Patch (adds role-mapping functionality and custom filters)

I tried your patch because I’d like to use the role-mapping functionality but I can’t login anymore (incorrect password). I’m usig WP 3.9.1 with OpenLDAP 2.4.31 running both on Ubuntu server 14.04 LTS vbox machine.

I see three possible places that message could turn up.

Does it display “WordPress Login Error” or “Directory Authentication Error” before the “Incorrect password”?

Was your user able to log in to 1.7.6 without the patch applied?

What are “Account Filter Expression” and “Account Name Attribute Filter” set to?

I’ll try to look through the code and see if I can figure out what could be wrong, but it is difficult without more information to go on.

It displays Directory Authentication Error: Incorrect password.
Yes, I can login without patch.
Account Filter Expression is default (objectClass=*)
Account Name Attribute Filter is uid

This is the debug info:

Notice: wp_setcookie is deprecated since version 2.5! Use wp_set_auth_cookie() instead. in /var/www/html/wp-includes/functions.php on line 3078

Warning: array_values() expects parameter 1 to be array, string given in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 562

Warning: array_map(): Argument #2 should be an array in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 564

Warning: array_reduce() expects parameter 1 to be array, null given in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 565

Warning: array_merge(): Argument #1 is not an array in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 566

Warning: array_filter() expects parameter 1 to be array, null given in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 567

Warning: array_unique() expects parameter 1 to be array, null given in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 567

Warning: array_values() expects parameter 1 to be array, null given in /var/www/html/wp-content/plugins/wpdirauth/wpDirAuth.php on line 568

So the error is at 473. isInDirectory is true and $isBound is false.

Do you have a single LDAP server? If so, the only way I can see this happening is if ldap_get_dn at 465 returns true, then wpDirAuth_bindtest at 458 returns false.

The list of warnings you give suggests that dirAuthRoleMaps was never initialized as an array. Oops. This is a bug. I wouldn’t have expected bindtest to break as a result, but still, perhaps this patch would fix the issue:

<br />
--- /var/www/www.dev.comtek.co.uk/wp-content/plugins/wpdirauth/wpDirAuth.php    2014-04-10 22:05:26.000000000 +0100<br />
+++ /var/www/new.www.comtek.co.uk/wp-content/plugins/wpdirauth/wpDirAuth.php    2014-06-23 21:55:34.000000000 +0100<br />
@@ -558,9 +558,9 @@<br />
       * @return array List of LDAP attributes<br />
       */<br />
     function wpDirAuth_attribsToLookup()<br />
     {<br />
-        $filters=array_values(get_site_option('dirAuthRoleMaps'));<br />
+        $filters=array_values( is_array(get_site_option('dirAuthRoleMaps')) ? get_site_option('dirAuthRoleMaps') : array() );<br />
         $attrs=array_reduce(<br />
             array_map('wpDirAuth_attribsNeeded', $filters),<br />
             "array_merge", array() );<br />
         $attrs=array_merge($attrs, array_values(unserialize(WPDIRAUTH_LDAP_RETURN_KEYS)), wpDirAuth_attribsNeeded(get_site_option('dirAuthRoleMapBase')) );<br />
@@ -618,9 +618,9 @@<br />
             $roleMapBaseDn = get_site_option('dirAuthBaseDn');<br />
         $roleMapBaseDn=wpDirAuth_substituteLDAPValues($roleMapBaseDn, $userAttribs);<br />
         $roleMapBaseDn=$roleMapBaseDn[0];</p>
<p>-        foreach(get_site_option('dirAuthRoleMaps') as $role=>$roleFilter)<br />
+        foreach( (is_array(get_site_option('dirAuthRoleMaps')) ? get_site_option('dirAuthRoleMaps') : array()) as $role=>$roleFilter)<br />
         {<br />
             if(!strlen($roleFilter))<br />
                 continue;<br />
             $expanded=wpDirAuth_substituteLDAPValues($roleFilter, $userAttribs);<br />
@@ -746,8 +746,9 @@<br />
             $institution      = wpDirAuth_sanitize($_POST['dirAuthInstitution']);<br />
             $strAuthGroups    = wpDirAuth_sanitize($_POST['dirAuthGroups']);<br />
             $strMarketingSSOID= wpDirAuth_sanitize($_POST['dirAuthMarketingSSOID']);<br />
             $roleMapBaseDn    = wpDirAuth_sanitize($_POST['dirAuthRoleMapBase']);<br />
+            $roleMaps=array();<br />
             foreach($wp_roles->role_objects as $roleObject) {<br />
                 $roleName=$roleObject->name;<br />
                 $tmp=$_POST['dirAuthRoleMaps_'.$roleName];<br />
                 if($tmp)<br />
@@ -819,9 +820,9 @@<br />
             $strAuthGroups      = wpDirAuth_sanitize(get_site_option('dirAuthGroups'));<br />
             $strMarketingSSOID  = wpDirAuth_sanitize(get_site_option('dirAuthMarketingSSOID'));<br />
             //Require unsanitised data.<br />
             $roleMapBaseDn      = get_site_option('dirAuthRoleMapBase');<br />
-            $roleMaps           = get_site_option('dirAuthRoleMaps');<br />
+            $roleMaps           = is_array(get_site_option('dirAuthRoleMaps')) ? get_site_option('dirAuthRoleMaps') : array();</p>
<p>             // Have to be allowed to contain some HTML<br />
             $loginScreenMsg  = wpDirAuth_sanitize(get_site_option('dirAuthLoginScreenMsg'), true);<br />
             $changePassMsg   = wpDirAuth_sanitize(get_site_option('dirAuthChangePassMsg'), true);<br />

