authLdap

Signed-off-by: Jeff <jeff@gotenzing.com>

+dn: dc=test space,{{ LDAP_BASE_DN }}
+changetype: add
+dc: test space
+description: LDAP Example with space
+objectClass: dcObject
+objectClass: organization
+o: test space
+
+dn: cn=Manager,{{ LDAP_BASE_DN }}
+changetype: add
+cn: Manager
+objectClass: organizationalRole
+
+dn: ou=test,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: organizationalUnit
+ou: test
+
+dn: uid=user1,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: user1
+userPassword: user1
+
+dn: cn=group1,{{ LDAP_BASE_DN }}
+changetype: add
+objectclass: groupOfUniqueNames
+cn: group1
+uniqueMember: uid=user1,{{ LDAP_BASE_DN }}
+
+dn: uid=user2,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: user2
+userPassword: user2
+
+dn: cn=group2,{{ LDAP_BASE_DN }}
+changetype: add
+objectclass: groupOfUniqueNames
+cn: group2
+uniqueMember: uid=user2,{{ LDAP_BASE_DN }}
+
+dn: uid=user3,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: user3
+userPassword: user!"
+
+dn: cn=group3,{{ LDAP_BASE_DN }}
+changetype: add
+objectclass: groupOfUniqueNames
+cn: group3
+uniqueMember: uid=user2,{{ LDAP_BASE_DN }}
+uniqueMember: uid=user3,{{ LDAP_BASE_DN }}
+
+dn: uid=user 4,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: user 4
+userPassword: user!"
+
+dn: cn=group4,{{ LDAP_BASE_DN }}
+changetype: add
+objectclass: groupOfUniqueNames
+cn: group4
+uniqueMember: uid=user 4,{{ LDAP_BASE_DN }}
+
+dn: uid=user 5,dc=test space,{{ LDAP_BASE_DN }}
+changetype: add
+objectClass: account
+objectClass: simpleSecurityObject
+uid: user 5
+userPassword: user!"
+
+dn: cn=group5,{{ LDAP_BASE_DN }}
+changetype: add
+objectclass: groupOfUniqueNames
+cn: group5
+uniqueMember: uid=user 5,dc=test space,{{ LDAP_BASE_DN }}

+.ci
+.github
+build
+config
+dockersetup
+svn
+tests
+vendor
+wp-app
+wd-data
+.distignore
+.editorconfig
+.gitignore
+.phpunit.result.cache
+.svnAccess
+.svnAccess.dist
+build.xml
+composer.json
+composer.lock
+docker-compose.yml
+GPG_KEY
+phpunit.xml.dist
+.git

+root = true
+
+[*]
+charset = utf-8
+tab_width = 4
+trim_trailing_whitespace = true
+indent_size = tab
+indent_style = tab
+insert_final_newline = true
+end_of_line = lf
+
+[*.yml]
+tab_width = 2
+
+[*.xml]
+tab_width = 2
+
+[*.json]
+tab_width = 2

+name: Deploy to WordPress.org
+
+env:
+  SLUG: authldap
+on:
+  release:
+    types: [published]
+jobs:
+  tag:
+    name: New release
+    runs-on: ubuntu-latest
+    environment: deploy_on_release
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: WordPress Plugin Deploy
+        id: deploy
+        uses: 10up/action-wordpress-plugin-deploy@stable
+        with:
+          generate-zip: true
+        env:
+          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
+      - name: Upload release asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ${{ steps.deploy.outputs.zip-path }}
+          asset_name: ${{ env.SLUG }}.zip
+          asset_content_type: application/zip
+

+name: CI
+on: [push, pull_request]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    env:
+      PORT_LDAP: 3389
+      PORT_LDAPS: 6363
+      LDAP_ADMIN_PASSWORD: ${{ secrets.LDAP_ADMIN_PASSWORD }}
+      LDAP_LOG_LEVEL: 0
+    strategy:
+      matrix:
+        # operating-system: [ubuntu-latest, windows-latest, macos-latest]
+        php-versions: [ '7.4', '8.0', '8.1' ]
+    name: Test on ${{ matrix.php-versions }}
+    steps:
+      - uses: actions/checkout@v1
+      - name: Build the docker-compose stack
+        run: docker-compose -f docker-compose.yml up -d
+      - name: Check running containers
+        run: docker ps -a
+      - name: Check logs
+        run: docker-compose logs openldap
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: ldap
+          tools: phive
+      - name: install dependencies
+        run: composer install
+      - name: install tools
+        run: phive install --trust-gpg-keys 4AA394086372C20A phpunit
+      - name: Run Unit-Tests
+        run: ./tools/phpunit --testdox
+  coverage:
+    needs: test
+    runs-on: ubuntu-latest
+    env:
+      PORT_LDAP: 3389
+      PORT_LDAPS: 6363
+      LDAP_ADMIN_PASSWORD: ${{ secrets.LDAP_ADMIN_PASSWORD }}
+      LDAP_LOG_LEVEL: 0
+    continue-on-error: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build the docker-compose stack
+        run: docker-compose -f docker-compose.yml up -d
+      - name: Check running containers
+        run: docker ps -a
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.0"
+          coverage: xdebug
+          tools: phive
+      - name: install dependencies
+        run: composer install
+      - name: install tools
+        run: phive install --trust-gpg-keys 4AA394086372C20A phpunit
+      - name: run testsuite
+        run: ./tools/phpunit --testdox --colors=always --coverage-clover clover.xml
+      - name: upload to codecov
+        uses: codecov/codecov-action@v1
+        with:
+          #token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+          files: ./clover.xml # optional
+          #flags: unittests # optional
+          #name: codecov-umbrella # optional
+          #fail_ci_if_error: true # optional (default = false)
+          #verbose: true # optional (default = false)

+<?xml version="1.0" encoding="UTF-8"?>
+<phive xmlns="https://phar.io/phive">
+  <phar name="phpunit" version="^9.5.21" installed="9.5.21" location="./tools/phpunit" copy="true"/>
+  <phar name="phpcs" version="^3.7.1" installed="3.7.1" location="./tools/phpcs" copy="true"/>
+  <phar name="phpcbf" version="^3.7.1" installed="3.7.1" location="./tools/phpcbf" copy="true"/>
+</phive>

+username = svnUsername
+password = svnPassword
\ No newline at end of file

+Copyright <YEAR> <COPYRIGHT HOLDER>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file

@@ -4,12 +4,12 @@
 
 
 Use your existing LDAP as authentication-backend for your wordpress!
 Use your existing LDAP as authentication-backend for your wordpress!
 
 
-[![Build Status](https://travis-ci.org/heiglandreas/authLdap.svg?branch=master)](https://travis-ci.org/heiglandreas/authLdap)
+[![Build Status](https://github.com/heiglandreas/authLdap/workflows/CI/badge.svg)](https://github.com/heiglandreas/authLdap/workflows/CI)
 [![WordPress Stats](https://img.shields.io/wordpress/plugin/dt/authldap.svg)](https://wordpress.org/plugins/authldap/stats/)
 [![WordPress Stats](https://img.shields.io/wordpress/plugin/dt/authldap.svg)](https://wordpress.org/plugins/authldap/stats/)
 [![WordPress Version](https://img.shields.io/wordpress/plugin/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
 [![WordPress Version](https://img.shields.io/wordpress/plugin/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
 [![WordPress testet](https://img.shields.io/wordpress/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
 [![WordPress testet](https://img.shields.io/wordpress/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
 [![Code Climate](https://codeclimate.com/github/heiglandreas/authLdap/badges/gpa.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
 [![Code Climate](https://codeclimate.com/github/heiglandreas/authLdap/badges/gpa.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
-[![Test Coverage](https://codeclimate.com/github/heiglandreas/authLdap/badges/coverage.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
+[![codecov](https://codecov.io/gh/heiglandreas/authLdap/branch/master/graph/badge.svg?token=AYAhEeWtRQ)](https://codecov.io/gh/heiglandreas/authLdap)
 
 
 So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
 So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
 
 
@@ -48,8 +48,8 @@ wonderfull plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=
 * **LDAP Uri** This is the URI where your ldap-backend can be reached. More information are actually on the Configuration page
 * **LDAP Uri** This is the URI where your ldap-backend can be reached. More information are actually on the Configuration page
 * **Filter** This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter a %s will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username the following happens:
 * **Filter** This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter a %s will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username the following happens:
 
 
-    * **uid=%s** check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
-    * **(&(objectclass=posixAccount)((!(uid=%s)(mail=%s)))** check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccout’ and either a UID- or a mail-attribute with value ‘foobar’
+    * **uid=%1$s** check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
+    * **(&(objectclass=posixAccount)(|(uid=%1$s)(mail=%1$s)))** check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccout’ and either a UID- or a mail-attribute with value ‘foobar’
 
 
     This filter is rather powerfull if used wisely.
     This filter is rather powerfull if used wisely.
 
 
@@ -92,4 +92,4 @@ wonderfull plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=
     <a href="https://github.com/heiglandreas/authLdap/issues/65">issue 65</a>
     <a href="https://github.com/heiglandreas/authLdap/issues/65">issue 65</a>
     where <a href="https://github.com/wtfiwtz">wtfiwtz</a> shows how to implement that feature.
     where <a href="https://github.com/wtfiwtz">wtfiwtz</a> shows how to implement that feature.
     </dd>
     </dd>
-    </dl>
\ No newline at end of file
+    </dl>

+.row {
+	overflow: hidden;
+	padding-top: 10px;
+}
+
+.element {
+	float: right;
+	text-align: left;
+}
+
+.authldap-options input[type=text] {
+	width: 100%;
+}

