Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter corgi

    (@corgi)

    We are still running the 3.6 series but yes, we are still using and enjoying this plugin 7 months later.

    Wishing you all the best for 2014!

    The plugin could be easily modified to be given a super user DN and password to be able to search the directory without anonymous bind.

    We don’t use the superuser’s credentials, we use an account with limited read permission. This is even slightly more secure than anonymous bind because a rogue programme installed on any of our internal computers wouldn’t be able to access the directory without knowing at least the limited read account’s name and password.

    I have felt this is less secure than providing limited attribute read access to perform anonymous searches since a DN and password would need to be stored somewhere in clear text in order for the plugin to use it.

    Yet, at the same time, many places that cover administration of Active Directory, and even common sense, say that allowing any sort of anonymous bind is incredibly insecure.

    I’m aware that giving every app root access to the directory is somewhat commonplace in the Unix world (that’s why things like RBAC on Solaris exist), but can’t you just throw a large “WARNING: YOU CAN GET OWNED IF YOU PUT ADMIN CREDENTIALS HERE” alert at the top of a config page and add the ability to bind using credentials? Some people may not be good enough at PHP or LDAP library code to know how to add this themselves, and you’re also making installing updates harder.
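    The trade-off argued in the reply above (anonymous bind, versus a limited read-only service account, versus handing the plugin an administrator's DN) can be checked mechanically before a configuration goes live. The following is an added example written for this page in Python, not code from the plugin or from anyone in the thread; it assumes a small list of well-known privileged RDNs as a heuristic, constructed DNs under dc=example,dc=org, and a password kept in a separate file whose permission bits it inspects. It uses only the standard library and does not contact a directory.

```python
"""Assess an LDAP bind configuration for a web application (constructed example)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: RDNs that mark a privileged account or group. These are common
# Active Directory defaults, not an exhaustive list; extend for your directory.
PRIVILEGED_MARKERS = (
    "cn=administrator",
    "cn=domain admins",
    "cn=enterprise admins",
    "cn=schema admins",
)


@dataclass
class BindConfig:
    bind_dn: str                        # "" means anonymous bind
    password_file: Optional[str]        # file holding the bind password, or None
    member_of: Tuple[str, ...] = ()     # groups the bind account belongs to (constructed)


def parse_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDN strings; the first element is the leaf RDN."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def assess(cfg: BindConfig) -> List[str]:
    """Return a list of findings; an empty list means the configuration looks sound."""
    findings = []
    if not cfg.bind_dn:
        findings.append("anonymous bind: anyone who can reach the directory reads the exposed attributes")
        return findings
    rdns = parse_dn(cfg.bind_dn)
    if rdns and rdns[0] in PRIVILEGED_MARKERS:
        findings.append("bind DN is a privileged account: a leaked password grants directory admin")
    for group in cfg.member_of:
        group_rdns = parse_dn(group)
        if group_rdns and group_rdns[0] in PRIVILEGED_MARKERS:
            findings.append(f"bind account is a member of privileged group {group}")
    if cfg.password_file is None:
        findings.append("no password source configured: an authenticated bind cannot work")
    else:
        mode = stat.S_IMODE(os.stat(cfg.password_file).st_mode)
        # A stored bind password is unavoidable; what matters is who can read it.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"password file {cfg.password_file} is group/world readable (mode {mode:04o})")
    return findings


def write_secret(path: str, value: str, mode: int) -> None:
    """Write a secret file and force its permission bits regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    os.chmod(path, mode)


def demo() -> dict:
    """Assess four constructed configurations and return their findings by name."""
    tmp = tempfile.mkdtemp()
    secret = os.path.join(tmp, "ldap-bind.secret")     # constructed path
    leaky = os.path.join(tmp, "ldap-bind.leaky")       # constructed path
    write_secret(secret, "constructed-password", 0o600)
    write_secret(leaky, "constructed-password", 0o644)
    read_only_dn = "cn=svc-wp-read,ou=Service Accounts,dc=example,dc=org"
    configs = {
        "anonymous": BindConfig("", None),
        "limited_read": BindConfig(read_only_dn, secret),
        "admin": BindConfig("cn=Administrator,cn=Users,dc=example,dc=org", secret),
        "limited_read_leaky_file": BindConfig(read_only_dn, leaky),
    }
    return {name: assess(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

The limited read-only account with a 0600 password file produces no findings, which is the arrangement the reply describes; the same account with a world-readable password file, and the Administrator DN, each produce one. The privileged-RDN list is a heuristic, so treat a clean result as a starting point for review rather than proof of least privilege.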

    I’m seeing the same thing on WP 3.4.1 on Fedora 17 using PHP 5.4.5 and pgsql-lib 9.1.4. Changing line 80 of pg4wp/driver_pgsql.php to the name of our database solved the issue.

    Edit: We’re also using PG4WP 1.3.0.
