wp-auth-ldap

Signed-off-by: Jeff <jeff@gotenzing.com>

+vendor
+composer.lock
+.svnAccess
\ No newline at end of file

+# authLDAP
+
+[![Join the chat at https://gitter.im/heiglandreas/authLdap](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/heiglandreas/authLdap?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+Use your existing LDAP as authentication-backend for your wordpress!
+
+[![Build Status](https://travis-ci.org/heiglandreas/authLdap.svg?branch=master)](https://travis-ci.org/heiglandreas/authLdap)
+[![WordPress Stats](https://img.shields.io/wordpress/plugin/dt/authldap.svg)](https://wordpress.org/plugins/authldap/stats/)
+[![WordPress Version](https://img.shields.io/wordpress/plugin/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
+[![WordPress testet](https://img.shields.io/wordpress/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
+[![Code Climate](https://codeclimate.com/github/heiglandreas/authLdap/badges/gpa.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
+[![Test Coverage](https://codeclimate.com/github/heiglandreas/authLdap/badges/coverage.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
+
+So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
+
+* **Flexible**: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can
+freely decide how to do the authentication of your users. It simply depends on your
+filters
+* **Independent**: As soon as a user logs in, it is added/updated to the Wordpress' user-database
+to allow wordpress to always use the correct data. You only have to administer your users once.
+* **Failsafe**: Due to the users being created in Wordpress' User-database they can
+also log in when the LDAP-backend currently is gone.
+* **Role-Aware**: You can map Wordpress' roles to values of an existing LDAP-attribute.
+
+## How does the plugin work?
+
+Well, as a matter of fact it is rather simple. The plugin verifies, that the user
+seeking authentification can bind to the LDAP using the provided password.
+
+If that is so, the user is either created or updated in the wordpress-user-database.
+This update includes the provided password (so the wordpress can authenticate users
+even without the LDAP), the users name according to the authLDAP-preferences and
+the status of the user depending on the groups-settings of the authLDAP-preferences
+
+Writing this plugin would not have been as easy as it has been, without the
+wonderfull plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=45
+
+## Configuration
+
+### Usage Settings
+
+* **Enable Authentication via LDAP** Whether you want to enable authLdap for login or not
+* **debug authLdap** When you have problems with authentication via LDAP you can enable a debugging mode here.
+* **Save entered Password** Decide whether passwords will be cached in your wordpress-installation. **Attention:** Without the cache your users will not be able to log into your site when your LDAP is down!
+
+### Server Settings
+
+* **LDAP Uri** This is the URI where your ldap-backend can be reached. More information are actually on the Configuration page
+* **Filter** This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter a %s will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username the following happens:
+
+    * **uid=%s** check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
+    * **(&(objectclass=posixAccount)((!(uid=%s)(mail=%s)))** check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccout’ and either a UID- or a mail-attribute with value ‘foobar’
+
+    This filter is rather powerfull if used wisely.
+
+### Creating Users
+
+* **Name-Attribute** Which Attribute from the LDAP contains the Full or the First name of the user trying to log in. This defaults to name
+* **Second Name Attribute** If the above Name-Attribute only contains the First Name of the user you can here specify an Attribute that contains the second name. This field is empty by default
+* **User-ID Attribute** This field will be used as login-name for wordpress. Please give the Attribute, that is used to identify the user. This should be the same as you used in the above Filter-Option. This field defaults to uid
+* **Mail Attribute** Which Attribute holds the eMail-Address of the user? If more than one eMail-Address are stored in the LDAP, only the first given is used. This field defaults to mail
+* **Web-Attribute** If your users have a personal page (URI) stored in the LDAP, it can be provided here. This field is empty by default
+
+### User-Groups for Roles
+
+* **Group-Attribute** This is the attribute that defines the Group-ID that can be matched against the Groups defined further down This field defaults to gidNumber.
+* **Group-Filter** Here you can add the filter for selecting groups for the currentlly logged in user The Filter should contain the string %s which will be replaced by the login-name of the currently logged in
+
+
+## FAQ
+
+<dl>
+    <dt>Can I change a users password with this plugin?</dt>
+    <dd>Short Answer: <strong>No</strong>!<br>Long Answer: As the users credentials are not
+    only used for a wordpress-site when you authenticate against an LDAP but for
+    many other services also chances are great that there is a centralized place
+    where password-changes shall be made. We'll later allow inclusion of a link
+    to such a place but currently it's not available. And as password-hashing and
+    where to store it requires deeper insight into the LDAP-Server then most users
+    have and admins are willing to give, password changes are out of scope of this
+    plugin. If you know exactyl what you do, you might want to have a look at
+    <a href="https://github.com/heiglandreas/authLdap/issues/54#issuecomment-125851029">
+    issue 54</a>
+    wherer a way of adding it is described!
+    </dd>
+    <dt>Can I add a user to the LDAP when she creates a user-account on wordpress?</dt>
+    <dd>Short Answer: <strong>No</strong>!<br>Long Answer: Even though that is technically possible
+    it's not in the scope of this plugin. As creating a user in an LDAP often involves
+    an administrative process that has already been implemented in your departments
+    administration it doesn't make sense to rebuild that - in most cases highly
+    individual - process in this plugin. If you know exactly what you do, have a look at
+    <a href="https://github.com/heiglandreas/authLdap/issues/65">issue 65</a>
+    where <a href="https://github.com/wtfiwtz">wtfiwtz</a> shows how to implement that feature.