+<?php
+
+/*
+Plugin Name: AuthLDAP
+Plugin URI: https://github.com/heiglandreas/authLdap
+Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
+Version: 2.5.2
+Author: Andreas Heigl <andreas@heigl.org>
+Author URI: http://andreas.heigl.org
+License: MIT
+License URI: https://opensource.org/licenses/MIT
+*/
+
+// phpcs:disable PSR1.Files.SideEffects
+
+use Org_Heigl\AuthLdap\LdapList;
+use Org_Heigl\AuthLdap\LdapUri;
+use Org_Heigl\AuthLdap\Manager\Ldap;
+use Org_Heigl\AuthLdap\UserRoleHandler;
+use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
+
+require_once __DIR__ . '/src/Wrapper/LdapInterface.php';
+require_once __DIR__ . '/src/Exception/Error.php';
+require_once __DIR__ . '/src/Exception/InvalidLdapUri.php';
+require_once __DIR__ . '/src/Exception/Error.php';
+require_once __DIR__ . '/src/Exception/InvalidLdapUri.php';
+require_once __DIR__ . '/src/Exception/MissingValidLdapConnection.php';
+require_once __DIR__ . '/src/Exception/SearchUnsuccessfull.php';
+require_once __DIR__ . '/src/Manager/Ldap.php';
+require_once __DIR__ . '/src/Wrapper/Ldap.php';
+require_once __DIR__ . '/src/Wrapper/LdapFactory.php';
+require_once __DIR__ . '/src/LdapList.php';
+require_once __DIR__ . '/src/LdapUri.php';
+require_once __DIR__ . '/src/UserRoleHandler.php';
+
+function authLdap_debug($message)
+{
+	if (authLdap_get_option('Debug')) {
+		error_log('[AuthLDAP] ' . $message, 0);
+	}
+}
+
+
+function authLdap_addmenu()
+{
+	if (!is_multisite()) {
+		add_options_page(
+			'AuthLDAP',
+			'AuthLDAP',
+			'manage_options',
+			basename(__FILE__),
+			'authLdap_options_panel'
+		);
+	} else {
+		add_submenu_page(
+			'settings.php',
+			'AuthLDAP',
+			'AuthLDAP',
+			'manage_options',
+			'authldap',
+			'authLdap_options_panel'
+		);
+	}
+}
+
+function authLdap_get_post($name, $default = '')
+{
+	return isset($_POST[$name]) ? $_POST[$name] : $default;
+}
+
+function authLdap_options_panel()
+{
+	// inclusde style sheet
+	wp_enqueue_style('authLdap-style', plugin_dir_url(__FILE__) . 'authLdap.css');
+
+	if (($_SERVER['REQUEST_METHOD'] == 'POST') && array_key_exists('ldapOptionsSave', $_POST)) {
+		$new_options = [
+			'Enabled' => authLdap_get_post('authLDAPAuth', false),
+			'CachePW' => authLdap_get_post('authLDAPCachePW', false),
+			'URI' => authLdap_get_post('authLDAPURI'),
+			'URISeparator' => authLdap_get_post('authLDAPURISeparator'),
+			'StartTLS' => authLdap_get_post('authLDAPStartTLS', false),
+			'Filter' => authLdap_get_post('authLDAPFilter'),
+			'NameAttr' => authLdap_get_post('authLDAPNameAttr'),
+			'SecName' => authLdap_get_post('authLDAPSecName'),
+			'UidAttr' => authLdap_get_post('authLDAPUidAttr'),
+			'MailAttr' => authLdap_get_post('authLDAPMailAttr'),
+			'WebAttr' => authLdap_get_post('authLDAPWebAttr'),
+			'Groups' => authLdap_get_post('authLDAPGroups', []),
+			'GroupSeparator' => authLdap_get_post('authLDAPGroupSeparator', ','),
+			'Debug' => authLdap_get_post('authLDAPDebug', false),
+			'GroupBase' => authLdap_get_post('authLDAPGroupBase'),
+			'GroupAttr' => authLdap_get_post('authLDAPGroupAttr'),
+			'GroupFilter' => authLdap_get_post('authLDAPGroupFilter'),
+			'DefaultRole' => authLdap_get_post('authLDAPDefaultRole'),
+			'GroupEnable' => authLdap_get_post('authLDAPGroupEnable', false),
+			'GroupOverUser' => authLdap_get_post('authLDAPGroupOverUser', false),
+			'DoNotOverwriteNonLdapUsers' => authLdap_get_post('authLDAPDoNotOverwriteNonLdapUsers', false),
+			'UserRead' => authLdap_get_post('authLDAPUseUserAccount', false),
+		];
+		if (authLdap_set_options($new_options)) {
+			echo "<div class='updated'><p>Saved Options!</p></div>";
+		} else {
+			echo "<div class='error'><p>Could not save Options!</p></div>";
+		}
+	}
+
+	// Do some initialization for the admin-view
+	$authLDAP = authLdap_get_option('Enabled');
+	$authLDAPCachePW = authLdap_get_option('CachePW');
+	$authLDAPURI = authLdap_get_option('URI');
+	$authLDAPURISeparator = authLdap_get_option('URISeparator');
+	$authLDAPStartTLS = authLdap_get_option('StartTLS');
+	$authLDAPFilter = authLdap_get_option('Filter');
+	$authLDAPNameAttr = authLdap_get_option('NameAttr');
+	$authLDAPSecName = authLdap_get_option('SecName');
+	$authLDAPMailAttr = authLdap_get_option('MailAttr');
+	$authLDAPUidAttr = authLdap_get_option('UidAttr');
+	$authLDAPWebAttr = authLdap_get_option('WebAttr');
+	$authLDAPGroups = authLdap_get_option('Groups');
+	$authLDAPGroupSeparator = authLdap_get_option('GroupSeparator');
+	$authLDAPDebug = authLdap_get_option('Debug');
+	$authLDAPGroupBase = authLdap_get_option('GroupBase');
+	$authLDAPGroupAttr = authLdap_get_option('GroupAttr');
+	$authLDAPGroupFilter = authLdap_get_option('GroupFilter');
+	$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
+	$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
+	$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
+	$authLDAPDoNotOverwriteNonLdapUsers = authLdap_get_option('DoNotOverwriteNonLdapUsers');
+	$authLDAPUseUserAccount = authLdap_get_option('UserRead');
+
+	$tChecked = ($authLDAP) ? ' checked="checked"' : '';
+	$tDebugChecked = ($authLDAPDebug) ? ' checked="checked"' : '';
+	$tPWChecked = ($authLDAPCachePW) ? ' checked="checked"' : '';
+	$tGroupChecked = ($authLDAPGroupEnable) ? ' checked="checked"' : '';
+	$tGroupOverUserChecked = ($authLDAPGroupOverUser) ? ' checked="checked"' : '';
+	$tStartTLSChecked = ($authLDAPStartTLS) ? ' checked="checked"' : '';
+	$tDoNotOverwriteNonLdapUsers = ($authLDAPDoNotOverwriteNonLdapUsers) ? ' checked="checked"' : '';
+	$tUserRead = ($authLDAPUseUserAccount) ? ' checked="checked"' : '';
+
+	$roles = new WP_Roles();
+
+	$action = $_SERVER['REQUEST_URI'];
+	if (!extension_loaded('ldap')) {
+		echo '<div class="warning">The LDAP-Extension is not available on your '
+			. 'WebServer. Therefore Everything you can alter here does not '
+			. 'make any sense!</div>';
+	}
+
+	include dirname(__FILE__) . '/view/admin.phtml';
+}
+
+/**
+ * get a LDAP server object
+ *
+ * throws exception if there is a problem connecting
+ *
+ * @conf boolean authLDAPDebug true, if debugging should be turned on
+ * @conf string  authLDAPURI LDAP server URI
+ *
+ * @return Org_Heigl\AuthLdap\LdapList LDAP server object
+ */
+function authLdap_get_server()
+{
+	static $_ldapserver = null;
+	if (is_null($_ldapserver)) {
+		$authLDAPDebug = authLdap_get_option('Debug');
+		$authLDAPURI = explode(
+			authLdap_get_option('URISeparator', ' '),
+			authLdap_get_option('URI')
+		);
+		$authLDAPStartTLS = authLdap_get_option('StartTLS');
+
+		//$authLDAPURI = 'ldap:/foo:bar@server/trallala';
+		authLdap_debug('connect to LDAP server');
+		require_once dirname(__FILE__) . '/src/LdapList.php';
+		$_ldapserver = new LdapList();
+		foreach ($authLDAPURI as $uri) {
+			$_ldapserver->addLdap(new Ldap(
+				new LdapFactory(),
+				LdapUri::fromString($uri),
+				$authLDAPStartTLS
+			));
+		}
+	}
+	return $_ldapserver;
+}
+
+
+/**
+ * This method authenticates a user using either the LDAP or, if LDAP is not
+ * available, the local database
+ *
+ * For this we store the hashed passwords in the WP_Database to ensure working
+ * conditions even without an LDAP-Connection
+ *
+ * @param null|WP_User|WP_Error
+ * @param string $username
+ * @param string $password
+ * @param boolean $already_md5
+ * @return boolean true, if login was successfull or false, if it wasn't
+ * @conf boolean authLDAP true, if authLDAP should be used, false if not. Defaults to false
+ * @conf string authLDAPFilter LDAP filter to use to find correct user, defaults to '(uid=%s)'
+ * @conf string authLDAPNameAttr LDAP attribute containing user (display) name, defaults to 'name'
+ * @conf string authLDAPSecName LDAP attribute containing second name, defaults to ''
+ * @conf string authLDAPMailAttr LDAP attribute containing user e-mail, defaults to 'mail'
+ * @conf string authLDAPUidAttr LDAP attribute containing user id (the username we log on with), defaults to 'uid'
+ * @conf string authLDAPWebAttr LDAP attribute containing user website, defaults to ''
+ * @conf string authLDAPDefaultRole default role for authenticated user, defaults to ''
+ * @conf boolean authLDAPGroupEnable true, if we try to map LDAP groups to Wordpress roles
+ * @conf boolean authLDAPGroupOverUser true, if LDAP Groups have precedence over existing user roles
+ */
+function authLdap_login($user, $username, $password, $already_md5 = false)
+{
+	// don't do anything when authLDAP is disabled
+	if (!authLdap_get_option('Enabled')) {
+		authLdap_debug(
+			'LDAP disabled in AuthLDAP plugin options (use the first option in the AuthLDAP options to enable it)'
+		);
+		return $user;
+	}
+
+	// If the user has already been authenticated (only in that case we get a
+	// WP_User-Object as $user) we skip LDAP-authentication and simply return
+	// the existing user-object
+	if ($user instanceof WP_User) {
+		authLdap_debug(sprintf(
+			'User %s has already been authenticated - skipping LDAP-Authentication',
+			$user->get('nickname')
+		));
+		return $user;
+	}
+
+	authLdap_debug("User '$username' logging in");
+
+	if ($username == 'admin') {
+		authLdap_debug('Doing nothing for possible local user admin');
+		return $user;
+	}
+
+	global $wpdb, $error;
+	try {
+		$authLDAP = authLdap_get_option('Enabled');
+		$authLDAPFilter = authLdap_get_option('Filter');
+		$authLDAPNameAttr = authLdap_get_option('NameAttr');
+		$authLDAPSecName = authLdap_get_option('SecName');
+		$authLDAPMailAttr = authLdap_get_option('MailAttr');
+		$authLDAPUidAttr = authLdap_get_option('UidAttr');
+		$authLDAPWebAttr = authLdap_get_option('WebAttr');
+		$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
+		$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
+		$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
+		$authLDAPUseUserAccount = authLdap_get_option('UserRead');
+
+		if (!$username) {
+			authLdap_debug('Username not supplied: return false');
+			return false;
+		}
+
+		if (!$password) {
+			authLdap_debug('Password not supplied: return false');
+			$error = __('<strong>Error</strong>: The password field is empty.');
+			return false;
+		}
+		// First check for valid values and set appropriate defaults
+		if (!$authLDAPFilter) {
+			$authLDAPFilter = '(uid=%s)';
+		}
+		if (!$authLDAPNameAttr) {
+			$authLDAPNameAttr = 'name';
+		}
+		if (!$authLDAPMailAttr) {
+			$authLDAPMailAttr = 'mail';
+		}
+		if (!$authLDAPUidAttr) {
+			$authLDAPUidAttr = 'uid';
+		}
+
+		// If already_md5 is TRUE, then we're getting the user/password from the cookie. As we don't want
+		// to store LDAP passwords in any
+		// form, we've already replaced the password with the hashed username and LDAP_COOKIE_MARKER
+		if ($already_md5) {
+			if ($password == md5($username) . md5($ldapCookieMarker)) {
+				authLdap_debug('cookie authentication');
+				return true;
+			}
+		}
+
+		// Remove slashes as noted on https://github.com/heiglandreas/authLdap/issues/108
+		$password = stripslashes_deep($password);
+
+		// No cookie, so have to authenticate them via LDAP
+		$result = false;
+		try {
+			authLdap_debug('about to do LDAP authentication');
+			$result = authLdap_get_server()->Authenticate($username, $password, $authLDAPFilter);
+		} catch (Exception $e) {
+			authLdap_debug('LDAP authentication failed with exception: ' . $e->getMessage());
+			return false;
+		}
+
+		// Make optional querying from the admin account #213
+		if (!authLdap_get_option('UserRead')) {
+			// Rebind with the default credentials after the user has been loged in
+			// Otherwise the credentials of the user trying to login will be used
+			// This fixes #55
+			authLdap_get_server()->bind();
+		}
+
+		if (true !== $result) {
+			authLdap_debug('LDAP authentication failed');
+			// TODO what to return? WP_User object, true, false, even an WP_Error object...
+			// all seem to fall back to normal wp user authentication
+			return;
+		}
+
+		authLdap_debug('LDAP authentication successful');
+		$attributes = array_values(
+			array_filter(
+				apply_filters(
+					'authLdap_filter_attributes',
+					[
+						$authLDAPNameAttr,
+						$authLDAPSecName,
+						$authLDAPMailAttr,
+						$authLDAPWebAttr,
+						$authLDAPUidAttr,
+					]
+				)
+			)
+		);
+
+		try {
+			$attribs = authLdap_get_server()->search(
+				sprintf($authLDAPFilter, $username),
+				$attributes
+			);
+			// First get all the relevant group informations so we can see if
+			// whether have been changes in group association of the user
+			if (!isset($attribs[0]['dn'])) {
+				authLdap_debug('could not get user attributes from LDAP');
+				throw new UnexpectedValueException('dn has not been returned');
+			}
+			if (!isset($attribs[0][strtolower($authLDAPUidAttr)][0])) {
+				authLdap_debug('could not get user attributes from LDAP');
+				throw new UnexpectedValueException('The user-ID attribute has not been returned');
+			}
+
+			$dn = $attribs[0]['dn'];
+			$realuid = $attribs[0][strtolower($authLDAPUidAttr)][0];
+		} catch (Exception $e) {
+			authLdap_debug('Exception getting LDAP user: ' . $e->getMessage());
+			return false;
+		}
+
+		$uid = authLdap_get_uid($realuid);
+
+		// This fixes #172
+		if (true == authLdap_get_option('DoNotOverwriteNonLdapUsers', false)) {
+			if (!get_user_meta($uid, 'authLDAP')) {
+				return null;
+			}
+		}
+
+		$roles = [];
+
+		// we only need this if either LDAP groups are disabled or
+		// if the WordPress role of the user overrides LDAP groups
+		if (!$authLDAPGroupEnable || !$authLDAPGroupOverUser) {
+			$roles[] = authLdap_user_role($uid);
+			// TODO, this needs to be revised, it seems, like authldap is taking only the first role
+			// even if in WP there are assigned multiple.
+		}
+
+		// do LDAP group mapping if needed
+		// (if LDAP groups override worpress user role, $role is still empty)
+		if (empty($roles) && $authLDAPGroupEnable) {
+			$roles = authLdap_groupmap($realuid, $dn);
+			authLdap_debug('role from group mapping: ' . json_encode($roles));
+		}
+
+		// if we don't have a role yet, use default role
+		if (empty($roles) && !empty($authLDAPDefaultRole)) {
+			authLdap_debug('no role yet, set default role');
+			$roles[] = $authLDAPDefaultRole;
+		}
+
+		if (empty($roles)) {
+			// Sorry, but you are not in any group that is allowed access
+			trigger_error('no group found');
+			authLdap_debug('user is not in any group that is allowed access');
+			return false;
+		} else {
+			$wp_roles = new WP_Roles();
+			// not sure if this is needed, but it can't hurt
+
+			// Get rid of unexisting roles.
+			foreach ($roles as $k => $v) {
+				if (!$wp_roles->is_role($v)) {
+					unset($k);
+				}
+			}
+
+			// check if single role or an empty array provided
+			if (empty($roles)) {
+				trigger_error('no group found');
+				authLdap_debug('role is invalid');
+				return false;
+			}
+		}
+
+		// from here on, the user has access!
+		// now, lets update some user details
+		$user_info = [];
+		$user_info['user_login'] = $realuid;
+		$user_info['user_email'] = '';
+		$user_info['user_nicename'] = '';
+
+		// first name
+		if (isset($attribs[0][strtolower($authLDAPNameAttr)][0])) {
+			$user_info['first_name'] = $attribs[0][strtolower($authLDAPNameAttr)][0];
+		}
+
+		// last name
+		if (isset($attribs[0][strtolower($authLDAPSecName)][0])) {
+			$user_info['last_name'] = $attribs[0][strtolower($authLDAPSecName)][0];
+		}
+
+		// mail address
+		if (isset($attribs[0][strtolower($authLDAPMailAttr)][0])) {
+			$user_info['user_email'] = $attribs[0][strtolower($authLDAPMailAttr)][0];
+		}
+
+		// website
+		if (isset($attribs[0][strtolower($authLDAPWebAttr)][0])) {
+			$user_info['user_url'] = $attribs[0][strtolower($authLDAPWebAttr)][0];
+		}
+		// display name, nickname, nicename
+		if (array_key_exists('first_name', $user_info)) {
+			$user_info['display_name'] = $user_info['first_name'];
+			$user_info['nickname'] = $user_info['first_name'];
+			$user_info['user_nicename'] = sanitize_title_with_dashes($user_info['first_name']);
+			if (array_key_exists('last_name', $user_info)) {
+				$user_info['display_name'] .= ' ' . $user_info['last_name'];
+				$user_info['nickname'] .= ' ' . $user_info['last_name'];
+				$user_info['user_nicename'] .= '_' . sanitize_title_with_dashes($user_info['last_name']);
+			}
+		}
+		$user_info['user_nicename'] = substr($user_info['user_nicename'], 0, 50);
+
+		// optionally store the password into the wordpress database
+		if (authLdap_get_option('CachePW')) {
+			// Password will be hashed inside wp_update_user or wp_insert_user
+			$user_info['user_pass'] = $password;
+		} else {
+			// clear the password
+			$user_info['user_pass'] = '';
+		}
+
+		// add uid if user exists
+		if ($uid) {
+			// found user in the database
+			authLdap_debug('The LDAP user has an entry in the WP-Database');
+			$user_info['ID'] = $uid;
+			unset($user_info['display_name'], $user_info['nickname']);
+			$userid = wp_update_user($user_info);
+		} else {
+			// new wordpress account will be created
+			authLdap_debug('The LDAP user does not have an entry in the WP-Database, a new WP account will be created');
+
+			$userid = wp_insert_user($user_info);
+		}
+
+		// if the user exists, wp_insert_user will update the existing user record
+		if (is_wp_error($userid)) {
+			authLdap_debug('Error creating user : ' . $userid->get_error_message());
+			trigger_error('Error creating user: ' . $userid->get_error_message());
+			return $userid;
+		}
+
+		// Update user roles.
+		$user = new \WP_User($userid);
+
+		/**
+		 * Add hook for custom User-Role assignment
+		 *
+		 * @param WP_User $user This user-object will be returned. Can be modified as necessary in the actions.
+		 * @param array $roles
+		 */
+		do_action('authldap_user_roles', $user, $roles);
+
+		/**
+		 * Add hook for custom updates
+		 *
+		 * @param int $userid User ID.
+		 * @param array $attribs [0] Attributes retrieved from LDAP for the user.
+		 */
+		do_action('authLdap_login_successful', $userid, $attribs[0]);
+
+		authLdap_debug('user id = ' . $userid);
+
+		// flag the user as an ldap user so we can hide the password fields in the user profile
+		update_user_meta($userid, 'authLDAP', true);
+
+		// return a user object upon positive authorization
+		return $user;
+	} catch (Exception $e) {
+		authLdap_debug($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
+		trigger_error($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
+	}
+}
+
+/**
+ * Get user's user id
+ *
+ * Returns null if username not found
+ *
+ * @param string $username username
+ * @param string user id, null if not found
+ */
+function authLdap_get_uid($username)
+{
+	global $wpdb;
+
+	// find out whether the user is already present in the database
+	$uid = $wpdb->get_var(
+		$wpdb->prepare(
+			"SELECT ID FROM {$wpdb->users} WHERE user_login = %s",
+			$username
+		)
+	);
+	if ($uid) {
+		authLdap_debug("Existing user, uid = {$uid}");
+		return $uid;
+	} else {
+		return null;
+	}
+}
+
+/**
+ * Get the user's current role
+ *
+ * Returns empty string if not found.
+ *
+ * @param int $uid wordpress user id
+ * @return string role, empty if none found
+ */
+function authLdap_user_role($uid)
+{
+	global $wpdb, $wp_roles;
+
+	if (!$uid) {
+		return '';
+	}
+
+	/** @var array<string, bool> $usercapabilities */
+	$usercapabilities = get_user_meta($uid, "{$wpdb->prefix}capabilities", true);
+	if (!is_array($usercapabilities)) {
+		return '';
+	}
+
+	/** @var array<string, array{name: string, capabilities: array<mixed>} $editable_roles */
+	$editable_roles = $wp_roles->roles;
+
+	// By using this approach we are now using the order of the roles from the WP_Roles object
+	// and not from the capabilities any more.
+	$userroles = array_keys(array_intersect_key($editable_roles, $usercapabilities));
+	$role = ($userroles !== []) ? $userroles[0] : '';
+
+	authLdap_debug("Existing user's role: {$role}");
+	return $role;
+}
+
+/**
+ * Get LDAP groups for user and map to role
+ *
+ * @param string $username
+ * @param string $dn
+ * @return string role, empty string if no mapping found, first found role otherwise
+ * @conf array authLDAPGroups, associative array, role => ldap_group
+ * @conf string authLDAPGroupBase, base dn to look up groups
+ * @conf string authLDAPGroupAttr, ldap attribute that holds name of group
+ * @conf string authLDAPGroupFilter, LDAP filter to find groups. can contain %s and %dn% placeholders
+ */
+function authLdap_groupmap($username, $dn)
+{
+	$authLDAPGroups = authLdap_sort_roles_by_capabilities(
+		authLdap_get_option('Groups')
+	);
+	$authLDAPGroupBase = authLdap_get_option('GroupBase');
+	$authLDAPGroupAttr = authLdap_get_option('GroupAttr');
+	$authLDAPGroupFilter = authLdap_get_option('GroupFilter');
+	$authLDAPGroupSeparator = authLdap_get_option('GroupSeparator');
+	if (!$authLDAPGroupAttr) {
+		$authLDAPGroupAttr = 'gidNumber';
+	}
+	if (!$authLDAPGroupFilter) {
+		$authLDAPGroupFilter = '(&(objectClass=posixGroup)(memberUid=%s))';
+	}
+	if (!$authLDAPGroupSeparator) {
+		$authLDAPGroupSeparator = ',';
+	}
+
+	if (!is_array($authLDAPGroups) || count(array_filter(array_values($authLDAPGroups))) == 0) {
+		authLdap_debug('No group names defined');
+		return '';
+	}
+
+	try {
+		// To allow searches based on the DN instead of the uid, we replace the
+		// string %dn% with the users DN.
+		$authLDAPGroupFilter = str_replace(
+			'%dn%',
+			ldap_escape($dn, '', LDAP_ESCAPE_FILTER),
+			$authLDAPGroupFilter
+		);
+		authLdap_debug('Group Filter: ' . json_encode($authLDAPGroupFilter));
+		authLdap_debug('Group Base: ' . $authLDAPGroupBase);
+		$groups = authLdap_get_server()->search(
+			sprintf($authLDAPGroupFilter, ldap_escape($username, '', LDAP_ESCAPE_FILTER)),
+			[$authLDAPGroupAttr],
+			$authLDAPGroupBase
+		);
+	} catch (Exception $e) {
+		authLdap_debug('Exception getting LDAP group attributes: ' . $e->getMessage());
+		return '';
+	}
+
+	$grp = [];
+	for ($i = 0; $i < $groups ['count']; $i++) {
+		if ($authLDAPGroupAttr == "dn") {
+			$grp[] = $groups[$i]['dn'];
+		} else {
+			for ($k = 0; $k < $groups[$i][strtolower($authLDAPGroupAttr)]['count']; $k++) {
+				$grp[] = $groups[$i][strtolower($authLDAPGroupAttr)][$k];
+			}
+		}
+	}
+
+	authLdap_debug('LDAP groups: ' . json_encode($grp));
+
+	// Check whether the user is member of one of the groups that are
+	// allowed acces to the blog. If the user is not member of one of
+	// The groups throw her out! ;-)
+	$roles = [];
+	foreach ($authLDAPGroups as $key => $val) {
+		$currentGroup = explode($authLDAPGroupSeparator, $val);
+		// Remove whitespaces around the group-ID
+		$currentGroup = array_map('trim', $currentGroup);
+		if (0 < count(array_intersect($currentGroup, $grp))) {
+			$roles[] = $key;
+		}
+	}
+
+	// Default: If the user is member of more than one group only the first one
+	// will be taken into account!
+	// This filter allows you to return multiple user roles. WordPress
+	// supports this functionality, but not natively via UI from Users
+	// overview (you need to use a plugin). However, it's still widely used,
+	// for example, by WooCommerce, etc. Use if you know what you're doing.
+	if (apply_filters('authLdap_allow_multiple_roles', false) === false && count($roles) > 1) {
+		$roles = array_slice($roles, 0, 1);
+	}
+
+	authLdap_debug("Roles from LDAP group: " . json_encode($roles));
+	return $roles;
+}
+
+/**
+ * This function disables the password-change fields in the users preferences.
+ *
+ * It does not make sense to authenticate via LDAP and then allow the user to
+ * change the password only in the wordpress database. And changing the password
+ * LDAP-wide can not be the scope of Wordpress!
+ *
+ * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
+ * of the users meta-informations
+ *
+ * @return false, if the user whose prefs are viewed is an LDAP-User, true if
+ * he isn't
+ * @conf boolean authLDAP
+ */
+function authLdap_show_password_fields($return, $user)
+{
+	if (!$user) {
+		return true;
+	}
+
+	if (get_user_meta($user->ID, 'authLDAP')) {
+		return false;
+	}
+
+	return $return;
+}
+
+/**
+ * This function disables the password reset for a user.
+ *
+ * It does not make sense to authenticate via LDAP and then allow the user to
+ * reset the password only in the wordpress database. And changing the password
+ * LDAP-wide can not be the scope of Wordpress!
+ *
+ * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
+ * of the users meta-informations
+ *
+ * @author chaplina (https://github.com/chaplina)
+ * @conf boolean authLDAP
+ * @return false, if the user is an LDAP-User, true if he isn't
+ */
+function authLdap_allow_password_reset($return, $userid)
+{
+	if (!(isset($userid))) {
+		return true;
+	}
+
+	if (get_user_meta($userid, 'authLDAP')) {
+		return false;
+	}
+	return $return;
+}
+
+/**
+ * Sort the given roles by number of capabilities
+ *
+ * @param array $roles
+ *
+ * @return array
+ */
+function authLdap_sort_roles_by_capabilities($roles)
+{
+	global $wpdb;
+	$myRoles = get_option($wpdb->get_blog_prefix() . 'user_roles');
+
+	authLdap_debug(print_r($roles, true));
+	uasort($myRoles, 'authLdap_sortByCapabilitycount');
+
+	$return = [];
+
+	foreach ($myRoles as $key => $role) {
+		if (isset($roles[$key])) {
+			$return[$key] = $roles[$key];
+		}
+	}
+
+	authLdap_debug(print_r($return, true));
+	return $return;
+}
+
+/**
+ * Sort according to the number of capabilities
+ *
+ * @param $a
+ * @param $b
+ */
+function authLdap_sortByCapabilitycount($a, $b)
+{
+	if (count($a['capabilities']) > count($b['capabilities'])) {
+		return -1;
+	}
+	if (count($a['capabilities']) < count($b['capabilities'])) {
+		return 1;
+	}
+
+	return 0;
+}
+
+/**
+ * Load AuthLDAP Options
+ *
+ * Sets and stores defaults if options are not up to date
+ */
+function authLdap_load_options($reload = false)
+{
+	static $options = null;
+
+	// the current version for options
+	$option_version_plugin = 1;
+
+	$optionFunction = 'get_option';
+	if (is_multisite()) {
+		$optionFunction = 'get_site_option';
+	}
+	if (is_null($options) || $reload) {
+		$options = $optionFunction('authLDAPOptions', []);
+	}
+
+	// check if option version has changed (or if it's there at all)
+	if (!isset($options['Version']) || ($options['Version'] != $option_version_plugin)) {
+		// defaults for all options
+		$options_default = [
+			'Enabled' => false,
+			'CachePW' => false,
+			'URI' => '',
+			'URISeparator' => ' ',
+			'Filter' => '', // '(uid=%s)'
+			'NameAttr' => '', // 'name'
+			'SecName' => '',
+			'UidAttr' => '', // 'uid'
+			'MailAttr' => '', // 'mail'
+			'WebAttr' => '',
+			'Groups' => [],
+			'Debug' => false,
+			'GroupAttr' => '', // 'gidNumber'
+			'GroupFilter' => '', // '(&(objectClass=posixGroup)(memberUid=%s))'
+			'DefaultRole' => '',
+			'GroupEnable' => true,
+			'GroupOverUser' => true,
+			'Version' => $option_version_plugin,
+			'DoNotOverwriteNonLdapUsers' => false,
+		];
+
+		// check if we got a version
+		if (!isset($options['Version'])) {
+			// we just changed to the new option format
+			// read old options, then delete them
+			$old_option_new_option = [
+				'authLDAP' => 'Enabled',
+				'authLDAPCachePW' => 'CachePW',
+				'authLDAPURI' => 'URI',
+				'authLDAPFilter' => 'Filter',
+				'authLDAPNameAttr' => 'NameAttr',
+				'authLDAPSecName' => 'SecName',
+				'authLDAPUidAttr' => 'UidAttr',
+				'authLDAPMailAttr' => 'MailAttr',
+				'authLDAPWebAttr' => 'WebAttr',
+				'authLDAPGroups' => 'Groups',
+				'authLDAPDebug' => 'Debug',
+				'authLDAPGroupAttr' => 'GroupAttr',
+				'authLDAPGroupFilter' => 'GroupFilter',
+				'authLDAPDefaultRole' => 'DefaultRole',
+				'authLDAPGroupEnable' => 'GroupEnable',
+				'authLDAPGroupOverUser' => 'GroupOverUser',
+			];
+			foreach ($old_option_new_option as $old_option => $new_option) {
+				$value = get_option($old_option, null);
+				if (!is_null($value)) {
+					$options[$new_option] = $value;
+				}
+				delete_option($old_option);
+			}
+			delete_option('authLDAPCookieMarker');
+			delete_option('authLDAPCookierMarker');
+		}
+
+		// set default for all options that are missing
+		foreach ($options_default as $key => $default) {
+			if (!isset($options[$key])) {
+				$options[$key] = $default;
+			}
+		}
+
+		// set new version and save
+		$options['Version'] = $option_version_plugin;
+		update_option('authLDAPOptions', $options);
+	}
+	return $options;
+}
+
+/**
+ * Get an individual option
+ */
+function authLdap_get_option($optionname, $default = null)
+{
+	$options = authLdap_load_options();
+	if (isset($options[$optionname]) && $options[$optionname]) {
+		return $options[$optionname];
+	}
+
+	if (null !== $default) {
+		return $default;
+	}
+
+	//authLdap_debug('option name invalid: ' . $optionname);
+	return null;
+}
+
+/**
+ * Set new options
+ */
+function authLdap_set_options($new_options = [])
+{
+	// initialize the options with what we currently have
+	$options = authLdap_load_options();
+
+	// set the new options supplied
+	foreach ($new_options as $key => $value) {
+		$options[$key] = $value;
+	}
+
+	// store options
+	$optionFunction = 'update_option';
+	if (is_multisite()) {
+		$optionFunction = 'update_site_option';
+	}
+	if ($optionFunction('authLDAPOptions', $options)) {
+		// reload the option cache
+		authLdap_load_options(true);
+
+		return true;
+	}
+
+	// could not set options
+	return false;
+}
+
+/**
+ * Do not send an email after changing the password or the email of the user!
+ *
+ * @param boolean $result The initial resturn value
+ * @param array $user The old userdata
+ * @param array $newUserData The changed userdata
+ *
+ * @return bool
+ */
+function authLdap_send_change_email($result, $user, $newUserData)
+{
+	if (get_user_meta($user['ID'], 'authLDAP')) {
+		return false;
+	}
+
+	return $result;
+}
+
+$hook = is_multisite() ? 'network_' : '';
+add_action($hook . 'admin_menu', 'authLdap_addmenu');
+add_filter('show_password_fields', 'authLdap_show_password_fields', 10, 2);
+add_filter('allow_password_reset', 'authLdap_allow_password_reset', 10, 2);
+add_filter('authenticate', 'authLdap_login', 10, 3);
+/** This only works from WP 4.3.0 on */
+add_filter('send_password_change_email', 'authLdap_send_change_email', 10, 3);
+add_filter('send_email_change_email', 'authLdap_send_change_email', 10, 3);
+$handler = new UserRoleHandler();
+add_action('authldap_user_roles', [$handler, 'addRolesToUser'], 10, 2);

