wp-auth-ldap

Signed-off-by: Jeff <jeff@gotenzing.com>

+vendor
+composer.lock
+.svnAccess
\ No newline at end of file

+# authLDAP
+
+[![Join the chat at https://gitter.im/heiglandreas/authLdap](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/heiglandreas/authLdap?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+Use your existing LDAP as authentication-backend for your wordpress!
+
+[![Build Status](https://travis-ci.org/heiglandreas/authLdap.svg?branch=master)](https://travis-ci.org/heiglandreas/authLdap)
+[![WordPress Stats](https://img.shields.io/wordpress/plugin/dt/authldap.svg)](https://wordpress.org/plugins/authldap/stats/)
+[![WordPress Version](https://img.shields.io/wordpress/plugin/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
+[![WordPress testet](https://img.shields.io/wordpress/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
+[![Code Climate](https://codeclimate.com/github/heiglandreas/authLdap/badges/gpa.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
+[![Test Coverage](https://codeclimate.com/github/heiglandreas/authLdap/badges/coverage.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
+
+So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
+
+* **Flexible**: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can
+freely decide how to do the authentication of your users. It simply depends on your
+filters
+* **Independent**: As soon as a user logs in, it is added/updated to the Wordpress' user-database
+to allow wordpress to always use the correct data. You only have to administer your users once.
+* **Failsafe**: Due to the users being created in Wordpress' User-database they can
+also log in when the LDAP-backend currently is gone.
+* **Role-Aware**: You can map Wordpress' roles to values of an existing LDAP-attribute.
+
+## How does the plugin work?
+
+Well, as a matter of fact it is rather simple. The plugin verifies, that the user
+seeking authentification can bind to the LDAP using the provided password.
+
+If that is so, the user is either created or updated in the wordpress-user-database.
+This update includes the provided password (so the wordpress can authenticate users
+even without the LDAP), the users name according to the authLDAP-preferences and
+the status of the user depending on the groups-settings of the authLDAP-preferences
+
+Writing this plugin would not have been as easy as it has been, without the
+wonderfull plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=45
+
+## Configuration
+
+### Usage Settings
+
+* **Enable Authentication via LDAP** Whether you want to enable authLdap for login or not
+* **debug authLdap** When you have problems with authentication via LDAP you can enable a debugging mode here.
+* **Save entered Password** Decide whether passwords will be cached in your wordpress-installation. **Attention:** Without the cache your users will not be able to log into your site when your LDAP is down!
+
+### Server Settings
+
+* **LDAP Uri** This is the URI where your ldap-backend can be reached. More information are actually on the Configuration page
+* **Filter** This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter a %s will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username the following happens:
+
+    * **uid=%s** check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
+    * **(&(objectclass=posixAccount)((!(uid=%s)(mail=%s)))** check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccout’ and either a UID- or a mail-attribute with value ‘foobar’
+
+    This filter is rather powerfull if used wisely.
+
+### Creating Users
+
+* **Name-Attribute** Which Attribute from the LDAP contains the Full or the First name of the user trying to log in. This defaults to name
+* **Second Name Attribute** If the above Name-Attribute only contains the First Name of the user you can here specify an Attribute that contains the second name. This field is empty by default
+* **User-ID Attribute** This field will be used as login-name for wordpress. Please give the Attribute, that is used to identify the user. This should be the same as you used in the above Filter-Option. This field defaults to uid
+* **Mail Attribute** Which Attribute holds the eMail-Address of the user? If more than one eMail-Address are stored in the LDAP, only the first given is used. This field defaults to mail
+* **Web-Attribute** If your users have a personal page (URI) stored in the LDAP, it can be provided here. This field is empty by default
+
+### User-Groups for Roles
+
+* **Group-Attribute** This is the attribute that defines the Group-ID that can be matched against the Groups defined further down This field defaults to gidNumber.
+* **Group-Filter** Here you can add the filter for selecting groups for the currentlly logged in user The Filter should contain the string %s which will be replaced by the login-name of the currently logged in
+
+
+## FAQ
+
+<dl>
+    <dt>Can I change a users password with this plugin?</dt>
+    <dd>Short Answer: <strong>No</strong>!<br>Long Answer: As the users credentials are not
+    only used for a wordpress-site when you authenticate against an LDAP but for
+    many other services also chances are great that there is a centralized place
+    where password-changes shall be made. We'll later allow inclusion of a link
+    to such a place but currently it's not available. And as password-hashing and
+    where to store it requires deeper insight into the LDAP-Server then most users
+    have and admins are willing to give, password changes are out of scope of this
+    plugin. If you know exactyl what you do, you might want to have a look at
+    <a href="https://github.com/heiglandreas/authLdap/issues/54#issuecomment-125851029">
+    issue 54</a>
+    wherer a way of adding it is described!
+    </dd>
+    <dt>Can I add a user to the LDAP when she creates a user-account on wordpress?</dt>
+    <dd>Short Answer: <strong>No</strong>!<br>Long Answer: Even though that is technically possible
+    it's not in the scope of this plugin. As creating a user in an LDAP often involves
+    an administrative process that has already been implemented in your departments
+    administration it doesn't make sense to rebuild that - in most cases highly
+    individual - process in this plugin. If you know exactly what you do, have a look at
+    <a href="https://github.com/heiglandreas/authLdap/issues/65">issue 65</a>
+    where <a href="https://github.com/wtfiwtz">wtfiwtz</a> shows how to implement that feature.
+    </dd>
+    </dl>
\ No newline at end of file

