Hi bluesoul.
Can you test setting the group-attribute to “dn” instead of “distinguishedName” and when that doesn’t work please set it to “cn” and set under the author-role only “MySecurityGroup” instead of “CN=MySecurityGroup,OU=My OU,DC=corp,DC=domain,DC=int”?
Thanks for helping me out.
We’re very much on the same wavelength; I’ve tried both of those already, with no change. $role is coming back empty, even though when I take the string from the debug output and run it, I get back 13 security groups.
Looking through the code:
// Check whether the user is member of one of the groups that are
// allowed access to the blog. If the user is not member of one of
// the groups throw her out! ;-)
// If the user is member of more than one group only the first one
// will be taken into account!
Is this correct? Only the first group to be returned will apply?
EDIT: $groups['count'] is also returning 0. $authLDAPGroupFilter looks correct, so the problematic point is $groups = authLdap_get_server()->search(sprintf($authLDAPGroupFilter, $username), array($authLDAPGroupAttr));. I will continue debugging with that in mind.
Yes, only the first group will be applied. But that’s not the first LDAP-Group, but the first WordPress-Group the user belongs to. So when the user is in an LDAP-Group that maps to the WP-Admin-group and also in an LDAP-Group that maps to the Author-group in WP, the user will be member of the WP-Admin group.
Do you have debugging enabled? Can you post the debugging entries from the servers log? You could also send them via email if that’s better for you.
Yeah, I’ll redact a little bit.
[Wed Jun 01 13:41:59.014899 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Array\n(\n [administrator] => \n [editor] => \n [author] => CN={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}\n [contributor] => \n [subscriber] => \n)\n, referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.014936 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Array\n(\n [administrator] => \n [editor] => \n [author] => CN={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}\n [contributor] => \n [subscriber] => \n)\n, referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.014968 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Group Filter: "(&(objectclass=group)(member=CN={snip},OU={snip},OU={snip},OU={snip},OU={snip},DC={snip},DC={snip},DC={snip},DC={snip}))", referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015457 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] Role from LDAP group: , referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015473 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] role from group mapping: , referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015484 2016] [:error] [pid 14530] [client 172.17.6.54:64752] PHP Notice: no group found in /{{snip}}/wp-content/plugins/authldap/authLdap.php on line 302, referer: http://ogweb/wp-login.php
[Wed Jun 01 13:41:59.015500 2016] [:error] [pid 14530] [client 172.17.6.54:64752] [AuthLDAP] user is not in any group that is allowed access, referer: http://ogweb/wp-login.php
Of note, if I take the string it generates under Group Filter, and run it as an LDAP query through either ldifde or AD Users & Computers, I get the expected result of 13 security groups. But if I do a print_r($groups) all it returns is [count] => 0.
Would you mind setting the GroupFilter like this: (&(objectclass=group)(member="%dn%"))? (Note the added double quotes)
[Wed Jun 01 14:15:46.594836 2016] [:error] [pid 13255] [client 172.17.6.54:49250] PHP Warning: ldap_search(): Search: Bad search filter in /{snip}/wp-content/plugins/authldap/ldap.php on line 190, referer: http://ogweb/wp-login.php
[Wed Jun 01 14:15:46.594878 2016] [:error] [pid 13255] [client 172.17.6.54:49250] [AuthLDAP] Exception getting LDAP group attributes: no result found, referer: http://ogweb/wp-login.php
EDIT: It turned into a real mess with double quotes:
[Wed Jun 01 14:15:46.594800 2016] [:error] [pid 13255] [client 172.17.6.54:49250] [AuthLDAP] Group Filter: "(&(objectclass=group)(member=\\\\\\"CN=snip,OU=snip,DC=etc\\\\\\"))", referer: http://ogweb/wp-login.php
Solved.
The issue was with the LDAP URI. I set it too tight, as security groups and users are in different OUs off of my base domain.
So, incorrect:
ldap://CN=ldap.bind,CN=Managed Service Accounts,DC=snip,DC=snip,DC=snip,DC=snip:password@domaincontroller/OU=Users,DC=snip,DC=snip,DC=snip,DC=snip
Correct:
ldap://CN=ldap.bind,CN=Managed Service Accounts,DC=snip,DC=snip,DC=snip,DC=snip:password@domaincontroller/DC=snip,DC=snip,DC=snip,DC=snip
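Added here as an illustration, not code from the authLdap plugin or from either poster: a small Python model of the three things this thread turned on. It shows why a search base of OU=Users,… cannot return groups that live in another OU (the fix above), why wrapping the DN in double quotes produces a "Bad search filter" once PHP adds backslashes in front of them (RFC 4515 escaping uses \XX hex sequences, not quotes), and the "first WordPress role wins" rule Andreas describes. The directory entries, DNs and the role-ordering are constructed for the example; the %dn% placeholder is the GroupFilter syntax from the thread.

```python
"""Offline model of the authLdap group lookup discussed in this thread.
Everything below runs against a constructed in-memory directory; no LDAP
server is contacted. Added example, not the plugin's own code."""
from typing import Dict, Iterable, List, Optional

# --- RFC 4515 filter-value handling ---------------------------------------
# Characters that must be hex-escaped inside a filter value. Wrapping a DN in
# double quotes is not an escaping mechanism: the quotes become part of the
# value, and the backslashes PHP put in front of them are what ldap_search()
# rejects as a bad filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value (e.g. a DN) for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_value_is_valid(value: str) -> bool:
    """True if every backslash introduces exactly two hex digits and no raw
    parenthesis or NUL remains (the backslash-quote mess in the log fails this)."""
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 2 >= len(value) or value[i + 1] not in _HEX or value[i + 2] not in _HEX:
                return False
            i += 3
        elif ch in "()\x00":
            return False
        else:
            i += 1
    return True


def build_group_filter(template: str, user_dn: str) -> str:
    """Expand the %dn% placeholder of the GroupFilter setting with an escaped DN."""
    return template.replace("%dn%", escape_filter_value(user_dn))


# --- DN handling and subtree scope ------------------------------------------
def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas; case-insensitive, whitespace trimmed
    (a simplification of full DN normalisation, good enough for AD-style DNs)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escaped pairs such as "\," intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip().lower())
    return parts


def dn_in_subtree(dn: str, base_dn: str) -> bool:
    """A subtree search from base_dn can only ever return entries whose DN ends in base_dn."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search_groups(directory: Dict[str, dict], base_dn: str, member_dn: str) -> List[str]:
    """Stand-in for ldap_search() with (&(objectclass=group)(member=<dn>)): returns the
    DNs of group entries under base_dn that list member_dn as a member."""
    wanted = split_dn(member_dn)
    return [dn for dn, entry in directory.items()
            if entry.get("objectClass") == "group"
            and dn_in_subtree(dn, base_dn)
            and any(split_dn(m) == wanted for m in entry.get("member", []))]


# --- Role mapping: first WordPress role in this order wins ---------------------
# Order taken from the debug array printed in the log (administrator first).
ROLE_ORDER = ["administrator", "editor", "author", "contributor", "subscriber"]


def role_from_groups(role_map: Dict[str, str], user_groups: Iterable[str]) -> Optional[str]:
    """Return the first WordPress role whose mapped LDAP group the user is in, or None."""
    groups = [split_dn(g) for g in user_groups]
    for role in ROLE_ORDER:
        mapped = role_map.get(role, "")
        if mapped and split_dn(mapped) in groups:
            return role
    return None


# --- Constructed sample directory (placeholder names, not from the thread) -----
BASE = "DC=corp,DC=domain,DC=int"
USER_DN = "CN=Jane Doe,OU=Users," + BASE
GROUP_DN = "CN=MySecurityGroup,OU=Groups," + BASE
DIRECTORY = {
    USER_DN: {"objectClass": "user"},
    GROUP_DN: {"objectClass": "group", "member": [USER_DN]},
    "CN=Domain Admins,CN=Users," + BASE: {"objectClass": "group", "member": []},
}
ROLE_MAP = {"administrator": "", "editor": "", "author": GROUP_DN, "contributor": "", "subscriber": ""}


def resolve_role(base_dn: str) -> Optional[str]:
    """Reproduce the plugin's flow for a given search base: groups lookup, then role mapping."""
    return role_from_groups(ROLE_MAP, search_groups(DIRECTORY, base_dn, USER_DN))


if __name__ == "__main__":
    print("base OU=Users -> role:", resolve_role("OU=Users," + BASE))   # None: groups not in subtree
    print("base domain root -> role:", resolve_role(BASE))               # author
    print(build_group_filter("(&(objectclass=group)(member=%dn%))", USER_DN))
```

Running it with the narrow base returns no groups and therefore no role, which is exactly the "no group found" / "user is not in any group that is allowed access" sequence in the log; widening the base to the domain root yields the author role. The `filter_value_is_valid` check is the kind of guard worth adding before a filter ever reaches `ldap_search()`: it rejects the stray-backslash value produced by the quoted `%dn%` attempt while accepting properly hex-escaped DNs.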
Thanks!
I was beginning to run out of ideas!
But yes, no wonder there couldn’t be any groups found when they aren’t in the subtree 😉
Nice that you found it yourself! And thanks for letting me know!
Cheers
Andreas