2021-01-17 21:28:57 +00:00
<?php
/**
* Copyright (c)2014-2014 heiglandreas
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIBILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*
* @category
* @author Andreas Heigl< andreas @ heigl . org >
* @copyright ©2014-2014 Andreas Heigl
* @license http://www.opesource.org/licenses/mit-license.php MIT-License
* @version 0.0
* @since 19.12.14
* @link https://github.com/heiglandreas/authLdap
*/
?>< div class = "wrap" >
<?php if ( ! extension_loaded ( 'ldap' )) : ?>
< div class = "error" > < strong > Caveat:< / strong > The LDAP-extension is not loaded!
Without that extension it is not possible to query an LDAP-Server! Please have a look
at < a href = "http://php.net/manual/install.php" > the PHP-Installation page< / a >
< / div >
<?php endif ?>
< h2 > AuthLDAP Options< / h2 >
2021-02-27 21:52:40 +00:00
< form class = "authldap-options" method = "post" id = "authLDAP_options" action = " <?php echo $action ; ?> " >
2023-10-22 22:20:57 +00:00
< input name = "authLdapNonce" type = "hidden" value = " <?php echo wp_create_nonce ( 'authLdapNonce' ); ?> " />
2021-01-17 21:28:57 +00:00
< h3 class = "title" > General Usage of authLDAP< / h3 >
< fieldset class = "options" >
< table class = "form-table" >
< tr >
< th >
< label for = "authLDAPAuth" > Enable Authentication via LDAP?< / label >
< / th >
< td >
< input type = "checkbox" name = "authLDAPAuth" id = "authLDAPAuth" value = "1" <?php echo $tChecked ; ?> />
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPDebug" > Debug AuthLDAP?< / label >
< / th >
< td >
< input type = "checkbox" name = "authLDAPDebug" id = "authLDAPDebug" value = "1" <?php echo $tDebugChecked ; ?> />
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPDoNotOverwriteNonLdapUsers" > Do not authenticate existing WordPress-Users< / label >
< / th >
< td >
< input type = "checkbox" name = "authLDAPDoNotOverwriteNonLdapUsers" id = "authLDAPDoNotOverwriteNonLdapUsers" value = "1" <?php echo $tDoNotOverwriteNonLdapUsers ; ?> />
< p class = "description" >
Shall we prohibit authenticating already in WordPress created users using LDAP? If you enable this, LDAP-Users with the same user-ID
as existing WordPress-Users can no longer take over the WordPress-Users account. This also means that LDAP-Users with the same User-ID as existing
WordPress-Users will < strong > not< / strong > be able to authenticate anymore! Accounts that have been taken over already will not be affected by this setting.
< / p >
< p class = "description" > This should only be checked if you know what you are doing!< / p >
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPCachePW" > Save entered passwords in the wordpress user table?< / label >
< / th >
< td >
< input type = "checkbox" name = "authLDAPCachePW" id = "authLDAPCachePW" value = "1" <?php echo $tPWChecked ; ?> />
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPGroupEnable" > Map LDAP Groups to wordpress Roles?< / label >
< / th >
< td >
< input type = "checkbox" name = "authLDAPGroupEnable" id = "authLDAPGroupEnable" value = "1" <?php echo $tGroupChecked ; ?> />
< p class = "description" >
Search LDAP for user's groups and map to Wordpress Roles.
< / p >
< / td >
< / tr >
< / table >
< / fieldset >
< h3 class = "title" > General Server Settings< / h3 >
< fieldset class = "options" >
< table class = "form-table" >
< tr >
< th >
< label for = "authLDAPURI" > LDAP URI< / label >
< / th >
< td >
< input type = "text" name = "authLDAPURI" id = "authLDAPURI" placeholder = "LDAP-URI"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPURI ); ?> "/>
2021-01-17 21:28:57 +00:00
< p class = "description" >
The < abbr title = "Uniform Ressource Identifier" > URI< / abbr >
for connecting to the LDAP-Server. This usualy takes the form
< var > < scheme> ://< user> :< password> @< server> /< path> < / var >
according to RFC 1738.< / p >
< p class = "description" >
In this case it schould be something like
< var > ldap://uid=adminuser,dc=example,c=com:secret@ldap.example.com/dc=basePath,dc=example,c=com< / var > .
< / p >
< p class = "description" >
If your LDAP accepts anonymous login, you can ommit the user and
password-Part of the URI
< / p >
< p class = "description" >
You can use the pseudo-schema < em > env< / em > to provide your LDAP-URI from an environment-variable. So if you have your
LDAP-URI in a variable called < code > LDAP_URI< / code > you can enter < code > env:LDAP_URI< / code > in this field and at runtime the
appropriate value will be taken from the Environment-variable < code > LDAP_URI< / code > . If the varialbe is not set, then the value will be empty.
