block internal authentication

  • I’m missing the option to restrict the authentication to external services. This plugin currently creates too much effort when users have left the company.
    Besides of that the plugin seems to do a good job.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Paul Ryan

    (@figureone)

    How would that help though? If their email account is also tied into the same external authentication, when they are removed from it, they can’t access their email anymore, and thus can’t reset their WordPress password to regain access. (This is assuming you are using the default behavior, where WordPress accounts are linked to external accounts via email.)

    Thread Starter tabbsomat

    (@tabbsomat)

    Thank you, Paul, for your quick response.
    Our users authenticate with user name, only, omitting the domain part. I have concerns about the password hash stored in WordPress for users from the directory….

    Besides of that: there’s always a risk that admin users create ordinary wordpress users accidently or intentionally. It is difficult do differentiate between these users and those from the directory. I want to have it clear: local users should be ignored.

    I like the strict behavior of the simple ldap plugin in this case. Since that plugin has not been maintained for a while it has become incompatible to current versions of WP. Hence I have started to research for more recent ldap plugins. The Authorizer seems to fit best so far ??

    Plugin Author Paul Ryan

    (@figureone)

    We’ll look into adding an option to disable local (WordPress) authentication, but just be aware that it can make your WordPress admin unreachable if something happens to your LDAP server.

    Also FYI, no LDAP user passwords are stored in the WordPress database; when a new LDAP user authenticates, they get a random password assigned using wp_generate_password():
    https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authorization.php#L210
    https://developer.www.ads-software.com/reference/functions/wp_generate_password/

    Plugin Author Paul Ryan

    (@figureone)

    Will track that feature request here:
    https://github.com/uhm-coe/authorizer/issues/89

    Thread Starter tabbsomat

    (@tabbsomat)

    Thank you Paul, I’d still be happy to get that feature. ??

    Of course, once restricted to external authentication there’s no way to authenticate without having the external data source available – that is exactly my expected behavior.

    On the other hand: WordPress Administrators chosing LDAP as Directory always should be able to find their ways to bypass WordPress and to fix potential issues with their directories.

    Regarding the password hashes: Accidently created local users have valid hashes. As long issue 89 hasn’t been implemented I continue to run a regular job checking for changed hashes in the database and updating them to a unusable one.

    Thanks again and have a nice day,
    Thomas

    • This reply was modified 4 years, 8 months ago by tabbsomat.
    Plugin Author Paul Ryan

    (@figureone)

    Aloha, version 2.9.12 is out now with the “Disable WordPress logins” feature. Please test it out and let us know if you have any feedback.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘block internal authentication’ is closed to new replies.