• My diff to make a single sign on (SSO):
    – works on windows with $_SERVER['REMOTE_USER'] = 'domain\username'
    – fixed $wpdb->escape() deprecated notice
    – fixed mcrypt_decrypt() password decrypt
    – do not show admin bar for new users

    673c673
    <
    ---
    > 		 if (empty($_SERVER['REMOTE_USER'])) {
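    Review bot: the `<` side of this hunk is blank, so a reader cannot see what line 673 contained before or which existing code the new `if (empty($_SERVER['REMOTE_USER'])) {` now wraps; its matching `} else {` only appears in the next hunk, 115 lines further on. Posting the change as a unified diff (`diff -u`) with a few lines of context would make the control flow reviewable.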
    788c788,824
    <
    ---
    > 	} else {
    > 			// SSO
    > 			$username = strtolower ( $_SERVER ['REMOTE_USER'] );
    > 			if (strpos ( $username, '@' ) !== FALSE) {
    > 				$account_suffix = substr ( $username, strpos ( $username, '@' ) );
    > 				$username = substr ( $username, 0, strpos ( $username, '@' ) );
    > 			} elseif (strpos ( $username, '\\\\' ) !== FALSE) {
    > 				list ( $account_suffix, $username ) = explode ( '\\\\', $_SERVER ['REMOTE_USER'] );
    > 				$account_suffix = '@' . $account_suffix;
    > 			}
    > 			$password = wp_generate_password ();
    > 			$this->_auto_update_password = false;
    >
    > 			// Log informations
    > 			$this->_log ( ADI_LOG_NOTICE, 'SSO username: ' . $username );
    > 			$this->_log ( ADI_LOG_INFO, "Options for adLDAP connection:\n" . "- account_suffix: $this->_account_suffix\n" . "- base_dn: $this->_base_dn\n" . "- domain_controllers: $this->_domain_controllers\n" . "- ad_port: $this->_port\n" . "- use_tls: " . ( int ) $this->_use_tls . "\n" . "- network timeout: " . $this->_network_timeout . "\n" . "- AD user: " . $this->_syncback_global_user );
    >
    > 			// Connect to Active Directory
    > 			try {
    > 				$this->_adldap = @new adLDAP ( array (
    > 						"account_suffix" => $this->_account_suffix,
    > 						"base_dn" => $this->_base_dn,
    > 						"domain_controllers" => explode ( ';', $this->_domain_controllers ),
    > 						"ad_port" => $this->_port, // AD port
    > 						"use_tls" => $this->_use_tls, // secure?
    > 						"network_timeout" => $this->_network_timeout, // network timeout
    > 				        "ad_username" => $this->_syncback_global_user, // Use syncback user
    > 				        "ad_password" => $this->_decrypt($this->_syncback_global_pwd) // Use syncback user
    > 				 ));
    > 			} catch ( Exception $e ) {
    > 				$this->_log ( ADI_LOG_ERROR, 'adLDAP exception: ' . $e->getMessage () );
    > 				return false;
    > 			}
    >
    > 			$this->_authenticated = true;
    > 		}
    > 		// end SSO
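    Review bot: in the `elseif` branch, `strpos($username, '\\\\')` and `explode('\\\\', ...)` look for two literal backslashes (a single-quoted PHP `'\\'` is already one backslash), so `domain\username`, the exact form the post says it works with, never matches unless the forum doubled the characters; use `'\\'` in both places and split the lowercased `$username` rather than the raw `$_SERVER['REMOTE_USER']`. `$account_suffix` and `$password` are computed but never used afterwards. More importantly, the branch binds with the sync-back credentials (`ad_username`/`ad_password`) and then sets `$this->_authenticated = true` without ever looking `$username` up in the directory, so whatever the web server puts in `REMOTE_USER` is accepted as a valid account; a user lookup after the bind (adLDAP's `user_info()`, for example) with `return false` on no result keeps the plugin's AD check in the SSO path. The `@` on `new adLDAP` also suppresses connection warnings that the `catch` block will never see.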
    2390c2426
    < 		$sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . $wpdb->escape($username)."'," . time() . ")";
    ---
    > 		$sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . esc_sql($username)."'," . time() . ")";
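    Review bot: `esc_sql()` is the right drop-in for the deprecated `$wpdb->escape()`, but the statement is still assembled by string concatenation with hand-written quotes; `$wpdb->prepare("INSERT INTO $table_name (user_login, failed_login_time) VALUES (%s, %d)", $username, time())` escapes, quotes and type-checks in one step. The same applies to the three SELECT hunks that follow, where `$time` is also interpolated into the query unescaped and would be covered by a `%d` placeholder.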
    2408c2444
    < 		$sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".$wpdb->escape($username)."' AND failed_login_time >= $time";
    ---
    > 		$sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".esc_sql($username)."' AND failed_login_time >= $time";
    2429c2465
    < 			$sql .= " OR user_login = '".$wpdb->escape($username)."'";
    ---
    > 			$sql .= " OR user_login = '".esc_sql($username)."'";
    2447c2483
    < 		$sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".$wpdb->escape($username)."'";
    ---
    > 		$sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".esc_sql($username)."'";
    2573a2610,2611
    > 			update_user_meta($user_id, 'show_admin_bar_front', 'false'); // Do not show admin bar
    >
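    Review bot: this hides the admin bar for every account the plugin creates, with no setting to opt out, and it is unrelated to the SSO fix the rest of the diff makes; it would be cleaner as a separate option or left to a filter in the theme. The string `'false'` is the value WordPress itself stores for `show_admin_bar_front`, so the call as written is correct.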
    3174c3212
    < 		    $text = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv);
    ---
    > 		    $text = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv), "");
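    Review bot: the second argument to `rtrim()` is an empty string, so the call strips nothing and this hunk is a no-op as posted; mcrypt pads with NUL bytes, so the intended form is `rtrim(mcrypt_decrypt(...), "\0")`, and the NUL has most likely been lost in the paste. Separately, `MCRYPT_RIJNDAEL_128` in `MCRYPT_MODE_ECB` (with `$iv` ignored by that mode) is a deterministic, unauthenticated way to store the sync password, and mcrypt is deprecated in PHP 7.1 and removed in 7.2; `openssl_encrypt()` with AES-CBC plus an HMAC, or AES-GCM, is the longer-term fix.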

    To make an auto single sign on add this to theme file:

    function d25_after_setup_theme() {
    	// Single Sign On
    	if ( !is_user_logged_in() && !empty($_SERVER['REMOTE_USER']) ) {
    		$user = wp_signon(); // authorization in active-directory-integration
    		if ($user) wp_set_current_user($user->ID, $user->user_login);
    	}
    
    }
    add_action('after_setup_theme', 'd25_after_setup_theme' );

    https://www.ads-software.com/plugins/active-directory-integration/

Viewing 15 replies - 1 through 15 (of 19 total)
  • Could you post this at pastebin or somewhere that doesn’t add weird characters to copy/paste?

    Thread Starter dimagsv

    (@dimagsv)

    Diff with full sources here https://www.diffchecker.com/cpsde0s1
    fix to theme file:

    function d25_after_setup_theme() {
    	// Single Sign On
    	if ( !is_user_logged_in() && !empty($_SERVER['REMOTE_USER']) ) {
    		$user = wp_signon(); 	// authorization in active-directory-integration
    		if ( !is_wp_error($user) ) wp_set_current_user($user->ID, $user->user_login);
    	}
    }
    add_action('after_setup_theme', 'd25_after_setup_theme' );

    Hey dimagsv,

    thank you for your work. I've tested it but it doesn't work ??

    What I've done:
    – Modify the AD Plugin, like you described it
    – Extended the functions.php in my Theme
    – Checked the settings in the AD Plugin

    but when I open https://www.domain.de/blog/wp-login.php there is still the login and no automatic single sign-on :/

    Information about my AD:
    Domain: group.domain.de
    Suffix: @domain.de
    Remote-User: GROUP\user

    Could you help me please?

    best regards
    Hugo

    Thanks dimagsv, I haven’t yet gotten around to installing it to test it yet. I am running on a redhat server though so I’ll let you know how it goes. Have you considered forking this plugin? It appears to be abandoned.

    Thread Starter dimagsv

    (@dimagsv)

    hugo23
    First. You need to setup ntlm plugin to web server.
    I use mod_authn_ntlm for Apache 2.4 for windows.
    https://github.com/YvesR/mod_authn_ntlm/raw/master/bin/mod_authn_ntlm.so
    My config of this module:

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
    <Location / >
    AuthName "D25"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative Off
    NTLMPerRequestAuth off
    <RequireAny>
      Require valid-user
    </RequireAny>
    </Location>

    Second. You need use proper browser: opera 15+, chrome, internet explorer, firefox (with network.automatic-ntlm-auth.trusted-uris = ‘www.domain.de’)
    With correctly installed ntlm plugin you will get an authorization request in opera 12- and firefox without network.automatic-ntlm-auth.trusted-uris.

    Third. You need set ‘Global Sync User’ ([email protected]) and ‘Global Sync User Password’ (admin_password) in active-directory-integration settings page in ‘User Meta’ subpage.

    Automatic login occurs when visiting any page, not only /wp-login.php.

    Is there any errors in ‘Test’ subpage with ‘user’ and ‘userpass’?

    Thread Starter dimagsv

    (@dimagsv)

    Jason
    I will not fork this plugin now. Maybe later, if no one else will do it.

    Hey Dima, thank you for your answer.

    I use Apache2 on a Linux System. (SUSE Linux Enterprise)
    So I have to use apache2-mod_auth_ntlm_winbind, right? Can't see another package.

    In this case, I've also got to edit the smb.conf, right? I think it won't be easy to realize this :/

    I found it just as easy to use the auto_login function already in the plugin.
    I just uncommented the line in the constructor and manipulated it a bit to make it work with REMOTE_USER:

    public function auto_login() {
        if (!is_user_logged_in() && isset($_SERVER['REMOTE_USER'])) {
            // REMOTE_USER arrives as DOMAIN\user; keep only the user part.
            // explode() result is stored first: end() needs a variable, not an expression.
            $parts = explode('\\', $_SERVER['REMOTE_USER']);
            $user_login = end($parts);
            $user = get_user_by('login', $user_login);
            if ($user !== FALSE) {
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                // core fires wp_login with both the login name and the WP_User object
                do_action('wp_login', $user_login, $user);
            }
        }
    }

    EDIT: This method doesn’t auto create users with SSO.
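    Added example, not code from dimagsv's diff or from veloek's auto_login() above: it covers both the REMOTE_USER parsing in the diff's SSO branch (DOMAIN\user and user@realm forms, with a single backslash as separator) and the login-existing-user approach in this reply, but rejects malformed names with a whitelist instead of trusting the header as-is, and never marks a name authenticated or creates an account when no WordPress user matches. The function names `sso_parse_remote_user` and `sso_auto_login` are assumptions; the WordPress calls are guarded with `function_exists()` so the parser can be exercised from the command line with the constructed inputs at the bottom.

```php
<?php
// Added example (not the plugin's or the thread's code). Parses the value an
// NTLM/Kerberos web-server module places in REMOTE_USER and logs in the
// matching, already-existing WordPress user. Function names are hypothetical.

/**
 * Normalise the forms an authentication module produces:
 *   DOMAIN\user  ->  ['user' => 'user',  'realm' => 'domain']
 *   user@realm   ->  ['user' => 'user',  'realm' => 'realm']
 *   user         ->  ['user' => 'user',  'realm' => '']
 * Returns null for anything that is not a plain account-name shape.
 */
function sso_parse_remote_user($remote_user) {
    $remote_user = trim((string) $remote_user);
    if ($remote_user === '') {
        return null;
    }
    $realm = '';
    $user  = $remote_user;
    if (strpos($remote_user, '\\') !== false) {
        // '\\' inside single quotes is ONE backslash; '\\\\' would need two.
        list($realm, $user) = explode('\\', $remote_user, 2);
    } elseif (strpos($remote_user, '@') !== false) {
        list($user, $realm) = explode('@', $remote_user, 2);
    }
    $user  = strtolower($user);
    $realm = strtolower($realm);
    // Whitelist rather than sanitise: letters, digits, dot, dash, underscore.
    // A second separator, a space or a quote makes the whole value invalid.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    if ($realm !== '' && !preg_match('/^[a-z0-9.-]{1,253}$/', $realm)) {
        return null;
    }
    return array('user' => $user, 'realm' => $realm);
}

/**
 * init hook: log in the existing account named by REMOTE_USER.
 * An unknown or malformed name is ignored; nothing is created.
 */
function sso_auto_login() {
    if (is_user_logged_in() || empty($_SERVER['REMOTE_USER'])) {
        return;
    }
    $parsed = sso_parse_remote_user($_SERVER['REMOTE_USER']);
    if ($parsed === null) {
        return;
    }
    $user = get_user_by('login', $parsed['user']);
    if ($user === false) {
        return;
    }
    wp_set_current_user($user->ID, $user->user_login);
    wp_set_auth_cookie($user->ID);
    do_action('wp_login', $user->user_login, $user); // same arguments core passes
}

if (function_exists('add_action')) {
    add_action('init', 'sso_auto_login');
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone self-check of the parser with constructed inputs.
    $cases = array(
        'GROUP\\Hugo'     => array('user' => 'hugo',  'realm' => 'group'),
        'hugo@domain.de'  => array('user' => 'hugo',  'realm' => 'domain.de'),
        'j.doe'           => array('user' => 'j.doe', 'realm' => ''),
        "admin' OR 1=1"   => null,   // quote is not in the whitelist
        'A\\B\\C'         => null,   // second separator ends up in the user part
        ''                => null,
    );
    foreach ($cases as $input => $expected) {
        $got = sso_parse_remote_user($input);
        printf("%-18s => %s\n", var_export($input, true), var_export($got, true));
        if ($got !== $expected) {
            fwrite(STDERR, "mismatch for " . var_export($input, true) . "\n");
            exit(1);
        }
    }
    echo "all cases ok\n";
}
```

Run it with `php sso.php` outside WordPress to see the parser's decisions; inside a theme's functions.php the `add_action` branch wires it up. The `<Location />` block from the Apache configuration earlier in the thread is what makes REMOTE_USER trustworthy here: PHP only sets `$_SERVER['REMOTE_USER']` from the server's own authentication, never from a client-supplied header, so the remaining risk is a name shape the plugin does not expect, which the whitelist handles.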

    Thread Starter dimagsv

    (@dimagsv)

    hugo23
    I have not tried to install the plugin on Linux.

    Hello,
    I think the solution of veloek has the charme that it can be combined with kerberos, since ntlm is not the most secure idea.
    Combined with bulk import this is a valid solution for me.

    But when I insert the function, I get this error:

    PHP Parse error: syntax error, unexpected ‘public’ (T_PUBLIC) in /srv/www/htdocs/wp-content/plugins/active-directory-integration/ad-integration.php on line 963

    Any ideas where this comes from?

    Best regards,
    themad

    ah what I forgot, line 963 is:

    public function generate_password($username, $password1, $password2) {
    $password1 = $password2 = $this->_get_password();

    oh never mind, I forgot to comment a { ??

    but it still does nothing

    themad: To activate the function, you must uncomment some lines in the constructor around line 375:

    if ($this->auto_login) {
      add_action('init', array($this, 'auto_login'));
    }

    thank you for this hint
    unfortunately I still don't see any change
    what I also tried is using
    if ($this->auto_login) {
    add_action('init', array(&$this, 'auto_login'));
    }
    since the other functions use it

    I added to the function a test-echo:
    public function auto_login() {
    echo "autologin started";

    and this appears nowhere, so I think this doesn't get loaded
    what am I missing
    any special settings in the plugin?

    Have you checked that the variable “auto_login” is set to true? It should be somewhere near to the top of the file.

  • The topic ‘How to create a Single Sign On?’ is closed to new replies.