_with_Samba_and_Winbind
Once you have the system joined, you can use the ‘net ads keytab create’ command to create the basic keytab file. The file should be /etc/krb5.keytab. Then run ‘net ads keytab add HTTP’ to add the HTTP service principal.
Now configure apache to load mod_auth_kerb. Then add the following to the .htaccess in the root of your wpmu install:
<Files wp-login.php>
AuthType Kerberos
AuthName "DOMAIN.LOCAL"
KrbAuthRealms DOMAIN.LOCAL
KrbServiceName HTTP/hostname.domain.local
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
Require valid-user
</Files>
Unfortunately mod_auth_kerb uses the userPrincipalName rather than the windows DOMAIN\USERNAME format when it sets the REMOTE_USER variable. So I added the following to the wpmuLdapSSOGetUser() function in wpmu_ldap.functions.php:
if (strpos($username, '@') !== FALSE) {
    // mod_auth_kerb sets user@REALM; keep only the part before the '@'
    $username = substr($username, 0, strpos($username, '@'));
}
It goes below the other if block that strips the domain from the other format.
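The username normalisation that Paul's SSO write-up and the mod_auth_kerb comment above describe, pulled together as one function. This is an added example, not code from the WPMU-LDAP plugin; the function name and the server-variable array are assumptions, and the sample values at the bottom are constructed.

```php
<?php
// Added example (not the plugin's own code): derive the login name from the three
// server variables the SSO write-up lists, normalising the two spellings the thread
// mentions: IIS Windows Authentication gives DOMAIN\user, mod_auth_kerb gives the
// userPrincipalName user@DOMAIN.LOCAL. Only values set by the web server's
// authentication module arrive in these keys; client request headers never do,
// so nothing else is consulted.
function sso_username_from_server(array $server) {
    foreach (array('LOGON_USER', 'REMOTE_USER', 'AUTH_USER') as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $username = $server[$key];

        // IIS / Windows Authentication: "DOMAIN\user" -> "user"
        $pos = strrpos($username, '\\');
        if ($pos !== false) {
            $username = substr($username, $pos + 1);
        }

        // mod_auth_kerb: "user@DOMAIN.LOCAL" -> "user"
        $pos = strpos($username, '@');
        if ($pos !== false) {
            $username = substr($username, 0, $pos);
        }

        // Accept only the characters an AD sAMAccountName or a uid is expected to
        // carry, so an odd value is never fed into an LDAP filter or user lookup.
        if (preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
            // AD names are case-insensitive; fold so JSmith and jsmith map to one
            // WordPress account instead of two.
            return strtolower($username);
        }
        return null; // present but malformed: refuse rather than guess
    }
    return null; // the web server supplied no authenticated identity
}

// Constructed sample values, in the shape IIS and mod_auth_kerb would set them.
var_dump(sso_username_from_server(array('LOGON_USER' => 'CORP\\JSmith')));
var_dump(sso_username_from_server(array('REMOTE_USER' => 'jsmith@CORP.LOCAL')));
var_dump(sso_username_from_server(array()));
```

In the plugin this logic would sit where wpmuLdapSSOGetUser() reads the server variables; a null return should fall through to the normal login form rather than create an account.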
I’m using WordPress v3.0.1 (with multisite enabled) with this LDAP authentication plugin. Works great. However, I turned on the XML-RPC publishing protocol so I could publish via the WordPress iPhone app. When I added my site in the iPhone app, it gave me a “500 server error.” My apache error_log says:
PHP Fatal error: Cannot redeclare username_exists()
So I made the change you suggested on line 94 of lib/wpmu_ldap.functions.php and that resolved it. Thank you Aaron!!
I just installed WPMU Ldap 3.0 on my wordpress 3.01 site, which I just upgraded from 2.84. It works, although I have not tried the groups feature yet.
I overwrote the old WPMU ldap files with the new ones.
Once again, I had to edit ldap_core.php to remove the variable ($proto) that sets the server string to either ldaps:// or ldap:// so that ldap_core.php just makes the connection as ldap.example.com instead of ldaps://ldap.example.com or ldap://ldap.example.com, which seems to be what works with our corporate ldap server.
Hi
I just wonder if it is possible, in the Attribute Mapping and in the e-mail attribute, to write more than one attribute, as on my ldap server the staff have the “mail” attribute and the students have the “studentmail” attribute. Is it possible to implement this? Is there anything that I can change in the code? If it is not possible, then can I set the e-mail as “UID@domain.com”, where UID is the user ID from LDAP?
Greatest Regards
Hi,
Great plugin! I just started using this plugin and must say that it blows other LDAP plugins out of the water. I found one small problem though: when trying to give users with editor privileges access to add LDAP users I found it impossible to change the way the plugin is written. To get around this I used current_user_can('add_users') instead of is_admin() and I changed add_submenu_page() to use 'add_users' as the capability instead of 9 (which is deprecated along with user levels.)