heiglandreas

Great that you did an update!

The error you report here sounds more like an issue with the TLS-connection, which comes before the authentication part. Are you using a selfsigned certificate for the TLS-setup? Can you do a connect from the server to the LDAP via the commandline?

I’ve done a quick search on the internet and found these answers:

* https://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
* https://php.net/manual/en/function.ldap-start-tls.php#115150

You are especially using an unsupported version of PHP. The given error occurs when you are running the authLDAP-code on PHP 5.3 or earlier. AuthLDAP requires at least PHP 5.4.

PHP 5.3 is out of support since mid-2014! The currently supported versions of PHP are 5.6 and 7.0. And on 1st of December PHP 7.1 will become generally available. So you should think of updating your PHP to at least version 5.6 which will be supported until December 2018.

If those aren’t options you can alter the code of the plugin to adapt it to PHP 5.3 by altering that line 34 in /var/www/html/assure-stack/wp-content/plugins/authldap/src/LdapList.php to read protected $items = array();. There might be more places where a [] needs to be replaced with array() but you’ll need to figure that out.

I can not support that.

The easiest “fix” is to update your PHP-Stack!

• This reply was modified 8 years ago by heiglandreas.

Hi Roy23. Sorry for not getting back to you. I totally missed your last message! I’m terribly sorry about that!

But It’s great that you got it back to work! And thanks for the feedback!

Great to read that!

Thanks for getting back ??

Hi.

The default group-filter will not work in AD environments as AD stores group-memberships in the user-object. The filter needs to be something like this:

(&(objectclass=group)(member=%dn%)) (If I recall correctly)

The debugging messages are added to the default error-log php uses. That might be a separate file or the system log. But that strongly depends on your setup…

Can we do a teamviewer-session or something the like so I can get a better understanding of what’s happening? I just tested with my setup and neither a “!” nor a quotation was an issue. So I’d really love to see what’s going on to get a fix to it!

You can also reach me via Gitter.

Looking forward to hear from you and thanks for your time!

Hi Paolo.

I did some research and before I dig even deeper I need some more information from you. Would it be possible to get some informations from a PHP-Info page?

I’d especially need the PHP-Version and the setting of the variable magic_quotes_gpc.

Thanks for your help in this issue!

Hey Paolo.

Can you replace Line 224 in authLdap.php (which reads $result = authLdap_get_server()->Authenticate($username, $password, $authLDAPFilter);) with $result = authLdap_get_server()->Authenticate($username, htmlspecialchars_decode($password, ENT_QUOTES), $authLDAPFilter);?

That might fix the issue! If so I’ll have to release a new Version ??

Thanks!
I was beginning to run out of ideas!

But yes, no wonder there couldn’t be any groups found when they aren’t in the subtree ??

Nice that you found it yourself! And thanks for letting me know!

Cheers

Andreas

Would you mind setting the GroupFilter like this: (&(objectclass=group)(member="%dn%"))? (Note the added double quotes)

Yes, only the first group will be applied. But that’S not the first LDAP-Group, but the first WordPress-Group the user belongs to. So when the user is in an LDAP-Group that maps to the WP-Admin-group and also in an LDAP-Group that maps to the Author-group in WP, the user will be member of the WP-Admin group.

Do you have debugging enabled? Can you post the debugging entries from the servers log? You could also send them via email if that’s better for you.

Hi bluesoul.

Can you test setting the group-attribute to “dn” instead of “distinguishedName” and when that doesn’t work please set it to “cn” and set under the author-role only “MySecurityGroup” instead of “CN=MySecurityGroup,OU=My OU,DC=corp,DC=domain,DC=int”?

Thanks for helping me out.

Thanks bluesoul for the info! I already had the ‘”‘ in mind but I’m just ATM getting to it ??

Sorry, I think I didn’t make myself clear there ??

The “change password back” was just meant for short time resolution of your current password-issue, not meant as long-term solution!

I’ll have to check what exactly is happening there! I’ve raised an issue in the plugins bugtracker (https://github.com/heiglandreas/authLdap/issues/108). As soon as I have a fix, I’ll be back. Expect something by end of this week! So long I sadly have to advise to not use those characters ??

Well, change the password back on the LDAP? Which character did you use in your password? the ‘!’ or the ‘”‘?