+    </dd>
+    </dl>
\ No newline at end of file

+1.4.20
\ No newline at end of file

+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: wp-auth-ldap
+  annotations:
+    github.com/project-slug: lampo/wp-auth-ldap
+spec:
+  type: general
+  lifecycle: production
+  owner: B2C Developers

+{
+    "name" : "lampo/wp-auth-ldap",
+    "type" : "wordpress-plugin",
+    "description": "Fork of http://github.com/heiglandreas/authLdap, moves settings to defined constants.",
+    "keywords": ["ldap","authenticate", "auth", "wordpress"],
+    "homepage": "http://github.com/lampo/wp-auth-ldap",
+    "license": "MIT",
+    "authors": [{
+        "name": "Andreas Heigl",
+        "email": "andreas@heigl.org",
+        "homepage": "http://andreas.heigl.org",
+        "role": "Developer"
+    },{
+        "name": "Micah Flatt",
+        "email": "mflatt@flattware.net",
+        "role": "Developer"
+    }],
+    "require" : {
+        "php": ">=5.4",
+        "composer/installers": "~1.0"
+    },
+    "autoload" : {
+        "psr-4" : {
+            "Org_Heigl\\AuthLdap\\" : "./"
+        }
+    }
+}

+<?php
+/**
+ * $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
+ *
+ * authLdap - Authenticate Wordpress against an LDAP-Backend.
+ * Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * This file handles the basic LDAP-Tasks
+ *
+ * @author Andreas Heigl<andreas@heigl.org>
+ * @package authLdap
+ * @category authLdap
+ * @since 2008
+ */
+namespace Org_Heigl\AuthLdap;
+
+use Exception;
+
+class LDAP
+{
+    private $_server = '';
+
+    private $_scheme = 'ldap';
+
+    private $_port = 389;
+
+    private $_baseDn = '';
+
+    private $_debug = false;
+    /**
+     * This property contains the connection handle to the ldap-server
+     *
+     * @var Ressource
+     */
+    private $_ch = null;
+
+    private $_username = '';
+
+    private $_password = '';
+
+    private $_starttls = false;
+
+    public function __construct($URI, $debug = false, $starttls = false)
+    {
+        $this->_debug=$debug;
+        $array = parse_url($URI);
+        if (! is_array($array)) {
+            throw new Exception($URI . ' seems not to be a valid URI');
+        }
+        $url = array_map(function ($item) { return urldecode($item); }, $array);
+        if (false === $url) {
+            throw new Exception($URI . ' is an invalid URL');
+        }
+        if (! isset ( $url['scheme'] )) {
+            throw new Exception($URI . ' does not provide a scheme');
+        }
+        if (0 !== strpos($url['scheme'], 'ldap')) {
+            throw new Exception($URI . ' is an invalid LDAP-URI');
+        }
+        if (! isset ( $url['host'] )) {
+            throw new Exception($URI . ' does not provide a server');
+        }
+        if (! isset ( $url['path'] )) {
+            throw new Exception($URI . ' does not provide a search-base');
+        }
+        if (1 == strlen($url['path'])) {
+            throw new Exception($URI . ' does not provide a valid search-base');
+        }
+        $this -> _server = $url['host'];
+        $this -> _scheme = $url['scheme'];
+        $this -> _baseDn = substr($url['path'], 1);
+        if (isset ( $url['user'] )) {
+            $this -> _username = $url['user'];
+        }
+        if ('' == trim($this -> _username)) {
+            $this -> _username = 'anonymous';
+        }
+        if (isset ( $url['pass'] )) {
+            $this -> _password = $url['pass'];
+        }
+        if (isset ( $url['port'] )) {
+            $this -> _port = $url['port'];
+        }
+        $this->_starttls = $starttls;
+    }
+
+    /**
+     * Connect to the given LDAP-Server
+     *
+     * @return LDAP
+     * @throws AuthLdap_Exception
+     */
+    public function connect()
+    {
+        $this -> disconnect();
+        if ('ldaps' == $this->_scheme && 389 == $this->_port) {
+            $this->_port = 636;
+        }
+
+        $this->_ch = @ldap_connect($this->_scheme . '://' . $this->_server . ':' . $this -> _port);
+        if (! $this->_ch) {
+            throw new AuthLDAP_Exception('Could not connect to the server');
+        }
+        ldap_set_option($this->_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
+        ldap_set_option($this->_ch, LDAP_OPT_REFERRALS, 0);
+        //if configured try to upgrade encryption to tls for ldap connections
+        if ($this->_starttls) {
+          ldap_start_tls($this->_ch);
+        }
+        return $this;
+    }
+
+    /**
+     * Disconnect from a resource if one is available
+     *
+     * @return LDAP
+     */
+    public function disconnect()
+    {
+        if (is_resource($this->_ch)) {
+            @ldap_unbind($this->_ch);
+        }
+        $this->_ch = null;
+        return $this;
+    }
+
+    /**
+     * Bind to an LDAP-Server with the given credentials
+     *
+     * @return LDAP
+     * @throw AuthLdap_Exception
+     */
+    public function bind()
+    {
+        if (! $this->_ch) {
+            $this->connect();
+        }
+        if (! is_resource($this->_ch)) {
+            throw new AuthLDAP_Exception('No Resource-handle given');
+        }
+        $bind = false;
+        if (( ( $this->_username )
+            && ( $this->_username != 'anonymous') )
+            && ( $this->_password != '' ) ) {
+            $bind = @ldap_bind($this->_ch, $this->_username, $this->_password);
+        } else {
+            $bind = @ldap_bind($this->_ch);
+        }
+        if (! $bind) {
+            throw new AuthLDAP_Exception('bind was not successfull: ' . ldap_error($this->_ch));
+        }
+        return $this;
+    }
+
+    public function getErrorNumber()
+    {
+        return @ldap_errno($this->_ch);
+    }
+
+    public function getErrorText()
+    {
+        return @ldap_error($this->_ch);
+    }
+
+    /**
+     * This method does the actual ldap-serch.
