Support » Plugin: wpDirAuth » LDAP with group restriction and automatic creation

  • Hi,

    We managed to configure WP to authenticate against our LDAP, and to get the accounts automatically created thanks to your addon.

    However, we want to be able to filter based on membership in a posix group. I understand that we’re supposed to use “Authentication Groups” to do that.

    The problem is that once we enable this, we can no longer login, and the automatic account creation is disabled.

    Is there any way to solve this?

    Thanks,


    ———————————
    Maxime Boissonneault

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Paul Gilzow

    (@gilzow)

    I don’t have much experience with posixGroups, but my understanding is that the posixGroup does not show up in the user’s memberOf property which is why you aren’t able to log in, as wpDirAuth uses the memberOf property for group membership stuff.

    HOWEVER, wpDirAuth has a filter hook, wpdirauth_filterquery, you can use to adjust the filter query that wpDirAuth uses to query the user object from LDAP. The filter will hand your callback function three parameters: current constructed ldap filter, ldap account filter (from the settings page) and the user name (account requesting authentication). Your callback function just needs to pass back the fully constructed filter you want it to use.

    You can see the filter call at line 417 in the plugin: https://plugins.trac.wordpress.org/browser/wpdirauth/tags/1.8.1/wpDirAuth.php#L417

    Plugin Author Paul Gilzow

    (@gilzow)

    If what I said makes absolutely no sense, send me the ldap filter you would use to look up a user in the posixGroup and I can help you build the rest.

    So, do I understand that we have to modify the addon, i.e. it can’t be done through the web UI?

    Having the ability to specify an LDAP filter would be awesomely flexible.

    For example, through ldapsearch, I would use:

    ldapsearch -x -LLL -H ldaps://ldapurl -b "ou=People,dc=domain,dc=ca" "custom-attribute=custom-value"

    And indeed, posixGroups do not show up in the person’s information.

    Plugin Author Paul Gilzow

    (@gilzow)

    So in the UI, you can designate a different property to use as the filter for an account ID. The default is samAccountName. For groups, through the UI, you can use the CN of the group, as long as that group is in the user’s memberOf property. From what I understand about posixGroup, that group does not appear in the memberOf property, which is why wpDirAuth isn’t working for you as you expect it to right now.

    You don’t need to modify the plugin though. You can add the filter hook into your theme’s function.php file, or if it’s not a custom theme, you can make your own plugin file to hook into wpDirAuth. Here’s an example of one we did where they needed the user to be a member of multiple subgroups (which you can query if it’s Active Directory, but not other systems):

    
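    <?php
    // Require the account to match AND be a member (directly or through nested groups) of at least one of three groups.
    // 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    add_filter('wpdirauth_filterquery',function($strCurrentFilter,$strBaseFilter,$strUserName){
        // Each memberOf test is its own parenthesised term inside the (| ... ) OR group.
        return "(&($strBaseFilter=$strUserName)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Some Group,OU=Groups,OU=SomeDepartment,OU=OrgName,DC=TreeName,DC=domain,DC=tld)(memberOf:1.2.840.113556.1.4.1941:=CN=Another Group Name,OU=Groups,OU=SomeDepartment,OU=OrgName,DC=TreeName,DC=domain,DC=tld)(memberOf:1.2.840.113556.1.4.1941:=CN=Dept Admins,OU=Groups,OU=SomeDepartment,OU=OrgName,DC=TreeName,DC=domain,DC=tld)))";
    },10,3);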
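
The kind of callback described in this reply, adapted to the attribute-based ldapsearch filter posted earlier in the thread, as an added example that is not part of the original posts or the plugin's own code. It assumes the hook passes the three parameters in the order described above and that the user name arrives unescaped; `custom-attribute` and `custom-value` are the placeholders from the ldapsearch command, and the function and constant names are hypothetical.

```php
<?php
/*
 * Plugin Name: wpDirAuth attribute restriction (added example)
 */

// Placeholders from the ldapsearch command in this thread; replace them with
// the attribute/value pair that marks allowed accounts in your directory.
const EXAMPLE_REQUIRED_ATTR  = 'custom-attribute';
const EXAMPLE_REQUIRED_VALUE = 'custom-value';

/**
 * Build "(&(<account attr>=<user>)(<required attr>=<required value>))".
 * The restriction is tested on the user entry itself, because a posixGroup
 * lists its members on the group entry and not in the user's memberOf.
 */
function example_wpdirauth_restrict_filter($strCurrentFilter, $strBaseFilter, $strUserName)
{
    // Attribute names come from settings; accept only plain descriptors.
    // Anything else fails closed with a filter that matches no entry.
    foreach ([$strBaseFilter, EXAMPLE_REQUIRED_ATTR] as $attr) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
            return '(!(objectClass=*))';
        }
    }

    // Escape filter metacharacters ( ) * \ and NUL so that a login name can
    // only ever be a literal value and cannot rewrite the restriction term.
    $user  = ldap_escape($strUserName, '', LDAP_ESCAPE_FILTER);
    $value = ldap_escape(EXAMPLE_REQUIRED_VALUE, '', LDAP_ESCAPE_FILTER);

    return sprintf('(&(%s=%s)(%s=%s))', $strBaseFilter, $user, EXAMPLE_REQUIRED_ATTR, $value);
}

if (function_exists('add_filter')) {
    // Inside WordPress: register for wpDirAuth's hook, three arguments.
    add_filter('wpdirauth_filterquery', 'example_wpdirauth_restrict_filter', 10, 3);
} else {
    // Outside WordPress (php -f thisfile.php): print the filters built for
    // two constructed login names, one plain and one with metacharacters.
    echo example_wpdirauth_restrict_filter('(uid=jdoe)', 'uid', 'jdoe'), PHP_EOL;
    echo example_wpdirauth_restrict_filter('', 'uid', 'j*doe)(x'), PHP_EOL;
}
```

The second printed filter shows the metacharacters as backslash-hex escapes, so the required-attribute term stays in force whatever is typed into the login form.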
    
    Plugin Author Paul Gilzow

    (@gilzow)

    Version 1.9.3 is now out with the filter hook built-in. Were you ever able to test out hooking into this filter to see if it addresses your situation?

    mboisson

    (@mboisson)

    We have not tested modifying the source code (of that or the WordPress instance). However, we’ll see if we can make it work with the new version.

    Hi Paul,
    I don’t see a parameter in the config page even with version 1.9.4. I don’t have access to WordPress files directly on our WP site. I thought the new version was supposed to introduce some way of changing the filter query through the web UI, is that not the case?

    Thanks,

    Maxime

    Plugin Author Paul Gilzow

    (@gilzow)

    > I thought the new version was supposed to introduce some way of changing the filter query through the web UI, is that not the case?

    No. You can change the filter used for account ID, and you can designate a memberOf CN in the UI, but your case is unique (posixGroup). 1.9.3 introduced numerous hooks so it can handle situations like yours. You’ll want to use the wpdirauth_filterquery filter documented here: http://www.gilzow.com/_wpdirauth/hooks/filters/filterquery/.

    If you don’t have the ability to add the filter to your functions file in your theme, you could add it to a plugin file. Let me know if you need assistance creating that file.