+1.4.20
\ No newline at end of file

+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: wp-auth-ldap
+  annotations:
+    github.com/project-slug: lampo/wp-auth-ldap
+spec:
+  type: general
+  lifecycle: production
+  owner: B2C Developers

+{
+    "name" : "lampo/wp-auth-ldap",
+    "type" : "wordpress-plugin",
+    "description": "Fork of http://github.com/heiglandreas/authLdap, moves settings to defined constants.",
+    "keywords": ["ldap","authenticate", "auth", "wordpress"],
+    "homepage": "http://github.com/lampo/wp-auth-ldap",
+    "license": "MIT",
+    "authors": [{
+        "name": "Andreas Heigl",
+        "email": "andreas@heigl.org",
+        "homepage": "http://andreas.heigl.org",
+        "role": "Developer"
+    },{
+        "name": "Micah Flatt",
+        "email": "mflatt@flattware.net",
+        "role": "Developer"
+    }],
+    "require" : {
+        "php": ">=5.4",
+        "composer/installers": "~1.0"
+    },
+    "autoload" : {
+        "psr-4" : {
+            "Org_Heigl\\AuthLdap\\" : "./"
+        }
+    }
+}

+<?php
+/**
+ * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
+ *
+ * authLdap - Authenticate Wordpress against an LDAP-Backend.
+ * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * This file handles the basic LDAP-Tasks
+ *
+ * @author Andreas Heigl<andreas@heigl.org>
+ * @package authLdap
+ * @category authLdap
+ * @since 2008
+ */
+namespace Org_Heigl\AuthLdap;
+
+use Exception;
+
+class LDAP
+{
+    private $_server = '';
+
+    private $_scheme = 'ldap';
+
+    private $_port = 389;
+
+    private $_baseDn = '';
+
+    private $_debug = false;
+    /**
+     * This property contains the connection handle to the ldap-server
+     *
+     * @var Ressource
+     */
+    private $_ch = null;
+
+    private $_username = '';
+
+    private $_password = '';
+
+    private $_starttls = false;
+
+    public function __construct($URI, $debug = false, $starttls = false)
+    {
+        $this->_debug=$debug;
+        $array = parse_url($URI);
+        if (! is_array($array)) {
+            throw new Exception($URI . ' seems not to be a valid URI');
+        }
+        $url = array_map(function ($item) { return urldecode($item); }, $array);
+        if (false === $url) {
+            throw new Exception($URI . ' is an invalid URL');
+        }
+        if (! isset ( $url['scheme'] )) {
+            throw new Exception($URI . ' does not provide a scheme');
+        }
+        if (0 !== strpos($url['scheme'], 'ldap')) {
+            throw new Exception($URI . ' is an invalid LDAP-URI');
+        }
+        if (! isset ( $url['host'] )) {
+            throw new Exception($URI . ' does not provide a server');
+        }
+        if (! isset ( $url['path'] )) {
+            throw new Exception($URI . ' does not provide a search-base');
+        }
+        if (1 == strlen($url['path'])) {
+            throw new Exception($URI . ' does not provide a valid search-base');
+        }
+        $this -> _server = $url['host'];
+        $this -> _scheme = $url['scheme'];
+        $this -> _baseDn = substr($url['path'], 1);
+        if (isset ( $url['user'] )) {
+            $this -> _username = $url['user'];
+        }
+        if ('' == trim($this -> _username)) {
+            $this -> _username = 'anonymous';
+        }
+        if (isset ( $url['pass'] )) {
+            $this -> _password = $url['pass'];
+        }
+        if (isset ( $url['port'] )) {
+            $this -> _port = $url['port'];
+        }
+        $this->_starttls = $starttls;
+    }
+
+    /**
+     * Connect to the given LDAP-Server
+     *
+     * @return LDAP
+     * @throws AuthLdap_Exception
+     */
+    public function connect()
+    {
+        $this -> disconnect();
+        if ('ldaps' == $this->_scheme && 389 == $this->_port) {
+            $this->_port = 636;
+        }
+
+        $this->_ch = @ldap_connect($this->_scheme . '://' . $this->_server . ':' . $this -> _port);
+        if (! $this->_ch) {
+            throw new AuthLDAP_Exception('Could not connect to the server');
+        }
+        ldap_set_option($this->_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
+        ldap_set_option($this->_ch, LDAP_OPT_REFERRALS, 0);
+        //if configured try to upgrade encryption to tls for ldap connections