+<?xml version="1.0" encoding="utf-8"?>
+<project name="ajaxComments" default="build" basedir=".">
+    <php expression="include('vendor/autoload.php')"/>
+    <input propertyName="version">Which version shall be tagged?</input>
+    <!--loadfile property = "version" file = "VERSION">
+        <filterchain>
+            <striplinebreaks/>
+        </filterchain>
+    </loadfile-->
+    <target name="bumpversion">
+        <echo>Bumping version to ${version}</echo>
+        <reflexive>
+            <fileset dir=".">
+                <include name="index.php"/>
+                <include name="authLdap.php"/>
+            </fileset>
+            <filterchain>
+                <replaceregexp>
+                    <regexp pattern="Version:.*" replace="Version: ${version}"/>
+                </replaceregexp>
+            </filterchain>
+        </reflexive>
+    </target>
+    <target name="build" depends="bumpversion,deploy.git,deploy.svn"/>
+    <target name="sync.svn">
+        <copy todir="${project.basedir}/svn/trunk">
+            <fileset dir="${project.basedir}">
+                <include name="src/**"/>
+                <include name="view/**"/>
+                <include name="authLdap.css"/>
+                <include name="authLdap.php"/>
+                <include name="ldap.php"/>
+                <include name="LICENSE.md"/>
+                <include name="README.md"/>
+                <include name="readme.txt"/>
+            </fileset>
+        </copy>
+    </target>
+    <target name="deploy.svn" depends="sync.svn">
+        <property override="true" file="${project.basedir}/.svnAccess" prefix="svnaccess" />
+        <foreach param="dirname" target="svn.addFile">
+            <fileset dir="${project.basedir}/svn/trunk">
+                <include name="**/*"/>
+            </fileset>
+        </foreach>
+        <echo message="${svnaccess.username}"/>
+        <exec outputProperty="committedrevision" executable="svn" dir="${project.basedir}/svn/trunk">
+            <arg value="commit"/>
+            <arg value="--username"/>
+            <arg value="${svnaccess.username}"/>
+            <arg value="--password"/>
+            <arg value="${svnaccess.password}"/>
+            <arg value="--message"/>
+            <arg value="Bumps version to ${version}"/>
+            <arg value="--no-auth-cache"/>
+            <arg value="--quiet"/>
+        </exec>
+        <!--svncommit
+            username="${svnaccess.username}"
+            password="${svnaccess.password}"
+            workingcopy="${project.basedir}/svn"
+            message="Bumps version to ${version}"
+            nocache="true"
+            /-->
+        <echo message="Committed revision: ${committedrevision}"/>
+    </target>
+
+    <target name="svn.addFile">
+        <trycatch>
+            <try>
+                <svninfo workingcopy="${project.basedir}/svn/trunk/${dirname}"/>
+            </try>
+            <catch>
+                <exec command="svn add ${project.basedir}/svn/trunk/${dirname}"/>
+                <echo>${dirname}</echo>
+            </catch>
+            <finally>
+
+            </finally>
+        </trycatch>
+        <echo>${svn.info}</echo>
+    </target>
+    <target name="deploy.git">
+        <exec executable="git" dir=".">
+            <arg value="add" />
+            <arg value="authLdap.php" />
+        </exec>
+        <exec executable="git" dir=".">
+            <arg value="commit" />
+            <arg value="-m"/>
+            <arg value="Bumps version to ${version}"/>
+        </exec>
+        <exec executable="git" dir=".">
+            <arg value="tag"/>
+            <arg value="-s"/>
+            <arg value="-m"/>
+            <arg value="Version ${version}"/>
+            <arg value="${version}"/>
+        </exec>
+        <exec executable="git" dir=".">
+            <arg value="push"/>
+            <arg value="--tags"/>
+            <arg value="origin"/>
+            <arg value="master" />
+        </exec>
+    </target>
+</project>
\ No newline at end of file

+{
+    "name" : "org_heigl/authldap",
+    "type" : "library",
+    "description": "Enables wordpress-authentication via LDAP",
+    "keywords": ["ldap","authenticate", "auth", "wordpress"],
+    "homepage": "http://github.com/heiglandreas/authLdap",
+    "license": "MIT",
+    "authors": [{
+        "name": "Andreas Heigl",
+        "email": "andreas@heigl.org",
+        "homepage": "http://andreas.heigl.org",
+        "role": "Developer"
+    }],
+    "require" : {
+        "php": ">=7.4",
+      "ext-ldap": "*"
+    },
+    "require-dev": {
+        "automattic/wordbless": "^0.3.1"
+    },
+    "autoload" : {
+        "classmap" : [
+            "authLdap.php"
+        ],
+        "psr-4" : {
+            "Org_Heigl\\AuthLdap\\" : "src/"
+        }
+    },
+    "autoload-dev" : {
+        "psr-4" : {
+            "Org_Heigl\\AuthLdapTest\\" : "tests/"
+        }
+    },
+    "scripts": {
+        "post-update-cmd": "php -r \"copy('vendor/automattic/wordbless/src/dbless-wpdb.php', 'wordpress/wp-content/db.php');\""
+    },
+    "config": {
+        "allow-plugins": {
+            "roots/wordpress-core-installer": true
+        }
+    }
+}

+version: "3.5"
+
+services:
+  wp:
+   # image: authldap:latest
+    build:
+      context: dockersetup
+      dockerfile: Dockerfile_wordpress
+    ports:
+      - 80:80 # change ip if required
+    volumes:
+      - ./config/php.conf.ini:/usr/local/etc/php/conf.d/conf.ini
+      - ./wp-app:/var/www/html # Full wordpress project
+      - .:/var/www/html/wp-content/plugins/authldap # Plugin development
+      #- ./theme-name/trunk/:/var/www/html/wp-content/themes/theme-name # Theme development
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_NAME: "wordpress"
+      WORDPRESS_DB_USER: root
+      WORDPRESS_DB_PASSWORD: "wppasswd"
+    depends_on:
+      - db
+    links:
+      - db
+
+  wpcli:
+    image: wordpress:cli
+    volumes:
+      - ./config/php.conf.ini:/usr/local/etc/php/conf.d/conf.ini
+      - ./wp-app:/var/www/html
+    depends_on:
+      - db
+      - wp
+
+  db:
+    image: mysql:latest # https://hub.docker.com/_/mysql/ - or mariadb https://hub.docker.com/_/mariadb
+    ports:
+      - 3306:3306 # change ip if required
+    command: [
+      '--default_authentication_plugin=mysql_native_password',
+      '--character-set-server=utf8mb4',
+      '--collation-server=utf8mb4_unicode_ci'
+    ]
+    volumes:
+      - ./wp-data:/docker-entrypoint-initdb.d
+      - db_data:/var/lib/mysql
+    environment:
+      MYSQL_DATABASE: "wordpress"
+      MYSQL_ROOT_PASSWORD: "wppasswd"
+
+  openldap:
+    image: osixia/openldap:latest
+#    build:
+#      context: dockersetup
+#      dockerfile: Dockerfile_ldap
+    ports:
+      - 3389:389
+    volumes:
+      - ./.ci/50-init.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-bootstrap.ldif
+    command: "--copy-service --loglevel debug"
+    restart: always
+    environment:
+      LDAP_LOG_LEVEL: "0"
+      LDAP_TLS: "false"
+      LDAP_ADMIN_PASSWORD: "insecure"
+
+volumes:
+  db_data:

+FROM wordpress:latest
+
+RUN set -x \
+    && apt-get update \
+    && apt-get install -y libldap2-dev \
+    && rm -rf /var/lib/apt/lists/* \
+    && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
+    && docker-php-ext-install ldap \
+&& apt-get purge -y --auto-remove libldap2-dev
\ No newline at end of file

+<?xml version="1.0"?>
+<ruleset name="Custom Standard" namespace="MyProject\CS\Standard">
+	<description>authLdap codestyle</description>
+	<file>./src</file>
+	<file>./authLdap.php</file>
+	<file>./tests</file>
+
+	<arg name="colors"/>
+	<arg value="sp"/>
+
+	<autoload>./vendor/autoload.php</autoload>
+
+	<rule ref="PSR12">
+		<exclude name="Generic.WhiteSpace.DisallowTabIndent"/>
+	</rule>
+	<rule ref="Generic.WhiteSpace.ScopeIndent">
+		<properties>
+			<property name="tabIndent" value="true"/>
+		</properties>
+	</rule>
+
+</ruleset>

+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 bootstrap="tests/bootstrap.php"
+		 testdox="true"
+		 xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd"
+>
+	<coverage>
+		<include>
+			<directory suffix=".php">src</directory>
+			<file>authLdap.php</file>
+		</include>
+		<exclude>
+			<directory>src/Wrapper</directory>
+		</exclude>
+		<report>
+			<html outputDirectory="build/coverage" lowUpperBound="35" highLowerBound="70"/>
+		</report>
+	</coverage>
+	<testsuite name="authLdap Test-Suite">
+		<directory>tests</directory>
+	</testsuite>
+	<groups>
+		<exclude>
+			<group>disable</group>
+		</exclude>
+	</groups>
+	<logging>
+		<!--log type="coverage-xml" target="../report/coverage.xml"/-->
+		<!--log type="graphviz" target="../report/logfile.dot"/-->
+		<!--log type="json" target="../report/logfile.json"/-->
+		<!--log type="metrics-xml" target="../report/metrics.xml"/-->
+		<!--log type="plain" target="../report/logfile.txt"/-->
+		<!--log type="pmd-xml" target="../report/pmd.xml" cpdMinLines="5" cpdMinMatches="70"/-->
+		<!--log type="tap" target="../report/logfile.tap"/-->
+		<!--log type="test-xml" target="../report/logfile.xml" logIncompleteSkipped="false"/-->
+		<!--log type="testdox-html" target="../report/testdox.html"/-->
+		<!--log type="testdox-text" target="../report/testdox.txt"/-->
+	</logging>
+</phpunit>

 === authLdap ===
 === authLdap ===
 Contributors: heiglandreas
 Contributors: heiglandreas
-Tags: ldap, auth
+Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
 Requires at least: 2.5.0
 Requires at least: 2.5.0
-Tested up to: 4.6.1
+Tested up to: 5.9.0
+Requires PHP: 7.4
 Stable tag: trunk
 Stable tag: trunk
+License: MIT
+License URI: https://opensource.org/licenses/MIT
 
 
 Use your existing LDAP flexible as authentication backend for WordPress
 Use your existing LDAP flexible as authentication backend for WordPress
 
 
@@ -13,13 +16,9 @@ Use your existing LDAP as authentication-backend for your wordpress!
 
