• Resolved juniorm

    (@juniorm)


    wpDirAuth is working, but I think people who do not know LDAP very well can get really confused. In order to help them, you could add a button to test LDAP authentication.

    I had to manually change the source code to dump the $results variable in $userDn = @ldap_get_dn($connection, ldap_first_entry($connection, $results)). If $results has one or more items, you can get a wrong userDn if you set an incomplete baseDn in the wpDirAuth Settings.

    Here is my scenario:

    - I have RedHat 6.5 with OpenLDAP installed and configured with a CA certificate.
    - I have WordPress 4.3 and wpDirAuth 1.7.8
    - In wpDirAuth settings I had
      Enable Directory Authentication = YES
      Require SSL Login = NO
      Automatically Register Authenticated Users = YES
      Enable SSL Connectivity = Use SSL (ldaps)
      Directory Servers (Domain Controllers) = ldapserver.mycompany.com:636
      Account Filter = uid
      Account Suffix = empty/blank
      BaseDn = "uid=admin,cn=users,cn=accounts,dc=mycompany,dc=com"
      Bind Password = "my admin user password"
      Confirm Password = "my admin user password"
      Authentication Groups = empty/blank
      Institution Name = "My Company"
      Marketing name for Institutional Single-Sign-On ID = empty/blank
      Login Screen Message = A nice message here
      Password Change Message = Another nice message here
      Terms of Service Agreement = NO

    The only problem above was the BaseDN, which returned two records in the $results array at:

    if ( ($results = @ldap_search($connection, $baseDn, $filterQuery, $returnKeys)) !== false ) {

    The first record had an invalid DN containing cn=users,cn=compat,dc=mycompany,dc=com. Later, the ldap_first_entry call picked the first item of the results array, which had this incorrect userDN (cn=users,cn=compat,dc=mycompany,dc=com).

    Since I cannot test the connection and authentication in wpDirAuth to figure out the correct baseDN setting, I had to include some var_dump calls in the source code, which is not really nice.

    After debugging it, I figured out that the correct baseDN is

    BaseDN = "cn=users,cn=accounts,dc=mycompany,dc=com".

    My suggestion is that you wpDirAuth developers add a test button, in order to check if BaseDN, Bind DN and Bind Password are correct.

    Another suggestion is to include a field in settings form for redirecting user to a specific URL after a successful authentication.

    https://www.ads-software.com/plugins/wpdirauth/
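The "test button" asked for above can be approximated outside WordPress. The following is an added example, not part of the post above or of wpDirAuth: a stand-alone PHP CLI script that binds with the service account and then searches a candidate base DN with the same kind of (uid=login) filter the plugin builds, listing every DN that comes back so the ambiguous case described in the post (ldap_first_entry picking an unexpected cn=compat entry) is visible instead of silently used. The server name, DNs, password and the sample login are placeholders copied from the settings in the post; PHP's ext/ldap must be installed.

```php
<?php
// Added example (not wpDirAuth code): check bind DN, bind password and base DN
// the way the plugin's search would use them.  Run: php check-wpdirauth-ldap.php <uid>
// Placeholders below are assumptions taken from the post; replace with your own.

declare(strict_types=1);

const LDAP_URI       = 'ldaps://ldapserver.mycompany.com:636';
const BIND_DN        = 'uid=admin,cn=users,cn=accounts,dc=mycompany,dc=com';
const BIND_PASSWORD  = 'my admin user password';
const ACCOUNT_FILTER = 'uid';   // the plugin's "Account Filter" attribute

/**
 * Returns 0 when exactly one entry matches under $baseDn, 1 when zero or
 * several match (the setting is wrong or ambiguous), 2 on connect/bind/search error.
 */
function checkBase(string $baseDn, string $login): int
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        fwrite(STDERR, "ldap_connect failed for " . LDAP_URI . "\n");
        return 2;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: does the service account bind?  (Bind DN / Bind Password check)
    if (!@ldap_bind($conn, BIND_DN, BIND_PASSWORD)) {
        fwrite(STDERR, "bind as " . BIND_DN . " failed: " . ldap_error($conn) . "\n");
        return 2;
    }

    // Step 2: search under the candidate base DN.  The login is escaped so a
    // value such as "*" or "x)(uid=*" cannot widen the filter.
    $filter = sprintf('(%s=%s)', ACCOUNT_FILTER, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $res = @ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($res === false) {
        fwrite(STDERR, "search under $baseDn failed: " . ldap_error($conn) . "\n");
        return 2;
    }

    // Step 3: the plugin takes ldap_first_entry(); print every DN so an
    // unexpected first hit is obvious.
    $count = ldap_count_entries($conn, $res);
    echo "base=$baseDn filter=$filter -> $count entr" . ($count === 1 ? "y" : "ies") . "\n";
    for ($e = ldap_first_entry($conn, $res); $e !== false; $e = ldap_next_entry($conn, $e)) {
        echo "  " . ldap_get_dn($conn, $e) . "\n";
    }
    ldap_unbind($conn);

    return $count === 1 ? 0 : 1;   // 0 entries: base too narrow; >1: ambiguous
}

$login = $argv[1] ?? 'jdoe';   // placeholder login to look up
foreach ([
    'uid=admin,cn=users,cn=accounts,dc=mycompany,dc=com', // the value the post says misbehaved
    'cn=users,cn=accounts,dc=mycompany,dc=com',           // the value the post says worked
] as $base) {
    $rc = checkBase($base, $login);
    echo ($rc === 0 ? "OK" : "NOT OK") . " for base $base (rc=$rc)\n\n";
}
```

Anything other than exactly one DN for a known login means the plugin's ldap_first_entry() will either fail or pick an entry you did not intend, so treat "NOT OK" as a settings problem before enabling directory authentication for real users.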

Viewing 1 replies (of 1 total)
  • Plugin Author Paul Gilzow

    (@gilzow)

    Because everyone’s LDAP/AD setup and structure can vary so greatly, building out test cases that could catch and report the issues accurately would be extremely difficult. I typically suggest using either Apache Directory Studio (https://directory.apache.org/studio/) or softerra’s LDAP browser (https://www.ldapadministrator.com/softerra-ldap-browser.htm) to figure out what settings you need in order to successfully connect and search your LDAP instance. I’ll add a note about using those tools to the README (next version will be pushed shortly after v4.4 of wordpress is released).

    To verify your settings once you have wpDirAuth set up, you can attempt to add an authenticated user.

    At this point, I probably won’t add a redirect after authentication. The plugin’s focus is on authentication, and a redirect is a post-authentication action.

    HOWEVER, if you want that functionality, you could add a filter hook on login_redirect. Assuming that you are wanting to redirect directory-authenticated users, inside your callback function, check to see if $user->wpDirAuthFlag is set and true. If it is, return the URL to where you want to redirect them. You can use the example from here to get an idea of what to do: login_redirect example
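The login_redirect approach described in the reply above, written out as an added example; this is not code from wpDirAuth or from the reply's author. It assumes, as the reply states, that wpDirAuth sets $user->wpDirAuthFlag on users it authenticated against the directory; the landing path /welcome/, the option name and the function name are placeholders. Drop the file into wp-content/mu-plugins/ (or into wp-content/plugins/ and activate it).

```php
<?php
/**
 * Plugin Name: Redirect wpDirAuth users after login
 * Description: Added example (not wpDirAuth code) of a login_redirect filter
 *              that sends directory-authenticated users to a landing page.
 */

add_filter('login_redirect', 'mycompany_wpdirauth_login_redirect', 10, 3);

/**
 * @param string           $redirect_to           URL WordPress would redirect to.
 * @param string           $requested_redirect_to Value of the redirect_to request parameter, or ''.
 * @param WP_User|WP_Error $user                  WP_User on success, WP_Error on failure.
 * @return string
 */
function mycompany_wpdirauth_login_redirect($redirect_to, $requested_redirect_to, $user)
{
    // On a failed login WordPress passes a WP_Error; leave the default untouched.
    if (!($user instanceof WP_User)) {
        return $redirect_to;
    }

    // Only users wpDirAuth authenticated against the directory (flag assumed
    // to be set by the plugin, as stated in the reply above).
    if (empty($user->wpDirAuthFlag)) {
        return $redirect_to;
    }

    // Honour an explicit redirect_to so deep links keep working, but only
    // after wp_validate_redirect() has rejected off-site targets; returning a
    // raw $requested_redirect_to would turn the login form into an open redirect.
    if ($requested_redirect_to !== '') {
        $safe = wp_validate_redirect($requested_redirect_to, '');
        if ($safe !== '') {
            return $safe;
        }
    }

    // Otherwise send directory users to the fixed landing page.
    // 'mycompany_wpdirauth_landing' is a placeholder option name.
    $path = get_option('mycompany_wpdirauth_landing', '/welcome/');
    return home_url($path);
}
```

Because the filter returns a URL rather than calling wp_redirect() itself, WordPress still performs the redirect and other login_redirect filters with a higher priority can run after this one.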

  • The topic ‘Create a feature to test wpDirAuth settings’ is closed to new replies.