+     *
+     * This is using the filter <var>$filter</var> for retrieving the attributes
+     * <var>$attributes</var>
+     *
+     *
+     * @param string $filter
+     * @param array $attributes
+     * @return array
+     */
+    public function search($filter, $attributes = array('uid'))
+    {
+        if (! is_Resource($this->_ch)) {
+            throw new AuthLDAP_Exception('No resource handle avbailable');
+        }
+        $result = @ldap_search($this->_ch, $this->_baseDn, $filter, $attributes);
+        if ($result === false) {
+            throw new AuthLDAP_Exception('no result found');
+        }
+        $this->_info = @ldap_get_entries($this->_ch, $result);
+        if ($this->_info === false) {
+            throw new AuthLDAP_Exception('invalid results found');
+        }
+        return $this -> _info;
+    }
+
+    /**
+     * This method sets debugging to ON
+     */
+    public function debugOn()
+    {
+        $this->_debug = true;
+        return $this;
+    }
+
+    /**
+     * This method sets debugging to OFF
+     */
+    public function debugOff()
+    {
+        $this->_debug = false;
+        return $this;
+    }
+
+    /**
+     * This method authenticates the user <var>$username</var> using the
+     * password <var>$password</var>
+     *
+     * @param string $username
+     * @param string $password
+     * @param string $filter OPTIONAL This parameter defines the Filter to be used
+     * when searchin for the username. This MUST contain the string '%s' which
+     * will be replaced by the vaue given in <var>$username</var>
+     * @return boolean true or false depending on successfull authentication or not
+     */
+    public function authenticate($username, $password, $filter = '(uid=%s)')
+    {
+        //return true;
+        $this->connect();
+        $this->bind();
+        $res = $this->search(sprintf($filter, $username));
+        if (! $res || ! is_array($res) || ( $res ['count'] != 1 )) {
+            return false;
+        }
+        $dn = $res[0]['dn'];
+        if ($username && $password) {
+            if (@ldap_bind($this->_ch, $dn, $password)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * $this method loggs errors if debugging is set to ON
+     */
+    public function logError()
+    {
+        if ($this->_debug) {
+            $_v = debug_backtrace();
+            throw new AuthLDAP_Exception('[LDAP_ERROR]' . ldap_errno($this->_ch) . ':' . ldap_error($this->_ch), $_v[0]['line']);
+        }
+    }
+}
+
+class AuthLDAP_Exception extends Exception
+{
+    public function __construct($message, $line = null)
+    {
+        parent :: __construct($message);
+        if ($line) {
+            $this -> line = $line;
+        }
+    }
+}

+=== authLdap ===
+Contributors: heiglandreas
+Tags: ldap, auth
+Requires at least: 2.5.0
+Tested up to: 4.6.1
+Stable tag: trunk
+
+Use your existing LDAP flexible as authentication backend for WordPress
+
+== Description ==
+
+Use your existing LDAP as authentication-backend for your wordpress!
+
+So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
+
+* Flexible: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can
+freely decide how to do the authentication of your users. It simply depends on your
+filters
+* Independent: As soon as a user logs in, it is added/updated to the Wordpress' user-database
+to allow wordpress to always use the correct data. You only have to administer your users once.
+* Failsafe: Due to the users being created in Wordpress' User-database they can
+also log in when the LDAP-backend currently is gone.
+* Role-Aware: You can map Wordpress' roles to values of an existing LDAP-attribute.
+
+For more Information on the configuration have a look at https://github.com/heiglandreas/authLdap
+
+== Installation ==
+
+1. Upload the extracted folder `authLdap` to the `/wp-content/plugins/` directory
+2. Activate the plugin through the 'Plugins' menu in WordPress
+3. Configure the Plugin via the 'authLdap'-Configuration-Page.