+        if ($this->_starttls) {
+          ldap_start_tls($this->_ch);
+        }
+        return $this;
+    }
+
+    /**
+     * Disconnect from a resource if one is available
+     *
+     * @return LDAP
+     */
+    public function disconnect()
+    {
+        if (is_resource($this->_ch)) {
+            @ldap_unbind($this->_ch);
+        }
+        $this->_ch = null;
+        return $this;
+    }
+
+    /**
+     * Bind to an LDAP-Server with the given credentials
+     *
+     * @return LDAP
+     * @throw AuthLdap_Exception
+     */
+    public function bind()
+    {
+        if (! $this->_ch) {
+            $this->connect();
+        }
+        if (! is_resource($this->_ch)) {
+            throw new AuthLDAP_Exception('No Resource-handle given');
+        }
+        $bind = false;
+        if (( ( $this->_username )
+            && ( $this->_username != 'anonymous') )
+            && ( $this->_password != '' ) ) {
+            $bind = @ldap_bind($this->_ch, $this->_username, $this->_password);
+        } else {
+            $bind = @ldap_bind($this->_ch);
+        }
+        if (! $bind) {
+            throw new AuthLDAP_Exception('bind was not successfull: ' . ldap_error($this->_ch));
+        }
+        return $this;
+    }
+
+    public function getErrorNumber()
+    {
+        return @ldap_errno($this->_ch);
+    }
+
+    public function getErrorText()
+    {
+        return @ldap_error($this->_ch);
+    }
+
+    /**
+     * This method does the actual ldap-serch.
+     *
+     * This is using the filter <var>$filter</var> for retrieving the attributes
+     * <var>$attributes</var>
+     *
+     *
+     * @param string $filter
+     * @param array $attributes
+     * @return array
+     */
+    public function search($filter, $attributes = array('uid'))
+    {
+        if (! is_Resource($this->_ch)) {
+            throw new AuthLDAP_Exception('No resource handle avbailable');
+        }
+        $result = @ldap_search($this->_ch, $this->_baseDn, $filter, $attributes);
+        if ($result === false) {
+            throw new AuthLDAP_Exception('no result found');
+        }
+        $this->_info = @ldap_get_entries($this->_ch, $result);
+        if ($this->_info === false) {
+            throw new AuthLDAP_Exception('invalid results found');
+        }
+        return $this -> _info;
+    }
+
+    /**
+     * This method sets debugging to ON
+     */
+    public function debugOn()
+    {
+        $this->_debug = true;
+        return $this;
+    }
+
+    /**
+     * This method sets debugging to OFF
+     */
+    public function debugOff()
+    {
+        $this->_debug = false;
+        return $this;
+    }
+
+    /**
+     * This method authenticates the user <var>$username</var> using the
+     * password <var>$password</var>
+     *
+     * @param string $username
+     * @param string $password
+     * @param string $filter OPTIONAL This parameter defines the Filter to be used
+     * when searchin for the username. This MUST contain the string '%s' which
+     * will be replaced by the vaue given in <var>$username</var>
+     * @return boolean true or false depending on successfull authentication or not
+     */
+    public function authenticate($username, $password, $filter = '(uid=%s)')
+    {
+        //return true;
+        $this->connect();
+        $this->bind();
+        $res = $this->search(sprintf($filter, $username));
+        if (! $res || ! is_array($res) || ( $res ['count'] != 1 )) {
+            return false;
+        }
+        $dn = $res[0]['dn'];
+        if ($username && $password) {
+            if (@ldap_bind($this->_ch, $dn, $password)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * $this method loggs errors if debugging is set to ON
+     */
+    public function logError()
+    {
+        if ($this->_debug) {
+            $_v = debug_backtrace();
+            throw new AuthLDAP_Exception('[LDAP_ERROR]' . ldap_errno($this->_ch) . ':' . ldap_error($this->_ch), $_v[0]['line']);
+        }
+    }
+}
+
+class AuthLDAP_Exception extends Exception
+{
+    public function __construct($message, $line = null)
+    {
+        parent :: __construct($message);
+        if ($line) {
+            $this -> line = $line;
+        }
+    }
+}

