mirror of https://github.com/YunoHost-Apps/wordpress_ynh.git synced 2024-09-03 20:36:10 +02:00
root 2013-12-05 14:50:24 +00:00
parent 965dba23dc
commit f06ba1bed1
5 changed files with 3392 additions and 0 deletions


@ -0,0 +1,150 @@
<?php
global $SimpleLDAPLogin;
if( isset( $_GET[ 'tab' ] ) ) {
$active_tab = $_GET[ 'tab' ];
} else {
$active_tab = 'simple';
}
?>
<div class="wrap">
<div id="icon-themes" class="icon32"></div>
<h2>Simple LDAP Login Settings</h2>
<h2 class="nav-tab-wrapper">
<a href="<?php echo add_query_arg( array('tab' => 'simple'), $_SERVER['REQUEST_URI'] ); ?>" class="nav-tab <?php echo $active_tab == 'simple' ? 'nav-tab-active' : ''; ?>">Simple</a>
<a href="<?php echo add_query_arg( array('tab' => 'advanced'), $_SERVER['REQUEST_URI'] ); ?>" class="nav-tab <?php echo $active_tab == 'advanced' ? 'nav-tab-active' : ''; ?>">Advanced</a>
<a href="<?php echo add_query_arg( array('tab' => 'help'), $_SERVER['REQUEST_URI'] ); ?>" class="nav-tab <?php echo $active_tab == 'help' ? 'nav-tab-active' : ''; ?>">Help</a>
</h2>
<form method="post" action="<?php echo str_replace( '%7E', '~', $_SERVER['REQUEST_URI']); ?>">
<?php wp_nonce_field( 'save_sll_settings','save_the_sll' ); ?>
<?php if( $active_tab == "simple" ): ?>
<h3>Required</h3>
<p>These are the most basic settings you must configure. Without these, you won't be able to use Simple LDAP Login.</p>
<table class="form-table">
<tbody>
<tr>
<th scope="row" valign="top">Enable LDAP Authentication</th>
<td>
<input type="hidden" name="<?php echo $this->get_field_name('enabled'); ?>" value="false" />
<label><input type="checkbox" name="<?php echo $this->get_field_name('enabled'); ?>" value="true" <?php if( str_true($this->get_setting('enabled')) ) echo "checked"; ?> /> Enable LDAP login authentication for WordPress. (this one is kind of important)</label><br/>
</td>
<tr>
<tr>
<th scope="row" valign="top">Account Suffix</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('account_suffix'); ?>" value="<?php echo $SimpleLDAPLogin->get_setting('account_suffix'); ?>" /><br/>
Often the suffix of your e-mail address. Example: @gmail.com
</td>
</tr>
<tr>
<th scope="row" valign="top">Base DN</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('base_dn'); ?>" value="<?php echo $SimpleLDAPLogin->get_setting('base_dn'); ?>" />
<br/>
Example: For subdomain.domain.suffix, use DC=subdomain,DC=domain,DC=suffix. Do not specify an OU here.
</td>
</tr>
<tr>
<th scope="row" valign="top">Domain Controller(s)</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('domain_controllers', 'array'); ?>" value="<?php echo join(';', (array)$SimpleLDAPLogin->get_setting('domain_controllers')); ?>" />
<br/>Separate with semi-colons.
</td>
</tr>
<tr>
<th scope="row" valign="top">LDAP Directory</th>
<td>
<label><input type="radio" name="<?php echo $this->get_field_name('directory'); ?>" value="ad" <?php if( $this->get_setting('directory') == "ad" ) echo "checked"; ?> /> Active Directory</label><br/>
<label><input type="radio" name="<?php echo $this->get_field_name('directory'); ?>" value="ol" <?php if( $this->get_setting('directory') == "ol" ) echo "checked"; ?> /> Open LDAP (and etc)</label>
</td>
</tr>
</tbody>
</table>
<p><input class="button-primary" type="submit" value="Save Settings" /></p>
<?php elseif ( $active_tab == "advanced" ): ?>
<h3>Typical</h3>
<p>These settings give you finer control over how logins work.</p>
<table class="form-table" style="margin-bottom: 20px;">
<tbody>
<tr>
<th scope="row" valign="top">Required Groups</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('groups', 'array'); ?>" value="<?php echo join(';', (array)$SimpleLDAPLogin->get_setting('groups')); ?>" /><br/>
The groups, if any, that authenticating LDAP users must belong to. <br/>
Empty means no group required. Separate with semi-colons.
</td>
</tr>
<tr>
<th scope="row" valign="top">LDAP Exclusive</th>
<td>
<input type="hidden" name="<?php echo $this->get_field_name('high_security'); ?>" value="false" />
<label><input type="checkbox" name="<?php echo $this->get_field_name('high_security'); ?>" value="true" <?php if( str_true($this->get_setting('high_security')) ) echo "checked"; ?> /> Force all logins to authenticate against LDAP. Do NOT fallback to default authentication for existing users.<br/>Formerly known as high security mode.</label><br/>
</td>
</tr>
<tr>
<th scope="row" valign="top">User Creations</th>
<td>
<input type="hidden" name="<?php echo $this->get_field_name('create_users'); ?>" value="false" />
<label><input type="checkbox" name="<?php echo $this->get_field_name('create_users'); ?>" value="true" <?php if( str_true($this->get_setting('create_users')) ) echo "checked"; ?> /> Create WordPress user for authenticated LDAP login with appropriate roles.</label><br/>
</td>
<tr>
<th scope="row" valign="top">New User Role</th>
<td>
<select name="<?php echo $this->get_field_name('role'); ?>">
<?php wp_dropdown_roles( strtolower($this->get_setting('role')) ); ?>
</select>
</td>
</tr>
</tbody>
</table>
<hr />
<h3>Extraordinary</h3>
<p>Most users should leave these alone.</p>
<table class="form-table">
<tbody>
<tr>
<th scope="row" valign="top">LDAP Login Attribute</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('ol_login'); ?>" value="<?php echo $SimpleLDAPLogin->get_setting('ol_login'); ?>" />
<br />
In case your installation uses something other than <b>uid</b>;
</td>
</tr>
<tr>
<th scope="row" valign="top">Use TLS</th>
<td>
<input type="hidden" name="<?php echo $this->get_field_name('use_tls'); ?>" value="false" />
<label><input type="checkbox" name="<?php echo $this->get_field_name('use_tls'); ?>" value="true" <?php if( str_true($this->get_setting('use_tls')) ) echo "checked"; ?> /> Transport Layer Security. This feature is beta, very beta.</label><br/>
</td>
</tr>
<tr>
<th scope="row" valign="top">LDAP Port</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('ldap_port'); ?>" value="<?php echo $SimpleLDAPLogin->get_setting('ldap_port'); ?>" /><br/>
This is usually 389.
</td>
</tr>
<tr>
<th scope="row" valign="top">LDAP Version</th>
<td>
<input type="text" name="<?php echo $this->get_field_name('ldap_version'); ?>" value="<?php echo $SimpleLDAPLogin->get_setting('ldap_version'); ?>" /><br/>
Only applies to Open LDAP. Typically 3.
</td>
</tr>
</tbody>
</table>
<p><input class="button-primary" type="submit" value="Save Settings" /></p>
<?php else: ?>
<h3>Help</h3>
<p>Here's a brief primer on how to effectively use and test Simple LDAP Login.</p>
<h4>Testing</h4>
<p>The most effective way to test logins is to use two browsers. In other words, keep WordPress Admin open in Chrome, and use Firefox to try logging in. This will give you real time feedback on your settings and prevent you from inadvertently locking yourself out.</p>
<h4>Which raises the question, what happens if I get locked out?</h4>
<p>If you accidentally lock yourself out, the easiest way to get back in is to rename <strong><?php echo plugin_dir_path(__FILE__); ?></strong> to something else and then refresh. WordPress will detect the change and disable Simple LDAP Login. You can then rename the folder back to its previous name.</p>
<?php endif; ?>
</form>
</div>
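Review bot: the values echoed into HTML attributes in this admin page are not escaped. `$_SERVER['REQUEST_URI']` is written straight into the `href` of the three tab links (through `add_query_arg`) and into the form `action`, and stored settings are written into `value` attributes (Account Suffix, Base DN, Domain Controller(s), LDAP Login Attribute, LDAP Port, LDAP Version) without `esc_attr()`. The request URI is under the requester's control and the settings are populated from `$_REQUEST` in `save_settings`, so wrap the URLs in `esc_url()` and the values in `esc_attr()`; the `$active_tab` comparisons are fine as they only compare against fixed strings. Also, the "Enable LDAP Authentication" and "User Creations" rows close with `<tr>` instead of `</tr>`, which leaves the tables with malformed markup.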


@ -0,0 +1,389 @@
<?php
/*
Plugin Name: Simple LDAP Login
Plugin URI: http://clifgriffin.com/simple-ldap-login/
Description: Authenticate WordPress against LDAP.
Version: 1.5.5
Author: Clif Griffin Development Inc.
Author URI: http://cgd.io
*/
class SimpleLDAPLogin {
static $instance = false;
var $prefix = 'sll_';
var $settings = array();
var $adldap;
var $ldap;
public function __construct () {
$this->settings = $this->get_settings_obj( $this->prefix );
if( $this->get_setting('directory') == "ad" ) {
require_once( plugin_dir_path(__FILE__) . "/includes/adLDAP.php" );
$this->adldap = new adLDAP(
array (
"account_suffix" => $this->get_setting('account_suffix'),
"use_tls" => str_true( $this->get_setting('use_tls') ),
"base_dn" => $this->get_setting('base_dn'),
"domain_controllers" => (array)$this->get_setting('domain_controllers'),
"ad_port" => $this->get_setting('ldap_port')
)
);
}
add_action('admin_init', array($this, 'save_settings') );
add_action('admin_menu', array($this, 'menu') );
if ( str_true($this->get_setting('enabled')) ) {
add_filter('authenticate', array($this, 'authenticate'), 1, 3);
}
register_activation_hook( __FILE__, array($this, 'activate') );
// If version is false, and old version detected, run activation
if( $this->get_setting('version') === false || get_option('simpleldap_domain_controllers', false) !== false ) $this->activate();
}
public static function getInstance () {
if ( !self::$instance ) {
self::$instance = new self;
}
return self::$instance;
}
function activate () {
// Default settings
$this->add_setting('account_suffix', "@mydomain.org");
$this->add_setting('base_dn', "DC=mydomain,DC=org");
$this->add_setting('domain_controllers', array("dc01.mydomain.local") );
$this->add_setting('directory', "ad");
$this->add_setting('role', "Contributor");
$this->add_setting('high_security', "true");
$this->add_setting('ol_login', "uid");
$this->add_setting('use_tls', "false");
$this->add_setting('ldap_port', 389);
$this->add_setting('ldap_version', 3);
$this->add_setting('create_users', "false");
$this->add_setting('enabled', "false");
if( $this->get_setting('version') === false ) {
$this->set_setting('version', '1.5');
$this->set_setting('enabled', 'true');
if ( $this->set_setting('account_suffix', get_option('simpleldap_account_suffix')) ) {
//delete_option('simpleldap_account_suffix');
}
if ( $this->set_setting('base_dn', get_option('simpleldap_base_dn')) ) {
//delete_option('simpleldap_base_dn');
}
if ( $this->set_setting('domain_controllers', get_option('simpleldap_domain_controllers')) ) {
//delete_option('simpleldap_domain_controllers');
}
$directory_result = false;
if ( get_option('simpleldap_directory_type') == "directory_ad" ) {
$directory_result = $this->set_setting('directory', 'ad');
} else {
$directory_result = $this->set_setting('directory', 'ol');
}
//if( $directory_result ) delete_option('simpleldap_directory_type');
unset($directory_result);
if ( $this->set_setting('groups', (array)get_option('simpleldap_group') ) ) {
//delete_option('simpleldap_group');
}
if ( $this->set_setting('role', get_option('simpleldap_account_type')) ) {
//delete_option('simpleldap_account_type');
}
if ( $this->set_setting('ol_login', get_option('simpleldap_ol_login')) ) {
//delete_option('simpleldap_ol_login');
}
if ( $this->set_setting('use_tls', str_true( get_option('simpleldap_use_tls') ) ) ) {
//delete_option('simpleldap_use_tls');
}
$create_users = false;
if ( get_option('simpleldap_login_mode') == "mode_create_all" || get_option('simpleldap_login_mode') == "mode_create_group" ) {
$create_users = true;
}
if ( $this->set_setting('create_users', $create_users) ) {
//delete_option('simpleldap_login_mode');
}
$high_security = false;
if ( get_option('simpleldap_security_mode') == "security_high" ) {
$high_security = true;
}
if ( $this->set_setting('high_security', $high_security) ) {
//delete_option('simpleldap_security_mode');
}
}
}
function menu () {
add_options_page("Simple LDAP Login", "Simple LDAP Login", 'manage_options', "simple-ldap-login", array($this, 'admin_page') );
}
function admin_page () {
include 'Simple-LDAP-Login-Admin.php';
}
function get_settings_obj () {
return get_option("{$this->prefix}settings", false);
}
function set_settings_obj ( $newobj ) {
return update_option("{$this->prefix}settings", $newobj);
}
function set_setting ( $option = false, $newvalue ) {
if( $option === false ) return false;
$this->settings = $this->get_settings_obj($this->prefix);
$this->settings[$option] = $newvalue;
return $this->set_settings_obj($this->settings);
}
function get_setting ( $option = false ) {
if($option === false || ! isset($this->settings[$option]) ) return false;
return apply_filters($this->prefix . 'get_setting', $this->settings[$option], $option);
}
function add_setting ( $option = false, $newvalue ) {
if($option === false ) return false;
if ( ! isset($this->settings[$option]) ) {
return $this->set_setting($option, $newvalue);
} else return false;
}
function get_field_name($setting, $type = 'string') {
return "{$this->prefix}setting[$setting][$type]";
}
function save_settings()
{
if( isset($_REQUEST["{$this->prefix}setting"]) && check_admin_referer('save_sll_settings','save_the_sll') ) {
$new_settings = $_REQUEST["{$this->prefix}setting"];
foreach( $new_settings as $setting_name => $setting_value ) {
foreach( $setting_value as $type => $value ) {
if( $type == "array" ) {
$this->set_setting($setting_name, explode(";", $value));
} else {
$this->set_setting($setting_name, $value);
}
}
}
add_action('admin_notices', array($this, 'saved_admin_notice') );
}
}
function saved_admin_notice(){
echo '<div class="updated">
<p>Simple LDAP Login settings have been saved.</p>
</div>';
if( ! str_true($this->get_setting('enabled')) ) {
echo '<div class="error">
<p>Simple LDAP Login is disabled.</p>
</div>';
}
}
function authenticate ($user, $username, $password) {
// If previous authentication succeeded, respect that
if ( is_a($user, 'WP_User') ) { return $user; }
// Determine if user a local admin
$local_admin = false;
$user_obj = get_user_by('login', $username);
if( user_can($user_obj, 'update_core') ) $local_admin = true;
if ( empty($username) || empty($password) ) {
$error = new WP_Error();
if ( empty($username) )
$error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
if ( empty($password) )
$error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
return $error;
}
// If high security mode is enabled, remove default WP authentication hook
if ( str_true( $this->get_setting('high_security') ) && ! $local_admin ) {
remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
}
// Sweet, let's try to authenticate our user and pass against LDAP
$auth_result = $this->ldap_auth($username, $password, $this->get_setting('directory') );
if( $auth_result ) {
// Authenticated, does user have required groups, if any?
if( $this->user_has_groups( $username, $this->get_setting('directory') ) ) {
$user = get_user_by('login', $username);
if ( ! $user || ( strtolower($user->user_login) !== strtolower($username) ) ) {
if( ! str_true($this->get_setting('create_users')) ) {
do_action( 'wp_login_failed', $username );
return new WP_Error('invalid_username', __('<strong>Simple LDAP Login Error</strong>: LDAP credentials are correct, but there is no matching WordPress user and user creation is not enabled.'));
}
$new_user = wp_insert_user( $this->get_user_data( $username, $this->get_setting('directory') ) );
if( ! is_wp_error($new_user) )
{
// Successful Login
$new_user = new WP_User($new_user);
do_action_ref_array($this->prefix . 'auth_success', array($new_user) );
return $new_user;
}
else
{
do_action( 'wp_login_failed', $username );
return new WP_Error("{$this->prefix}login_error", __('<strong>Simple LDAP Login Error</strong>: LDAP credentials are correct and user creation is allowed but an error occurred creating the user in WordPress. Actual error: '.$new_user->get_error_message() ));
}
} else {
return new WP_User($user->ID);
}
} else {
return new WP_Error("{$this->prefix}login_error", __('<strong>Simple LDAP Login Error</strong>: Your LDAP credentials are correct, but you are not in an authorized LDAP group.'));
}
} elseif ( str_true($this->get_setting('high_security')) ) {
return new WP_Error('invalid_username', __('<strong>Simple LDAP Login</strong>: Simple LDAP Login could not authenticate your credentials. The security settings do not permit trying the WordPress user database as a fallback.'));
}
do_action($this->prefix . 'auth_failure');
return false;
}
function ldap_auth( $username, $password, $directory ) {
$result = false;
if ( $directory == "ad" ) {
$result = $this->adldap->authenticate( $username, $password );
} elseif ( $directory == "ol" ) {
$this->ldap = ldap_connect( join(' ', (array)$this->get_setting('domain_controllers')), (int)$this->get_setting('ldap_port') );
ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$this->get_setting('ldap_version'));
if ( str_true($this->get_setting('use_tls')) ) {
ldap_start_tls($this->ldap);
}
$ldapbind = @ldap_bind($this->ldap, $this->get_setting('ol_login') .'=' . $username . ',' . $this->get_setting('base_dn'), $password);
$result = $ldapbind;
}
return apply_filters($this->prefix . 'ldap_auth', $result);
}
function user_has_groups( $username = false, $directory ) {
$result = false;
$groups = (array)$this->get_setting('groups');
$groups = array_filter($groups);
if ( ! $username ) return $result;
if ( count( $groups ) == 0 ) return true;
if ( $directory == "ad" ) {
foreach ($groups as $gp) {
if ( $this->adldap->user_ingroup ($username, $gp ) ) {
$result = true;
break;
}
}
} elseif ( $directory == "ol" ) {
if( $this->ldap === false ) return false;
$result = ldap_search($this->ldap, $this->get_setting('base_dn'), '(' . $this->get_setting('ol_login') . '=' . $username . ')', array('cn'));
$ldapgroups = ldap_get_entries($this->ldap, $result);
// Ok, we should have the user, all the info, including which groups he is a member of.
// Let's make sure he's in the right group before proceeding.
$user_groups = array();
for ( $i = 0; $i < $ldapgroups['count']; $i++) {
$user_groups[] .= $ldapgroups[$i]['cn'][0];
}
$result = (bool)(count( array_intersect($user_groups, $groups) ) > 0);
}
return apply_filters($this->prefix . 'user_has_groups', $result);
}
function get_user_data( $username, $directory ) {
$user_data = array(
'user_pass' => md5( microtime() ),
'user_login' => $username,
'user_nicename' => '',
'user_email' => '',
'display_name' => '',
'first_name' => '',
'last_name' => '',
'role' => $this->get_setting('role')
);
if ( $directory == "ad" ) {
$userinfo = $this->adldap->user_info($username, array("samaccountname","givenname","sn","mail"));
$userinfo = $userinfo[0];
} elseif ( $directory == "ol" ) {
if ( $this->ldap == null ) {return false;}
$result = ldap_search($this->ldap, $this->get_setting('base_dn'), '(' . $this->get_setting('ol_login') . '=' . $username . ')', array($this->get_setting('ol_login'), 'sn', 'givenname', 'mail'));
$userinfo = ldap_get_entries($this->ldap, $result);
if ($userinfo['count'] == 1) {
$userinfo = $userinfo[0];
}
} else return false;
if( is_array($userinfo) ) {
$user_data['user_nicename'] = $userinfo['givenname'][0] . ' ' . $userinfo['sn'][0];
$user_data['user_email'] = $userinfo['mail'][0];
$user_data['display_name'] = $user_data['user_nicename'];
$user_data['first_name'] = $userinfo['givenname'][0];
$user_data['last_name'] = $userinfo['sn'][0];
}
return apply_filters($this->prefix . 'user_data', $user_data);
}
}
if ( ! function_exists('str_true') ) {
/**
* Evaluates natural language strings to boolean equivalent
*
* Used primarily for handling boolean text provided in shopp() tag options.
* All values defined as true will return true, anything else is false.
*
* Boolean values will be passed through.
*
* Replaces the 1.0-1.1 value_is_true()
*
* @author Jonathan Davis
* @since 1.2
*
* @param string $string The natural language value
* @param array $istrue A list strings that are true
* @return boolean The boolean value of the provided text
**/
function str_true ( $string, $istrue = array('yes', 'y', 'true','1','on','open') ) {
if (is_array($string)) return false;
if (is_bool($string)) return $string;
return in_array(strtolower($string),$istrue);
}
}
$SimpleLDAPLogin = SimpleLDAPLogin::getInstance();
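Review bot: in the OpenLDAP branch of `ldap_auth` the return value of `ldap_start_tls()` is ignored, so when "Use TLS" is enabled and STARTTLS fails, the `ldap_bind` on the next line still sends the password over the plaintext connection; check the result and return `false` (or a `WP_Error`) instead of continuing. In the same branch the raw `$username` is concatenated into the bind DN, and in `user_has_groups` and `get_user_data` it is concatenated into the search filter `(ol_login=username)`; escape it with `ldap_escape()` (`LDAP_ESCAPE_DN` for the DN, `LDAP_ESCAPE_FILTER` for the filters, PHP 5.6+) or reject usernames outside the expected character set. The OpenLDAP group check also does not do what the comment above the loop says: it searches for the user's own entry, collects that entry's `cn` values and intersects them with the configured groups, so it compares the user's CN with the group names rather than testing membership; it needs to query the group entries (or a membership attribute) and document which schema it assumes. Smaller points: `get_user_data` seeds new accounts with `md5( microtime() )`, where `wp_generate_password()` is the right call, and `save_settings` verifies the nonce but never checks `current_user_can('manage_options')` before writing every submitted key into the options.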

File diff suppressed because it is too large


@ -0,0 +1,220 @@
# Plugin Name #
**Contributors:** clifgriffin
**Donate link:** http://cgd.io
**Tags:** LDAP, authentication, login, active directory, adLDAP
**Requires at least:** 3.4
**Tested up to:** 3.6
**Stable tag:** 1.5.5
**License:** GPLv2 or later
Integrating WordPress with LDAP shouldn't be difficult. Now it isn't. Simple LDAP Login provides all of the features, none of the hassles.
## Description ##
Having a single login for every service is a must in large organizations. This plugin allows you to integrate WordPress with LDAP quickly and easily. Like, really really easy.
**Contributing**
The easiest way to contribute to this plugin is to submit a GitHub pull request. Here's the repo:
https://github.com/clifgriffin/simple-ldap-login
**NEW VERSION -- 1.5**
Just when you thought this project was dead, it sprang to life. I have spent some time completely rewriting Simple LDAP Login from the ground up. Proceed with caution as it's possible I have broken something in the process, but I'm reasonably certain it's fundamentally stable.
**If you have any problems with 1.5, please let me know:** clifgriffin@gmail.com
**Support**
If you need support, I recommend you leave a comment on the appropriate post on my blog:
http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/
**Special Requests**
**If you need a customization or change specific to your install, I am available for hire. Shoot me an e-mail:** clifgriffin[at]gmail.com
### Features ###
* Supports Active Directory and OpenLDAP (and other directory systems which comply to the LDAP standard, such as OpenDS)
* Supports TLS
* Uses up-to-date methods for WordPress authentication routines.
* Authenticates existing WordPress usernames against LDAP.
* Can be configured to automatically create WordPress users for valid LDAP logins.
* You can restrict logins based on one or more LDAP groups.
* Intuitive control panel.
### Architecture ###
Simple LDAP Login adds an authentication filter to WordPress that authentication requests must pass. In doing so, it makes several decisions.
* Can the provided credentials be authenticated against LDAP?
* * If so, is the LDAP user a member of the required LDAP groups (if any)?
* * * Does a matching WordPress user exist?
* * * * If so, log the user in.
* * * * If not, is user creation enabled?
* * * * * Create the user and log them in.
This is high level overview. This should answer the philosophical questions about how the plugin works. If the plugin is unable to authenticate the user, it should pass it down the chain to WordPress. (Unless LDAP Exclusive is turned on, in which case it won't.)
## Upgrade Notice ##
I have spent some time completely rewriting Simple LDAP Login from the ground up. Proceed with caution as it's possible I have broken something in the process, but I'm reasonably certain it's fundamentally stable.
**If you have any problems with 1.5, please let me know:** clifgriffin@gmail.com
## Changelog ##
**Version 1.5.5**
* Fix syntax error.
* Dont sanitize user info.
**Version 1.5.4**
* Local admins will always fall back to local WP password.
* Fixes bug where new users do not have name or other information from LDAP directory
**Version 1.5.3**
* Fixing apparent security problem with blank passwords. (!)
* Fixing typo in filter name (did not affect any functionality)
* Local admin exception coming soon, as well as more bug fixes.
* Possible fix for login error upon arriving at login page when LDAP exclusive enabled.
**Version 1.5.2**
* Fixed bug with groups setting.
* Removed delete_option references in upgrade code to allow for easier rollbacks (sorry about that!)
* Fixed a few bugs in the user creation code.
* Fixed bug with storing default user role.
**Version 1.5.1**
* Fixed a bug where the domain controllers are passed as a string.
**Version 1.5**
* Complete rewritten from the ground up.
* It's Object Oriented, DRY and Singleton.
* The options have been overhauled to make configuration much easier. Focuses on individual features rather than "modes" that encapsulate several behaviors.
* Admin pages now use WordPress admin styles and behaviors.
* Tested with Active Directory. I recommend OpenLDAP users test carefully before implementing in their production environments.
* Added global on off switch so you can easily disable LDAP authentication without deactivating.
**Version 1.4.0.5.1**
* I broke it. Sorry guys! :(
* Downgraded adLDAP as some referenced functions no longer exist.
**Version 1.4.0.5**
* Updated adLDAP to version 4.x
* Fixed error in OpenLDAP group membership check
* As always TEST this first. Don't assume it works...I don't have a testing environment to ensure it will work correctly.
**Version 1.4.0.4**
* Fixes nickname bug accidentally put back in in last version. (My bad!)
**Version 1.4.0.3**
* Reverts bug introduced in 1.4.0.2
* If you installed 1.4.0.2 and use OpenLDAP, please update as soon as possible and verify users cannot login with incorrect passwords (and vice versa).
**Version 1.4.0.2 - Patches submitted by Jonas Genannt and Ilya Kozlov**
* Updates adLDAP to 3.3.2
* Fixes issue with users in recursive OUs not being found.
* Fixes issues with different Base DN formats.
*** NOTE:** Please be catious in updating. As I don't have an OpenLDAP install, I am unable to independently confirm these fix the problems. If you have issues, revert to 1.4.0.1 and e-mail me: clifgriffin[at]gmail.com. Likewise, If you can confirm these changes are effective, also let me know. :)
**Version 1.4.0.1**
* Fix for e-mail exists issue with WP 3.0+ for LDAP installations that don't populate the e-mail address attribute.
* Shows actual error message from WordPress upon failure.
**Version 1.4**
* First update in about a year. Thanks for your patience.
* Completely rewritten to support changes in WordPress 2.8+. Now fully supports WordPress 3.0.
* Much more manageable and efficient code structure. Less code repetition.
* Includes TLS support.
* Allows OpenLDAP users to specify an alternate LDAP attribute to use for logins for those not using UID.
**Version 1.3.0.3**
* Test form now implements wp_authenticate and uses the same routines as the actual login. This also means account creation and group membership are tested.
* Implemented stripslashes() to correct issue with some special characters such as a single quote and backslash.
* WordPress account "admin" is now allowed to login using local password even when security mode is set to high. For safety.
* Made some minor wording changes to the admin panel.
**Version 1.3.0.2.1**
* Fixed case sensitivity issue that could result in multiple accounts. There may be lingering case insensitivity issues due to the get_userdatabylogin function being case-sensitive. We'll figure this out in due time.
* Sorry for posting two updates on the same day!
**Version 1.3.0.2**
* Fixes several tickets including role assignment, case sensitivity, and potential compatibility issues with other themes/plugins.
* Added security mode setting to allow security to be tightened.
* Changed auto created accounts to use a random password rather than the LDAP password given.
* Fixed error with the way announcements are displayed in the admin panel.
* More code clean up.
**Version 1.3.0.1**
* Never officially released.
* Contained code cleanup and some attempted fixes.
**Version 1.3 Beta**
* Support for both Active Directory and OpenLDAP.
* The ability to create WordPress users automatically upon login based on LDAP group membership OR by LDAP authentication alone.
* The ability to test domain settings straight from admin panel.
* Announcements pane that allows me to update you with fixes, cautions, new beta versions, or other important information.
**Version 1.2.0.1**
* Changed required user level for admin page to 10, Administrators only.
**Version 1.2**
* Implemented multiple domain controllers.
* Changed field sizes on admin page to be more user friendly.
**Version 1.1**
* Moved settings to administration pages under settings.
* Upgraded to latest version of adLDAP 2.1.
* Got rid of credentials. (They are not neccessary for the authenticate function in adLDAP!)
* Plugin is now upgrade proof. Settings are stored using WordPress's setting functions.
**Version 1.0**
* Original release.
## Installation ##
1. Use the WordPress plugin directory to install the plugin or upload the directory `simple-ldap-login` to the `/wp-content/plugins/` directory.
1. Activate the plugin through the 'Plugins' menu in WordPress
1. Update the settings to those that best match your environment by going to Settings -> Simple LDAP Login
1. If you don't get the settings right the first time, don't fret! Just use your WordPress credentials. They should always work
1. Once you have the settings correct, you can toggle LDAP Exclusive mode (if you like).
1. To make your life easier, consider using two different browsers (e.g., Chrome and Firefox) to do testing. Change settings in one. Test in the other. This will prevent any chance of being locked out.
## Frequently Asked Questions ##
### Other than WordPress, what does my system require? ###
Your install of PHP must be configured/compiled with LDAP support.
### How do I know what the correct settings are? ###
I have tried to make the settings as self-explanatory as possible. If you are struggling figuring them out, you may need to speak with your LDAP administrator. I realize this is an obnoxious response, but there is no good, fool proof way to help you discover these settings. A good place to start, if you're feeling daring, might be to use ADSIEdit for Windows and Active Directory, or GQ for Linux and OpenLDAP.
### It's still not working, what other things can I try? ###
If you are confident your settings are correct and it still does not work, it may be time to check for port or firewall issues. If your LDAP server is running on a non-standard port or an obsolete version of the LDAP protocol you are going to have issues. Port 389 is the port this plugin, and nearly every other LDAP enabled software expects. They are also expecting protocol version 3. If you are using an old version of LDAP or running a non-standard port you may need to modify the code that the plugin runs or update your LDAP installation.
Unfortunately I can't be relied upon to assist with these types of requests. I chose not to support these scenarios because they are infrequent and because they confuse everyone else.
### It's still not working! How can I get help? ###
**The easiest way to get help is to post a comment on my blog:** http://clifgriffin.com/simple-ldap-login/. I'll do my best to get you up and running!
## Screenshots ##
1. Easy to use admin panel.
2. Advanced options for power users.
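Review bot: the FAQ answer "It's still not working, what other things can I try?" tells users on a non-standard port or another protocol version that they "may need to modify the code", but this commit exposes both as settings (LDAP Port and LDAP Version in the Extraordinary section of the admin page); point the answer at those settings instead. The `# Plugin Name #` heading is still the template placeholder and should read Simple LDAP Login. The Architecture section states that an unauthenticated login is passed down the chain unless LDAP Exclusive is on, yet the 1.5.4 changelog entry says local admins always fall back to the local WordPress password; that exception changes the security model of LDAP Exclusive and belongs in its description. Typos in the changelog: "Complete rewritten" (1.5), "Dont" (1.5.5), "catious" (1.4.0.2 note), "neccessary" (1.1).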


@ -0,0 +1,220 @@
=== Plugin Name ===
Contributors: clifgriffin
Donate link: http://cgd.io
Tags: LDAP, authentication, login, active directory, adLDAP
Requires at least: 3.4
Tested up to: 3.6
Stable tag: 1.5.5
License: GPLv2 or later
Integrating WordPress with LDAP shouldn't be difficult. Now it isn't. Simple LDAP Login provides all of the features, none of the hassles.
== Description ==
Having a single login for every service is a must in large organizations. This plugin allows you to integrate WordPress with LDAP quickly and easily. Like, really really easy.
**Contributing**
The easiest way to contribute to this plugin is to submit a GitHub pull request. Here's the repo:
https://github.com/clifgriffin/simple-ldap-login
**NEW VERSION -- 1.5**
Just when you thought this project was dead, it sprang to life. I have spent some time completely rewriting Simple LDAP Login from the ground up. Proceed with caution as it's possible I have broken something in the process, but I'm reasonably certain it's fundamentally stable.
If you have any problems with 1.5, please let me know: clifgriffin@gmail.com
**Support**
If you need support, I recommend you leave a comment on the appropriate post on my blog:
http://clifgriffin.com/2009/05/13/simple-ldap-login-13-for-wordpress/
**Special Requests**
If you need a customization or change specific to your install, I am available for hire. Shoot me an e-mail: clifgriffin[at]gmail.com
= Features =
* Supports Active Directory and OpenLDAP (and other directory systems which comply to the LDAP standard, such as OpenDS)
* Supports TLS
* Uses up-to-date methods for WordPress authentication routines.
* Authenticates existing WordPress usernames against LDAP.
* Can be configured to automatically create WordPress users for valid LDAP logins.
* You can restrict logins based on one or more LDAP groups.
* Intuitive control panel.
= Architecture =
Simple LDAP Login adds an authentication filter to WordPress that authentication requests must pass. In doing so, it makes several decisions.
* Can the provided credentials be authenticated against LDAP?
* * If so, is the LDAP user a member of the required LDAP groups (if any)?
* * * Does a matching WordPress user exist?
* * * * If so, log the user in.
* * * * If not, is user creation enabled?
* * * * * Create the user and log them in.
This is high level overview. This should answer the philosophical questions about how the plugin works. If the plugin is unable to authenticate the user, it should pass it down the chain to WordPress. (Unless LDAP Exclusive is turned on, in which case it won't.)
== Upgrade Notice ==
I have spent some time completely rewriting Simple LDAP Login from the ground up. Proceed with caution as it's possible I have broken something in the process, but I'm reasonably certain it's fundamentally stable.
If you have any problems with 1.5, please let me know: clifgriffin@gmail.com
== Changelog ==
**Version 1.5.5**
* Fix syntax error.
* Dont sanitize user info.
**Version 1.5.4**
* Local admins will always fall back to local WP password.
* Fixes bug where new users do not have name or other information from LDAP directory
**Version 1.5.3**
* Fixing apparent security problem with blank passwords. (!)
* Fixing typo in filter name (did not affect any functionality)
* Local admin exception coming soon, as well as more bug fixes.
* Possible fix for login error upon arriving at login page when LDAP exclusive enabled.
**Version 1.5.2**
* Fixed bug with groups setting.
* Removed delete_option references in upgrade code to allow for easier rollbacks (sorry about that!)
* Fixed a few bugs in the user creation code.
* Fixed bug with storing default user role.
**Version 1.5.1**
* Fixed a bug where the domain controllers are passed as a string.
**Version 1.5**
* Complete rewritten from the ground up.
* It's Object Oriented, DRY and Singleton.
* The options have been overhauled to make configuration much easier. Focuses on individual features rather than "modes" that encapsulate several behaviors.
* Admin pages now use WordPress admin styles and behaviors.
* Tested with Active Directory. I recommend OpenLDAP users test carefully before implementing in their production environments.
* Added global on off switch so you can easily disable LDAP authentication without deactivating.
**Version 1.4.0.5.1**
* I broke it. Sorry guys! :(
* Downgraded adLDAP as some referenced functions no longer exist.
**Version 1.4.0.5**
* Updated adLDAP to version 4.x
* Fixed error in OpenLDAP group membership check
* As always TEST this first. Don't assume it works...I don't have a testing environment to ensure it will work correctly.
**Version 1.4.0.4**
* Fixes nickname bug accidentally put back in in last version. (My bad!)
**Version 1.4.0.3**
* Reverts bug introduced in 1.4.0.2
* If you installed 1.4.0.2 and use OpenLDAP, please update as soon as possible and verify users cannot login with incorrect passwords (and vice versa).
**Version 1.4.0.2 - Patches submitted by Jonas Genannt and Ilya Kozlov**
* Updates adLDAP to 3.3.2
* Fixes issue with users in recursive OUs not being found.
* Fixes issues with different Base DN formats.
* NOTE: Please be catious in updating. As I don't have an OpenLDAP install, I am unable to independently confirm these fix the problems. If you have issues, revert to 1.4.0.1 and e-mail me: clifgriffin[at]gmail.com. Likewise, If you can confirm these changes are effective, also let me know. :)
**Version 1.4.0.1**
* Fix for e-mail exists issue with WP 3.0+ for LDAP installations that don't populate the e-mail address attribute.
* Shows actual error message from WordPress upon failure.
**Version 1.4**
* First update in about a year. Thanks for your patience.
* Completely rewritten to support changes in WordPress 2.8+. Now fully supports WordPress 3.0.
* Much more manageable and efficient code structure. Less code repetition.
* Includes TLS support.
* Allows OpenLDAP users to specify an alternate LDAP attribute to use for logins for those not using UID.
**Version 1.3.0.3**
* Test form now implements wp_authenticate and uses the same routines as the actual login. This also means account creation and group membership are tested.
* Implemented stripslashes() to correct issue with some special characters such as a single quote and backslash.
* WordPress account "admin" is now allowed to login using local password even when security mode is set to high. For safety.
* Made some minor wording changes to the admin panel.
**Version 1.3.0.2.1**
* Fixed case sensitivity issue that could result in multiple accounts. There may be lingering case insensitivity issues due to the get_userdatabylogin function being case-sensitive. We'll figure this out in due time.
* Sorry for posting two updates on the same day!
**Version 1.3.0.2**
* Fixes several tickets including role assignment, case sensitivity, and potential compatibility issues with other themes/plugins.
* Added security mode setting to allow security to be tightened.
* Changed auto created accounts to use a random password rather than the LDAP password given.
* Fixed error with the way announcements are displayed in the admin panel.
* More code clean up.
**Version 1.3.0.1**
* Never officially released.
* Contained code cleanup and some attempted fixes.
**Version 1.3 Beta**
* Support for both Active Directory and OpenLDAP.
* The ability to create WordPress users automatically upon login based on LDAP group membership OR by LDAP authentication alone.
* The ability to test domain settings straight from admin panel.
* Announcements pane that allows me to update you with fixes, cautions, new beta versions, or other important information.
**Version 1.2.0.1**
* Changed required user level for admin page to 10, Administrators only.
**Version 1.2**
* Implemented multiple domain controllers.
* Changed field sizes on admin page to be more user friendly.
**Version 1.1**
* Moved settings to administration pages under settings.
* Upgraded to latest version of adLDAP 2.1.
* Got rid of credentials. (They are not neccessary for the authenticate function in adLDAP!)
* Plugin is now upgrade proof. Settings are stored using WordPress's setting functions.
**Version 1.0**
* Original release.
== Installation ==
1. Use the WordPress plugin directory to install the plugin or upload the directory `simple-ldap-login` to the `/wp-content/plugins/` directory.
1. Activate the plugin through the 'Plugins' menu in WordPress
1. Update the settings to those that best match your environment by going to Settings -> Simple LDAP Login
1. If you don't get the settings right the first time, don't fret! Just use your WordPress credentials. They should always work
1. Once you have the settings correct, you can toggle LDAP Exclusive mode (if you like).
1. To make your life easier, consider using two different browsers (e.g., Chrome and Firefox) to do testing. Change settings in one. Test in the other. This will prevent any chance of being locked out.
== Frequently Asked Questions ==
= Other than WordPress, what does my system require? =
Your install of PHP must be configured/compiled with LDAP support.
= How do I know what the correct settings are? =
I have tried to make the settings as self-explanatory as possible. If you are struggling figuring them out, you may need to speak with your LDAP administrator. I realize this is an obnoxious response, but there is no good, fool proof way to help you discover these settings. A good place to start, if you're feeling daring, might be to use ADSIEdit for Windows and Active Directory, or GQ for Linux and OpenLDAP.
= It's still not working, what other things can I try? =
If you are confident your settings are correct and it still does not work, it may be time to check for port or firewall issues. If your LDAP server is running on a non-standard port or an obsolete version of the LDAP protocol you are going to have issues. Port 389 is the port this plugin, and nearly every other LDAP enabled software expects. They are also expecting protocol version 3. If you are using an old version of LDAP or running a non-standard port you may need to modify the code that the plugin runs or update your LDAP installation.
Unfortunately I can't be relied upon to assist with these types of requests. I chose not to support these scenarios because they are infrequent and because they confuse everyone else.
= It's still not working! How can I get help? =
The easiest way to get help is to post a comment on my blog: http://clifgriffin.com/simple-ldap-login/. I'll do my best to get you up and running!
== Screenshots ==
1. Easy to use admin panel.
2. Advanced options for power users.
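Review bot: the **Version 1.5.3** entry "Fixing apparent security problem with blank passwords. (!)" should state what was fixed, because the failure mode is the classic LDAP one: a bind request carrying a DN and an empty password is an unauthenticated (anonymous) bind that many directories accept, so the authentication filter must reject an empty password before it ever calls ldap_bind(). Operators reading this changelog to decide whether to upgrade need that spelled out. The **Version 1.5.5** entry "Dont sanitize user info." needs the same treatment: with "Can be configured to automatically create WordPress users for valid LDAP logins" enabled, directory attributes are copied into WordPress user records, so say which sanitization was removed and why it was safe to remove. Finally, the FAQ paragraph starting "Port 389 is the port this plugin, and nearly every other LDAP enabled software expects" should point readers to the TLS option listed under Features, since the plugin authenticates by binding with the user's password and a plain bind on 389 sends it in cleartext.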