Stephane Daury (stephdau)
Forum Replies Created
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
I have now committed the changes:
- better redirection (thanks tabeverly)
- new optional terms of services acceptance concept
See:
I’ll work on the readme and credits file tonight, as well as on packaging the upcoming 1.0rc1. Maybe it’ll just be 1.0, since I’m about to roll it into production at my institution anyway.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@tabeverly: I have modified the code with your patch (only slightly tweaked), but I forgot to commit it before starting on something else (addition of optional TOS agreement step). Ooops.
I’ll commit the whole thing when I’m done with it tomorrow, and I think it might just be time to start packaging 1.0rc1, which I will start running on a pilot project WP install in my institution. The latter is in production, but less high visibility than others soon to come.
On a separate note, feel free to drop me an email at labs [at] tekartist [dot] org with whatever references you want listed in the credit files. 🙂
But for now, it’s 1AM, time to snooze. Ciao.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@tabeverly: Ah, excellent.
re: quality: Trust me, I’ve seen worse PHP coming out of much more experienced developers (yes, me included :).
I might just use your patch, but I’ll first take a look at an ultra portable PHP project I worked on a few years ago (netjuke) because I know I’ve had to deal with something like that in there (some vars are not available on Windows, etc). The latter would have the benefit of having been tested on a slew of platforms and would ensure we end up with the best support possible. Having been coding PHP for *nix exclusively in the last few years, it escaped me in this one. 🙂
I’ll post later tonight.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@tabeverly: Thanks for your continued support. 🙂
All the “Require SSL login” should be doing is to scan if the current login screen URL starts with https, and redirect to the same URL under https if not. I haven’t tested it too much but it seemed to work in my tests.
See the first few lines of wpDirAuth_login_form_extra(). A potential issue would be if the built-in $_SERVER["SCRIPT_URI"] PHP pre-defined variable is somehow not available in your instance. Could you edit wpDirAuth.php and add something like the following code bits around line 438 of the current dev version (right after if(get_option("dirAuthRequireSsl")…) and tell me what the result is?
var_dump($_SERVER["SCRIPT_URI"]); exit;
It might just be a matter of using another PHP var that would always contain the accessed protocol.
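An added example, not part of the original post and not wpDirAuth code: one way to detect the protocol and build the HTTPS redirect without relying on SCRIPT_URI. The function names, the configured host `blog.blah.example` and the sample request arrays are hypothetical.

```php
<?php
// Added example, not wpDirAuth code. Names and sample values are hypothetical.

/** True if the request described by $server arrived over HTTPS. */
function request_is_https(array $server): bool
{
    // Apache sets HTTPS to "on"; IIS sets it to "off" for plain HTTP requests.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback for servers that do not populate HTTPS at all.
    return isset($server['SERVER_PORT']) && (string) $server['SERVER_PORT'] === '443';
}

/**
 * Returns the https:// URL to redirect to, or null when no redirect is needed.
 * $siteHost comes from configuration, not from the client-supplied Host header,
 * so a forged Host value cannot steer the redirect to another site.
 */
function ssl_redirect_target(array $server, string $siteHost): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    // REQUEST_URI is missing on some servers; rebuild it from SCRIPT_NAME then.
    $uri = $server['REQUEST_URI'] ?? ($server['SCRIPT_NAME'] ?? '/');
    if (!isset($server['REQUEST_URI']) && !empty($server['QUERY_STRING'])) {
        $uri .= '?' . $server['QUERY_STRING'];
    }
    // Strip CR/LF so the value cannot split the Location header.
    $uri = str_replace(["\r", "\n"], '', $uri);
    // Only an origin-form path is accepted; anything else goes to the root.
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $siteHost . $uri;
}

// Constructed sample requests.
$samples = [
    'apache http'  => ['SERVER_PORT' => '80', 'REQUEST_URI' => '/wp-login.php?redirect_to=%2Fwp-admin%2F'],
    'apache https' => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/wp-login.php'],
    'iis http'     => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'SCRIPT_NAME' => '/wp-login.php', 'QUERY_STRING' => 'action=login'],
];
foreach ($samples as $label => $server) {
    $target = ssl_redirect_target($server, 'blog.blah.example');
    echo $label, ': ', $target ?? 'already https, no redirect', PHP_EOL;
}
```

In a login page the non-null result would be sent with `header('Location: ' . $target, true, 302)` followed by `exit`.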
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@tabeverly: I didn’t offer before because I don’t know your level of sysadmin expertise, but feel free to let me know if you need help troubleshooting the CLI v. http issue you’re having with PHP.
On another note, I’ve published the wpDirAuth code doc, if anyone is interested: http://labs.tekartist.org/wordpress/wpdirauth/phpdocs/
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
While wpDirAuth is being peer reviewed, I released another plugin I use on my site. 🙂
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@tabeverly: good luck. Let me know how it goes. 🙂
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
@koelly: thanks for the quick note. Glad it can be of use. 🙂
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
SVN Rev. #309
Extra error checking and handling tweaks + cleaned up error messages format for easier future localization.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
SVN Rev. #308
Added extra security check to make sure only one account is returned during the profile search in wpDirAuth_auth, before returning to wp_login. Better safe than sorry.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
Oh, hadn’t refreshed the page before posting my last comment and I missed your added info.
The code I added will only really help if the username we search for anonymously matches the unique identifier defined in the account filter. This actually translates to sentUsername + accountSuffix if set up in the wpDirAuth prefs [optional].
Here’s an example which might help you with the part involving locating the user’s profile, whether for dn pre-mapping (added code), or binding:
In what I’ve seen in other php/ldap related code, people seem to default the field on which we try to locate the profile with to samAccountName (hence the default in wpDirAuth), which seems to be assumed to be the same value as the username used to bind with.
In my context, the samAccount is in one form, but the username used to bind (first.last@myDomaincontroller, not full dn) with simple auth actually matches a field named userPrincipalName.
So in my setup, I expect users to enter first.last@myDomainController, leave the Account Suffix pref empty (since we have multiple ones), and set my Account Filter to userPrincipalName.
As an aside, I’m realizing that I need to make sure the added code didn’t open a hole if the anonymous search returns more than one entry, since we ultimately default to entry[0] when returning to wp_login.
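An added example, not part of the original posts and not wpDirAuth code: the "only one account" check described in the SVN Rev. #308 note and in the aside above, written against the array layout that PHP's ldap_get_entries() returns. The function name and the sample entries are hypothetical.

```php
<?php
// Added example, not wpDirAuth code. Function name and sample data are hypothetical.

/**
 * Takes the array shape returned by ldap_get_entries() and returns the DN
 * only when the search matched exactly one entry. Zero or several matches
 * return null, so the caller fails the login instead of using entry 0.
 */
function unique_entry_dn(array $entries): ?string
{
    $count = $entries['count'] ?? 0;
    if ($count !== 1) {
        return null;
    }
    $dn = $entries[0]['dn'] ?? null;
    return (is_string($dn) && $dn !== '') ? $dn : null;
}

// Constructed results in the ldap_get_entries() layout:
// a "count" key plus numerically indexed entries, each carrying its "dn".
$results = [
    'one match' => [
        'count' => 1,
        0 => ['dn' => 'CN=First Last,OU=Staff,DC=blah,DC=example'],
    ],
    'two matches' => [
        'count' => 2,
        0 => ['dn' => 'CN=First Last,OU=Staff,DC=blah,DC=example'],
        1 => ['dn' => 'CN=First Last,OU=Alumni,DC=blah,DC=example'],
    ],
    'no match' => ['count' => 0],
];

foreach ($results as $label => $entries) {
    $dn = unique_entry_dn($entries);
    echo $label, ': ', $dn === null ? 'reject login' : "bind as $dn", PHP_EOL;
}
```

The username placed into the search filter should also pass through ldap_escape() with LDAP_ESCAPE_FILTER, so that it is matched literally and cannot widen the search.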
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
The snag I’m hitting with implementing the solution you suggested is that on my side, my dir server won’t let me search without binding… The old chicken and egg thing. 🙂
Soooo, what I did was to try and couple both approaches.
Since there was already an anonymous bind being performed in the connection pool loop, I’m trying an anonymous search on success, trying to retrieve the targeted user’s full dn.
If the profile is located, user binding is performed with the full dn, or we try the sent username instead.
See lines 363-368 in the updated version available in SVN.
Is that solving it for you?
On another note, could you post details about your setup?
OS, dir server type, ldap configs with “Blah Corp” instead of your company’s info where it matters, etc?
PS: I’m in Montreal, and can only devote time to this in the evening, hence my posting timeframe. 🙂
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
Are you by any chance using OpenLDAP?
I wonder if an update to the ldap_bind call similar to the one linked to below would help:
http://ashay.org/?page_id=133#comment-558
I’ll see if it works in AD.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
I also just launched a plugin hosting request to http://dev.wp-plugins.org/ so we can get access to svn and Trac project management tools there.
Forum: Plugins
In reply to: Feedback wanted for new Directory (LDAP/AD/etc) authentication plugin
I now added an initial readme file in the subversion repository: http://labs.tekartist.org/wordpress/svn/branches/dev/plugins/wpDirAuth/readme.txt
Based on the standard WordPress readme format: http://codex.wordpress.org/Writing_a_Plugin#Readme_File