+=== authLdap ===
+Contributors: heiglandreas
+Tags: ldap, auth
+Requires at least: 2.5.0
+Tested up to: 4.6.1
+Stable tag: trunk
+
+Use your existing LDAP flexible as authentication backend for WordPress
+
+== Description ==
+
+Use your existing LDAP as authentication-backend for your wordpress!
+
+So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
+
+* Flexible: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can
+freely decide how to do the authentication of your users. It simply depends on your
+filters
+* Independent: As soon as a user logs in, it is added/updated to the Wordpress' user-database
+to allow wordpress to always use the correct data. You only have to administer your users once.
+* Failsafe: Due to the users being created in Wordpress' User-database they can
+also log in when the LDAP-backend currently is gone.
+* Role-Aware: You can map Wordpress' roles to values of an existing LDAP-attribute.
+
+For more Information on the configuration have a look at https://github.com/heiglandreas/authLdap
+
+== Installation ==
+
+1. Upload the extracted folder `authLdap` to the `/wp-content/plugins/` directory
+2. Activate the plugin through the 'Plugins' menu in WordPress
+3. Configure the Plugin via the 'authLdap'-Configuration-Page.
+
+== Frequently Asked Questions ==
+
+= Where can I find more Informations about the plugin? =
+
+Go to https://github.com/heiglandreas/authLdap
+
+= Where can I report issues with the plugin? =
+
+Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
+
+== Changelog ==
+= 1.4.20 =
+* Allows multiple LDAP-servers to be queried (given that they use the same attributes)
+* Fixes issue with URL-Encoded informations (see https://github.com/heiglandreas/authLdap/issues/108)
+
+= 1.4.19 =
+* Adds support for TLS
+
+= 1.4.14 =
+* Update to showing password-fields check (thanks to @chaplina)
+
+= 1.4.13 =
+* Removed generation of default email-address (thanks to @henryk)
+* Fixes password-hashing when caching passwords (thanks to @litinoveweedle)
+* Removes the possibility to reset a password for LDAP-based users (thanks to @chaplina)
+* Removes the password-change-Email from 4.3 on (thanks to @litinoveweedle)
+* Fixes double authentication-attempt (that resulted in failed authentication) (thanks to @litinoveweedle)
+
+= 1.4.10 =
+* Cleanup by removing deprecated code
+* Fixes issues with undefined variables
+* Enables internal option-versioning
+* Setting users nickname initially to the realname instead of the uid
+* Fixes display of password-change possibility in users profile-page
+= 1.4.9 =
+* Fixed an issue with changing display name on every login
+* Use proper way of looking up user-roles in setups w/o DB-prefix
+= 1.4.8 =
+* Updated version string
+= 1.4.7 =
+* Use default user to retrieve group menberships and not logging in user.
+* return the UID from the LDAP instead of the value given by the user
+* remove unnecessary checkbox
+* Adds a testsuite
+* Fixes PSR2 violations
+
+[…]
+    
+= 1.2.1 =
+* Fixed an issue with group-ids
+* Moved the code to GitHub (https://github.com/heiglandreas/authLdap)
+= 1.1.0 =
+* Changed the login-process. Now users that are not allowed to login due to
+missing group-memberships are not created within your blog as was the standard
+until Version 1.0.3 - Thanks to alex@tayts.com
+* Changed the default mail-address that is created when no mail-address can be
+retrieved from the LDAP from me@example.com to $username@example.com so that
+a new user can be created even though the mail address already exists in your
+blog - Also thanks to alex@tayts.com
+* Added support for WordPress-Table-prefixes as the capabilities of a user
+are interlany stored in a field that is named "$tablePrefix_capabilities" -
+again thanks to alex@tayts.com and also to sim0n of silicium.mine.nu

