55e5d640 by Jeff Balicki

wp-auth-ldap

Signed-off-by: Jeff <jeff@gotenzing.com>
1 parent f3f154e9
vendor
composer.lock
.svnAccess
# authLDAP

[![Join the chat at https://gitter.im/heiglandreas/authLdap](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/heiglandreas/authLdap?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

Use your existing LDAP as authentication backend for your WordPress!

[![Build Status](https://travis-ci.org/heiglandreas/authLdap.svg?branch=master)](https://travis-ci.org/heiglandreas/authLdap)
[![WordPress Stats](https://img.shields.io/wordpress/plugin/dt/authldap.svg)](https://wordpress.org/plugins/authldap/stats/)
[![WordPress Version](https://img.shields.io/wordpress/plugin/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
[![WordPress tested](https://img.shields.io/wordpress/v/authldap.svg)](https://wordpress.org/plugins/authldap/)
[![Code Climate](https://codeclimate.com/github/heiglandreas/authLdap/badges/gpa.svg)](https://codeclimate.com/github/heiglandreas/authLdap)
[![Test Coverage](https://codeclimate.com/github/heiglandreas/authLdap/badges/coverage.svg)](https://codeclimate.com/github/heiglandreas/authLdap)

So what are the differences to other WordPress LDAP authentication plugins?

* **Flexible**: You are totally free in which LDAP backend to use. Due to the extensive configuration you can
freely decide how to do the authentication of your users. It simply depends on your
filters.
* **Independent**: As soon as a user logs in, they are added to or updated in WordPress' user database,
so that WordPress always uses the correct data. You only have to administer your users once.
* **Failsafe**: Because the users are created in WordPress' user database they can
also log in when the LDAP backend is currently unreachable (this requires the "Save entered Password" option described below).
* **Role-Aware**: You can map WordPress' roles to values of an existing LDAP attribute.
## How does the plugin work?

As a matter of fact it is rather simple. The plugin first searches the LDAP for the
entry that matches the configured filter and then verifies that the user seeking
authentication can bind to the LDAP as that entry using the provided password.
If that succeeds, the user is either created or updated in the WordPress user database.
This update includes the provided password (so that WordPress can authenticate users
even without the LDAP, if password caching is enabled), the user's name according to the authLDAP preferences and
the status of the user depending on the group settings of the authLDAP preferences.

Writing this plugin would not have been as easy as it has been without the
wonderful plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=45
## Configuration

### Usage Settings

* **Enable Authentication via LDAP** Whether you want to enable authLdap for login or not.
* **debug authLdap** When you have problems with authentication via LDAP you can enable a debugging mode here.
* **Save entered Password** Decide whether passwords will be cached in your WordPress installation. The cached copy is stored as a WordPress password hash in the WordPress user database, so that database becomes a second place where your users' credentials live. **Attention:** Without the cache your users will not be able to log into your site when your LDAP is down!

### Server Settings

* **LDAP Uri** This is the URI where your LDAP backend can be reached, in the form `ldap://[bind-user:password@]host[:port]/search-base` (`ldaps://` switches the default port to 636). More information is on the configuration page.
* **Filter** This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter, a `%s` will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username, the following happens:
  * **(uid=%s)** check for any LDAP entry that has an attribute ‘uid’ with value ‘foobar’
  * **(&(objectclass=posixAccount)(|(uid=%s)(mail=%s)))** check for any LDAP entry that has an attribute ‘objectclass’ with value ‘posixAccount’ and either a uid or a mail attribute with value ‘foobar’

This filter is rather powerful if used wisely. Note that the username is substituted as entered, without escaping of LDAP filter metacharacters (`(`, `)`, `*`, `\`), and that the plugin only accepts a login when exactly one entry matches the filter.
### Creating Users

* **Name-Attribute** Which attribute from the LDAP contains the full or the first name of the user trying to log in. This defaults to `name`.
* **Second Name Attribute** If the above Name-Attribute only contains the first name of the user, you can specify here an attribute that contains the second name. This field is empty by default.
* **User-ID Attribute** This field will be used as login name for WordPress. Please give the attribute that is used to identify the user. This should be the same as you used in the above Filter option. This field defaults to `uid`.
* **Mail Attribute** Which attribute holds the e-mail address of the user? If more than one e-mail address is stored in the LDAP, only the first one is used. This field defaults to `mail`.
* **Web-Attribute** If your users have a personal page (URI) stored in the LDAP, it can be provided here. This field is empty by default.

### User-Groups for Roles

* **Group-Attribute** This is the attribute that defines the group ID that can be matched against the groups defined further down. This field defaults to `gidNumber`.
* **Group-Filter** Here you can add the filter for selecting the groups of the currently logged-in user. The filter should contain the string `%s`, which will be replaced by the login name of the currently logged-in user.
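The `%s` substitution used by both the login Filter and the Group-Filter above inserts the login name exactly as the user typed it; `LDAP::authenticate()` in ldap.php does this with `sprintf()` and no escaping. The following is an added example, not code from authLdap or from the wp-auth-ldap fork, showing the RFC 4515 escaping a hardened substitution applies next to the plain one. `escapeFilterValue()`, `buildUserFilter()` and `buildUserFilterUnescaped()` are names chosen for this example, the template and login names are constructed sample input, and nothing is sent to a directory.

```php
<?php
// Added example, not part of authLdap / wp-auth-ldap: substitute the login
// name into a "Filter" / "Group-Filter" template with the value escaped as
// RFC 4515 requires, next to the plain sprintf() substitution.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
 * Same result as ldap_escape($value, '', LDAP_ESCAPE_FILTER) on PHP >= 5.6,
 * spelled out here so the example runs without ext-ldap.
 */
function escapeFilterValue($value)
{
    // strtr() replaces in a single pass, so an inserted backslash is never
    // escaped a second time
    return strtr((string) $value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

/**
 * Hardened substitution: every %s in the template receives the escaped login
 * name, so the name can only ever be compared as a literal attribute value.
 */
function buildUserFilter($template, $username)
{
    if (false === strpos($template, '%s')) {
        throw new InvalidArgumentException('The filter template must contain %s');
    }
    return str_replace('%s', escapeFilterValue($username), $template);
}

/**
 * The substitution LDAP::authenticate() performs: the login name goes into
 * the filter unchanged.
 */
function buildUserFilterUnescaped($template, $username)
{
    return sprintf($template, $username);
}

// Constructed sample input: a template from the README and two login names,
// the second one containing filter metacharacters.
$template = '(&(objectclass=posixAccount)(|(uid=%s)(mail=%s)))';
$logins   = array('foobar', 'foobar)(uid=*');

foreach ($logins as $login) {
    printf("login %-18s escaped:   %s\n", var_export($login, true), buildUserFilter($template, $login));
    printf("%-24s unescaped: %s\n", '', buildUserFilterUnescaped('(uid=%s)', $login));
}
```

Run it with `php example.php`. With the first login name both functions produce the filter the administrator wrote. With the second, `buildUserFilterUnescaped()` yields `(uid=foobar)(uid=*)`, which is no longer the single term the administrator configured, whereas `buildUserFilter()` turns every `(`, `)` and `*` into `\28`, `\29` and `\2a`, so the directory compares the value literally. `str_replace()` also fills every `%s` in the template, which `sprintf()` with a single argument would not accept for the two-`%s` filter shown above.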
## FAQ

<dl>
<dt>Can I change a user's password with this plugin?</dt>
<dd>Short Answer: <strong>No</strong>!<br>Long Answer: As the user's credentials are not
only used for a WordPress site when you authenticate against an LDAP but for
many other services as well, chances are great that there is a centralized place
where password changes shall be made. We'll later allow inclusion of a link
to such a place but currently it's not available. And as password hashing and
where to store it requires deeper insight into the LDAP server than most users
have and admins are willing to give, password changes are out of scope of this
plugin. If you know exactly what you do, you might want to have a look at
<a href="https://github.com/heiglandreas/authLdap/issues/54#issuecomment-125851029">
issue 54</a>
where a way of adding it is described!
</dd>
<dt>Can I add a user to the LDAP when she creates a user account on WordPress?</dt>
<dd>Short Answer: <strong>No</strong>!<br>Long Answer: Even though that is technically possible
it's not in the scope of this plugin. As creating a user in an LDAP often involves
an administrative process that has already been implemented in your department's
administration, it doesn't make sense to rebuild that - in most cases highly
individual - process in this plugin. If you know exactly what you do, have a look at
<a href="https://github.com/heiglandreas/authLdap/issues/65">issue 65</a>
where <a href="https://github.com/wtfiwtz">wtfiwtz</a> shows how to implement that feature.
</dd>
</dl>
1.4.20
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: wp-auth-ldap
  annotations:
    github.com/project-slug: lampo/wp-auth-ldap
spec:
  type: general
  lifecycle: production
  owner: B2C Developers
{
    "name": "lampo/wp-auth-ldap",
    "type": "wordpress-plugin",
    "description": "Fork of http://github.com/heiglandreas/authLdap, moves settings to defined constants.",
    "keywords": ["ldap", "authenticate", "auth", "wordpress"],
    "homepage": "http://github.com/lampo/wp-auth-ldap",
    "license": "MIT",
    "authors": [
        {
            "name": "Andreas Heigl",
            "email": "andreas@heigl.org",
            "homepage": "http://andreas.heigl.org",
            "role": "Developer"
        },
        {
            "name": "Micah Flatt",
            "email": "mflatt@flattware.net",
            "role": "Developer"
        }
    ],
    "require": {
        "php": ">=5.4",
        "composer/installers": "~1.0"
    },
    "autoload": {
        "psr-4": {
            "Org_Heigl\\AuthLdap\\": "./"
        }
    }
}
<?php
/**
* $Id: ldap.php 381646 2011-05-06 09:37:31Z heiglandreas $
*
* authLdap - Authenticate Wordpress against an LDAP-Backend.
* Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* This file handles the basic LDAP-Tasks
*
* @author Andreas Heigl<andreas@heigl.org>
* @package authLdap
* @category authLdap
* @since 2008
*/
namespace Org_Heigl\AuthLdap;

use Exception;

class LDAP
{
    private $_server = '';
    private $_scheme = 'ldap';
    private $_port = 389;
    private $_baseDn = '';
    private $_debug = false;

    /**
     * This property contains the connection handle to the ldap-server
     *
     * @var resource
     */
    private $_ch = null;

    /**
     * The entries returned by the last call to search()
     *
     * @var array
     */
    private $_info = array();

    private $_username = '';
    private $_password = '';
    private $_starttls = false;

    /**
     * @param string  $URI      ldap://[bind-user:password@]host[:port]/search-base
     * @param boolean $debug
     * @param boolean $starttls Upgrade a plain ldap:// connection with StartTLS
     * @throws Exception when the URI cannot be used
     */
    public function __construct($URI, $debug = false, $starttls = false)
    {
        $this->_debug = $debug;
        $array = parse_url($URI);
        if (! is_array($array)) {
            throw new Exception($URI . ' seems not to be a valid URI');
        }
        // Undo the URL-encoding of every component, so a bind-DN or password
        // containing reserved characters can be given in percent-encoded form
        $url = array_map(function ($item) {
            return urldecode($item);
        }, $array);
        if (! isset($url['scheme'])) {
            throw new Exception($URI . ' does not provide a scheme');
        }
        if (0 !== strpos($url['scheme'], 'ldap')) {
            throw new Exception($URI . ' is an invalid LDAP-URI');
        }
        if (! isset($url['host'])) {
            throw new Exception($URI . ' does not provide a server');
        }
        if (! isset($url['path'])) {
            throw new Exception($URI . ' does not provide a search-base');
        }
        if (1 == strlen($url['path'])) {
            throw new Exception($URI . ' does not provide a valid search-base');
        }
        $this->_server = $url['host'];
        $this->_scheme = $url['scheme'];
        // The path of the URI is the search-base, without the leading slash
        $this->_baseDn = substr($url['path'], 1);
        if (isset($url['user'])) {
            $this->_username = $url['user'];
        }
        if ('' == trim($this->_username)) {
            $this->_username = 'anonymous';
        }
        if (isset($url['pass'])) {
            $this->_password = $url['pass'];
        }
        if (isset($url['port'])) {
            $this->_port = $url['port'];
        }
        $this->_starttls = $starttls;
    }

    /**
     * Connect to the given LDAP-Server
     *
     * @return LDAP
     * @throws AuthLDAP_Exception
     */
    public function connect()
    {
        $this->disconnect();
        if ('ldaps' == $this->_scheme && 389 == $this->_port) {
            $this->_port = 636;
        }
        $this->_ch = @ldap_connect($this->_scheme . '://' . $this->_server . ':' . $this->_port);
        if (! $this->_ch) {
            throw new AuthLDAP_Exception('Could not connect to the server');
        }
        ldap_set_option($this->_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->_ch, LDAP_OPT_REFERRALS, 0);
        // If configured, upgrade the plain ldap:// connection to TLS. A failed
        // StartTLS must not silently fall back to cleartext, as every password
        // that is checked on this connection would then travel unencrypted.
        if ($this->_starttls && ! @ldap_start_tls($this->_ch)) {
            $error = ldap_error($this->_ch);
            $this->disconnect();
            throw new AuthLDAP_Exception('StartTLS failed: ' . $error);
        }
        return $this;
    }

    /**
     * Disconnect from a resource if one is available
     *
     * @return LDAP
     */
    public function disconnect()
    {
        if (is_resource($this->_ch)) {
            @ldap_unbind($this->_ch);
        }
        $this->_ch = null;
        return $this;
    }

    /**
     * Bind to an LDAP-Server with the given credentials
     *
     * @return LDAP
     * @throws AuthLDAP_Exception
     */
    public function bind()
    {
        if (! $this->_ch) {
            $this->connect();
        }
        if (! is_resource($this->_ch)) {
            throw new AuthLDAP_Exception('No Resource-handle given');
        }
        $bind = false;
        if ($this->_username && 'anonymous' != $this->_username && '' != $this->_password) {
            $bind = @ldap_bind($this->_ch, $this->_username, $this->_password);
        } else {
            // No bind-credentials configured in the URI: anonymous bind
            $bind = @ldap_bind($this->_ch);
        }
        if (! $bind) {
            throw new AuthLDAP_Exception('bind was not successful: ' . ldap_error($this->_ch));
        }
        return $this;
    }

    public function getErrorNumber()
    {
        return @ldap_errno($this->_ch);
    }

    public function getErrorText()
    {
        return @ldap_error($this->_ch);
    }

    /**
     * This method does the actual ldap-search.
     *
     * This is using the filter <var>$filter</var> for retrieving the attributes
     * <var>$attributes</var>
     *
     * @param string $filter
     * @param array  $attributes
     * @return array
     * @throws AuthLDAP_Exception
     */
    public function search($filter, $attributes = array('uid'))
    {
        if (! is_resource($this->_ch)) {
            throw new AuthLDAP_Exception('No resource handle available');
        }
        $result = @ldap_search($this->_ch, $this->_baseDn, $filter, $attributes);
        if ($result === false) {
            throw new AuthLDAP_Exception('no result found');
        }
        $this->_info = @ldap_get_entries($this->_ch, $result);
        if ($this->_info === false) {
            throw new AuthLDAP_Exception('invalid results found');
        }
        return $this->_info;
    }

    /**
     * This method sets debugging to ON
     */
    public function debugOn()
    {
        $this->_debug = true;
        return $this;
    }

    /**
     * This method sets debugging to OFF
     */
    public function debugOff()
    {
        $this->_debug = false;
        return $this;
    }

    /**
     * This method authenticates the user <var>$username</var> using the
     * password <var>$password</var>
     *
     * The user is first looked up with <var>$filter</var> (using the configured
     * bind-credentials or an anonymous bind); then a second bind is attempted
     * as the DN that was found, with the user's password.
     *
     * @param string $username
     * @param string $password
     * @param string $filter OPTIONAL This parameter defines the filter to be used
     * when searching for the username. This MUST contain the string '%s' which
     * will be replaced by the value given in <var>$username</var>
     * @return boolean true or false depending on successful authentication or not
     */
    public function authenticate($username, $password, $filter = '(uid=%s)')
    {
        $this->connect();
        $this->bind();
        // The username is substituted into the filter as given, without
        // escaping of LDAP filter metacharacters
        $res = $this->search(sprintf($filter, $username));
        // Exactly one entry has to match. An ambiguous filter is treated as a
        // failed login instead of binding as the first of several entries.
        if (! $res || ! is_array($res) || ($res['count'] != 1)) {
            return false;
        }
        $dn = $res[0]['dn'];
        // Never bind with an empty password: LDAP servers treat that as an
        // unauthenticated (anonymous) bind, which succeeds without a password
        if ($username && $password) {
            if (@ldap_bind($this->_ch, $dn, $password)) {
                return true;
            }
        }
        return false;
    }

    /**
     * This method logs errors if debugging is set to ON
     */
    public function logError()
    {
        if ($this->_debug) {
            $_v = debug_backtrace();
            throw new AuthLDAP_Exception('[LDAP_ERROR]' . ldap_errno($this->_ch) . ':' . ldap_error($this->_ch), $_v[0]['line']);
        }
    }
}

class AuthLDAP_Exception extends Exception
{
    public function __construct($message, $line = null)
    {
        parent::__construct($message);
        if ($line) {
            $this->line = $line;
        }
    }
}
=== authLdap ===
Contributors: heiglandreas
Tags: ldap, auth
Requires at least: 2.5.0
Tested up to: 4.6.1
Stable tag: trunk
Use your existing LDAP as a flexible authentication backend for WordPress
== Description ==
Use your existing LDAP as authentication-backend for your wordpress!
So what are the differences to other Wordpress-LDAP-Authentication-Plugins?
* Flexible: You are totally free in which LDAP backend to use. Due to the extensive configuration you can
freely decide how to do the authentication of your users. It simply depends on your
filters.
* Independent: As soon as a user logs in, they are added to or updated in WordPress' user database,
so that WordPress always uses the correct data. You only have to administer your users once.
* Failsafe: Because the users are created in WordPress' user database they can
also log in when the LDAP backend is currently unreachable.
* Role-Aware: You can map WordPress' roles to values of an existing LDAP attribute.
For more Information on the configuration have a look at https://github.com/heiglandreas/authLdap
== Installation ==
1. Upload the extracted folder `authLdap` to the `/wp-content/plugins/` directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Configure the Plugin via the 'authLdap'-Configuration-Page.
== Frequently Asked Questions ==
= Where can I find more information about the plugin? =
Go to https://github.com/heiglandreas/authLdap
= Where can I report issues with the plugin? =
Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
== Changelog ==
= 1.4.20 =
* Allows multiple LDAP-servers to be queried (given that they use the same attributes)
* Fixes issue with URL-encoded information (see https://github.com/heiglandreas/authLdap/issues/108)
= 1.4.19 =
* Adds support for TLS
= 1.4.14 =
* Update to showing password-fields check (thanks to @chaplina)
= 1.4.13 =
* Removed generation of default email-address (thanks to @henryk)
* Fixes password-hashing when caching passwords (thanks to @litinoveweedle)
* Removes the possibility to reset a password for LDAP-based users (thanks to @chaplina)
* Removes the password-change-Email from 4.3 on (thanks to @litinoveweedle)
* Fixes double authentication-attempt (that resulted in failed authentication) (thanks to @litinoveweedle)
= 1.4.10 =
* Cleanup by removing deprecated code
* Fixes issues with undefined variables
* Enables internal option-versioning
* Setting users nickname initially to the realname instead of the uid
* Fixes display of password-change possibility in users profile-page
= 1.4.9 =
* Fixed an issue with changing display name on every login
* Use proper way of looking up user-roles in setups w/o DB-prefix
= 1.4.8 =
* Updated version string
= 1.4.7 =
* Use default user to retrieve group memberships and not logging in user.
* return the UID from the LDAP instead of the value given by the user
* remove unnecessary checkbox
* Adds a testsuite
* Fixes PSR2 violations
[…]
= 1.2.1 =
* Fixed an issue with group-ids
* Moved the code to GitHub (https://github.com/heiglandreas/authLdap)
= 1.1.0 =
* Changed the login-process. Now users that are not allowed to login due to
missing group-memberships are not created within your blog as was the standard
until Version 1.0.3 - Thanks to alex@tayts.com
* Changed the default mail-address that is created when no mail-address can be
retrieved from the LDAP from me@example.com to $username@example.com so that
a new user can be created even though the mail address already exists in your
blog - Also thanks to alex@tayts.com
* Added support for WordPress table prefixes as the capabilities of a user
are internally stored in a field that is named "$tablePrefix_capabilities" -
again thanks to alex@tayts.com and also to sim0n of silicium.mine.nu
<?php
/**
* Copyright (c) Andreas Heigl<andreas@heigl.org>
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*
* @author Andreas Heigl<andreas@heigl.org>
* @copyright Andreas Heigl
* @license http://www.opensource.org/licenses/mit-license.php MIT-License
* @since 07.07.2016
* @link http://github.com/heiglandreas/authLDAP
*/
namespace Org_Heigl\AuthLdap;

class LdapList
{
    /**
     * @var LDAP[]
     */
    protected $items = [];

    public function addLdap(LDAP $ldap)
    {
        $this->items[] = $ldap;
    }

    /**
     * Try the credentials against each configured server in turn. Servers that
     * reject the user or cannot be reached are dropped from the list, so the
     * following bind() and search() calls only talk to the server that
     * accepted the user.
     *
     * @return boolean
     */
    public function authenticate($username, $password, $filter = '(uid=%s)')
    {
        foreach ($this->items as $key => $item) {
            try {
                $ok = $item->authenticate($username, $password, $filter);
            } catch (\Exception $e) {
                // connect() or bind() failed for this server: treat it as unreachable
                $ok = false;
            }
            if (! $ok) {
                unset($this->items[$key]);
                continue;
            }
            return true;
        }
        return false;
    }

    public function bind()
    {
        $allFailed = true;
        foreach ($this->items as $key => $item) {
            try {
                $item->bind();
            } catch (\Exception $e) {
                unset($this->items[$key]);
                continue;
            }
            $allFailed = false;
        }
        if ($allFailed) {
            throw new AuthLDAP_Exception('No bind successful');
        }
    }

    /**
     * Return the entries of the first server whose search succeeds.
     *
     * @return array
     * @throws AuthLDAP_Exception when no server returned a result
     */
    public function search($filter, $attributes = array('uid'))
    {
        foreach ($this->items as $item) {
            try {
                return $item->search($filter, $attributes);
            } catch (\Exception $e) {
                // This server failed: try the next one
                continue;
            }
        }
        throw new AuthLDAP_Exception('No Results found');
    }
}