Okay, this forum doesn’t like my spacing. The patched file is here:

https://plugins.trac.www.ads-software.com/raw-attachment/ticket/2190/wpDirAuth.2.php

Ok, now login works, but:
– Authentication Groups doesn’t work: user can’t login although it belongs to the authorized group. Also the original version has this issue.
– I can’t see name and mail attribute in the WP user panel, but only uid (I can see them in the original version).
– Role mapping doesn’t work: I’d like to map “group1” in “editor” role with Role-map base DN: ou=groups,dc=mydomain,dc=com and Role Mapping for Editor: (cn=group1)

ps: I have a single LDAP server

Ok, now login works, but:
– Authentication Groups doesn’t work: user can’t login although it belongs to the authorized group. Also the original version has this issue.

Yeah, I never had this working either. The code looks quite specific (it requires memberOf in the user object to contain the DN of a group with a specific CN).

A workaround would be to have a ‘Account Filter Expression’ something like “(memberOf=cn=mygroup,dc=example,dc=com)”

– I can’t see name and mail attribute in the WP user panel, but only uid (I can see them in the original version).

Okay, this is another bug.

The fix is to change:
function wpDirAuth_retrieveUserDetails($userAttribs){
into
function wpDirAuth_retrieveUserDetails($aryUserDetails){

Please note that the details are only synchronised at first login, so you’ll need to delete the user.

– Role mapping doesn’t work: I’d like to map “group1” in “editor” role with Role-map base DN: ou=groups,dc=mydomain,dc=com and Role Mapping for Editor: (cn=group1)

(cn=group1) will always be true (assuming that group exists).

Perhaps you want (&(cn=group1)(member=%dn)) or (&(cn=group1)(memberUid=%uid)) ? Its been a while since I wrote this, but I think one of those would work.

Hi, I’m back again. I have an issue with the “editor” role mapping. Other roles are ok, but the “editor” one is always mapped as subscriber.
I’ve got 3 users and 3 groups, group1 is subscribers, group2 is contributors and group3 is editors,.

Finally it works, it needs to login twice for correct role identification.