+
+== Frequently Asked Questions ==
+
+= Where can I find more Informations about the plugin? =
+
+Go to https://github.com/heiglandreas/authLdap
+
+= Where can I report issues with the plugin? =
+
+Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
+
+== Changelog ==
+= 1.4.20 =
+* Allows multiple LDAP-servers to be queried (given that they use the same attributes)
+* Fixes issue with URL-Encoded informations (see https://github.com/heiglandreas/authLdap/issues/108)
+
+= 1.4.19 =
+* Adds support for TLS
+
+= 1.4.14 =
+* Update to showing password-fields check (thanks to @chaplina)
+
+= 1.4.13 =
+* Removed generation of default email-address (thanks to @henryk)
+* Fixes password-hashing when caching passwords (thanks to @litinoveweedle)
+* Removes the possibility to reset a password for LDAP-based users (thanks to @chaplina)
+* Removes the password-change-Email from 4.3 on (thanks to @litinoveweedle)
+* Fixes double authentication-attempt (that resulted in failed authentication) (thanks to @litinoveweedle)
+
+= 1.4.10 =
+* Cleanup by removing deprecated code
+* Fixes issues with undefined variables
+* Enables internal option-versioning
+* Setting users nickname initially to the realname instead of the uid
+* Fixes display of password-change possibility in users profile-page
+= 1.4.9 =
+* Fixed an issue with changing display name on every login
+* Use proper way of looking up user-roles in setups w/o DB-prefix
+= 1.4.8 =
+* Updated version string
+= 1.4.7 =
+* Use default user to retrieve group menberships and not logging in user.
+* return the UID from the LDAP instead of the value given by the user
+* remove unnecessary checkbox
+* Adds a testsuite
+* Fixes PSR2 violations
+
+[…]
+    
+= 1.2.1 =
+* Fixed an issue with group-ids
+* Moved the code to GitHub (https://github.com/heiglandreas/authLdap)
+= 1.1.0 =
+* Changed the login-process. Now users that are not allowed to login due to
+missing group-memberships are not created within your blog as was the standard
+until Version 1.0.3 - Thanks to alex@tayts.com
+* Changed the default mail-address that is created when no mail-address can be
+retrieved from the LDAP from me@example.com to $username@example.com so that
+a new user can be created even though the mail address already exists in your
+blog - Also thanks to alex@tayts.com
+* Added support for WordPress-Table-prefixes as the capabilities of a user
+are interlany stored in a field that is named "$tablePrefix_capabilities" -
+again thanks to alex@tayts.com and also to sim0n of silicium.mine.nu

+<?php
+/**
+ * Copyright (c) Andreas Heigl<andreas@heigl.org>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @author    Andreas Heigl<andreas@heigl.org>
+ * @copyright Andreas Heigl
+ * @license   http://www.opensource.org/licenses/mit-license.php MIT-License
+ * @since     07.07.2016
+ * @link      http://github.com/heiglandreas/authLDAP
+ */
+
+namespace Org_Heigl\AuthLdap;
+
+class LdapList
+{
+    /**
+     * @var \LDAP[]
+     */
+    protected $items = [];
+
+    public function addLdap(LDAP $ldap)
+    {
+        $this->items[] = $ldap;
+    }
+
+    public function authenticate($username, $password, $filter = '(uid=%s)')
+    {
+        foreach ($this->items as $key => $item) {
+            if (! $item->authenticate($username, $password, $filter)) {
+                unset ($this->items[$key]);
+                continue;
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    public function bind()
+    {
+        $allFailed = true;
+        foreach ($this->items as $key => $item) {
+            try {
+                $item->bind();
+            } catch (\Exception $e) {
+                unset($this->items[$key]);
+                continue;
+            }
+            $allFailed = false;
+        }
+
+        if ($allFailed) {
+            throw new AuthLDAP_Exception('No bind successfull');
+        }
+    }
+
+    public function search($filter, $attributes = array('uid'))
+    {
+        foreach ($this->items as $item) {
+            try {
+                $result = $item->search($filter, $attributes);
+                return $result;
+            } catch (Exception $e) {
+                throw $e;
+            }
+        }
+
+        throw new \AuthLDAP_Exception('No Results found');
+    }
+}
\ No newline at end of file

+<?php
+/*
+Plugin Name: Lampo-AuthLDAP
+Plugin URI: https://github.com/lampo/wp-auth-ldap
+Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
+Version: 1.4.20
+Author: Andreas Heigl <a.heigl@wdv.de>
+Author URI: http://andreas.heigl.org
+*/
+
+require_once dirname(__FILE__) . '/ldap.php';
+
+function authLdap_debug($message)
+{
+    if (authLdap_get_option('Debug')) {
+        error_log('[AuthLDAP] ' . $message, 0);
+    }
+}
+
+
+function authLdap_get_post($name, $default = '')
+{
+    return isset($_POST[$name]) ? $_POST[$name] : $default;
+}
+
+
+/**
+ * get a LDAP server object
+ *
+ * throws exception if there is a problem connecting
+ *
+ * @conf boolean authLDAPDebug true, if debugging should be turned on
+ * @conf string  authLDAPURI LDAP server URI
+ *
+ * @return LDAP LDAP server object
+ */
+function authLdap_get_server()
+{
+    static $_ldapserver = null;
+    if (is_null($_ldapserver)) {
+        $authLDAPDebug = authLdap_get_option('Debug');
+        $authLDAPURI   = explode(
+            authLdap_get_option('URISeparator', ' '),
+            authLdap_get_option('URI')
+        );
+        $authLDAPStartTLS = authLdap_get_option('StartTLS');
+
+        //$authLDAPURI = 'ldap:/foo:bar@server/trallala';
+        authLdap_debug('connect to LDAP server');
+        require_once dirname(__FILE__) . '/src/LdapList.php';
+        $_ldapserver = new \Org_Heigl\AuthLdap\LdapList();
+        foreach ($authLDAPURI as $uri) {
+            $_ldapserver->addLdap(new \Org_Heigl\AuthLdap\LDAP($uri, $authLDAPDebug, $authLDAPStartTLS));
+        }
+    }
+    return $_ldapserver;
+}
+
+
+/**
+ * This method authenticates a user using either the LDAP or, if LDAP is not
+ * available, the local database
+ *
