Support » Plugin: Authorizer » Disable LDAP mail field auth.

  • Resolved edemir206

    (@edemir206)


    Hi,

    I’m using authorizer to auth against an LDAP base.

    The problem is, there’s a “change email mechanism” on this LDAP that doesn’t verify the EMAIL, so if somebody changes his email to someone already registered on wp he/she gets all permissions from that other PERSON. AMAZINGLY INSECURE I KNOW.

    I already tried removing the “mail” field from LDAP config, it works, login only via UID and no email auth, but now we can’t send any email to users :/

    As of today it seems authorizer uses UID and MAIL, is there a way to disable “mail” auth leaving only the UID field keeping mail field only for reference?

Viewing 1 replies (of 1 total)
  • Plugin Author pkarjala

    (@pkarjala)

    This sounds like an issue that needs to be resolved at the organization level.

    WordPress requires a unique email address per user account, so we are required to add an email when we generate a user through Authorizer. The best way for us to keep this up to date is to always poll the most recent information from LDAP (or other auth systems) and update the user’s account accordingly; otherwise WordPress will fall out of sync with the LDAP information.

    While WordPress can be configured to use user accounts without email addresses, that removes any “forgot my password” functionality and is not best practice in case the user disables Authorizer at some point in time and reverts to WordPress authentication.

  • The topic ‘Disable LDAP mail field auth.’ is closed to new replies.
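
The account-matching problem raised in this thread, as an added example that is not Authorizer's code and not part of the original posts: a simplified Python model comparing a lookup that trusts the unverified LDAP `mail` attribute with one that binds identity to the UID and keeps mail for contact only. All function names, field names and sample accounts are hypothetical and constructed for illustration.

```python
class MailConflict(Exception):
    """LDAP mail for one UID collides with a different local account."""


def make_accounts():
    # Constructed sample data: local accounts keyed by login (the LDAP UID).
    return {
        "alice": {"login": "alice", "email": "alice@example.org", "role": "administrator"},
        "bob": {"login": "bob", "email": "bob@example.org", "role": "subscriber"},
    }


def find_by_mail(accounts, mail):
    mail = mail.lower()
    return next((a for a in accounts.values() if a["email"].lower() == mail), None)


def match_by_mail_or_uid(accounts, entry):
    """Risky model: a self-asserted mail value selects the local account."""
    return find_by_mail(accounts, entry["mail"]) or accounts.get(entry["uid"])


def match_by_uid_only(accounts, entry):
    """Hardened model: the UID is the only identity key; mail is reference data."""
    uid, mail = entry["uid"], entry["mail"].lower()
    account = accounts.get(uid)
    owner = find_by_mail(accounts, mail)
    if owner is not None and owner is not account:
        # Never sync a mail value that already belongs to another account.
        raise MailConflict(f"{uid!r} presents mail owned by {owner['login']!r}")
    if account is None:
        # First login: provision with the lowest role (assumption of this model).
        account = accounts[uid] = {"login": uid, "email": mail, "role": "subscriber"}
    else:
        account["email"] = mail  # keep contact address current for outgoing mail
    return account


if __name__ == "__main__":
    # Constructed LDAP entry: bob has set his unverified mail to alice's address.
    entry = {"uid": "bob", "mail": "alice@example.org"}
    print("mail-or-uid ->", match_by_mail_or_uid(make_accounts(), entry)["login"])
    try:
        match_by_uid_only(make_accounts(), entry)
    except MailConflict as exc:
        print("uid-only    -> rejected:", exc)
```

A raised `MailConflict` is also a useful audit event, since it marks a directory entry whose mail attribute was changed to an address already in use.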