 
 So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
 So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
 
 
-* Flexible: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can
-freely decide how to do the authentication of your users. It simply depends on your
-filters
-* Independent: As soon as a user logs in, it is added/updated to the Wordpress' user-database
-to allow wordpress to always use the correct data. You only have to administer your users once.
-* Failsafe: Due to the users being created in Wordpress' User-database they can
-also log in when the LDAP-backend currently is gone.
+* Flexible: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can freely decide how to do the authentication of your users. It simply depends on your filters
+* Independent: As soon as a user logs in, it is added/updated to the Wordpress' user-database to allow wordpress to always use the correct data. You only have to administer your users once.
+* Failsafe: Due to the users being created in Wordpress' User-database they can also log in when the LDAP-backend currently is gone.
 * Role-Aware: You can map Wordpress' roles to values of an existing LDAP-attribute.
 * Role-Aware: You can map Wordpress' roles to values of an existing LDAP-attribute.
 
 
 For more Information on the configuration have a look at https://github.com/heiglandreas/authLdap
 For more Information on the configuration have a look at https://github.com/heiglandreas/authLdap
@@ -41,6 +40,51 @@ Go to https://github.com/heiglandreas/authLdap
 Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
 Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
 
 
 == Changelog ==
 == Changelog ==
+
+= 2.5.3 =
+* Fix issue with broken role-assignement in combination with WooCommerce
+* Fix spelling issue
+* Allow DN as role-definition
+
+= 2.5.0 =
+* Ignore the order of capabilities to tell the role. In addition the filter `editable_roles` can be used to limit the roles
+
+= 2.4.11 =
+* Fix issue with running on PHP8.1
+
+= 2.4.9 =
+* Improve group-assignement UI
+
+= 2.4.8 =
+* Make textfields in settings-page wider
+
+= 2.4.7 =
+* Replace deprecated function
+* Fix undefined index
+* Add filter for retrieving other params at login (authLdap_filter_attributes)
+* Add do_action after successfull login (authLdap_login_successful)
+
+= 2.4.0 =
+* Allow to use environment variables for LDAP-URI configuration
+
+= 2.3.0 =
+* Allow to not overwrite existing WordPress-Users with LDAP-Users as that can be a security issue.
+
+= 2.1.0 =
+* Add search-base for groups. This might come in handy for multisite-instances
+
+= 2.0.0 =
+* This new release adds Multi-Site support. It will no longer be possible to use this plugin just in one subsite of a multisite installation!
+* Adds a warning screen to the config-section when no LDAPextension could be found
+* Fixes an issue with the max-length of the username
+
+= 1.5.1 =
+* Fixes an issue with escaped backslashes and quotes
+
+= 1.5.0 =
+* Allows parts of the LDAP-URI to be URLEncoded
+* Drops support for PHP 5.4
+
 = 1.4.20 =
 = 1.4.20 =
 * Allows multiple LDAP-servers to be queried (given that they use the same attributes)
 * Allows multiple LDAP-servers to be queried (given that they use the same attributes)
 * Fixes issue with URL-Encoded informations (see https://github.com/heiglandreas/authLdap/issues/108)
 * Fixes issue with URL-Encoded informations (see https://github.com/heiglandreas/authLdap/issues/108)
@@ -77,7 +121,7 @@ Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
 * Fixes PSR2 violations
 * Fixes PSR2 violations
 
 
 […]
 […]
-    
+
 = 1.2.1 =
 = 1.2.1 =
 * Fixed an issue with group-ids
 * Fixed an issue with group-ids
 * Moved the code to GitHub (https://github.com/heiglandreas/authLdap)
 * Moved the code to GitHub (https://github.com/heiglandreas/authLdap)

+<?php
+
+/**
+ * Copyright Andrea Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Exception;
+
+use Exception;
+
+class Error extends Exception
+{
+    public function __construct($message, $line = null)
+    {
+        parent::__construct($message);
+        if ($line) {
+            $this -> line = $line;
+        }
+    }
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Exception;
+
+use RuntimeException;
+
+use function sprintf;
+
+class InvalidLdapUri extends RuntimeException
+{
+	public static function cannotparse(string $ldapUri): self
+	{
+		return new self(sprintf(
+			'%1$s seems not to be a valid URI',
+			$ldapUri
+		));
+	}
+
+	public static function wrongSchema(string $uri): self
+	{
+		return new self(sprintf(
+			'%1$s does not start with a valid schema',
+			$uri
+		));
+	}
+
+	public static function noSchema(string $uri): self
+	{
+		return new self(sprintf(
+			'%1$s does not provide a schema',
+			$uri
+		));
+	}
+
+	public static function noEnvironmentVariableSet(string $uri): self
+	{
+		return new self(sprintf(
+			'The environment variable %1$s does not provide a URI',
+			$uri
+		));
+	}
+
+	public static function noServerProvided(string $uri): self
+	{
+		return new self(sprintf(
+			'The LDAP-URI %1$s does not provide a server',
+			$uri
+		));
+	}
+
+	public static function noSearchBaseProvided(string $uri): self
+	{
+		return new self(sprintf(
+			'The LDAP-URI %1$s does not provide a search-base',
+			$uri
+		));
+	}
+
+	public static function invalidSearchBaseProvided(string $uri): self
+	{
+		return new self(sprintf(
+			'The LDAP-URI %1$s does not provide a valid search-base',
+			$uri
+		));
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Exception;
+
+use RuntimeException;
+
+class MissingValidLdapConnection extends Error
+{
+	public static function get(): self
+	{
+		return new self(sprintf(
+			'No valid LDAP connection available'
+		));
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Exception;
+
+use RuntimeException;
+
+class SearchUnsuccessfull extends RuntimeException
+{
+	public static function fromSearchFilter(string $filter): self
+	{
+		return new self(sprintf(
+			'Search for %1$s was not successfull',
+			$filter
+		));
+	}
+}

 <?php
 <?php
+
 /**
 /**
  * Copyright (c) Andreas Heigl<andreas@heigl.org>
  * Copyright (c) Andreas Heigl<andreas@heigl.org>
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -26,23 +27,29 @@
 
 
 namespace Org_Heigl\AuthLdap;
 namespace Org_Heigl\AuthLdap;
 
 
+use Exception;
+use Org_Heigl\AuthLdap\Exception\Error;
+use Org_Heigl\AuthLdap\Exception\SearchUnsuccessfull;
+use Org_Heigl\AuthLdap\Manager\Ldap;
+
 class LdapList
 class LdapList
 {
 {
     /**
     /**
-     * @var \LDAP[]
+     * @var Ldap[]
      */
      */
     protected $items = [];
     protected $items = [];
 
 
-    public function addLdap(LDAP $ldap)
+    public function addLdap(Ldap $ldap)
     {
     {
         $this->items[] = $ldap;
         $this->items[] = $ldap;
     }
     }
 
 
     public function authenticate($username, $password, $filter = '(uid=%s)')
     public function authenticate($username, $password, $filter = '(uid=%s)')
     {
     {
+        /** @var Ldap $item */
         foreach ($this->items as $key => $item) {
         foreach ($this->items as $key => $item) {
             if (! $item->authenticate($username, $password, $filter)) {
             if (! $item->authenticate($username, $password, $filter)) {
-                unset ($this->items[$key]);
+                unset($this->items[$key]);
                 continue;
                 continue;
             }
             }
             return true;
             return true;
@@ -65,21 +72,22 @@ class LdapList
         }
         }
 
 
         if ($allFailed) {
         if ($allFailed) {
-            throw new AuthLDAP_Exception('No bind successfull');
+            throw new Error('No bind successfull');
         }
         }
+
+        return true;
     }
     }
 
 
-    public function search($filter, $attributes = array('uid'))
+    public function search($filter, $attributes = array('uid'), $base = '')
     {
     {
         foreach ($this->items as $item) {
         foreach ($this->items as $item) {
             try {
             try {
-                $result = $item->search($filter, $attributes);
+                $result = $item->search($filter, $attributes, $base);
                 return $result;
                 return $result;
             } catch (Exception $e) {
             } catch (Exception $e) {
-                throw $e;
             }
             }
         }
         }
 
 
-        throw new \AuthLDAP_Exception('No Results found');
+        throw SearchUnsuccessfull::fromSearchFilter($filter);
     }
     }
-}
\ No newline at end of file
+}

+<?php
+
+/**
+ * Copyright (c) Andreas Heigl<andreas@heigl.org>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright Andreas Heigl
+ * @license   http://www.opensource.org/licenses/mit-license.php MIT-License
+ * @since     19.07.2020
+ * @link      http://github.com/heiglandreas/authLDAP
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap;
+
+use Org_Heigl\AuthLdap\Exception\InvalidLdapUri;
+
+use function array_map;
+use function error_get_last;
+use function getenv;
+use function is_array;
+use function is_string;
+use function parse_url;
+use function preg_replace_callback;
+use function rawurlencode;
+use function strlen;
+use function strpos;
+use function substr;
+use function trim;
+use function urldecode;
+
+final class LdapUri
+{
+	private $server;
+
+	private $scheme;
+
+	private $port = 389;
+
+	private string $baseDn;
+
+	private $username = '';
+
+	private $password = '';
+
+	private function __construct(string $uri)
+	{
+		if (!preg_match('/^(ldap|ldaps|env)/', $uri)) {
+			throw InvalidLdapUri::wrongSchema($uri);
+		}
+
+		if (strpos($uri, 'env:') === 0) {
+			$newUri = getenv(substr($uri, 4));
+			if (false === $newUri) {
+				throw InvalidLdapUri::noEnvironmentVariableSet($uri);
+			}
+			$uri = (string) $newUri;
+		}
+
+		$uri = $this->injectEnvironmentVariables($uri);
+
+		$array = parse_url($uri);
+		if (!is_array($array)) {
+			throw InvalidLdapUri::cannotparse($uri);
+		}
+
+		$url = array_map(static function ($item) {
+			if (is_int($item)) {
+				return $item;
+			}
+			return urldecode($item);
+		}, $array);
+
+
+		if (!isset($url['scheme'])) {
+			throw InvalidLdapUri::noSchema($uri);
+		}
+		if (0 !== strpos($url['scheme'], 'ldap')) {
+			throw InvalidLdapUri::wrongSchema($uri);
+		}
+		if (!isset($url['host'])) {
+			throw InvalidLdapUri::noServerProvided($uri);
+		}
+		if (!isset($url['path'])) {
+			throw InvalidLdapUri::noSearchBaseProvided($uri);
+		}
+		if (1 === strlen($url['path'])) {
+			throw InvalidLdapUri::invalidSearchBaseProvided($uri);
+		}
+
+		$this->server = $url['host'];
+		$this->scheme = $url['scheme'];
+		$this->baseDn = substr($url['path'], 1);
+		if (isset($url['user'])) {
+			$this->username = $url['user'];
+		}
+		if ('' === trim($this->username)) {
+			$this->username = 'anonymous';
+		}
+		if (isset($url['pass'])) {
+			$this->password = $url['pass'];
+		}
+		if ($this->scheme === 'ldaps' && $this->port = 389) {
+			$this->port = 636;
+		}
+
+		// When someone sets the port in the URL we overwrite whatever is set.
+		// We have to assume they know what they are doing!
+		if (isset($url['port'])) {
+			$this->port = $url['port'];
+		}
+	}
+
+	public static function fromString(string $uri): LdapUri
+	{
+		return new LdapUri($uri);
+	}
+
+	private function injectEnvironmentVariables(string $base): string
+	{
+		return preg_replace_callback('/%env:([^%]+)%/', static function (array $matches) {
+			return rawurlencode(getenv($matches[1]));
+		}, $base);
+	}
+
+	public function toString(): string
+	{
+		return $this->scheme . '://' . $this->server . ':' . $this->port;
+	}
+
+	public function __toString()
+	{
+		return $this->toString();
+	}
+
+	public function getUsername(): string
+	{
+		return $this->username;
+	}
+
+	public function getPassword(): string
+	{
+		return $this->password;
+	}
+
+	public function getBaseDn(): string
+	{
+		return $this->baseDn;
+	}
+
+	public function isAnonymous(): bool
+	{
+		if ($this->password === '') {
+			return true;
+		}
+
+		if ($this->username === 'anonymous') {
+			return true;
+		}
+
+		return false;
+	}
+}

+<?php
+
+/**
+ * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
+ *
+ * authLdap - Authenticate Wordpress against an LDAP-Backend.
+ * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * This file handles the basic LDAP-Tasks
+ *
+ * @author Andreas Heigl<andreas@heigl.org>
+ * @package authLdap
+ * @category authLdap
+ * @since 2008
+ */
+
+namespace Org_Heigl\AuthLdap\Manager;
+
+use Org_Heigl\AuthLdap\Exception\Error;
+use Org_Heigl\AuthLdap\Exception\MissingValidLdapConnection;
+use Org_Heigl\AuthLdap\LdapUri;
+use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
+use Org_Heigl\AuthLdap\Wrapper\LdapInterface;
+
+class Ldap
+{
+	/**
+	 * This property contains the connection handle to the ldap-server
+	 *
+	 * @var LdapInterface|null
+	 */
+	private ?LdapInterface $connection;
+
+	private LdapUri $uri;
+
+	private LdapFactory $factory;
+
+	private $starttls;
+
+	public function __construct(LdapFactory $factory, LdapUri $uri, $starttls = false)
+	{
+		$this->starttls = $starttls;
+		$this->uri = $uri;
+		$this->factory = $factory;
+		$this->connection = null;
+	}
+
+	/**
+	 * Connect to the given LDAP-Server
+	 */
+	public function connect(): self
+	{
+		$this->disconnect();
+
+		$this->connection = $this->factory->createFromLdapUri($this->uri->toString());
+		$this->connection->setOption(LDAP_OPT_PROTOCOL_VERSION, 3);
+		$this->connection->setOption(LDAP_OPT_REFERRALS, 0);
+		//if configured try to upgrade encryption to tls for ldap connections
+		if ($this->starttls) {
+			$this->connection->startTls();
+		}
+		return $this;
+	}
+
+	/**
+	 * Disconnect from a resource if one is available
+	 */
+	public function disconnect(): self
+	{
+		if (null !== $this->connection) {
+			$this->connection->unbind();
+		}
+		$this->connection = null;
+		return $this;
+	}
+
+	/**
+	 * Bind to an LDAP-Server with the given credentials
+	 *
+	 * @throws Error
+	 */
+	public function bind(): self
+	{
+		if (!$this->connection) {
+			$this->connect();
+		}
+		if (null === $this->connection) {
+			throw MissingValidLdapConnection::get();
+		}
+		if ($this->uri->isAnonymous()) {
+			$bind = $this->connection->bind();
+		} else {
+			$bind = $this->connection->bind($this->uri->getUsername(), $this->uri->getPassword());
+		}
+		if (!$bind) {
+			throw new Error('bind was not successfull: ' . $this->connection->error());
+		}
+		return $this;
+	}
+
+	/**
+	 * This method does the actual ldap-serch.
+	 *
+	 * This is using the filter <var>$filter</var> for retrieving the attributes
+	 * <var>$attributes</var>
+	 *
+	 * @return array<string|int, mixed>
+	 * @throws Error
+	 */
+	public function search(string $filter, array $attributes = ['uid'], ?string $base = ''): array
+	{
+		if (null === $this->connection) {
+			throw new Error('No resource handle available');
+		}
+		if (!$base) {
+			$base = $this->uri->getBaseDn();
+		}
+		$result = $this->connection->search($base, $filter, $attributes);
+		if ($result === false) {
+			throw new Error('no result found');
+		}
+		$info = $this->connection->getEntries($result);
+		if ($info === false) {
+			throw new Error('invalid results found');
+		}
+		return $info;
+	}
+
+	/**
+	 * This method authenticates the user <var>$username</var> using the
+	 * password <var>$password</var>
+	 *
+	 * @param string $filter OPTIONAL This parameter defines the Filter to be used
+	 * when searchin for the username. This MUST contain the string '%s' which
+	 * will be replaced by the vaue given in <var>$username</var>
+	 * @throws Error
+	 */
+	public function authenticate(string $username, string $password, string $filter = '(uid=%s)'): bool
+	{
+		$this->connect();
+		$this->bind();
+		$res = $this->search(sprintf($filter, $this->factory->escape($username, '', LDAP_ESCAPE_FILTER)));
+		if ($res ['count'] !== 1) {
+			return false;
+		}
+
+		$dn = $res[0]['dn'];
+		return $username && $password && $this->connection->bind($dn, $password);
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap;
+
+use WP_User;
+
+use function array_search;
+use function in_array;
+use function var_dump;
+
+class UserRoleHandler
+{
+	/**
+	 * @param WP_User $user
+	 * @param string[] $roles
+	 * @return void
+	 */
+	public function addRolesToUser(WP_User $user, $roles) : void
+	{
+		if ($roles === []) {
+			return;
+		}
+
+		if ($user->roles == $roles) {
+			return;
+		}
+
+		// Remove unused roles from existing.
+		foreach ($user->roles as $role) {
+			if (!in_array($role, $roles)) {
+				// Remove unused roles.
+				$user->remove_role($role);
+				continue;
+			}
+			// Remove the existing role from roles.
+			if (($key = array_search($role, $roles)) !== false) {
+				unset($roles[$key]);
+			}
+		}
+
+		// Add new ones if not already assigned.
+		foreach ($roles as $role) {
+			$user->add_role($role);
+		}
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Wrapper;
+
+use function ldap_bind;
+use function ldap_connect;
+use function ldap_error;
+use function ldap_escape;
+use function ldap_get_entries;
+use function ldap_set_option;
+use function ldap_start_tls;
+use function ldap_unbind;
+
+final class Ldap implements LdapInterface
+{
+	private $connection;
+
+	public function __construct(string $ldapUri)
+	{
+		$this->connection = ldap_connect($ldapUri);
+	}
+
+	public function bind($dn = null, $password = null)
+	{
+		if (null === $dn && null === $password) {
+			return ldap_bind($this->connection);
+		}
+		return ldap_bind($this->connection, $dn, $password);
+	}
+
+	public function unbind()
+	{
+		return ldap_unbind($this->connection);
+	}
+
+	public function setOption($option, $value)
+	{
+		return ldap_set_option($this->connection, $option, $value);
+	}
+
+	public function startTls()
+	{
+		return ldap_start_tls($this->connection);
+	}
+
+	public function error()
+	{
+		return ldap_error($this->connection);
+	}
+
+	public function errno()
+	{
+		return ldap_errno($this->connection);
+	}
+
+	public function search(
+		$base,
+		$filter,
+		array $attributes = [],
+		$attributes_only = 0,
+		$sizelimit = -1,
+		$timelimit = -1
+	) {
+		return ldap_search(
+			$this->connection,
+			$base,
+			$filter,
+			$attributes,
+			$attributes_only,
+			$sizelimit,
+			$timelimit
+		);
+	}
+
+	public function getEntries($search_result)
+	{
+		return ldap_get_entries($this->connection, $search_result);
+	}
+
+	public static function escape(string $value, string $ignore = '', int $flags = 0): string
+	{
+		return ldap_escape($value, $ignore, $flags);
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Wrapper;
+
+class LdapFactory
+{
+	public function createFromLdapUri(string $ldapUri): LdapInterface
+	{
+		return new Ldap($ldapUri);
+	}
+
+	public function escape($value, $ignore = '', $flags = 0): string
+	{
+		return Ldap::escape($value, $ignore, $flags);
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+declare(strict_types=1);
+
+namespace Org_Heigl\AuthLdap\Wrapper;
+
+interface LdapInterface
+{
+	public function bind($dn = null, $password = null);
+
+	public function unbind();
+
+	public function setOption($option, $value);
+
+	public function startTls();
+
+	public function error();
+
+	public function errno();
+
+	public function search(
+		$base,
+		$filter,
+		array $attributes = [],
+		$attributes_only = 0,
+		$sizelimit = -1,
+		$timelimit = -1
+	);
+
+	public function getEntries($search_result);
+
+	public static function escape(string $value, string $ignore = '', int $flags = 0): string;
+}