+ * For this we store the hashed passwords in the WP_Database to ensure working
+ * conditions even without an LDAP-Connection
+ *
+ * @param null|WP_User|WP_Error
+ * @param string $username
+ * @param string $password
+ * @param boolean $already_md5
+ * @return boolean true, if login was successfull or false, if it wasn't
+ * @conf boolean authLDAP true, if authLDAP should be used, false if not. Defaults to false
+ * @conf string authLDAPFilter LDAP filter to use to find correct user, defaults to '(uid=%s)'
+ * @conf string authLDAPNameAttr LDAP attribute containing user (display) name, defaults to 'name'
+ * @conf string authLDAPSecName LDAP attribute containing second name, defaults to ''
+ * @conf string authLDAPMailAttr LDAP attribute containing user e-mail, defaults to 'mail'
+ * @conf string authLDAPUidAttr LDAP attribute containing user id (the username we log on with), defaults to 'uid'
+ * @conf string authLDAPWebAttr LDAP attribute containing user website, defaults to ''
+ * @conf string authLDAPDefaultRole default role for authenticated user, defaults to ''
+ * @conf boolean authLDAPGroupEnable true, if we try to map LDAP groups to Wordpress roles
+ * @conf boolean authLDAPGroupOverUser true, if LDAP Groups have precedence over existing user roles
+ */
+function authLdap_login($user, $username, $password, $already_md5 = false)
+{
+    // don't do anything when authLDAP is disabled
+    if (! authLdap_get_option('Enabled')) {
+        authLdap_debug('LDAP disabled in AuthLDAP plugin options (use the first option in the AuthLDAP options to enable it)');
+        return $user;
+    }
+
+    // If the user has already been authenticated (only in that case we get a
+    // WP_User-Object as $user) we skip LDAP-authentication and simply return
+    // the existing user-object
+    if ($user instanceof WP_User) {
+        authLdap_debug(sprintf(
+            'User %s has already been authenticated - skipping LDAP-Authentication',
+            $user->get('nickname')));
+        return $user;
+    }
+
+    authLdap_debug("User '$username' logging in");
+
+    if ($username == 'admin') {
+        authLdap_debug('Doing nothing for possible local user admin');
+        return $user;
+    }
+
+    global $wpdb, $error;
+    try {
+        $authLDAP               = authLdap_get_option('Enabled');
+        $authLDAPFilter         = authLdap_get_option('Filter');
+        $authLDAPNameAttr       = authLdap_get_option('NameAttr');
+        $authLDAPSecName        = authLdap_get_option('SecName');
+        $authLDAPMailAttr       = authLdap_get_option('MailAttr');
+        $authLDAPUidAttr        = authLdap_get_option('UidAttr');
+        $authLDAPWebAttr        = authLdap_get_option('WebAttr');
+        $authLDAPDefaultRole    = authLdap_get_option('DefaultRole');
+        $authLDAPGroupEnable    = authLdap_get_option('GroupEnable');
+        $authLDAPGroupOverUser  = authLdap_get_option('GroupOverUser');
+
+        if (! $username) {
+            authLdap_debug('Username not supplied: return false');
+            return false;
+        }
+
+        if (! $password) {
+            authLdap_debug('Password not supplied: return false');
+            $error = __('<strong>Error</strong>: The password field is empty.');
+            return false;
+        }
+        // First check for valid values and set appropriate defaults
+        if (! $authLDAPFilter) {
+            $authLDAPFilter = '(uid=%s)';
+        }
+        if (! $authLDAPNameAttr) {
+            $authLDAPNameAttr = 'name';
+        }
+        if (! $authLDAPMailAttr) {
+            $authLDAPMailAttr = 'mail';
+        }
+        if (! $authLDAPUidAttr) {
+            $authLDAPUidAttr = 'uid';
+        }
+
+        // If already_md5 is TRUE, then we're getting the user/password from the cookie. As we don't want to store LDAP passwords in any
+        // form, we've already replaced the password with the hashed username and LDAP_COOKIE_MARKER
+        if ($already_md5) {
+            if ($password == md5($username).md5($ldapCookieMarker)) {
+                authLdap_debug('cookie authentication');
+                return true;
+            }
+        }
+
+        // No cookie, so have to authenticate them via LDAP
+        $result = false;
+        try {
+            authLdap_debug('about to do LDAP authentication');
+            $result = authLdap_get_server()->Authenticate($username, $password, $authLDAPFilter);
+        } catch (Exception $e) {
+            authLdap_debug('LDAP authentication failed with exception: ' . $e->getMessage());
+            return false;
+        }
+
+        // Rebind with the default credentials after the user has been loged in
+        // Otherwise the credentials of the user trying to login will be used
+        // This fixes #55
+        authLdap_get_server()->bind();
+
+        if (true !== $result) {
+            authLdap_debug('LDAP authentication failed');
+            // TODO what to return? WP_User object, true, false, even an WP_Error object... all seem to fall back to normal wp user authentication
+            return;
+        }
+
+        authLdap_debug('LDAP authentication successfull');
+        $attributes = array_values(
+            array_filter(
+                array(
+                    $authLDAPNameAttr,
+                    $authLDAPSecName,
+                    $authLDAPMailAttr,
+                    $authLDAPWebAttr,
+                    $authLDAPUidAttr
+                )
+            )
+        );
+
+        try {
+            $attribs = authLdap_get_server()->search(
+                sprintf($authLDAPFilter, $username),
+                $attributes
+            );
+            // First get all the relevant group informations so we can see if
+            // whether have been changes in group association of the user
+            if (! isset($attribs[0]['dn'])) {
+                authLdap_debug('could not get user attributes from LDAP');
+                throw new UnexpectedValueException('dn has not been returned');
+            }
+            if (! isset($attribs[0][strtolower($authLDAPUidAttr)][0])) {
