Login using a nonexistent user will take the user to a critical error page and the admin will receive an email.
Error Details
=============
An error of type E_ERROR was caused in line 491 of the file /web/public_html/wp-content/plugins/wpdirauth/wpDirAuth.php. Error message: Uncaught TypeError: ldap_get_dn(): Argument #2 ($entry) must be of type LDAP\ResultEntry, bool given in /web/public_html/wp-content/plugins/wpdirauth/wpDirAuth.php:491
Stack trace:
#0 /web/public_html/wp-content/plugins/wpdirauth/wpDirAuth.php(491): ldap_get_dn(Object(LDAP\Connection), false)
#1 /web/public_html/wp-content/plugins/wpdirauth/wpDirAuth.php(1379): wpDirAuth_auth('nonexistentuser', 'SomePassword...')
#2 /web/public_html/wp-includes/class-wp-hook.php(310): wpDirAuth_authenticate(NULL, 'nonexistentuser', 'SomePassword...')
#3 /web/public_html/wp-includes/plugin.php(205): WP_Hook->apply_filters(NULL, Array)
#4 /web/public_html/wp-includes/pluggable.php(618): apply_filters('authenticate', NULL, 'nonexistentuser', 'SomePassword...')
#5 /web/public_html/wp-includes/user.php(106): wp_authenticate('nonexistentuser', 'SomePassword...')
#6 /web/public_html/wp-login.php(1241): wp_signon(Array, true)
#7 {main}
thrown
WordPress version 6.3.1
Active theme: Newspaper (version 10.4)
Current plugin: wpDirAuth (version 1.10.7)
PHP version 8.1.24
We recently upgraded to WordPress 6.2 (WPMU setup) and adding directory authenticated users was working fine in the previous version, but now when I use that method to add an ldap user I get a critical error message. However the user is still added but they do not receive an email. Since this plugin hasn’t been updated in so long do I just need to find another solution? I should add we moved from RHEL linux 7 to 8 and moved to PHP 8. Any ideas will be much appreciated!
This problem seems to have just surfaced, after using this plugin for many years. After creating a user as a directory-authenticated user, that user can still see and use the password-reset button on their profile page. It used to show a notice that you use your AD password and you can’t reset it from here.
This is causing confusion, people are going in and getting a password reset, and somehow this is interfering with or overriding the wpDirAuthFlag setting. At least it’s causing some confusion.
As a super-admin, I can ALSO change people’s passwords, even though they should be using their AD password.
Is this something I can patch?
Connection is okay and the user data is being copied to WordPress, but when I try to log in it keeps saying the LDAP user’s password is wrong. Any possible missing config?
line 1831 (version 1.10.5 of wpDirAuth.php) throws an error. The order of the parameters in the implode call is reversed:
return sprintf($strMsg,$strUserID,$strSSOID,implode($arySiteMsgParts,', '),$strExtraMsg);
should be
return sprintf($strMsg,$strUserID,$strSSOID,implode(', ',$arySiteMsgParts),$strExtraMsg);
I’ll try to patch it for everyone but it’s going to take a bit since it has been more than 3 years since I’ve used SVN. If someone has a good git/github –> svn connector, I’d happily use it.
I’m at a loss here. I’m wondering if it’s my LDAP server, I’m using FreeIPA, I’ve tried a couple of other wordpress LDAP plugins and all have the same results.
The admin user is able to authenticate at the OS level with the ipa_client_install (on Centos8) and ultimately logging into the OS as well. I’m using the same login/pass with your test ldap.php (I found it referenced in another post). I’m not an LDAP expert or anything remotely close so trying to figure out what’s going on is proving a bit of a challenge.
Simple LDAP Test
Trying to authenticate testuser…
Checking uid against regex pattern… success!
Checking user password against regex pattern, min/max lengths… success!
Setting up initial connection with ipa.XXXX.com… success!
Requesting switch to v3 of ldap protocol… success!
Requesting start_tls… success!
Authentication failed
Problem Encountered While Attempting to Authenticate
Errors Encountered
Error at line 303
unable to bind with bind account (admin). Last LDAP error: Invalid credentials
Hello
I can’t manage to get it working with the WP plugin, while it is working fine with your “Simple LDAP test” file.
I’m trying to replicate the ldap.php settings on the plugin configuration page, with no success.
Here are the settings used in ldap.php (I have modified personal data) :
$strTestUser = 'abc12345';
/**
* User's password
*/
$strTestPass = 'thepassword';
/**
* Items you MUST change
*/
$aryRequired = array(
//account to use for binding
'bindaccount' => 'abc12345',
//bind account password
'bindpass' => 'thepassword',
// ldap server address
'ldapserver' => 'ldap.network.lan',
//ldap port
'ldapport' => 389,
//LDAP domain
'addomain' => 'network.lan',
//base dn for searching
'basedn' => 'OU=FOO,OU=BAR,DC=FOO,DC=lan',
);
/**
* Items you /can/ change. The defaults are shown. To use, create an array with these keys and pass in as the second
* parameter upon construction of the LDAP_Test object
$aryOptions = array(
//should be we use LDAP v3?
'useldap3' => true,
//Use ldaps instead of tls
'useldaps' => false,
// use TLS?
'starttls' => false,
//uid search filter
'uidfilter' => 'sAMAccountName=',
//email filter
'emailfilter' => 'proxyAddresses=smtp:',
// regex pattern for valid uid, negated
'uidpattern' => '/[^[email protected]]+/',
// regex pattern for passwords, negated
'passwordpattern' => '/[^A-z0-9(*&)=?|^}\/_>#:-[\052];]~,\[<.]+/',
// minimum password length
'passwordmin' => 8,
//maximum password length
'passwordmax' => 26,
);
And the way I replicate those settings on the plugin page :
https://www.linkpicture.com/q/screenshot-10.0.75.1-2020.08.17-11_08_42.png
The ldap.php page says : abc12345 authenticated successfully!
And when I try to log in on WP, it says (in French) that the login is not valid.
Am I missing something ?
Hi,
First things first – thanks for the plugin. It’s easy to use and does a great job.
I’m just having one slight issue with it.
We run a multisite where users could potentially want (or be part of) two sites.
We’ve used the setting to add new users to the system on their first log in (which everybody loves).
But if you’re already a user of one site – we get an error if you try to sign up to another (as a subscriber for example).
Is there a way to check if a user exists, and add them to the current site rather than get the error?
Thanks
Laura
Your help text under the Directory Servers input states that LDAPS will ignore the port but that is untrue. Your code strips off the port which causes our LDAP searches to fail and no one can log in if we use LDAPS. But if your code is modified starting at line 366 of wpDirAuth.php from this:
    if (strstr($dc, ':')) list($dc, $port) = explode(':', $dc);
    switch($enableSsl){
        case 1:
            $connection = ldap_connect($protocol.$dc);
            break;
        case 2:
        case 0:
        default:
            if(isset($port)){
                $connection = ldap_connect($dc,$port);
            } else {
                $connection = ldap_connect($dc);
            }
            break;
    }
To this:
    if (strstr($dc, ':')) list($tlsDC, $port) = explode(':', $dc);
    switch($enableSsl){
        case 1:
            $connection = ldap_connect($protocol.$dc);
            break;
        case 2:
        case 0:
        default:
            if(isset($port)){
                $connection = ldap_connect($tlsDC,$port);
            } else {
                $connection = ldap_connect($dc);
            }
            break;
    }
Then everything works fine for us. We use a non standard port. After the modification the port is included when connecting and everything works fine.
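The port handling discussed in the post above, as an added example that is not part of the original post and not wpDirAuth's own code: it reproduces what the unpatched snippet connects to and contrasts it with a builder that keeps the port in every mode. The function names, the constants, the meaning of the mode numbers, the value of `$protocol` and the sample host names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not wpDirAuth code. Mode numbers follow the switch in
// the post; their meaning (1 = LDAPS, 2 = StartTLS, 0 = none) is assumed.
const SSL_NONE = 0;
const SSL_LDAPS = 1;
const SSL_STARTTLS = 2;

/** What the unpatched snippet connects to: the port is parsed, then dropped for LDAPS. */
function originalTarget(string $dc, int $enableSsl, string $protocol = 'ldaps://'): string
{
    // The default value of $protocol is an assumption; the post does not show it.
    $port = null;
    if (strstr($dc, ':')) {
        [$dc, $port] = explode(':', $dc);
    }
    if ($enableSsl === SSL_LDAPS) {
        return $protocol . $dc;                       // port silently lost
    }
    return $port !== null ? "$dc:$port" : $dc;
}

/** Build a full URI from "host" or "host:port", keeping the port in every mode. */
function buildLdapUri(string $dc, int $enableSsl): string
{
    // Host names and IPv4 literals only; anything else is rejected, not guessed at.
    if (!preg_match('/^([A-Za-z0-9.\-]+)(?::(\d{1,5}))?$/', trim($dc), $m)) {
        throw new InvalidArgumentException("Bad directory server entry: $dc");
    }
    $ldaps = ($enableSsl === SSL_LDAPS);
    $port = isset($m[2]) ? (int) $m[2] : ($ldaps ? 636 : 389);
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Port out of range: $port");
    }
    return sprintf('%s://%s:%d', $ldaps ? 'ldaps' : 'ldap', $m[1], $port);
}

// Constructed sample entries; the host name and ports are hypothetical.
$samples = [
    ['dc1.example.lan:6360', SSL_LDAPS],
    ['dc1.example.lan', SSL_LDAPS],
    ['dc1.example.lan:3890', SSL_STARTTLS],
];
foreach ($samples as [$entry, $mode]) {
    printf("%-22s original: %-26s fixed: %s\n",
        $entry, originalTarget($entry, $mode), buildLdapUri($entry, $mode));
}
```

The resulting URI can be passed as the single argument to `ldap_connect()`.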
Hi, we have a problem with Wordfence brute force protection not blocking failed logins when wpDirAuth is used. The combination worked on one site, on the other it started to work when I changed ‘Enable SSL Connectivity’ to ‘Use TLS’ in wpDirAuth settings. On the third site (most vital site) that did not fix the problem. The problem is exactly the same as here. Could you come up with a quick fix for the problem, otherwise we may be forced to change this otherwise good ldap plugin to another one.
-VeM-
Hi,
I’m new to using this plugin and wondering what the page:
Add New Directory Authentication User
is for? I don’t understand it.
TIA
/nimmer
…though judging from the quick responses on the support threads, obviously it is not. Maybe push a minor update so the notices go away?
Hi, one of our LDAP users has changed his password in the Windows environment and is now unable to log in to WordPress. Can you give me a hint how to resolve this issue? I am using the latest version of wpDirAuth.
Hi, is there a way to accomplish a login method where one could use either samaccountname or mail address when logging in (samaccountname would be the actual username in both cases)? -VeM-
Using 1.10.5. Apologies if this is fixed in a later version.
In wpDirAuth’s “Add Dir Auth User” page on the network admin panel, you are presented with a list of all of the network’s blogs and the default user role to give to the user. This list appears to use the default WordPress user roles, and shows them even for sites without these roles. The list should instead show the available user roles per-blog, and pre-select the default user role for each blog (defined in its options).
Currently I guess the tool will try to put the user into non-existent roles on blogs where these roles don’t exist. I don’t know if this actually works, or throws an error, but it’s definitely wrong.
Hi
We have wpdirauth installed on our multi-site install of WordPress 5.0.3.
We have noticed that when we change the BASE DN setting on one site it changes it across other sites on the install. This is causing some users to be unable to login to their site as the BASE DN has been changed through the /wp-admin of another site.
I was under the impression that when it is changed on 1 site on a multisite install that it would only affect that site. We are a university so we have sites which are for staff and students, others that are restricted to just staff. It’s when we restrict the BASE DN so that only staff can access the site that it stops the students logging into sites they have access to.
Any advice would be appreciated.
Many thanks
With the recent updates to WP 5.X, we’ve encountered a few more buggy scenarios. To figure this out, I’m hoping to understand how the plugin makes a few decisions.
Right now, I have the plugin activated on a multisite install (network activated). This has worked great. However, I was using an ancient plugin to help with default accounts. Because a new user should be able to log into any of our sites and be given a specified user role. The problem was that they were being redirected to sites where they had already logged in (and away from this new site). It wouldn’t create a new user for them (with the appropriate role) on the new site.
The plugin says that it will create the user with the lowest possible role, but how is that determined? If I create a new role, do you have a plugin recommendation for ensuring that it creates the account at the proper level? Thanks.
Hi
We recently had an issue where someone set the option to “NO” for “Enable Directory Authentication?” in the wpDirAuth settings on our multisite install.
This obviously broke the LDAP binding but I am wanting to find out who changed this setting in the first place.
Is there any auditing on who changed these settings as I understand this is accessible only by Super Admins and there are only 17 of them at our end.
Thanks,
Praveen
Hi,
wpDirAuth Directory Authentication Options: Plugin Conflict.
Sorry, but your PHP install does not seem to have access to the LDAP features.
wpDirAuth is now running in safe mode.’
Quote from the PHP manual LDAP section:
LDAP support in PHP is not enabled by default. You will need to use the --with-ldap[=DIR] configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory. To enable SASL support, be sure --with-ldap-sasl[=DIR] is used, and that sasl.h exists on the system.
How can I do this? Thank you.
Dear Sir,
Below I have given my configuration, but I am unable to log in through my Active Directory account.
WordPress Settings
Enable Directory Authentication? : Yes
Require SSL Login? : No
Automatically Register Authenticated Users? : Yes
Directory Settings
Enable SSL Connectivity? : No
Directory Servers (Domain Controllers) : act.lan
Account Filter : samAccountName
Account Suffix : act.lan
Base DN : OU=ACT Users,DC=act,DC=lan
Bind DN : CN=Administrator,CN=Users,DC=act,DC=lan
Bind Password : ********
Confirm Password : *******
Authentication Groups : IT_Support_Admins
Cookie Settings
Cookie Expiration Time : 1
Branding Settings
Institution Name : ACT
Marketing name for Institutional Single-Sign-On ID : ACT
Login Screen Message : ACT members can login directly using their institutional password.
Password Change Message : To change a ACT password, please refer to the official institutional password policy.
Terms of Services Agreement : Yes
We have our users split between 2 CNs, so the base DNs are different.
For example, cn=apples,dc=abc,dc=com AND cn=oranges,dc=abc,dc=com
How can I specify to search both? leaving off the cn does not work, and cn=* does not work.
To specify both, I leave off the cn= and it works fine.
Thanks!
Hi, would it be possible to have both ‘Automatically Register Authenticated Users’ and ‘Authentication Groups’ -options active? Now a user whose account hasn’t been added through ‘Add Dir Auth User’ by site admin cannot login. We are using multisite installation, WP 4.9.8, PHP 7.0.32. -VeM-
Hi,
I am almost ready to run with my multisite but I’m encountering what seems to be a small issue. I’m not sure if it’s related to your plugin or not so I thought I put this out there to see.
Your plugin seems to be working just fine on all browsers except Chrome. The error that is being logged into the debug file says…
PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in D:\Webs\blogs.fcps.net\wp-content\plugins\wpdirauth\wpDirAuth.php on line 378
This wouldn’t be a problem for me necessarily if Chrome wasn’t such a popular browser. Hopefully, you can shine some light on the issue.
Is there a way to specify a custom error message when a login fails? I currently get:
wpDirAuth Directory Authentication Error: wpDirAuth config error: No directory server available for authentication, OR pre-binding credentials denied.
Which I understand, but It would be nice if my end users could just see something like “Login failed, please try again.”
Any way to configure this?
Thanks!
I network activated this plugin but the settings for it only appear on the individual sites. Shouldn’t I be able to see settings in the admin view?
We just need to see a sample screenshot of a configuration, so we can follow it with ours. Please provide a sample of the configuration of Directory Settings as I do not see any samples on the site.
I realise this topic has cropped up before but my situation is totally different, so rather than hijack an old thread I’m starting a new one.
We have two Active Directory domains, one being a subdomain of the other, eg. corp.com and aus.corp.com
I have setup wpdirauth to target the global catalogue on port 3268 using a domain controller in the top level domain (i.e. corp.com) as that was the only way I could get information out of both top level and subdomains.
Testing with ldapsearch under Linux, I can see that when querying LDAP using ‘samAccountName=BLAH’ a lot more information comes back for user account in the top level domain than does for the subdomain, which is expected as less information is published to the global catalogue.
My question is, what is wpdirauth expecting to find? Something is obviously not present in the global catalogue that is needed as when users in the aus.corp.com subdomain domain attempt to login they all receive this error:
Directory authentication initially succeeded, but no valid profile was found (“get entries” procedure). [(samAccountName=adltest)]
Many thanks in advance of any help you can give me!
Hi, we’re preparing to update to PHP 7, and I’m running preliminary checks of our code using the PHP Compatibility Checker plugin. wpDirAuth is throwing one warning when tested with PHP 7.2. The details are below:
FILE: [path redacted]/wp-content/plugins/wpdirauth/wpDirAuth.php
———————————————————————–
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
———————————————————————–
2190 | WARNING | Function create_function() is deprecated since PHP 7.2; Use an anonymous function instead
———————————————————————–
Our current LDAP plugin hasn’t had an update for 5 years, and we are looking into setting up a new LDAP plugin for our multi-site WordPress website for user logins. We wanted to know if your plugin handled multi-site environments well, and if there was any support for it past installation.
Thank you.
-Chris
Been using the plugin for awhile. Generally works great. However, there are a few users who have been unable to login lately (this error has been present with several versions of the plugin). They get a “something went wrong” error or a blank screen. In the logs, I see:
PHP Fatal error: Uncaught ArgumentCountError: Too few arguments to function wp_set_password(), 1 passed in /www/site/wp-content/plugins/wpdirauth/wpDirAuth.php on line 274 and exactly 2 expected in /www/site/wp-includes/pluggable.php:2402
Stack trace
There’s a bit more to the error after that, but wanted to see if you’ve got any ideas.