+<?php
+
+/**
+ * Copyright (c) 2016-2016} Andreas Heigl<andreas@heigl.org>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright 2016-2016 Andreas Heigl
+ * @license   http://www.opensource.org/licenses/mit-license.php MIT-License
+ * @version   0.0
+ * @since     07.06.2016
+ * @link      http://github.com/heiglandreas/authLDAP
+ */
+
+namespace Org_Heigl\AuthLdapTest;
+
+use Closure;
+use Org_Heigl\AuthLdap\Exception\Error;
+use Org_Heigl\AuthLdap\Exception\SearchUnsuccessfull;
+use Org_Heigl\AuthLdap\LdapList;
+use Org_Heigl\AuthLdap\Manager\Ldap;
+use Org_Heigl\AuthLdap\LdapUri;
+use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
+use Org_Heigl\AuthLdap\Wrapper\LdapInterface;
+use PHPUnit\Framework\Assert;
+use PHPUnit\Framework\TestCase;
+
+class LDAPListBaseTest extends TestCase
+{
+	private $ldapA;
+
+	private $ldapB;
+
+	public function setUp(): void
+	{
+		$this->ldapA = $this->getMockBuilder(Ldap::class)->disableOriginalConstructor()->getMock();
+		$this->ldapB = $this->getMockBuilder(Ldap::class)->disableOriginalConstructor()->getMock();
+		Assert::assertNotSame($this->ldapA, $this->ldapB);
+		parent::setUp(); // TODO: Change the autogenerated stub
+	}
+
+	public function addingItemsWorks(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		Assert::assertSame([$this->ldapA, $this->ldapB], $this->getLdaps($list));
+	}
+
+	public function testFailingBindRemovesItemsFromList(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('bind')->willThrowException(new Error('throw'));
+		$this->ldapB->method('bind')->willReturn($this->ldapB);
+
+		$list->bind();
+
+		Assert::assertCount(1, $this->getLdaps($list));
+	}
+
+	public function testFailingBindInAllConnectorsThrows(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('bind')->willThrowException(new Error('throw'));
+		$this->ldapB->method('bind')->willThrowException(new Error('throw'));
+
+		$this->expectException(Error::class);
+		$this->expectExceptionMessage('No bind successfull');
+
+		$list->bind();
+
+		Assert::assertCount(0, $this->getLdaps($list));
+	}
+
+	public function testAuthenticatingViaListWorks(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('authenticate')->willReturn(false);
+		$this->ldapB->method('authenticate')->willReturn(true);
+
+		Assert::assertTrue($list->authenticate('foo', 'bar'));
+
+		Assert::assertCount(1, $this->getLdaps($list));
+	}
+
+	public function testAuthenticatingViaListFailsWhenNoConnectorAuthenticates(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('authenticate')->willReturn(false);
+		$this->ldapB->method('authenticate')->willReturn(false);
+
+		Assert::assertFalse($list->authenticate('foo', 'bar'));
+
+		Assert::assertCount(0, $this->getLdaps($list));
+	}
+
+	public function testSuccessfullSearchInOneConnectorReturnsResult(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('search')->willThrowException(new Error('Whoot'));
+		$this->ldapB->method('search')->willReturn(['count' => 1, ['dn' => 'foo']]);
+
+		Assert::assertEquals(['count' => 1, ['dn' => 'foo']], $list->search('uid=foo'));
+	}
+
+	public function testUnsuccessfullSearchWillThrow(): void
+	{
+		$list = new LdapList();
+
+		$list->addLdap($this->ldapA);
+		$list->addLdap($this->ldapB);
+
+		$this->ldapA->method('search')->willThrowException(new Error('Whoot'));
+		$this->ldapB->method('search')->willThrowException(new Error('Whoot2'));
+
+		$this->expectException(SearchUnsuccessfull::class);
+
+		$list->search('uid=foo');
+	}
+
+
+	private function getLdaps(LdapList $list): array
+	{
+
+		// Courtesy of Marco Pivetta
+		//  https://ocramius.github.io/blog/accessing-private-php-class-members-without-reflection/
+		$sweetsThief = function (LdapList $kitchen) {
+			return $kitchen->items;
+		};
+
+		// Closure::bind() actually creates a new instance of the closure
+		$sweetsThief = Closure::bind($sweetsThief, null, $list);
+
+		return $sweetsThief($list);
+	}
+}

+<?php
+
+/**
+ * $Id: LdapTest.php 292156 2010-09-21 19:32:01Z heiglandreas $
+ *
+ * authLdap - Authenticate Wordpress against an LDAP-Backend.
+ * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * This file tests the basic LDAP-Tasks
+ *
+ * @category authLdap
+ * @package authLdap
+ * @subpackage UnitTests
+ * @author Andreas Heigl<andreas@heigl.org>
+ * @copyright 2010 Andreas Heigl<andreas@heigl.org>
+ * @license GPL
+ * @since 21.09.2010
+ */
+
+namespace Org_Heigl\AuthLdapTest;
+
+use Exception;
+use Generator;
+use Org_Heigl\AuthLdap\LdapUri;
+use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
+use PHPUnit\Framework\TestCase;
+use Org_Heigl\AuthLdap\Manager\Ldap;
+
+class LdapTest extends TestCase
+{
+	/**
+	 *
+	 * @dataProvider dpInstantiateLdapClass
+	 * @param array $expected
+	 * @param array $given
+	 */
+	public function testInstantiateLdapClass($ldapUri, $debug, $startTls)
+	{
+		$ldap = new Ldap(new LdapFactory(), LdapUri::fromString($ldapUri), $debug, $startTls);
+		self::assertInstanceOf(Ldap::class, $ldap);
+	}
+
+	/**
+	 * @dataProvider dpExceptionsWhenInstantiatingLdapClass
+	 * @param string $expected
+	 */
+	public function testExceptionsWhenInstantiatingLdapClass(string $expected)
+	{
+		self::expectException(Exception::class);
+		new Ldap(new LdapFactory(), LdapUri::fromString($expected));
+	}
+
+	public function dpInstantiateLdapClass(): Generator
+	{
+		yield [
+			'ldap://uid=jondoe,cn=users,cn=example,c=org:secret@ldap.example.org/cn=example,c=org',
+			true,
+			false,
+			[
+				'username' => 'uid=jondoe,cn=users,cn=example,c=org',
+				'password' => 'secret',
+				'server' => 'ldap.example.org',
+				'baseDn' => 'cn=example,c=org',
+				'debug' => true,
+			],
+		];
+		yield [
+			'ldap://uid=jondoe,cn=users,cn=example,c=org@ldap.example.org/cn=example,c=org',
+			true,
+			false,
+			[
+				'username' => 'uid=jondoe,cn=users,cn=example,c=org',
+				'password' => '',
+				'server' => 'ldap.example.org',
+				'baseDn' => 'cn=example,c=org',
+				'debug' => true,
+			],
+		];
+		yield [
+			'ldap://ldap.example.org/cn=example,c=org',
+			true,
+			false,
+			[
+				'username' => 'anonymous',
+				'password' => '',
+				'server' => 'ldap.example.org',
+				'baseDn' => 'cn=example,c=org',
+				'debug' => true,
+			],
+		];
+//      yield [
+//           'ldap://ldap.example.org',
+//              true,
+//              false,
+//              [
+//                  'username' => 'anonymous',
+//                  'password' => '',
+//                  'server'   => 'ldap.example.org',
+//                  'baseDn'   => '',
+//                  'debug'    => true
+//             ]
+//          ];
+		yield [
+			'ldap://uid=jondoe,cn=users,cn=example,c=org:secret@ldap.example.org/cn=example,c=org',
+			false,
+			false,
+			[
+				'username' => 'uid=jondoe,cn=users,cn=example,c=org',
+				'password' => 'secret',
+				'server' => 'ldap.example.org',
+				'baseDn' => 'cn=example,c=org',
+				'debug' => false,
+			],
+		];
+		yield [
+			'ldap://ldap.example.org/cn=test%20example,c=org',
+			false,
+			false,
+			[
+				'username' => 'anonymous',
+				'password' => '',
+				'server' => 'ldap.example.org',
+				'baseDn' => 'cn=test example,c=org',
+				'debug' => false,
+			],
+		];
+	}
+
+	public function dpExceptionsWhenInstantiatingLdapClass(): Generator
+	{
+		yield ['ldap://ldap.example.org'];
+		yield ['ldap://foo:bar@/cn=example,c=org'];
+		yield ['http://ldap.example.org'];
+		yield ['fooBar'];
+		yield ['ldap://ldap.example.org/'];
+		yield ['()123üäö'];
+	}
+
+	public function testThatGroupMappingWorks()
+	{
+		$groups = [
+			'count' => 1,
+			0 => [
+				'dn' => 'dn-1',
+				'count' => 1,
+				0 => 'group',
+				'group' => [
+					'count' => 2,
+					0 => 'angličtina@ff.cuni.cz',
+					1 => 'literatura@ff.cuni.cz',
+				],
+			],
+		];
+
+		$grp = [];
+		for ($i = 0; $i < $groups ['count']; $i++) {
+			for ($k = 0; $k < $groups[$i][strtolower('group')]['count']; $k++) {
+				$grp[] = $groups[$i][strtolower('group')][$k];
+			}
+		}
+
+		$this->assertEquals([
+			'angličtina@ff.cuni.cz',
+			'literatura@ff.cuni.cz',
+		], $grp);
+
+		$role = '';
+		foreach (
+			[
+				'testrole' => 'literatura@ff.cuni.cz,literatura@ff.cuni.cz',
+			] as $key => $val
+		) {
+			$currentGroup = explode(',', $val);
+			// Remove whitespaces around the group-ID
+			$currentGroup = array_map('trim', $currentGroup);
+			if (0 < count(array_intersect($currentGroup, $grp))) {
+				$role = $key;
+				break;
+			}
+		}
+
+		$this->assertEquals('testrole', $role);
+	}
+}

+<?php
+
+namespace Org_Heigl\AuthLdapTest;
+
+use Generator;
+use Org_Heigl\AuthLdap\Exception\InvalidLdapUri;
+use Org_Heigl\AuthLdap\LdapUri;
+use PHPUnit\Framework\Assert;
+use PHPUnit\Framework\TestCase;
+
+use function getenv;
+use function putenv;
+
+class LdapUriTest extends TestCase
+{
+	public function toStringProvider(): Generator
+	{
+		yield ['ldaps://foo:bar@foo.bar/baz', 'ldaps://foo.bar:636', 'foo', 'bar', 'baz'];
+		yield ['env:LDAP_URI', 'ldaps://foo.bar:636', 'foo', 'bar', 'baz', [
+			'LDAP_URI' => 'ldaps://foo:bar@foo.bar/baz',
+		]];
+        yield ['ldaps://foo:%env:LDAP_PASSWORD%@foo.bar/baz', 'ldaps://foo.bar:636', 'foo', 'bar', 'baz', [
+			'LDAP_PASSWORD' => 'bar',
+        ]];
+        yield ['ldaps://foo:%env:LDAP_PASSWORD%@foo.bar/baz', 'ldaps://foo.bar:636', 'foo', 'ba r', 'baz', [
+	        'LDAP_PASSWORD' => 'ba r',
+        ]];
+    }
+
+	public function fromStringProvider(): Generator
+	{
+		yield ['ldaps://foo:bar@foo.bar/baz', false];
+		yield ['env:LDAP_URI', false];
+		yield ['foo:MyLdapUri', true];
+	}
+
+	/**
+	 * @dataProvider toStringProvider
+	 */
+	public function testToString(string $uri, string $result, $user, $password, $baseDn, array $env = []): void
+	{
+		foreach ($env as $key => $value) {
+			putenv("$key=$value");
+		}
+		$ldapUri = LdapUri::fromString($uri);
+		Assert::assertSame($result, $ldapUri->toString());
+		Assert::assertSame($user, $ldapUri->getUsername());
+		Assert::assertSame($password, $ldapUri->getPassword());
+		Assert::assertSame($baseDn, $ldapUri->getBaseDn());
+	}
+
+	/** @dataProvider fromStringProvider */
+	public function testFromString(string $uri, bool $failure = false): void
+	{
+		if ($failure) {
+			self::expectException(InvalidLdapUri::class);
+		}
+		$ldapUri = LdapUri::fromString($uri);
+		self::assertInstanceOf(LdapUri::class, $ldapUri);
+	}
+
+	public function testSettingLdapsWillSetCorrectPort(): void
+	{
+		$uri = LdapUri::fromString('ldaps://example.org/foo');
+
+		Assert::assertSame('ldaps://example.org:636', $uri->toString());
+	}
+
+	public function testSettingLdapWillSetCorrectPort(): void
+	{
+		$uri = LdapUri::fromString('ldap://example.org/foo');
+
+		Assert::assertSame('ldap://example.org:389', $uri->toString());
+	}
+
+	/**
+	 * @dataProvider anonymousProvider
+	 */
+	public function testUriIsAnonymous(string $uri): void
+	{
+		$uri = LdapUri::fromString($uri);
+		Assert::assertTrue($uri->isAnonymous());
+	}
+
+	public function anonymousProvider(): Generator
+	{
+		yield ['ldaps://test.example.com/dc=com'];
+		yield ['ldaps://foo@test.example.com/dc=com'];
+		yield ['ldaps://%20:password@test.example.com/dc=com'];
+		yield ['ldaps://anonymous:password@test.example.com/dc=com'];
+	}
+
+	public function testMissingSchemaThrows(): void
+	{
+		$this->expectException(InvalidLdapUri::class);
+
+		LdapUri::fromString('ldaps.example.com');
+	}
+
+	public function testMWrongSchemaThrows(): void
+	{
+		$this->expectException(InvalidLdapUri::class);
+
+		LdapUri::fromString('environ://ldaps.example.com');
+	}
+
+	public function testMissingHostThrows(): void
+	{
+		$this->expectException(InvalidLdapUri::class);
+
+		LdapUri::fromString('ldaps:/foo=bar');
+	}
+
+	public function testgettingUriFromEnvironment(): void
+	{
+		putenv('URI=ldaps://example.com/foo');
+		$uri = LdapUri::fromString('env:URI');
+
+		Assert::assertSame('ldaps://example.com:636', (string) $uri);
+		Assert::assertSame('foo', $uri->getBaseDn());
+	}
+
+	public function testgettingUriFromEmptyEnvironment(): void
+	{
+		putenv('URI');
+		$this->expectException(InvalidLdapUri::class);
+		$uri = LdapUri::fromString('env:URI');
+	}
+}