+                authLdap_debug('could not get user attributes from LDAP');
+                throw new UnexpectedValueException('The user-ID attribute has not been returned');
+
+            }
+
+            $dn = $attribs[0]['dn'];
+            $realuid = $attribs[0][strtolower($authLDAPUidAttr)][0];
+        } catch (Exception $e) {
+            authLdap_debug('Exception getting LDAP user: ' . $e->getMessage());
+            return false;
+        }
+
+        $uid = authLdap_get_uid($realuid);
+        $role = '';
+
+        // we only need this if either LDAP groups are disabled or
+        // if the WordPress role of the user overrides LDAP groups
+        if (!$authLDAPGroupEnable || !$authLDAPGroupOverUser) {
+            $role = authLdap_user_role($uid);
+        }
+
+        // do LDAP group mapping if needed
+        // (if LDAP groups override worpress user role, $role is still empty)
+        if (empty($role) && $authLDAPGroupEnable) {
+            $role = authLdap_groupmap($realuid, $dn);
+            authLdap_debug('role from group mapping: ' . $role);
+        }
+
+        // if we don't have a role yet, use default role
+        if (empty($role) && !empty($authLDAPDefaultRole)) {
+            authLdap_debug('no role yet, set default role');
+            $role = $authLDAPDefaultRole;
+        }
+
+        if (empty($role)) {
+            // Sorry, but you are not in any group that is allowed access
+            trigger_error('no group found');
+            authLdap_debug('user is not in any group that is allowed access');
+            return false;
+        } else {
+            $roles = new WP_Roles();
+            // not sure if this is needed, but it can't hurt
+            if (!$roles->is_role($role)) {
+                trigger_error('no group found');
+                authLdap_debug('role is invalid');
+                return false;
+            }
+        }
+
+        // from here on, the user has access!
+        // now, lets update some user details
+        $user_info = array();
+        $user_info['user_login'] = $realuid;
+        $user_info['role'] = $role;
+        $user_info['user_email'] = '';
+
+        // first name
+        if (isset($attribs[0][strtolower($authLDAPNameAttr)][0])) {
+            $user_info['first_name'] = $attribs[0][strtolower($authLDAPNameAttr)][0];
+        }
+
+        // last name
+        if (isset($attribs[0][strtolower($authLDAPSecName)][0])) {
+            $user_info['last_name'] = $attribs[0][strtolower($authLDAPSecName)][0];
+        }
+
+        // mail address
+        if (isset($attribs[0][strtolower($authLDAPMailAttr)][0])) {
+            $user_info['user_email'] = $attribs[0][strtolower($authLDAPMailAttr)][0];
+        }
+
+        // website
+        if (isset($attribs[0][strtolower($authLDAPWebAttr)][0])) {
+            $user_info['user_url'] = $attribs[0][strtolower($authLDAPWebAttr)][0];
+        }
+
+        // display name, nickname, nicename
+        if (array_key_exists('first_name', $user_info)) {
+            $user_info['display_name'] = $user_info['first_name'];
+            $user_info['nickname'] = $user_info['first_name'];
+            $user_info['user_nicename'] = sanitize_title_with_dashes($user_info['first_name']);
+            if (array_key_exists('last_name', $user_info)) {
+                $user_info['display_name'] .= ' ' . $user_info['last_name'];
+                $user_info['nickname'] .= ' ' . $user_info['last_name'];
+                $user_info['user_nicename'] .= '_' . sanitize_title_with_dashes($user_info['last_name']);
+            }
+        }
+
+        // optionally store the password into the wordpress database
+        if (authLdap_get_option('CachePW')) {
+            // Password will be hashed inside wp_update_user or wp_insert_user
+            $user_info['user_pass'] = $password;
+        } else {
+            // clear the password
+            $user_info['user_pass'] = '';
+        }
+
+        // add uid if user exists
+        if ($uid) {
+            // found user in the database
+            authLdap_debug('The LDAP user has an entry in the WP-Database');
+            $user_info['ID'] = $uid;
+            unset ($user_info['display_name'], $user_info['nickname']);
+            $userid = wp_update_user($user_info);
+        } else {
+            // new wordpress account will be created
+            authLdap_debug('The LDAP user does not have an entry in the WP-Database, a new WP account will be created');
+
+            $userid = wp_insert_user($user_info);
+        }
+
+        // if the user exists, wp_insert_user will update the existing user record
+        if (is_wp_error($userid)) {
+            authLdap_debug('Error creating user : ' . $userid->get_error_message());
+            trigger_error('Error creating user: ' . $userid->get_error_message());
+            return $userid;
+        }
+
+        authLdap_debug('user id = ' . $userid);
+
+        // flag the user as an ldap user so we can hide the password fields in the user profile
+        update_user_meta($userid, 'authLDAP', true);
+
+        // return a user object upon positive authorization
+        return new WP_User($userid);
+    } catch (Exception $e) {
+        authLdap_debug($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
+        trigger_error($e->getMessage() . '. Exception thrown in line ' . $e->getLine());
+    }
+}
+
+/**
+ * Get user's user id
+ *
+ * Returns null if username not found
+ *
+ * @param string $username username
+ * @param string user id, null if not found
+ */
+function authLdap_get_uid($username)
+{
+    global $wpdb;
+
+    // find out whether the user is already present in the database
+    $uid = $wpdb->get_var(
+        $wpdb->prepare(
+            "SELECT ID FROM {$wpdb->users} WHERE user_login = %s",
+            $username
+        )
+    );
+    if ($uid) {
+        authLdap_debug("Existing user, uid = {$uid}");
+        return $uid;
+    } else {
+        return  null;
+    }
+}
+
+/**
+ * Get the user's current role
+ *
+ * Returns empty string if not found.