< / p >
< p class = "description" >
You can also provide different parts of the LDP-URI from environment variables by providing
< code > %env:[VARIABLENAME]%< / code > within your LDAP-URI. So if you want to provide the
password from an Environment-variable < code > LDAP_PASSWORD< / code > your LDAP-URI looks like
< code > ldap://uid=adminuser,dc=example,c=com:%env:LDAP_PASSWORD%@ldap.example.com/dc=basePath,dc=example,c=com< / code >
< / p >
< p class = "description" >
< strong > Caveat!< / strong > < br / >
If you are using Environment-variables for parts of the LDAP-URL then those < strong > must not< / strong > be URL-Encoded!< br / >
Otherwise the different parts < strong > must< / strong > be URL-Encoded!
< / p >
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPURISeparator" > LDAP URI-Separator< / label >
< / th >
< td >
< input type = "text" name = "authLDAPURISeparator" id = "authLDAPURISeparator" placeholder = "LDAP-URI Separator"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPURISeparator ); ?> "/>
2021-01-17 21:28:57 +00:00
< p class = "description" >
A separator that separates multiple LDAP-URIs from one another.
You can use that feature to try to authenticate against multiple LDAP-Servers
as long as they all have the same attribute-settings. The first LDAP-Server the user can
authenticate against will be used to handle the user.
< / td >
< / tr >
< tr >
< th >
< label for = "authLDAPStartTLS" class = "description" > StartTLS< / label >
< / th >
< td >
2024-06-27 12:10:42 +00:00
< input type = "checkbox" name = "authLDAPStartTLS" id = "authLDAPStartTLS" value = "1" <?php echo esc_attr ( $tStartTLSChecked ); ?> />
2021-01-17 21:28:57 +00:00
< p class = "description" >
Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
< / p >
< / td >
< tr >
< th scope = "row" >
< label for = "authLDAPFilter" class = "description" > Filter< / label >
< / th >
< td >
< input type = "text" name = "authLDAPFilter" id = "authLDAPFilter" placeholder = "(uid=%s)"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPFilter ); ?> "/>
2021-01-17 21:28:57 +00:00
< p class = "description" >
Please provide a valid filter that can be used for querying the
< abbr title = "Lightweight Directory Access Protocol" > LDAP< / abbr >
for the correct user. For more information on this
feature have a look at < a href = "http://andreas.heigl.org/cat/dev/wp/authldap" > http://andreas.heigl.org/cat/dev/wp/authldap< / a >
< / p >
< p class = "description" >
This field < strong > should< / strong > include the string < code > %s< / code >
that will be replaced with the username provided during log-in
< / p >
< p class = "description" >
If you leave this field empty it defaults to < strong > (uid=%s)< / strong >
< / p >
< / td >
< / tr >
< / table >
< / fieldset >
< h3 class = "title" > Settings for creating new Users< / h3 >
< fieldset class = "options" >
< table class = "form-table" >
< tr >
2022-03-21 13:34:57 +00:00
< th scope = "row" >
< label for = "authLDAPUseUserAccount" > User-Read< / label >
< / th >
< td >
2024-06-27 12:10:42 +00:00
< input type = "checkbox" name = "authLDAPUseUserAccount" id = "authLDAPUseUserAccount" value = "1" <?php echo esc_attr ( $tUserRead ); ?> />< br />
2022-03-21 13:34:57 +00:00
< p class = "description" >
If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
< / p >
2023-10-22 22:20:57 +00:00
2022-03-21 13:34:57 +00:00
< / td >
< / tr >
< tr >
2021-01-17 21:28:57 +00:00
< th scope = "row" >
< label for = "authLDAPNameAttr" > Name-Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPNameAttr" id = "authLDAPNameAttr" placeholder = "name"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPNameAttr ); ?> "/>< br />
2021-01-17 21:28:57 +00:00
< p class = "description" >
Which Attribute from the LDAP contains the Full or the First name
of the user trying to log in.
< / p >
< p class = "description" >
This defaults to < strong > name< / strong >
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPSecName" > Second Name Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPSecName" id = "authLDAPSecName" placeholder = ""
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPSecName ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
If the above Name-Attribute only contains the First Name of the
user you can here specify an Attribute that contains the second name.