+<?php
+
+/**
+ * Copyright (c) 2016-2016} Andreas Heigl<andreas@heigl.org>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright 2016-2016 Andreas Heigl
+ * @license   http://www.opensource.org/licenses/mit-license.php MIT-License
+ * @version   0.0
+ * @since     07.06.2016
+ * @link      http://github.com/heiglandreas/authLDAP
+ */
+
+namespace Org_Heigl\AuthLdapTest\Manager;
+
+use Org_Heigl\AuthLdap\Exception\Error;
+use Org_Heigl\AuthLdap\LdapList;
+use Org_Heigl\AuthLdap\LdapUri;
+use Org_Heigl\AuthLdap\Manager\Ldap;
+use Org_Heigl\AuthLdap\Wrapper\Ldap as LdapWrapper;
+use Org_Heigl\AuthLdap\Wrapper\LdapFactory;
+use Org_Heigl\AuthLdap\Wrapper\LdapInterface;
+use PHPUnit\Framework\Assert;
+use PHPUnit\Framework\TestCase;
+
+class LDAPBaseTest extends TestCase
+{
+    private LdapFactory $factory;
+
+    private LdapInterface $wrapper;
+
+    public function setUp(): void
+    {
+        $this->wrapper = $this->getMockBuilder(LdapInterface::class)->getMock();
+        $this->factory = $this->getMockBuilder(LdapFactory::class)->getMock();
+        $this->factory->method('createFromLdapUri')->willReturn($this->wrapper);
+		$this->factory->method('escape')->willReturnCallback(function ($value, $ignore, $flags) {
+			return \Org_Heigl\AuthLdap\Wrapper\Ldap::escape($value, $ignore, $flags);
+		});
+    }
+
+    /**
+     * @dataProvider bindingWithPasswordProvider
+     * @testdox Binding user $user with password $password using a filter $filter works
+     */
+    public function testThatBindingWithPasswordWorks($user, $password, $filter, $uri)
+    {
+		$uri = LdapUri::fromString($uri);
+	    $this->wrapper
+		    ->method('bind')
+		    ->willReturn(true);
+
+		$this->wrapper
+			->expects($this->once())
+			->method('search')
+			->with($uri->getBaseDn(), sprintf($filter, $user));
+
+		$this->wrapper
+			->method('getEntries')
+			->willReturn(['count' => 1, 0 => ['dn' => 'foo']]);
+
+	    $ldap = new Ldap($this->factory, $uri);
+        $this->assertTrue($ldap->authenticate($user, $password, $filter));
+    }
+
+    public function bindingWithPasswordProvider()
+    {
+        return [
+            [
+                'user3',
+                'user!"',
+                'uid=%s',
+                'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=example,dc=org'
+            ], [
+//                'admin',
+//                'insecure',
+//                'cn=%s',
+//                'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=example,dc=org'
+//            ], [
+                'user1',
+                'user1',
+                'uid=%s',
+                'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=example,dc=org'
+            ], [
+                'user 4',
+                'user!"',
+                'uid=%s',
+                'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=example,dc=org'
+            ], [
+                'user 5',
+                'user!"',
+                'uid=%s',
+                'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=test%20space,dc=example,dc=org'
+            ],
+        ];
+    }
+
+    /**
+     * @param $uri
+     * @dataProvider initialBindingToLdapServerWorksProvider
+     */
+    public function testThatInitialBindingWorks($uri)
+    {
+	    $this->wrapper
+		    ->method('bind')
+		    ->willReturn(true);
+
+	    $ldap = new LDAP($this->factory, LdapUri::fromString($uri));
+        $this->assertInstanceof(Ldap::class, $ldap->bind());
+    }
+
+    /**
+     * @param $uri
+     * @dataProvider initialBindingToLdapServerWorksProvider
+     */
+    public function testThatInitialBindingToMultipleLdapsWorks($uri)
+    {
+		$this->wrapper->expects($this->once())
+	        ->method('bind')
+			->with('uid=user 5,dc=test space,dc=example,dc=org', 'user!"')
+			->willReturn(true);
+
+        $list = new LdapList();
+        $list->addLDAP(new LDAP($this->factory, LdapUri::fromString($uri)));
+        $this->assertTrue($list->bind());
+    }
+
+    public function initialBindingToLdapServerWorksProvider()
+    {
+        return [
+            ['ldap://uid=user%205,dc=test%20space,dc=example,dc=org:user!"' .
+                '@127.0.0.1:3389/dc=test%20space,dc=example,dc=org'],
+        ];
+    }
+
+    /**
+     * @dataProvider provideUnescapedData
+     */
+    public function testThatPassedDataIsEscaped($unescaped, $escaped): void
+    {
+        $ldap = new LDAP($this->factory, LdapUri::fromString(
+            'ldap://cn=admin,dc=example,dc=org:insecure@127.0.0.1:3389/dc=example,dc=org'
+        ));
+
+		$this->wrapper->expects($this->exactly(2))
+			->method('bind')
+			->withConsecutive(
+				['cn=admin,dc=example,dc=org', 'insecure'],
+				['foo', 'password'],
+			)
+			->willReturnOnConsecutiveCalls(true, true);
+		$this->wrapper->expects($this->once())->method('search')->with(
+			'dc=example,dc=org',
+			$escaped,
+			['uid'],
+		);
+		$this->wrapper->method('getEntries')->willReturn(['count' => 1, 0 => ['dn' => 'foo']]);
+
+        $ldap->authenticate($unescaped, 'password');
+    }
+
+    public function provideUnescapedData(): array
+    {
+        return [
+            ['\’foobar', '(uid=\5c’foobar)'],
+            ['XXX;(&(uid=Admin)(userPassword=A*))', '(uid=XXX;\28&\28uid=Admin\29\28userPassword=A\2a\29\29)'],
+        ];
+    }
+
+
+	public function testSettingStartTls(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->expects($this->once())->method('startTls');
+		$this->wrapper->method('bind')->willReturn(true);
+
+		$ldap->bind();
+	}
+
+
+	public function testUnsettingConnectionBeforeBinding(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->method('bind')->willReturn(true);
+		$this->wrapper->expects($this->once())->method('unbind');
+
+		$ldap->connect();
+		$ldap->disconnect();
+	}
+
+	public function testErrorIsThrownOnUnsuccessfullBInd(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->method('bind')->willReturn(false);
+		$this->expectException(Error::class);
+
+		$ldap->bind();
+	}
+
+	public function testFailingSearchThrowsError(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->method('bind')->willReturn(true);
+		$this->wrapper->method('search')->willReturn(false);
+
+		$this->expectException(Error::class);
+		$this->expectExceptionMessage('no result found');
+
+		$ldap->bind();
+		$ldap->search('uid=foo');
+	}
+
+	public function testFailingSearchResultFetchingThrowsError(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->method('bind')->willReturn(true);
+		$this->wrapper->method('search')->willReturn(true);
+		$this->wrapper->method('getEntries')->willReturn(false);
+
+		$this->expectException(Error::class);
+		$this->expectExceptionMessage('invalid results found');
+
+		$ldap->bind();
+		$ldap->search('uid=foo');
+	}
+
+	public function testSearchingWithoutBindingThrowsError(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->expectException(Error::class);
+		$this->expectExceptionMessage('No resource handle available');
+
+		$ldap->search('uid=foo');
+	}
+
+	public function testAuthenticatingFailsWithNoSearchResults(): void
+	{
+		$ldap = new Ldap($this->factory, LdapUri::fromString('ldap://example.com/foo=bar'), true);
+
+		$this->wrapper->method('bind')->willReturn(true);
+		$this->wrapper->method('search')->willReturn(true);
+		$this->wrapper->method('getEntries')->willReturn(['count' => 0]);
+
+		$ldap->bind();
+		Assert::assertFalse($ldap->authenticate('foo', 'bar'));
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+namespace Org_Heigl\AuthLdapTest;
+
+use Org_Heigl\AuthLdap\UserRoleHandler;
+use WorDBless\BaseTestCase;
+use WP_User;
+
+class UserRoleHandlerTest extends BaseTestCase
+{
+	public function testUserRolesAreAssignedAsExpected() : void
+	{
+		$user = new WP_User(1);
+
+		$handler = new UserRoleHandler();
+
+		$handler->addRolesToUser($user, ['author', 'user']);
+
+		self::assertEquals(['author'], $user->roles);
+	}
+
+	public function testEqualUserRolesAreEasy() : void
+	{
+		$user = new WP_User(1);
+		$user->add_role('administrator');
+		$user->add_role('author');
+
+		$handler = new UserRoleHandler();
+
+		$handler->addRolesToUser($user, ['administrator', 'author']);
+
+		self::assertEquals(['administrator', 'author'], $user->roles);
+	}
+	
+	public function testUserRolesAreNotAssignedWhenUserAlreadyHasRole() : void
+	{
+		$user = new WP_User(1);
+		$user->add_role('administrator');
+		$user->add_role('author');
+
+		$handler = new UserRoleHandler();
+
+		$handler->addRolesToUser($user, ['author', 'editor']);
+
+		self::assertEquals(['author', 'editor'], $user->roles);
+	}
+
+	public function testEmptyRolesAreIgnored() : void
+	{
+		$user = new WP_User(1);
+		$user->add_role('administrator');
+
+		$handler = new UserRoleHandler();
+		$handler->addRolesToUser($user, []);
+
+		self::assertEquals(['administrator'], $user->roles);
+	}
+}

+<?php
+
+/**
+ * Copyright Andreas Heigl <andreas@heigl.org>
+ *
+ * Licenses under the MIT-license. For details see the included file LICENSE.md
+ */
+
+require_once __DIR__ . '/../vendor/autoload.php'; // adjust the path as needed
+
+\WorDBless\Load::load();

+<?php
+/**
+ * Copyright (c)2014-2014 heiglandreas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIBILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @category
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright ©2014-2014 Andreas Heigl
+ * @license   http://www.opesource.org/licenses/mit-license.php MIT-License
+ * @version   0.0
+ * @since     19.12.14
+ * @link      https://github.com/heiglandreas/authLdap
+ */
+?><div class="wrap">
+    <?php if (! extension_loaded('ldap')) : ?>
+    <div class="error"><strong>Caveat:</strong> The LDAP-extension is not loaded!
+        Without that extension it is not possible to query an LDAP-Server! Please have a look
+        at <a href="http://php.net/manual/install.php">the PHP-Installation page</a>
+    </div>
+    <?php endif ?>
+    <h2>AuthLDAP Options</h2>
+    <form class="authldap-options" method="post" id="authLDAP_options" action="<?php echo $action;?>">
+        <h3 class="title">General Usage of authLDAP</h3>
+        <fieldset class="options">
+            <table class="form-table">
+                <tr>
+                    <th>
+                        <label for="authLDAPAuth">Enable Authentication via LDAP?</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPAuth" id="authLDAPAuth" value="1"<?php echo $tChecked; ?>/>
+                    </td>
+                </tr>
+                <tr>
+                    <th>
+                        <label for="authLDAPDebug">Debug AuthLDAP?</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPDebug" id="authLDAPDebug" value="1"<?php echo $tDebugChecked; ?>/>
+                    </td>
+                </tr>
+                <tr>
+                    <th>
+                        <label for="authLDAPDoNotOverwriteNonLdapUsers">Do not authenticate existing WordPress-Users</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPDoNotOverwriteNonLdapUsers" id="authLDAPDoNotOverwriteNonLdapUsers" value="1"<?php echo $tDoNotOverwriteNonLdapUsers; ?>/>
+                        <p class="description">
+                            Shall we prohibit authenticating already in WordPress created users using LDAP? If you enable this, LDAP-Users with the same user-ID
+                        as existing WordPress-Users can no longer take over the WordPress-Users account. This also means that LDAP-Users with the same User-ID as existing
+                        WordPress-Users will <strong>not</strong> be able to authenticate anymore! Accounts that have been taken over already will not be affected by this setting.
+                        </p>
+                        <p class="description">This should only be checked if you know what you are doing!</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>
+                        <label for="authLDAPCachePW">Save entered passwords in the wordpress user table?</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPCachePW" id="authLDAPCachePW" value="1"<?php echo $tPWChecked; ?>/>
+                    </td>
+                </tr>
+                <tr>
+                    <th>
+                        <label for="authLDAPGroupEnable">Map LDAP Groups to wordpress Roles?</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPGroupEnable" id="authLDAPGroupEnable" value="1"<?php echo $tGroupChecked; ?>/>
+                        <p class="description">
+                            Search LDAP for user's groups and map to Wordpress Roles.
+                        </p>
+                    </td>
+                </tr>
+            </table>
+        </fieldset>
+        <h3 class="title">General Server Settings</h3>
+        <fieldset class="options">
+            <table class="form-table">
+                <tr>
+                    <th>
+                        <label for="authLDAPURI">LDAP URI</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI"
+                          class="regular-text" value="<?php echo $authLDAPURI; ?>"/>
+                        <p class="description">
+                            The <abbr title="Uniform Ressource Identifier">URI</abbr>
+                            for connecting to the LDAP-Server. This usualy takes the form
+                            <var>&lt;scheme&gt;://&lt;user&gt;:&lt;password&gt;@&lt;server&gt;/&lt;path&gt;</var>
+                            according to RFC 1738.</p>
+                        <p class="description">
+                            In this case it schould be something like
+                            <var>ldap://uid=adminuser,dc=example,c=com:secret@ldap.example.com/dc=basePath,dc=example,c=com</var>.
+                        </p>
+                        <p class="description">
+                            If your LDAP accepts anonymous login, you can ommit the user and
+                            password-Part of the URI
+                        </p>
+                        <p class="description">
+                            You can use the pseudo-schema <em>env</em> to provide your LDAP-URI from an environment-variable. So if you have your
+                            LDAP-URI in a variable called <code>LDAP_URI</code> you can enter <code>env:LDAP_URI</code> in this field and at runtime the
+                            appropriate value will be taken from the Environment-variable <code>LDAP_URI</code>. If the varialbe is not set, then the value will be empty.
+                        </p>
+                        <p class="description">
+                            You can also provide different parts of the LDP-URI from environment variables by providing
+                            <code>%env:[VARIABLENAME]%</code> within your LDAP-URI. So if you want to provide the
+                            password from an Environment-variable <code>LDAP_PASSWORD</code> your LDAP-URI looks like
+                            <code>ldap://uid=adminuser,dc=example,c=com:%env:LDAP_PASSWORD%@ldap.example.com/dc=basePath,dc=example,c=com</code>
+                        </p>
+                        <p class="description">
+                            <strong>Caveat!</strong><br/>
+                            If you are using Environment-variables for parts of the LDAP-URL then those <strong>must not</strong> be URL-Encoded!<br/>
+                            Otherwise the different parts <strong>must</strong> be URL-Encoded!
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>
+                        <label for="authLDAPURISeparator">LDAP URI-Separator</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator"
+                               class="regular-text" value="<?php echo $authLDAPURISeparator; ?>"/>
+                        <p class="description">
+                            A separator that separates multiple LDAP-URIs from one another.
+                            You can use that feature to try to authenticate against multiple LDAP-Servers
+                            as long as they all have the same attribute-settings. The first LDAP-Server the user can
+                            authenticate against will be used to handle the user.
+                    </td>
+                </tr>
+                <tr>
+                      <th>
+                          <label for="authLDAPStartTLS" class="description">StartTLS</label>
+                      </th>
+                      <td>
+                          <input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo $tStartTLSChecked; ?>/>
+                          <p class="description">
+                              Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
+                          </p>
+                      </td>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPFilter" class="description">Filter</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)"
+                          class="regular-text" value="<?php echo $authLDAPFilter; ?>"/>
+                        <p class="description">
+                            Please provide a valid filter that can be used for querying the
+                            <abbr title="Lightweight Directory Access Protocol">LDAP</abbr>
+                            for the correct user. For more information on this
+                            feature have a look at <a href="http://andreas.heigl.org/cat/dev/wp/authldap">http://andreas.heigl.org/cat/dev/wp/authldap</a>
+                        </p>
+                        <p class="description">
+                            This field <strong>should</strong> include the string <code>%s</code>
+                            that will be replaced with the username provided during log-in
+                        </p>
+                        <p class="description">
+                            If you leave this field empty it defaults to <strong>(uid=%s)</strong>
+                        </p>
+                    </td>
+                </tr>
+            </table>
+        </fieldset>
+
+        <h3 class="title">Settings for creating new Users</h3>
+        <fieldset class="options">
+            <table class="form-table">
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPUseUserAccount">User-Read</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
+                        <p class="description">
+                            If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
+                        </p>
+						
+                    </td>
+                </tr>
+				<tr>
+                    <th scope="row">
+                        <label for="authLDAPNameAttr">Name-Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name"
+                          class="regular-text" value="<?php echo $authLDAPNameAttr; ?>"/><br />
+                        <p class="description">
+                            Which Attribute from the LDAP contains the Full or the First name
+                            of the user trying to log in.
+                        </p>
+                        <p class="description">
+                            This defaults to <strong>name</strong>
+                        </p>
+
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPSecName">Second Name Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder=""
+                          class="regular-text" value="<?php echo $authLDAPSecName; ?>" />
+                        <p class="description">
+                            If the above Name-Attribute only contains the First Name of the
+                            user you can here specify an Attribute that contains the second name.
+                        </p>
+                        <p class="description">
+                            This field is empty by default
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPUidAttr">User-ID Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid"
+                          class="regular-text" value="<?php echo $authLDAPUidAttr; ?>" />
+                        <p class="description">
+                            Please give the Attribute, that is used to identify the user. This
+                            should be the same as you used in the above <em>Filter</em>-Option
+                        </p>
+                        <p class="description">
+                            This field defaults to <strong>uid</strong>
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPMailAttr">Mail Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail"
+                          class="regular-text" value="<?php echo $authLDAPMailAttr; ?>" />
+                        <p class="description">
+                            Which Attribute holds the eMail-Address of the user?
+                        </p>
+                        <p class="description">
+                            If more than one eMail-Address are stored in the LDAP, only the first given is used
+                        </p>
+                        <p class="description">
+                            This field defaults to <strong>mail</strong>
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPWebAttr">Web-Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder=""
+                          class="regular-text" value="<?php echo $authLDAPWebAttr; ?>" />
+                        <p class="description">
+                            If your users have a personal page (URI) stored in the LDAP, it can
+                            be provided here.
+                        </p>
+                        <p class="description">
+                            This field is empty by default
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPDefaultRole">Default Role</label>
+                    </th>
+                    <td>
+                        <select name="authLDAPDefaultRole" id="authLDAPDefaultRole">
+                            <option value="" <?php echo ( $authLDAPDefaultRole == '' ? 'selected="selected"' : '' ); ?>>
+                                None (deny access)
+                            </option>
+<?php foreach ($roles->get_names() as $group => $vals) : ?>
+                            <option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>>
+                                <?php echo $vals; ?>
+                            </option>
+<?php endforeach; ?>
+                        </select>
+                        <p class="description">
+                            Here you can select the default role for users.
+                            If you enable LDAP Groups below, they will take precedence over the Default Role.
+                        </p>
+                        <p class="description">
+                            Existing users will retain their roles unless overriden by LDAP Groups below.
+                        </p>
+                    </td>
+                </tr>
+            </table>
+        </fieldset>
+
+
+        <div id="authldaprolemapping">
+        <h3 class="title">Groups for Roles</h3>
+        <fieldset class="options">
+            <table class="form-table">
+                <tr>
+                    <th>
+                        <label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label>
+                    </th>
+                    <td>
+                        <input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo $tGroupOverUserChecked; ?>/>
+                        <p class="description">
+                            If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPGroupBase">Group-Base</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder=""
+                          class="regular-text" value="<?php echo $authLDAPGroupBase; ?>" />
+                        <p class="description">
+                            This is the base dn to lookup groups.
+                        </p>
+                        <p class="description">
+                            If empty the base dn of the LDAP URI will be used
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPGroupAttr">Group-Attribute</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber"
+                          class="regular-text" value="<?php echo $authLDAPGroupAttr; ?>" />
+                        <p class="description">
+                            This is the attribute that defines the Group-ID that can be matched
+                            against the Groups defined further down
+                        </p>
+                        <p class="description">
+                            This field defaults to <strong>gidNumber</strong>
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPGroupSeparator">Group-Separator</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder=","
+                          class="regular-text" value="<?php echo $authLDAPGroupSeparator; ?>" />
+                        <p class="description">
+                            This attribute defines the separator used for the Group-IDs listed in the
+                            Groups defined further down. This is useful if the value of Group-Attribute
+                            listed above can contain a comma (for example, when using the memberof attribute)
+                        </p>
+                        <p class="description">
+                            This field defaults to <strong>, (comma)</strong>
+                        </p>
+                    </td>
+                </tr>
+                <tr>
+                    <th scope="row">
+                        <label for="authLDAPGroupFilter">Group-Filter</label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter"
+                          placeholder="(&amp;(objectClass=posixGroup)(memberUid=%s))"
+                          class="regular-text" value="<?php echo $authLDAPGroupFilter; ?>" />
+                        <p class="description">
+                            Here you can add the filter for selecting groups for ther
+                            currentlly logged in user
+                        </p>
+                        <p class="description">
+                            The Filter should contain the string <code>%s</code> which will be replaced by
+                            the login-name of the currently logged in user
+                        </p>
+                        <p class="description">
+                            Alternatively the string <code>%dn%</code> will be replaced by the
+                            DN of the currently logged in user. This can be helpfull if
+                            group-memberships are defined with DNs rather than UIDs
+                        </p>
+                        <p class="description">This field defaults to
+                            <strong>(&amp;(objectClass=posixGroup)(memberUid=%s))</strong>
+                        </p>
+                    </td>
+                </tr>
+            </table>
+        </fieldset>
+
+        <h3 class="title">Role - group mapping</h3>
+        <fieldset class="options">
+            <p class="description">You can set multiple values per role by separating them with a coma</p>
+            <p class="description">The values are empty by default</p>
+            <table class="form-table">
+                <thead>
+                    <th scope="row">Assign this WordPress-Role</th>
+                    <th style="width:auto;">to members of this/these LDAP-Groups</th>
+                </thead>
+                <tbody>
+<?php
+    foreach ($roles->get_names() as $group => $vals) :
+        $aGroup=$authLDAPGroups[$group]; ?>
+                <tr>
+                    <th scope="row" style="width:auto; min-width: 200px;">
+                        <label for="authLDAPGroups[<?php echo $group; ?>]">
+                            <?php echo $vals; ?>
+                        </label>
+                    </th>
+                    <td>
+                        <input type="text" name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]"
+                          value="<?php echo $aGroup; ?>" />
+                    </td>
+                </tr>
+<?php endforeach; ?>
+                </tbody>
+            </table>
+        </fieldset>
+            </div>
+        <fieldset class="buttons">
+            <p class="submit">
+                <input type="submit" name="ldapOptionsSave" class="button button-primary" value="Save Changes" />
+            </p>
+        </fieldset>
+    </form>
+</div>
+
+<script type="text/javascript">
+    elem = document.getElementById('authLDAPGroupEnable');
+    if(! elem.checked) {
+        document.getElementById('authldaprolemapping').setAttribute('style', 'display:none;');
+    }
+
+    elem.addEventListener('change', function(e){
+        if(! e.target.checked) {
+            document.getElementById('authldaprolemapping').setAttribute('style', 'display:none;');
+        } else {
+            document.getElementById('authldaprolemapping').removeAttribute('style');
+        }
+    });
+
+</script>

