• Resolved davidegiunchidiennea

    (@davidegiunchidiennea)


    I’ve just upgraded to aiowps 4.2.3 but there’s a big problem: it broke the login of every LDAP user.
    We use “Simple LDAP Login” v 1.6.0 (latest) to make users log in via LDAP/AD; all the users that reside in AD cannot log in to WP after the aiowps upgrade: they get a generic “password mismatch” error on wp-login.php.
    If I try to log in with a “normal” user (a user that does not reside in AD) it works fine.

    Actually, I’ve found that I can bypass the problem by overwriting “wp-security-user-login.php” with the 4.2.2 version (the previous one).

    I’m currently investigating the problem to get a better fix.

    If you find an official fix, please let me know.
    Regards

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi David,

    4.2.3 changed the way authenticate hooks are altered by the plugin. Before, AIOWPSF replaced one of the default hooks added by WordPress core with its own version, and this implementation unfortunately failed to support login via email.

    Since 4.2.3, all default WordPress hooks attached to the authenticate filter are retained, and AIOWPSF adds extra hooks before (to check if the user’s IP is locked) and after (to perform all other checks). So I would actually expect less friction between AIOWPSF and other plugins that hook into the user authentication process.

    I don’t know Simple LDAP Login, so if you can investigate the issue further, that would be great. Anyway, I might have a look at it when I have some time.

    Cheers,
    Česlav

    Thread Starter davidegiunchidiennea

    (@davidegiunchidiennea)

    I’ve fixed the error and created a pull request:

    https://github.com/Arsenal21/all-in-one-wordpress-security/pull/68

    The problem appears if somebody uses a plugin that must remotely validate users, e.g. LDAP, AD, OpenID etc.
    I think it would be right to release this fix ASAP, as other users might be facing this blocking problem.

    Thank you,
    Regards

    Hi,

    The problem appears if somebody uses a plugin that must remotely validate users, e.g. LDAP, AD, OpenID etc.

    I would not generalize too much. The problem appears with “Simple LDAP Login” because it hooks into the authenticate filter with priority 1 (i.e. very, very early). The problematic AIOWPSF routine that you patched is hooked with the same priority, but for a reason: if an IP is locked, the login attempt should be terminated as soon as possible to spare system resources in case of a brute-force attack.

    Your patch is fine and I would merge it if I could, but I think an even better solution is to issue a PR to “Simple LDAP Login” requesting modification of their hook priority to a value slightly higher than 1. This way, AIOWPSF will be able to block login attempts from locked IPs before LDAP authentication is performed.

    Cheers,
    Česlav
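The two replies above turn on one mechanism: WordPress runs `authenticate` callbacks in ascending priority, and callbacks registered at the same priority run in the order they were registered (which is plugin load order, not something either plugin controls). The stand-alone PHP script below is an added illustration of that ordering and of the priority change suggested in the second reply; it is not code from AIOWPSF, Simple LDAP Login or WordPress core. It carries a minimal stand-in for `add_filter()`/`apply_filters()` and for `WP_User`/`WP_Error` so it runs without WordPress, omits core’s own `authenticate` callbacks, and uses constructed data (a lockout list and a fake directory). Every `sim_`-prefixed name is hypothetical.

```php
<?php
// Added example: models WordPress 'authenticate' hook ordering outside WordPress.
// Not code from AIOWPSF, Simple LDAP Login or WordPress core.

// Minimal stand-in for the WordPress hook API. Assumption: like core, callbacks
// run in ascending priority, and equal priorities run in registration order.
$sim_filters = array();

function add_filter( $tag, $callback, $priority = 10, $accepted_args = 1 ) {
    global $sim_filters;
    $sim_filters[ $tag ][ $priority ][] = $callback;
}

function apply_filters( $tag, $value ) {
    global $sim_filters;
    $extra = array_slice( func_get_args(), 2 ); // args after $tag and $value
    if ( empty( $sim_filters[ $tag ] ) ) {
        return $value;
    }
    ksort( $sim_filters[ $tag ] ); // lowest priority number first, as in core
    foreach ( $sim_filters[ $tag ] as $callbacks ) {
        foreach ( $callbacks as $cb ) {
            $value = call_user_func_array( $cb, array_merge( array( $value ), $extra ) );
        }
    }
    return $value;
}

// Stand-ins for the core classes an authenticate callback returns.
class WP_Error { public $code; public function __construct( $code ) { $this->code = $code; } }
class WP_User  { public $user_login; public function __construct( $login ) { $this->user_login = $login; } }
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }

$sim_log        = array();
$sim_locked_ips = array( '203.0.113.7' );                 // constructed lockout table
$sim_directory  = array( 'dgiunchi' => 'correct-horse' ); // constructed stand-in for the LDAP directory

// "Before" hook in the spirit of the IP lock check described in the thread:
// a locked IP is rejected regardless of what any earlier callback decided.
function sim_lock_check( $user, $username, $password ) {
    global $sim_log, $sim_locked_ips;
    if ( in_array( $_SERVER['REMOTE_ADDR'], $sim_locked_ips, true ) ) {
        $sim_log[] = "lock-check: blocked {$_SERVER['REMOTE_ADDR']}";
        return new WP_Error( 'ip_locked' );
    }
    return $user;
}

// Remote validation in the spirit of an LDAP login plugin. The early return is
// the cooperative behaviour a later-priority callback should have: if an earlier
// callback already produced a WP_User or WP_Error, do not spend a remote bind.
function sim_ldap_authenticate( $user, $username, $password ) {
    global $sim_log, $sim_directory;
    if ( $user instanceof WP_User || is_wp_error( $user ) ) {
        return $user;
    }
    $sim_log[] = "ldap: bind attempted for {$username}"; // the expensive step
    if ( isset( $sim_directory[ $username ] ) && $sim_directory[ $username ] === $password ) {
        return new WP_User( $username );
    }
    return new WP_Error( 'invalid_credentials' );
}

// Register both callbacks (LDAP first, as plugin load order might happen to do) and run one login.
function sim_login( $ldap_priority, $lock_priority, $ip, $username, $password ) {
    global $sim_filters, $sim_log;
    $sim_filters = array();
    $sim_log     = array();
    $_SERVER['REMOTE_ADDR'] = $ip;
    add_filter( 'authenticate', 'sim_ldap_authenticate', $ldap_priority, 3 );
    add_filter( 'authenticate', 'sim_lock_check', $lock_priority, 3 );
    $result = apply_filters( 'authenticate', null, $username, $password );
    if ( is_wp_error( $result ) ) {
        $outcome = "error:{$result->code}";
    } elseif ( $result instanceof WP_User ) {
        $outcome = "user:{$result->user_login}";
    } else {
        $outcome = 'null';
    }
    echo "LDAP@{$ldap_priority}, lock@{$lock_priority}, ip={$ip}: " . implode( ' | ', $sim_log ) . " => {$outcome}\n";
}

// Both at priority 1: registration order decides, so the bind is spent before the lock check rejects the IP.
sim_login( 1, 1, '203.0.113.7', 'dgiunchi', 'wrong' );
// LDAP moved to priority 2 (the change suggested above): the locked IP never reaches the bind.
sim_login( 2, 1, '203.0.113.7', 'dgiunchi', 'wrong' );
// Unlocked IP with valid credentials: the lock check passes null through and LDAP authenticates.
sim_login( 2, 1, '198.51.100.20', 'dgiunchi', 'correct-horse' );
```

Run it with `php` on the command line. The first line of output shows a bind attempted and then `error:ip_locked`; the second shows only the lock check; the third shows the bind followed by `user:dgiunchi`. The point for a brute-force scenario is the difference between the first two lines: at equal priority the outcome is still a rejection, but only after the remote directory has been hit once per attempt, which is exactly the resource cost the lock check exists to avoid.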

    We will incorporate this change in the next release of the plugin.

  • The topic ‘4.2.3 broke login’ is closed to new replies.