+<?php
+/**
+ * Copyright (c) Andreas Heigl<andreas@heigl.org>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright Andreas Heigl
+ * @license   http://www.opensource.org/licenses/mit-license.php MIT-License
+ * @since     07.07.2016
+ * @link      http://github.com/heiglandreas/authLDAP
+ */
+
+namespace Org_Heigl\AuthLdap;
+
+class LdapList
+{
+    /**
+     * @var \LDAP[]
+     */
+    protected $items = [];
+
+    public function addLdap(LDAP $ldap)
+    {
+        $this->items[] = $ldap;
+    }
+
+    public function authenticate($username, $password, $filter = '(uid=%s)')
+    {
+        foreach ($this->items as $key => $item) {
+            if (! $item->authenticate($username, $password, $filter)) {
+                unset ($this->items[$key]);
+                continue;
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    public function bind()
+    {
+        $allFailed = true;
+        foreach ($this->items as $key => $item) {
+            try {
+                $item->bind();
+            } catch (\Exception $e) {
+                unset($this->items[$key]);
+                continue;
+            }
+            $allFailed = false;
+        }
+
+        if ($allFailed) {
+            throw new AuthLDAP_Exception('No bind successfull');
+        }
+    }
+
+    public function search($filter, $attributes = array('uid'))
+    {
+        foreach ($this->items as $item) {
+            try {
+                $result = $item->search($filter, $attributes);
+                return $result;
+            } catch (Exception $e) {
+                throw $e;
+            }
+        }
+
+        throw new \AuthLDAP_Exception('No Results found');
+    }
+}
\ No newline at end of file