-1.4.20
\ No newline at end of file

-apiVersion: backstage.io/v1alpha1
-kind: Component
-metadata:
-  name: wp-auth-ldap
-  annotations:
-    github.com/project-slug: lampo/wp-auth-ldap
-spec:
-  type: general
-  lifecycle: production
-  owner: B2C Developers

-{
-    "name" : "lampo/wp-auth-ldap",
-    "type" : "wordpress-plugin",
-    "description": "Fork of http://github.com/heiglandreas/authLdap, moves settings to defined constants.",
-    "keywords": ["ldap","authenticate", "auth", "wordpress"],
-    "homepage": "http://github.com/lampo/wp-auth-ldap",
-    "license": "MIT",
-    "authors": [{
-        "name": "Andreas Heigl",
-        "email": "andreas@heigl.org",
-        "homepage": "http://andreas.heigl.org",
-        "role": "Developer"
-    },{
-        "name": "Micah Flatt",
-        "email": "mflatt@flattware.net",
-        "role": "Developer"
-    }],
-    "require" : {
-        "php": ">=5.4",
-        "composer/installers": "~1.0"
-    },
-    "autoload" : {
-        "psr-4" : {
-            "Org_Heigl\\AuthLdap\\" : "./"
-        }
-    }
-}

-<?php
-/**
- * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
- *
- * authLdap - Authenticate Wordpress against an LDAP-Backend.
- * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- *
- * This file handles the basic LDAP-Tasks
- *
- * @author Andreas Heigl<andreas@heigl.org>
- * @package authLdap
- * @category authLdap
- * @since 2008
- */
-namespace Org_Heigl\AuthLdap;
-
-use Exception;
-
-class LDAP
-{
-    private $_server = '';
-
-    private $_scheme = 'ldap';
-
-    private $_port = 389;
-
-    private $_baseDn = '';
-
-    private $_debug = false;
-    /**
-     * This property contains the connection handle to the ldap-server
-     *
-     * @var Ressource
-     */
-    private $_ch = null;
-
-    private $_username = '';
-
-    private $_password = '';
-
-    private $_starttls = false;
-
-    public function __construct($URI, $debug = false, $starttls = false)
-    {
-        $this->_debug=$debug;
-        $array = parse_url($URI);
-        if (! is_array($array)) {
-            throw new Exception($URI . ' seems not to be a valid URI');
-        }
-        $url = array_map(function ($item) { return urldecode($item); }, $array);
-        if (false === $url) {
-            throw new Exception($URI . ' is an invalid URL');
-        }
-        if (! isset ( $url['scheme'] )) {
-            throw new Exception($URI . ' does not provide a scheme');
-        }
-        if (0 !== strpos($url['scheme'], 'ldap')) {
-            throw new Exception($URI . ' is an invalid LDAP-URI');
-        }
-        if (! isset ( $url['host'] )) {
-            throw new Exception($URI . ' does not provide a server');
-        }
-        if (! isset ( $url['path'] )) {
-            throw new Exception($URI . ' does not provide a search-base');
-        }
-        if (1 == strlen($url['path'])) {
-            throw new Exception($URI . ' does not provide a valid search-base');
-        }
-        $this -> _server = $url['host'];
-        $this -> _scheme = $url['scheme'];
-        $this -> _baseDn = substr($url['path'], 1);
-        if (isset ( $url['user'] )) {
-            $this -> _username = $url['user'];
-        }
-        if ('' == trim($this -> _username)) {
-            $this -> _username = 'anonymous';
-        }
-        if (isset ( $url['pass'] )) {
-            $this -> _password = $url['pass'];
-        }
-        if (isset ( $url['port'] )) {
-            $this -> _port = $url['port'];
-        }
-        $this->_starttls = $starttls;
-    }
-
-    /**
-     * Connect to the given LDAP-Server
-     *
-     * @return LDAP
-     * @throws AuthLdap_Exception
-     */
-    public function connect()
-    {
-        $this -> disconnect();
-        if ('ldaps' == $this->_scheme && 389 == $this->_port) {
-            $this->_port = 636;
-        }
-
-        $this->_ch = @ldap_connect($this->_scheme . '://' . $this->_server . ':' . $this -> _port);
-        if (! $this->_ch) {
-            throw new AuthLDAP_Exception('Could not connect to the server');
-        }
-        ldap_set_option($this->_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
-        ldap_set_option($this->_ch, LDAP_OPT_REFERRALS, 0);
-        //if configured try to upgrade encryption to tls for ldap connections
-        if ($this->_starttls) {
-          ldap_start_tls($this->_ch);
-        }
-        return $this;
-    }
-
-    /**
-     * Disconnect from a resource if one is available
-     *
-     * @return LDAP
-     */
-    public function disconnect()
-    {
-        if (is_resource($this->_ch)) {
-            @ldap_unbind($this->_ch);
-        }
-        $this->_ch = null;
-        return $this;
-    }
-
-    /**
-     * Bind to an LDAP-Server with the given credentials
-     *
-     * @return LDAP
-     * @throw AuthLdap_Exception
-     */
-    public function bind()
-    {
-        if (! $this->_ch) {
-            $this->connect();
-        }
-        if (! is_resource($this->_ch)) {
-            throw new AuthLDAP_Exception('No Resource-handle given');
-        }
-        $bind = false;
-        if (( ( $this->_username )
-            && ( $this->_username != 'anonymous') )
-            && ( $this->_password != '' ) ) {
-            $bind = @ldap_bind($this->_ch, $this->_username, $this->_password);
-        } else {
-            $bind = @ldap_bind($this->_ch);
-        }
-        if (! $bind) {
-            throw new AuthLDAP_Exception('bind was not successfull: ' . ldap_error($this->_ch));
-        }
-        return $this;
-    }
-
-    public function getErrorNumber()
-    {
-        return @ldap_errno($this->_ch);
-    }
-
-    public function getErrorText()
-    {
-        return @ldap_error($this->_ch);
-    }
-
-    /**
-     * This method does the actual ldap-serch.
-     *
-     * This is using the filter <var>$filter</var> for retrieving the attributes
-     * <var>$attributes</var>
-     *
-     *
-     * @param string $filter
-     * @param array $attributes
-     * @return array
-     */
-    public function search($filter, $attributes = array('uid'))
-    {
-        if (! is_Resource($this->_ch)) {
-            throw new AuthLDAP_Exception('No resource handle avbailable');
-        }
-        $result = @ldap_search($this->_ch, $this->_baseDn, $filter, $attributes);
-        if ($result === false) {
-            throw new AuthLDAP_Exception('no result found');
-        }
-        $this->_info = @ldap_get_entries($this->_ch, $result);
-        if ($this->_info === false) {
-            throw new AuthLDAP_Exception('invalid results found');
-        }
-        return $this -> _info;
-    }
-
-    /**
-     * This method sets debugging to ON
-     */
-    public function debugOn()
-    {
-        $this->_debug = true;
-        return $this;
-    }
-
-    /**
-     * This method sets debugging to OFF
-     */
-    public function debugOff()
-    {
-        $this->_debug = false;
-        return $this;
-    }
-
-    /**
-     * This method authenticates the user <var>$username</var> using the
-     * password <var>$password</var>
-     *
-     * @param string $username
-     * @param string $password
-     * @param string $filter OPTIONAL This parameter defines the Filter to be used
-     * when searchin for the username. This MUST contain the string '%s' which
-     * will be replaced by the vaue given in <var>$username</var>
-     * @return boolean true or false depending on successfull authentication or not
-     */
-    public function authenticate($username, $password, $filter = '(uid=%s)')
-    {
-        //return true;
-        $this->connect();
-        $this->bind();
-        $res = $this->search(sprintf($filter, $username));
-        if (! $res || ! is_array($res) || ( $res ['count'] != 1 )) {
-            return false;
-        }
-        $dn = $res[0]['dn'];
-        if ($username && $password) {
-            if (@ldap_bind($this->_ch, $dn, $password)) {
-                return true;
-            }
-        }
-        return false;
-    }
-    /**
-     * $this method loggs errors if debugging is set to ON
-     */
-    public function logError()
-    {
-        if ($this->_debug) {
-            $_v = debug_backtrace();
-            throw new AuthLDAP_Exception('[LDAP_ERROR]' . ldap_errno($this->_ch) . ':' . ldap_error($this->_ch), $_v[0]['line']);
-        }
-    }
-}
-
-class AuthLDAP_Exception extends Exception
-{
-    public function __construct($message, $line = null)
-    {
-        parent :: __construct($message);
-        if ($line) {
-            $this -> line = $line;
-        }
-    }
-}