+ *
+ * @param int $uid wordpress user id
+ * @return string role, empty if none found
+ */
+function authLdap_user_role($uid)
+{
+    global $wpdb;
+
+    if (!$uid) {
+        return '';
+    }
+
+    $meta_value = $wpdb->get_var("SELECT meta_value FROM {$wpdb->usermeta} WHERE meta_key = '{$wpdb->prefix}capabilities' AND user_id = {$uid}");
+
+    if (!$meta_value) {
+        return '';
+    }
+
+    $capabilities = unserialize($meta_value);
+    $roles = is_array($capabilities) ? array_keys($capabilities) : array('');
+    $role = $roles[0];
+
+    authLdap_debug("Existing user's role: {$role}");
+    return $role;
+}
+
+/**
+ * Get LDAP groups for user and map to role
+ *
+ * @param string $username
+ * @param string $dn
+ * @return string role, empty string if no mapping found, first found role otherwise
+ * @conf array authLDAPGroups, associative array, role => ldap_group
+ * @conf string authLDAPGroupAttr, ldap attribute that holds name of group
+ * @conf string authLDAPGroupFilter, LDAP filter to find groups. can contain %s and %dn% placeholders
+ */
+function authLdap_groupmap($username, $dn)
+{
+    $authLDAPGroups         = authLdap_sort_roles_by_capabilities(
+        authLdap_get_option('Groups')
+    );
+    $authLDAPGroupAttr      = authLdap_get_option('GroupAttr');
+    $authLDAPGroupFilter    = authLdap_get_option('GroupFilter');
+    $authLDAPGroupSeparator = authLdap_get_option('GroupSeparator');
+    if (! $authLDAPGroupAttr) {
+        $authLDAPGroupAttr = 'gidNumber';
+    }
+    if (! $authLDAPGroupFilter) {
+        $authLDAPGroupFilter = '(&(objectClass=posixGroup)(memberUid=%s))';
+    }
+    if (! $authLDAPGroupSeparator) {
+        $authLDAPGroupSeparator = ',';
+    }
+
+    if (!is_array($authLDAPGroups) || count(array_filter(array_values($authLDAPGroups))) == 0) {
+        authLdap_debug('No group names defined');
+        return '';
+    }
+
+    try {
+        // To allow searches based on the DN instead of the uid, we replace the
+        // string %dn% with the users DN.
+        $authLDAPGroupFilter = str_replace('%dn%', $dn, $authLDAPGroupFilter);
+        authLdap_debug('Group Filter: ' . json_encode($authLDAPGroupFilter));
+        $groups = authLdap_get_server()->search(sprintf($authLDAPGroupFilter, $username), array($authLDAPGroupAttr));
+    } catch (Exception $e) {
+        authLdap_debug('Exception getting LDAP group attributes: ' . $e->getMessage());
+        return '';
+    }
+
+    $grp = array();
+    for ($i = 0; $i < $groups ['count']; $i++) {
+        for ($k = 0; $k < $groups[$i][strtolower($authLDAPGroupAttr)]['count']; $k++) {
+            $grp[] = $groups[$i][strtolower($authLDAPGroupAttr)][$k];
+        }
+    }
+
+    authLdap_debug('LDAP groups: ' . json_encode($grp));
+
+    // Check whether the user is member of one of the groups that are
+    // allowed acces to the blog. If the user is not member of one of
+    // The groups throw her out! ;-)
+    // If the user is member of more than one group only the first one
+    // will be taken into account!
+
+    $role = '';
+    foreach ($authLDAPGroups as $key => $val) {
+        $currentGroup = explode($authLDAPGroupSeparator, $val);
+        // Remove whitespaces around the group-ID
+        $currentGroup = array_map('trim', $currentGroup);
+        if (0 < count(array_intersect($currentGroup, $grp))) {
+            $role = $key;
+            break;
+        }
+    }
+
+    authLdap_debug("Role from LDAP group: {$role}");
+    return $role;
+}
+
+/**
+ * This function disables the password-change fields in the users preferences.
