Authorizer plugin support topic: LDAP Configuration Issues

  • Johnny P (@jingleballs) [topic marked Resolved]



    This plugin sounds like it should do what I need it to, but can you confirm: Will this plugin password protect a blog, making it private, and allow people who authenticate with LDAP to view it, without having to register them as users in WordPress?

    I’ve tried the settings that our system admin provided and verified that work, along with other variations, but I keep getting the “Invalid Username” login error. If I try too many times, I get the too many invalid attempts error, so I believe the plugin is installed properly, but not configured correctly.

    We’re running WP multisite 4.8.4, PHP 5.3.3, the extensions are loaded I believe (curl.so, dom.so, and ldap.so are in the php\modules directory) and listed in the phpinfo.php file. We’re not using SSL, and we have WordFence and Sucuri Security plugins enabled.

    I tried with and without TLS but that didn’t make a difference. Here are some of the settings we’re using, with institution and SERVERNAME replaced:

    LDAP Search Base: dc=institution,dc=edu
    LDAP Directory User: CN=LDAP\, SERVERNAME,OU=Service Accounts,DC=institution,DC=edu
    LDAP Directory User Password: ****************

    My test user is listed in the Access List just in case, but I’m hoping I don’t need to list all of our faculty in that list, and that they can just validate with LDAP against a faculty Active Directory group. We just want this blog accessible to faculty, but without having to register them as users in WP.

    Does anyone have any suggestions or advice?

    thanks for any help,

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author pkarjala

    (@pkarjala)

    Hi @jingleballs,

    I’d highly recommend putting your site behind an SSL certificate to start, unless it is just an internal testing website.

    You can set Authorizer to allow all CAS / LDAP login users to have a new account created with the specified permission without having to preemptively add them to the Authorizer Access List.

    With regards to the errors you are seeing, can you try updating your PHP install to 5.4 or later and testing again?

    Can you also verify that your WordPress system is able to communicate with the LDAP server and is not returning any errors?

    Hi @pkarjala,

    Thanks for your response and the tips. I can’t update PHP at this time, because we’re using multisite, and some other plugins are not compatible w/ the latest PHP. I think I might be stuck until I do that maintenance.

    I’m not sure how to verify that WP is able to communicate with the LDAP server. I tried another plugin that validates using Active Directory, but it doesn’t do what I’d want it to.

    Unless you have any other suggestions, I’ll probably need to revisit this later after updating PHP and SSL.

    thanks for your help!

    J

    Plugin Author pkarjala

    (@pkarjala)

    Glad to assist; you may also want to try updating Authorizer to the latest release version, as we may have fixed some bugs that will help with functionality under older PHP versions.

    Plugin Author pkarjala

    (@pkarjala)

    @jingleballs chiming in real quick; if you are comfortable doing so, you can add some logging statements to the Authorizer codebase in the authorizer.php file inside of the custom_authenticate_ldap function on line 1266.

    Use error_log( print_r( $variable, true ) ); to output content to the web server’s error log. You can use this to see if the LDAP server is being bound to correctly, and check why the username isn’t matching up.

    As a thought, do your LDAP usernames contain any uppercase characters? We have run into some interesting issues with this in the past.

    LDAP Directory User: CN=LDAP\, SERVERNAME,OU=Service Accounts,DC=institution,DC=edu
    That is a strange config for Active Directory.
    I have configured the plugin for Active Directory and it works well. Let’s say your domain is “institution.edu”; then it will look like this:

    ldap host: domain controller ip address
    ldap port: 389
    use tls: no (“yes” if your servers connected via public network)
    ldap search base: cn=Users,dc=institution,dc=edu (don’t know why microsoft uses cn instead of ou)
    ldap attribute containing username: sAMAccountName
    ldap attribute containing email address: mail
    ldap directory user: cn=username with read rights,cn=Users,dc=institution,dc=edu
    ldap attribute containing first name: givenName
    ldap attribute containing last name: sN

    Your system administrator can always view a path like “cn=Users,dc=institution,dc=edu” in the adsiedit utility on Windows Server.

    This reply was modified 6 months, 3 weeks ago by igroykt.
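The two replies above suggest (a) logging the LDAP bind from PHP to see whether the server is reachable and why the username is not matching, and (b) the Active Directory settings that work. The following standalone PHP CLI script is an added example, not Authorizer's code; it walks the same steps the plugin performs (connect, optional STARTTLS, service-account bind, search by sAMAccountName, then bind as the user) and reports where it fails. All hostnames, DNs and the service-account name are constructed placeholders; it avoids ldap_escape() and short array syntax so it also runs on PHP 5.3.

```php
<?php
// Constructed settings (placeholders, not from the thread): edit for your directory.
$host      = 'dc.institution.edu';               // or the domain controller IP address
$port      = 389;
$use_tls   = false;                               // true if the DC is reached over a public network
$base      = 'cn=Users,dc=institution,dc=edu';    // AD default container, as in the reply above
$bind_dn   = 'cn=svc-wordpress,cn=Users,dc=institution,dc=edu'; // read-only service account
$bind_pw   = getenv('LDAP_BIND_PW');              // secrets via environment, not in the script
$user_attr = 'sAMAccountName';
$test_user = isset($argv[1]) ? $argv[1] : 'jdoe'; // usage: php ldap-check.php jdoe
$test_pw   = getenv('LDAP_TEST_PW');

// Escape RFC 4515 filter metacharacters so a typed username cannot alter the search filter.
function ldap_filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}
function fail($ds, $step) {
    error_log($step . ' failed: ' . ldap_errno($ds) . ' ' . ldap_error($ds));
    exit(1);
}
// An empty password makes AD perform an unauthenticated bind that "succeeds"; refuse it.
if ($bind_pw === false || $bind_pw === '' || $test_pw === false || $test_pw === '') {
    error_log('LDAP_BIND_PW and LDAP_TEST_PW must be set and non-empty'); exit(1);
}

$ds = ldap_connect($host, $port);
if (!$ds) { error_log('ldap_connect failed: check host, port and firewall'); exit(1); }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);      // AD referrals otherwise break searches
if ($use_tls && !ldap_start_tls($ds)) fail($ds, 'start_tls');
if (!ldap_bind($ds, $bind_dn, $bind_pw)) fail($ds, 'service account bind');
error_log('service account bind OK');

$filter  = '(' . $user_attr . '=' . ldap_filter_escape($test_user) . ')';
$res     = ldap_search($ds, $base, $filter, array('dn', $user_attr, 'mail'));
if (!$res) fail($ds, 'search ' . $filter);
$entries = ldap_get_entries($ds, $res);           // attribute keys come back lowercased
if ($entries['count'] !== 1) {
    error_log('expected exactly 1 entry for ' . $filter . ', got ' . $entries['count']); exit(1);
}
$dn    = $entries[0]['dn'];
$found = $entries[0][strtolower($user_attr)][0];
if ($found !== $test_user) {                      // the uppercase issue mentioned above
    error_log('username case differs: directory has "' . $found . '", you typed "' . $test_user . '"');
}
// Binding as the user is the step that actually verifies the password.
if (!ldap_bind($ds, $dn, $test_pw)) fail($ds, 'user bind as ' . $dn);
error_log('user bind OK for ' . $dn);
```

Run it from the web server host under the same PHP binary WordPress uses, so the result reflects that machine's network path and ldap.so build.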
    Plugin Author pkarjala

    (@pkarjala)

    Hi @jingleballs, checking in if you still need assistance on this issue!

    @pkarjala Thanks for checking in. Sorry I missed your previous responses. I put this on the back burner, and went with another solution. We’re migrating our WP server, so I’ll need to revisit this in the near future. I’ll try to keep you posted once I have a chance to revisit. Thanks again for following up!

    Plugin Author pkarjala

    (@pkarjala)

    Good to know! We are going to go ahead and mark this issue resolved for now; please open a new issue and reference this one if you need additional assistance.
