Group integration with Active Directory

  • Resolved bluesoul

    (@bluesoul)


    8 years, 5 months ago

    Hi there,

    I’ve managed to get the plugin authenticating against Active Directory, which is wonderful, most plugins can’t manage that. My remaining issue is filtering on a security group. I don’t really speak LDAP but I’ve given my best approximation of what settings it’s looking for. This is what I have and it will not authenticate against any group.

    Map LDAP Groups to WordPress Roles: Yes
    Default Role: None (Deny Access)
    LDAP Groups override role of existing users: No
    Group-Attribute: distinguishedName
    Group-Separator: ;
    Group-Filter: (&(objectclass=group)(member=%dn%))

    Under the Role, I have this under Author:
    CN=MySecurityGroup,OU=My OU,DC=corp,DC=domain,DC=int

    Unfortunately even when I added ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); to ldap.php it won’t show me the exact nature of the response so I’m not sure what the problem is. Any advice would be appreciated if you’ve happened to set this up in an AD environment. Thanks.

    EDIT: I was able to run my query against AD and it came back with a list of groups, so this is super close to working, I’m just not sure how the group objects are returned natively.

    https://www.ads-software.com/plugins/authldap/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author heiglandreas

    (@heiglandreas)

    Hi bluesoul.

    Can you test setting the group-attribute to “dn” instead of “distinguishedName” and when that doesn’t work please set it to “cn” and set under the author-role only “MySecurityGroup” instead of “CN=MySecurityGroup,OU=My OU,DC=corp,DC=domain,DC=int”?

    Thanks for helping me out.

    Thread Starter bluesoul

    (@bluesoul)

    We’re very much on the same wavelength, I’ve tried both of those already with no change. $role is coming back empty, even though when I take the string from the debug output and run it, I get back 13 security groups.

    Thread Starter bluesoul

    (@bluesoul)

    Looking through the code:

    // Check whether the user is member of one of the groups that are
    // allowed acces to the blog. If the user is not member of one of
    // The groups throw her out! ;-)
    // If the user is member of more than one group only the first one
    // will be taken into account!

    Is this correct? Only the first group to be returned will apply?

    EDIT: $groups[‘count’] is also returning 0. $authLDAPGroupFilter looks correct, so the problematic point is $groups = authLdap_get_server()->search(sprintf($authLDAPGroupFilter, $username), array($authLDAPGroupAttr));. I will continue debugging with that in mind.

    Plugin Author heiglandreas

    (@heiglandreas)

    Yes, only the first group will be applied. But that’S not the first LDAP-Group, but the first WordPress-Group the user belongs to. So when the user is in an LDAP-Group that maps to the WP-Admin-group and also in an LDAP-Group that maps to the Author-group in WP, the user will be member of the WP-Admin group.

    Do you have debugging enabled? Can you post the debugging entries from the servers log? You could also send them via email if that’s better for you.

    Thread Starter bluesoul

    (@bluesoul)

    Yeah, I’ll redact a little bit.

    [Wed Jun 01 13:41:59.014899 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Array\n(\n    [administrator] => \n    [editor] => \n    [author] => CN={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}\n    [contributor] => \n    [subscriber] => \n)\n, referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.014936 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Array\n(\n    [administrator] => \n    [editor] => \n    [author] => CN={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}\n    [contributor] => \n    [subscriber] => \n)\n, referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.014968 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Group Filter: "(&(objectclass=group)(member=CN={snip},OU={snip},OU={snip},OU={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}))", referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015457 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Role from LDAP group: , referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015473 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] role from group mapping: , referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015484 2016] [:error] [pid 14530] [client 172.17.6.54:64752] PHP Notice:  no group found in /{{snip}}/wp-content/plugins/authldap/authLdap.php on line 302, referer: https://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015500 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] user is not in any group that is allowed access, referer: https://ogweb/wp-login.php

    Of note, if I take the string it generates under Group Filter, and run it as an LDAP query through either ldifde or AD Users & Computers, I get the expected result of 13 security groups. But if I do a print_r($groups) all it returns is [count] => 0.

    Plugin Author heiglandreas

    (@heiglandreas)

    Would you mind setting the GroupFilter like this: (&(objectclass=group)(member="%dn%"))? (Note the added double quotes)

    Thread Starter bluesoul

    (@bluesoul)

    [Wed Jun 01 14:15:46.594836 2016] [:error] [pid 13255] [client 172.17.6.54:49250] PHP Warning: ldap_search(): Search: Bad search filter in /{snip}/wp-content/plugins/authldap/ldap.php on line 190, referer: https://ogweb/wp-login.php
    [Wed Jun 01 14:15:46.594878 2016] [:error] [pid 13255] [client 172.17.6.54:49250] [AuthLDAP] Exception getting LDAP group attributes: no result found, referer: https://ogweb/wp-login.php

    EDIT: It turned into a real mess with double quotes:

    [Wed Jun 01 14:15:46.594800 2016] [:error] [pid 13255] [client 172.17.6.54:49250] [AuthLDAP] Group Filter: “(&(objectclass=group)(member=\\\\\\”CN=snip,OU=snip,DC=etc\\\\\\”))”, referer: https://ogweb/wp-login.php

    Thread Starter bluesoul

    (@bluesoul)

    Solved.

    The issue was with the LDAP URI. I set it too tight, as security groups and users are in different OUs off of my base domain.

    So, incorrect:

    ldap://CN=ldap.bind,CN=Managed Service Accounts,DC=snip,DC=snip,DC=snip,DC=snip:password@domaincontroller/OU=Users,DC=snip,DC=snip,DC=snip,DC=snip

    Correct:

    ldap://CN=ldap.bind,CN=Managed Service Accounts,DC=snip,DC=snip,DC=snip,DC=snip:password@domaincontroller/DC=snip,DC=snip,DC=snip,DC=snip

    Plugin Author heiglandreas

    (@heiglandreas)

    Thanks!
    I was beginning to run out of ideas!

    But yes, no wonder there couldn’t be any groups found when they aren’t in the subtree ??

    Nice that you found it yourself! And thanks for letting me know!

    Cheers

    Andreas

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Group integration with Active Directory’ is closed to new replies.