-<?php
-/*
-Plugin Name: Lampo-AuthLDAP
-Plugin URI: https://github.com/lampo/wp-auth-ldap
-Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
-Version: 1.4.20
-Author: Andreas Heigl <a.heigl@wdv.de>
-Author URI: http://andreas.heigl.org
-*/
-
-require_once dirname(__FILE__) . '/ldap.php';
-
-function authLdap_debug($message)
-{
-    if (authLdap_get_option('Debug')) {
-        error_log('[AuthLDAP] ' . $message, 0);
-    }
-}
-
-
-function authLdap_get_post($name, $default = '')
-{
-    return isset($_POST[$name]) ? $_POST[$name] : $default;
-}
-
-
-/**
- * get a LDAP server object
- *
- * throws exception if there is a problem connecting
- *
- * @conf boolean authLDAPDebug true, if debugging should be turned on
- * @conf string  authLDAPURI LDAP server URI
- *
- * @return LDAP LDAP server object
- */
-function authLdap_get_server()
-{
-    static $_ldapserver = null;
-    if (is_null($_ldapserver)) {
-        $authLDAPDebug = authLdap_get_option('Debug');
-        $authLDAPURI   = explode(
-            authLdap_get_option('URISeparator', ' '),
-            authLdap_get_option('URI')
-        );
-        $authLDAPStartTLS = authLdap_get_option('StartTLS');
-
-        //$authLDAPURI = 'ldap:/foo:bar@server/trallala';
-        authLdap_debug('connect to LDAP server');
-        require_once dirname(__FILE__) . '/src/LdapList.php';
-        $_ldapserver = new \Org_Heigl\AuthLdap\LdapList();
-        foreach ($authLDAPURI as $uri) {
-            $_ldapserver->addLdap(new \Org_Heigl\AuthLdap\LDAP($uri, $authLDAPDebug, $authLDAPStartTLS));
-        }
-    }
-    return $_ldapserver;
-}
-
-
-/**
- * This method authenticates a user using either the LDAP or, if LDAP is not
- * available, the local database
- *
- * For this we store the hashed passwords in the WP_Database to ensure working
- * conditions even without an LDAP-Connection
- *
- * @param null|WP_User|WP_Error
- * @param string $username
- * @param string $password
- * @param boolean $already_md5
- * @return boolean true, if login was successfull or false, if it wasn't
- * @conf boolean authLDAP true, if authLDAP should be used, false if not. Defaults to false
- * @conf string authLDAPFilter LDAP filter to use to find correct user, defaults to '(uid=%s)'
- * @conf string authLDAPNameAttr LDAP attribute containing user (display) name, defaults to 'name'
- * @conf string authLDAPSecName LDAP attribute containing second name, defaults to ''
- * @conf string authLDAPMailAttr LDAP attribute containing user e-mail, defaults to 'mail'
- * @conf string authLDAPUidAttr LDAP attribute containing user id (the username we log on with), defaults to 'uid'
- * @conf string authLDAPWebAttr LDAP attribute containing user website, defaults to ''
- * @conf string authLDAPDefaultRole default role for authenticated user, defaults to ''
- * @conf boolean authLDAPGroupEnable true, if we try to map LDAP groups to Wordpress roles
- * @conf boolean authLDAPGroupOverUser true, if LDAP Groups have precedence over existing user roles
- */
-function authLdap_login($user, $username, $password, $already_md5 = false)
-{
-    // don't do anything when authLDAP is disabled
-    if (! authLdap_get_option('Enabled')) {
-        authLdap_debug('LDAP disabled in AuthLDAP plugin options (use the first option in the AuthLDAP options to enable it)');
-        return $user;
-    }
-
-    // If the user has already been authenticated (only in that case we get a
-    // WP_User-Object as $user) we skip LDAP-authentication and simply return
-    // the existing user-object
-    if ($user instanceof WP_User) {
-        authLdap_debug(sprintf(
-            'User %s has already been authenticated - skipping LDAP-Authentication',
-            $user->get('nickname')));
-        return $user;
-    }
-
-    authLdap_debug("User '$username' logging in");
-
-    if ($username == 'admin') {
-        authLdap_debug('Doing nothing for possible local user admin');
-        return $user;
-    }
-
-    global $wpdb, $error;
-    try {
-        $authLDAP               = authLdap_get_option('Enabled');
-        $authLDAPFilter         = authLdap_get_option('Filter');
-        $authLDAPNameAttr       = authLdap_get_option('NameAttr');
-        $authLDAPSecName        = authLdap_get_option('SecName');
-        $authLDAPMailAttr       = authLdap_get_option('MailAttr');
-        $authLDAPUidAttr        = authLdap_get_option('UidAttr');
-        $authLDAPWebAttr        = authLdap_get_option('WebAttr');
-        $authLDAPDefaultRole    = authLdap_get_option('DefaultRole');
-        $authLDAPGroupEnable    = authLdap_get_option('GroupEnable');
-        $authLDAPGroupOverUser  = authLdap_get_option('GroupOverUser');
-
-        if (! $username) {
-            authLdap_debug('Username not supplied: return false');
-            return false;
-        }
-
-        if (! $password) {
-            authLdap_debug('Password not supplied: return false');
-            $error = __('<strong>Error</strong>: The password field is empty.');
-            return false;
-        }
-        // First check for valid values and set appropriate defaults
-        if (! $authLDAPFilter) {
-            $authLDAPFilter = '(uid=%s)';
-        }
-        if (! $authLDAPNameAttr) {
-            $authLDAPNameAttr = 'name';
-        }
-        if (! $authLDAPMailAttr) {
-            $authLDAPMailAttr = 'mail';
-        }
-        if (! $authLDAPUidAttr) {
-            $authLDAPUidAttr = 'uid';
-        }
-
-        // If already_md5 is TRUE, then we're getting the user/password from the cookie. As we don't want to store LDAP passwords in any
-        // form, we've already replaced the password with the hashed username and LDAP_COOKIE_MARKER
-        if ($already_md5) {
-            if ($password == md5($username).md5($ldapCookieMarker)) {
-                authLdap_debug('cookie authentication');
-                return true;
-            }
-        }
-
-        // No cookie, so have to authenticate them via LDAP
-        $result = false;
-        try {
-            authLdap_debug('about to do LDAP authentication');
-            $result = authLdap_get_server()->Authenticate($username, $password, $authLDAPFilter);
-        } catch (Exception $e) {
-            authLdap_debug('LDAP authentication failed with exception: ' . $e->getMessage());
-            return false;
-        }
-
-        // Rebind with the default credentials after the user has been loged in
-        // Otherwise the credentials of the user trying to login will be used
-        // This fixes #55
-        authLdap_get_server()->bind();
-
-        if (true !== $result) {
-            authLdap_debug('LDAP authentication failed');
-            // TODO what to return? WP_User object, true, false, even an WP_Error object... all seem to fall back to normal wp user authentication
-            return;
-        }
-
-        authLdap_debug('LDAP authentication successfull');
-        $attributes = array_values(
-            array_filter(
-                array(
-                    $authLDAPNameAttr,
-                    $authLDAPSecName,
-                    $authLDAPMailAttr,
-                    $authLDAPWebAttr,
-                    $authLDAPUidAttr
-                )
-            )
-        );
-
-        try {
-            $attribs = authLdap_get_server()->search(
-                sprintf($authLDAPFilter, $username),
-                $attributes
-            );
-            // First get all the relevant group informations so we can see if
-            // whether have been changes in group association of the user
-            if (! isset($attribs[0]['dn'])) {
-                authLdap_debug('could not get user attributes from LDAP');
-                throw new UnexpectedValueException('dn has not been returned');
-            }
-            if (! isset($attribs[0][strtolower($authLDAPUidAttr)][0])) {
-                authLdap_debug('could not get user attributes from LDAP');
-                throw new UnexpectedValueException('The user-ID attribute has not been returned');
-
-            }
-
-            $dn = $attribs[0]['dn'];
-            $realuid = $attribs[0][strtolower($authLDAPUidAttr)][0];
-        } catch (Exception $e) {
-            authLdap_debug('Exception getting LDAP user: ' . $e->getMessage());
-            return false;
-        }
-
-        $uid = authLdap_get_uid($realuid);
-        $role = '';
-
-        // we only need this if either LDAP groups are disabled or
-        // if the WordPress role of the user overrides LDAP groups
-        if (!$authLDAPGroupEnable || !$authLDAPGroupOverUser) {
-            $role = authLdap_user_role($uid);
-        }
-
-        // do LDAP group mapping if needed
-        // (if LDAP groups override worpress user role, $role is still empty)
-        if (empty($role) && $authLDAPGroupEnable) {
-            $role = authLdap_groupmap($realuid, $dn);
-            authLdap_debug('role from group mapping: ' . $role);
-        }
-
-        // if we don't have a role yet, use default role
-        if (empty($role) && !empty($authLDAPDefaultRole)) {
-            authLdap_debug('no role yet, set default role');
-            $role = $authLDAPDefaultRole;
-        }
-
-        if (empty($role)) {
-            // Sorry, but you are not in any group that is allowed access
-            trigger_error('no group found');
-            authLdap_debug('user is not in any group that is allowed access');
-            return false;
-        } else {
-            $roles = new WP_Roles();
-            // not sure if this is needed, but it can't hurt
-            if (!$roles->is_role($role)) {
-                trigger_error('no group found');
-                authLdap_debug('role is invalid');
-                return false;
-            }
-        }
-
-        // from here on, the user has access!
-        // now, lets update some user details
-        $user_info = array();
-        $user_info['user_login'] = $realuid;
-        $user_info['role'] = $role;
-        $user_info['user_email'] = '';
-
-        // first name
-        if (isset($attribs[0][strtolower($authLDAPNameAttr)][0])) {
-            $user_info['first_name'] = $attribs[0][strtolower($authLDAPNameAttr)][0];
-        }
-
-        // last name
-        if (isset($attribs[0][strtolower($authLDAPSecName)][0])) {
-            $user_info['last_name'] = $attribs[0][strtolower($authLDAPSecName)][0];
-        }
-
-        // mail address
-        if (isset($attribs[0][strtolower($authLDAPMailAttr)][0])) {
-            $user_info['user_email'] = $attribs[0][strtolower($authLDAPMailAttr)][0];
-        }
-
-        // website
-        if (isset($attribs[0][strtolower($authLDAPWebAttr)][0])) {
-            $user_info['user_url'] = $attribs[0][strtolower($authLDAPWebAttr)][0];
-        }
-
-        // display name, nickname, nicename
-        if (array_key_exists('first_name', $user_info)) {
-            $user_info['display_name'] = $user_info['first_name'];
-            $user_info['nickname'] = $user_info['first_name'];
-            $user_info['user_nicename'] = sanitize_title_with_dashes($user_info['first_name']);
-            if (array_key_exists('last_name', $user_info)) {
-                $user_info['display_name'] .= ' ' . $user_info['last_name'];
-                $user_info['nickname'] .= ' ' . $user_info['last_name'];
-                $user_info['user_nicename'] .= '_' . sanitize_title_with_dashes($user_info['last_name']);
-            }
-        }
-
-        // optionally store the password into the wordpress database
-        if (authLdap_get_option('CachePW')) {
-            // Password will be hashed inside wp_update_user or wp_insert_user
-            $user_info['user_pass'] = $password;
-        } else {
-            // clear the password
-            $user_info['user_pass'] = '';
-        }
-
-        // add uid if user exists
-        if ($uid) {
-            // found user in the database
-            authLdap_debug('The LDAP user has an entry in the WP-Database');
-            $user_info['ID'] = $uid;
-            unset ($user_info['display_name'], $user_info['nickname']);
-            $userid = wp_update_user($user_info);
-        } else {
-            // new wordpress account will be created
-            authLdap_debug('The LDAP user does not have an entry in the WP-Database, a new WP account will be created');
-
-            $userid = wp_insert_user($user_info);
-        }
-
-        // if the user exists, wp_insert_user will update the existing user record
-        if (is_wp_error($userid)) {
-            authLdap_debug('Error creating user : ' . $userid->get_error_message());
-            trigger_error('Error creating user: ' . $userid->get_error_message());
-            return $userid;
-        }
-
-        authLdap_debug('user id = ' . $userid);
-
-        // flag the user as an ldap user so we can hide the password fields in the user profile
-        update_user_meta($userid, 'authLDAP', true);
-
-        // return a user object upon positive authorization
-        return new WP_User($userid);
-    } catch (Exception $e) {
-        authLdap_debug($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
-        trigger_error($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
-    }
-}
-
-/**
- * Get user's user id
- *
- * Returns null if username not found
- *
- * @param string $username username
- * @param string user id, null if not found
- */
-function authLdap_get_uid($username)
-{
-    global $wpdb;
-
-    // find out whether the user is already present in the database
-    $uid = $wpdb->get_var(
-        $wpdb->prepare(
-            "SELECT ID FROM {$wpdb->users} WHERE user_login = %s",
-            $username
-        )
-    );
-    if ($uid) {
-        authLdap_debug("Existing user, uid = {$uid}");
-        return $uid;
-    } else {
-        return  null;
-    }
-}
-
-/**
- * Get the user's current role
- *
- * Returns empty string if not found.
- *
- * @param int $uid wordpress user id
- * @return string role, empty if none found
- */
-function authLdap_user_role($uid)
-{
-    global $wpdb;
-
-    if (!$uid) {
-        return '';
-    }
-
-    $meta_value = $wpdb->get_var("SELECT meta_value FROM {$wpdb->usermeta} WHERE meta_key = '{$wpdb->prefix}capabilities' AND user_id = {$uid}");
-
-    if (!$meta_value) {
-        return '';
-    }
-
-    $capabilities = unserialize($meta_value);
-    $roles = is_array($capabilities) ? array_keys($capabilities) : array('');
-    $role = $roles[0];
-
-    authLdap_debug("Existing user's role: {$role}");
-    return $role;
-}
-
-/**
- * Get LDAP groups for user and map to role
- *
- * @param string $username
- * @param string $dn
- * @return string role, empty string if no mapping found, first found role otherwise
- * @conf array authLDAPGroups, associative array, role => ldap_group
- * @conf string authLDAPGroupAttr, ldap attribute that holds name of group
- * @conf string authLDAPGroupFilter, LDAP filter to find groups. can contain %s and %dn% placeholders
- */
-function authLdap_groupmap($username, $dn)
-{
-    $authLDAPGroups         = authLdap_sort_roles_by_capabilities(
-        authLdap_get_option('Groups')
-    );
-    $authLDAPGroupAttr      = authLdap_get_option('GroupAttr');
-    $authLDAPGroupFilter    = authLdap_get_option('GroupFilter');
-    $authLDAPGroupSeparator = authLdap_get_option('GroupSeparator');
-    if (! $authLDAPGroupAttr) {
-        $authLDAPGroupAttr = 'gidNumber';
-    }
-    if (! $authLDAPGroupFilter) {
-        $authLDAPGroupFilter = '(&(objectClass=posixGroup)(memberUid=%s))';
-    }
-    if (! $authLDAPGroupSeparator) {
-        $authLDAPGroupSeparator = ',';
-    }
-
-    if (!is_array($authLDAPGroups) || count(array_filter(array_values($authLDAPGroups))) == 0) {
-        authLdap_debug('No group names defined');
-        return '';
-    }
-
-    try {
-        // To allow searches based on the DN instead of the uid, we replace the
-        // string %dn% with the users DN.
-        $authLDAPGroupFilter = str_replace('%dn%', $dn, $authLDAPGroupFilter);
-        authLdap_debug('Group Filter: ' . json_encode($authLDAPGroupFilter));
-        $groups = authLdap_get_server()->search(sprintf($authLDAPGroupFilter, $username), array($authLDAPGroupAttr));
-    } catch (Exception $e) {
-        authLdap_debug('Exception getting LDAP group attributes: ' . $e->getMessage());
-        return '';
-    }
-
-    $grp = array();
-    for ($i = 0; $i < $groups ['count']; $i++) {
-        for ($k = 0; $k < $groups[$i][strtolower($authLDAPGroupAttr)]['count']; $k++) {
-            $grp[] = $groups[$i][strtolower($authLDAPGroupAttr)][$k];
-        }
-    }
-
-    authLdap_debug('LDAP groups: ' . json_encode($grp));
-
-    // Check whether the user is member of one of the groups that are
-    // allowed acces to the blog. If the user is not member of one of
-    // The groups throw her out! ;-)
-    // If the user is member of more than one group only the first one
-    // will be taken into account!
-
-    $role = '';
-    foreach ($authLDAPGroups as $key => $val) {
-        $currentGroup = explode($authLDAPGroupSeparator, $val);
-        // Remove whitespaces around the group-ID
-        $currentGroup = array_map('trim', $currentGroup);
-        if (0 < count(array_intersect($currentGroup, $grp))) {
-            $role = $key;
-            break;
-        }
-    }
-
-    authLdap_debug("Role from LDAP group: {$role}");
-    return $role;
-}
-
-/**
- * This function disables the password-change fields in the users preferences.
- *
- * It does not make sense to authenticate via LDAP and then allow the user to
- * change the password only in the wordpress database. And changing the password
- * LDAP-wide can not be the scope of Wordpress!
- *
- * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
- * of the users meta-informations
- *
- * @return false, if the user whose prefs are viewed is an LDAP-User, true if
- * he isn't
- * @conf boolean authLDAP
- */
-function authLdap_show_password_fields($return, $user)
-{
-    if (! $user) {
-        return true;
-    }
-
-    if (get_user_meta($user->ID, 'authLDAP')) {
-        return false;
-    }
-
-    return $return;
-}
-
-/**
- * This function disables the password reset for a user.
- *
- * It does not make sense to authenticate via LDAP and then allow the user to
- * reset the password only in the wordpress database. And changing the password
- * LDAP-wide can not be the scope of Wordpress!
- *
- * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
- * of the users meta-informations
- *
- * @author chaplina (https://github.com/chaplina)
- * @conf boolean authLDAP
- * @return false, if the user is an LDAP-User, true if he isn't
- */
-function authLdap_allow_password_reset($return, $userid)
-{
-    if (!(isset($userid))) {
-        return true;
-    }
-
-    if (get_user_meta($userid, 'authLDAP')) {
-        return false;
-    }
-    return $return;
-}
-
-/**
- * Sort the given roles by number of capabilities
- *
- * @param array $roles
- *
- * @return array
- */
-function authLdap_sort_roles_by_capabilities($roles)
-{
-    global $wpdb;
-    $myRoles = get_option($wpdb->get_blog_prefix() . 'user_roles');
-
-    authLdap_debug(print_r($roles, true));
-    uasort($myRoles, 'authLdap_sortByCapabilitycount');
-
-    $return = array();
-
-    foreach ($myRoles as $key => $role) {
-        if (isset($roles[$key])) {
-            $return[$key] = $roles[$key];
-        }
-    }
-
-    authLdap_debug(print_r($return, true));
-    return $return;
-}
-
-/**
- * Sort according to the number of capabilities
- *
- * @param $a
- * @param $b
- */
-function authLdap_sortByCapabilitycount($a, $b)
-{
-    if (count($a['capabilities']) > count($b['capabilities'])) {
-        return -1;
-    }
-    if (count($a['capabilities']) < count($b['capabilities'])) {
-        return 1;
-    }
-
-    return 0;
-}
-
-/**
- * Load AuthLDAP Options
- *
- * Sets and stores defaults if options are not up to date
- */
-function authLdap_load_options($reload = false)
-{
-    static $options = null;
-
-    if( empty($options) || $reload){
-        // the current version for options
-        $option_version_plugin = 1;
-        // defaults for all options
-        $options = array(
-            'Enabled'       => false,
-            'CachePW'       => false,
-            'URI'           => '',
-            'URISeparator'  => ' ',
-            'Filter'        => '', // '(uid=%s)'
-            'NameAttr'      => '', // 'name'
-            'SecName'       => '',
-            'UidAttr'       => '', // 'uid'
-            'MailAttr'      => '', // 'mail'
-            'WebAttr'       => '',
-            'Groups'        => array(),
-            'Debug'         => false,
-            'GroupAttr'     => '', // 'gidNumber'
-            'GroupFilter'   => '', // '(&(objectClass=posixGroup)(memberUid=%s))'
-            'DefaultRole'   => '',
-            'GroupEnable'   => true,
-            'GroupOverUser' => true,
-            'Version'       => $option_version_plugin,
-        );
-
-        // 2016-12-23 MLF (why we forked) Set any options we can find via defined constants
-        foreach($options as $option_name => $option_value) {
-            $constant_name = 'AUTHLDAP_'.strtoupper($option_name);
-            if( defined($constant_name) ){
-                $options[$option_name] = constant($constant_name);
-            }
-        }
-    }
-
-    return $options;
-}
-
-/**
- * Get an individual option
- */
-function authLdap_get_option($optionname, $default = null)
-{
-    $options = authLdap_load_options();
-    if (isset($options[$optionname]) && $options[$optionname]) {
-        return $options[$optionname];
-    }
-
-    if (null !== $default) {
-        return $default;
-    }
-
-    //authLdap_debug('option name invalid: ' . $optionname);
-    return null;
-}
-
-
-/**
- * Do not send an email after changing the password or the email of the user!
- *
- * @param boolean $result      The initial resturn value
- * @param array   $user        The old userdata
- * @param array   $newUserData The changed userdata
- *
- * @return bool
- */
-function authLdap_send_change_email($result, $user, $newUserData)
-{
-    if (get_usermeta($user['ID'], 'authLDAP')) {
-        return false;
-    }
-
-    return $result;
-}
-
-add_filter('show_password_fields', 'authLdap_show_password_fields', 10, 2);
-add_filter('allow_password_reset', 'authLdap_allow_password_reset', 10, 2);
-add_filter('authenticate', 'authLdap_login', 10, 3);
-/** This only works from WP 4.3.0 on */
-add_filter('send_password_change_email', 'authLdap_send_change_email', 10, 3);
-add_filter('send_email_change_email', 'authLdap_send_change_email', 10, 3);