Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter wpandi

    (@wpandi)

    Currently not, but I will come back to you whenever that should be the case.

    Thanks a lot!

    Thread Starter wpandi

    (@wpandi)

    And you were right again!

    I mixed up the identification of existing users: I matched the wrong fields. After fixing this (setting the right “User-ID Attribute”), the user is now recognized as “old and existing” on repeated login, and the rights revocation via removing the corresponding LDAP group works, too!

    Thanks again for patiently pointing me to the right places!

    Thread Starter wpandi

    (@wpandi)

    Hi Andreas,

    Thanks for your quick reply and your support! I’m sorry to have bothered you with this as it’s my mistake. Your comment “an issue with finding the new user” pointed me to the solution: some time in the past the underlying LDAP management obviously changed from setting the user-supplied e-mail for a new user to “mail” and “mailPrimaryAddress” in the directory to setting it only to “mailPrimaryAddress”. But I had AuthLDAP configured to look into “mail”…

    Digging into this with your hints, I stumbled upon another thing: a user who has been an author but got this right revoked (and therefore is in no WordPress-related group in LDAP anymore) can still log in (this is expected) but continues to have his old rights (which I did not expect, as I’ve set “LDAP Groups override role of existing users?” to yes). I expected the old right/group membership to get deleted then, resetting the user to “subscriber”?! What is more, the user is recognized as not having an entry in the WP-Database, but the creation of said entry then fails as, of course, the entry is already there?

    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] User '[email protected]' logging in
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] about to do LDAP authentication
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] connect to LDAP server
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] LDAP authentication successfull
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Array
    (
        [administrator] => 5078
        [editor] => 5081
        [author] => 5079
        [contributor] => 5080
        [subscriber] => 5083
    )
    
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Array
    (
        [administrator] => 5078
        [editor] => 5081
        [author] => 5079
        [contributor] => 5080
        [subscriber] => 5083
    )
    
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Group Filter: "(&(objectClass=posixGroup)(uniqueMember=uid=existinguser1,ou=Users,ou=MyOrg,dc=int,dc=my-org,dc=de))"
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Group Base: 
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] LDAP groups: []
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Role from LDAP group: 
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] role from group mapping: 
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] no role yet, set default role
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] The LDAP user does not have an entry in the WP-Database, a new WP account will be created
    [30-Jan-2021 09:04:49 UTC] [AuthLDAP] Error creating user : Diese E-Mail-Adresse wird bereits verwendet!

    What’s the best way to show the configuration of AuthLDAP here for you?

    Thanks!

    • This reply was modified 4 years, 1 month ago by wpandi.
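
The log pattern in the post above (LDAP login succeeds, the user is treated as new, account creation fails) can be detected mechanically. The following is an added example, not part of the original thread and not AuthLDAP's own code; the function name, the `example.org` addresses and the sample log are constructed, and it assumes the lines of one login are not interleaved with another's.

```python
import re

# Constructed sample, modelled on the debug lines quoted in the post above.
SAMPLE_LOG = """\
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] User 'alice@example.org' logging in
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] LDAP authentication successfull
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] LDAP groups: []
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] no role yet, set default role
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] The LDAP user does not have an entry in the WP-Database, a new WP account will be created
[30-Jan-2021 09:04:49 UTC] [AuthLDAP] Error creating user : Diese E-Mail-Adresse wird bereits verwendet!
[30-Jan-2021 09:10:02 UTC] [AuthLDAP] User 'bob@example.org' logging in
[30-Jan-2021 09:10:02 UTC] [AuthLDAP] LDAP authentication successfull
[30-Jan-2021 09:10:02 UTC] [AuthLDAP] LDAP groups: []
[30-Jan-2021 09:10:02 UTC] [AuthLDAP] no role yet, set default role
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[AuthLDAP\] (?P<msg>.*)$")
LOGIN = re.compile(r"^User '(?P<user>.*)' logging in$")

def find_identity_mismatches(log_text):
    """Return one finding per login where AuthLDAP treated the user as new
    but WordPress refused to create the account (lookup attribute mismatch)."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips print_r() array dumps and blank lines
        msg = m["msg"]
        start = LOGIN.match(msg)
        if start:
            current = {"user": start["user"], "ts": m["ts"], "no_groups": False,
                       "treated_as_new": False, "create_failed": False}
            attempts.append(current)
        elif current is None:
            continue  # log fragment that begins mid-login
        elif msg == "LDAP groups: []":
            current["no_groups"] = True
        elif "does not have an entry in the WP-Database" in msg:
            current["treated_as_new"] = True
        elif msg.startswith("Error creating user"):
            # The reason text is localized, so only the prefix is matched.
            current["create_failed"] = True
    return [{"user": a["user"], "ts": a["ts"], "stale_role_risk": a["no_groups"]}
            for a in attempts if a["treated_as_new"] and a["create_failed"]]

if __name__ == "__main__":
    print(find_identity_mismatches(SAMPLE_LOG))
```

A finding with `stale_role_risk` set marks a login where LDAP returned no groups but the existing WordPress account was never matched, so its previous role was left in place.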