+ *
+ * It does not make sense to authenticate via LDAP and then allow the user to
+ * change the password only in the wordpress database. And changing the password
+ * LDAP-wide can not be the scope of Wordpress!
+ *
+ * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
+ * of the users meta-informations
+ *
+ * @return false, if the user whose prefs are viewed is an LDAP-User, true if
+ * he isn't
+ * @conf boolean authLDAP
+ */
+function authLdap_show_password_fields($return, $user)
+{
+    if (! $user) {
+        return true;
+    }
+
+    if (get_user_meta($user->ID, 'authLDAP')) {
+        return false;
+    }
+
+    return $return;
+}
+
+/**
+ * This function disables the password reset for a user.
+ *
+ * It does not make sense to authenticate via LDAP and then allow the user to
+ * reset the password only in the wordpress database. And changing the password
+ * LDAP-wide can not be the scope of Wordpress!
+ *
+ * Whether the user is an LDAP-User or not is determined using the authLDAP-Flag
+ * of the users meta-informations
+ *
+ * @author chaplina (https://github.com/chaplina)
+ * @conf boolean authLDAP
+ * @return false, if the user is an LDAP-User, true if he isn't
+ */
+function authLdap_allow_password_reset($return, $userid)
+{
+    if (!(isset($userid))) {
+        return true;
+    }
+
+    if (get_user_meta($userid, 'authLDAP')) {
+        return false;
+    }
+    return $return;
+}
+
+/**
+ * Sort the given roles by number of capabilities
+ *
+ * @param array $roles
+ *
+ * @return array
+ */
+function authLdap_sort_roles_by_capabilities($roles)
+{
+    global $wpdb;
+    $myRoles = get_option($wpdb->get_blog_prefix() . 'user_roles');
+
+    authLdap_debug(print_r($roles, true));
+    uasort($myRoles, 'authLdap_sortByCapabilitycount');
+
+    $return = array();
+
+    foreach ($myRoles as $key => $role) {
+        if (isset($roles[$key])) {
+            $return[$key] = $roles[$key];
+        }
+    }
+
+    authLdap_debug(print_r($return, true));
+    return $return;
+}
+
+/**
+ * Sort according to the number of capabilities
+ *
+ * @param $a
+ * @param $b
+ */
+function authLdap_sortByCapabilitycount($a, $b)
+{
+    if (count($a['capabilities']) > count($b['capabilities'])) {
+        return -1;
+    }
+    if (count($a['capabilities']) < count($b['capabilities'])) {
+        return 1;
+    }
+
+    return 0;
+}
+
+/**
+ * Load AuthLDAP Options
+ *
+ * Sets and stores defaults if options are not up to date
+ */
+function authLdap_load_options($reload = false)
+{
+    static $options = null;
+
+    if( empty($options) || $reload){
+        // the current version for options
+        $option_version_plugin = 1;
+        // defaults for all options
+        $options = array(
+            'Enabled'       => false,
+            'CachePW'       => false,
+            'URI'           => '',
+            'URISeparator'  => ' ',
+            'Filter'        => '', // '(uid=%s)'
+            'NameAttr'      => '', // 'name'
+            'SecName'       => '',
+            'UidAttr'       => '', // 'uid'
+            'MailAttr'      => '', // 'mail'
+            'WebAttr'       => '',
+            'Groups'        => array(),
+            'Debug'         => false,
+            'GroupAttr'     => '', // 'gidNumber'
+            'GroupFilter'   => '', // '(&(objectClass=posixGroup)(memberUid=%s))'
+            'DefaultRole'   => '',
+            'GroupEnable'   => true,
+            'GroupOverUser' => true,
+            'Version'       => $option_version_plugin,
+        );
+
+        // 2016-12-23 MLF (why we forked) Set any options we can find via defined constants
+        foreach($options as $option_name => $option_value) {
+            $constant_name = 'AUTHLDAP_'.strtoupper($option_name);
+            if( defined($constant_name) ){
+                $options[$option_name] = constant($constant_name);
+            }
+        }
+    }
+
+    return $options;
+}
+
+/**
+ * Get an individual option
+ */
+function authLdap_get_option($optionname, $default = null)
+{
+    $options = authLdap_load_options();
+    if (isset($options[$optionname]) && $options[$optionname]) {
+        return $options[$optionname];
+    }
+
+    if (null !== $default) {
+        return $default;
+    }
+
+    //authLdap_debug('option name invalid: ' . $optionname);
+    return null;
+}
+
+
+/**
+ * Do not send an email after changing the password or the email of the user!
+ *
+ * @param boolean $result      The initial resturn value
+ * @param array   $user        The old userdata
+ * @param array   $newUserData The changed userdata
+ *
+ * @return bool
+ */
+function authLdap_send_change_email($result, $user, $newUserData)
+{
+    if (get_usermeta($user['ID'], 'authLDAP')) {
+        return false;
+    }
+
+    return $result;
+}
+
+add_filter('show_password_fields', 'authLdap_show_password_fields', 10, 2);
+add_filter('allow_password_reset', 'authLdap_allow_password_reset', 10, 2);
+add_filter('authenticate', 'authLdap_login', 10, 3);
+/** This only works from WP 4.3.0 on */
+add_filter('send_password_change_email', 'authLdap_send_change_email', 10, 3);
+add_filter('send_email_change_email', 'authLdap_send_change_email', 10, 3);