< / p >
< p class = "description" >
This field is empty by default
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPUidAttr" > User-ID Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPUidAttr" id = "authLDAPUidAttr" placeholder = "uid"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPUidAttr ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
Please give the Attribute, that is used to identify the user. This
should be the same as you used in the above < em > Filter< / em > -Option
< / p >
< p class = "description" >
This field defaults to < strong > uid< / strong >
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPMailAttr" > Mail Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPMailAttr" id = "authLDAPMailAttr" placeholder = "mail"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPMailAttr ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
Which Attribute holds the eMail-Address of the user?
< / p >
< p class = "description" >
If more than one eMail-Address are stored in the LDAP, only the first given is used
< / p >
< p class = "description" >
This field defaults to < strong > mail< / strong >
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPWebAttr" > Web-Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPWebAttr" id = "authLDAPWebAttr" placeholder = ""
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPWebAttr ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
If your users have a personal page (URI) stored in the LDAP, it can
be provided here.
< / p >
< p class = "description" >
This field is empty by default
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPDefaultRole" > Default Role< / label >
< / th >
< td >
< select name = "authLDAPDefaultRole" id = "authLDAPDefaultRole" >
< option value = "" <?php echo ( $authLDAPDefaultRole == '' ? 'selected="selected"' : '' ); ?> >
None (deny access)
< / option >
<?php foreach ( $roles -> get_names () as $group => $vals ) : ?>
< option value = " <?php echo $group ; ?> " <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?> >
2024-06-27 12:10:42 +00:00
<?php echo esc_attr ( $vals ); ?>
2021-01-17 21:28:57 +00:00
< / option >
<?php endforeach ; ?>
< / select >
< p class = "description" >
Here you can select the default role for users.
If you enable LDAP Groups below, they will take precedence over the Default Role.
< / p >
< p class = "description" >
Existing users will retain their roles unless overriden by LDAP Groups below.
< / p >
< / td >
< / tr >
< / table >
< / fieldset >
< div id = "authldaprolemapping" >
< h3 class = "title" > Groups for Roles< / h3 >
< fieldset class = "options" >
< table class = "form-table" >
< tr >
< th >
< label for = "authLDAPGroupOverUser" > LDAP Groups override role of existing users?< / label >
< / th >
< td >
2024-06-27 12:10:42 +00:00
< input type = "checkbox" name = "authLDAPGroupOverUser" id = "authLDAPGroupOverUser" value = "1" <?php echo esc_attr ( $tGroupOverUserChecked ); ?> />
2021-01-17 21:28:57 +00:00
< p class = "description" >
If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPGroupBase" > Group-Base< / label >
< / th >
< td >
< input type = "text" name = "authLDAPGroupBase" id = "authLDAPGroupBase" placeholder = ""
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPGroupBase ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
This is the base dn to lookup groups.
< / p >
< p class = "description" >
If empty the base dn of the LDAP URI will be used
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPGroupAttr" > Group-Attribute< / label >
< / th >
< td >
< input type = "text" name = "authLDAPGroupAttr" id = "authLDAPGroupAttr" placeholder = "gidNumber"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPGroupAttr ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
This is the attribute that defines the Group-ID that can be matched
against the Groups defined further down
< / p >
< p class = "description" >
This field defaults to < strong > gidNumber< / strong >
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPGroupSeparator" > Group-Separator< / label >
< / th >
< td >
< input type = "text" name = "authLDAPGroupSeparator" id = "authLDAPGroupSeparator" placeholder = ","
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPGroupSeparator ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
This attribute defines the separator used for the Group-IDs listed in the
Groups defined further down. This is useful if the value of Group-Attribute
listed above can contain a comma (for example, when using the memberof attribute)
< / p >
< p class = "description" >
This field defaults to < strong > , (comma)< / strong >
< / p >
< / td >
< / tr >
< tr >
< th scope = "row" >
< label for = "authLDAPGroupFilter" > Group-Filter< / label >
< / th >
< td >
< input type = "text" name = "authLDAPGroupFilter" id = "authLDAPGroupFilter"
placeholder="(& (objectClass=posixGroup)(memberUid=%s))"
2024-06-27 12:10:42 +00:00
class="regular-text" value="<?php echo esc_attr ( $authLDAPGroupFilter ); ?> " />
2021-01-17 21:28:57 +00:00
< p class = "description" >
Here you can add the filter for selecting groups for ther
currentlly logged in user
< / p >
< p class = "description" >
The Filter should contain the string < code > %s< / code > which will be replaced by
the login-name of the currently logged in user
< / p >
< p class = "description" >
Alternatively the string < code > %dn%< / code > will be replaced by the
DN of the currently logged in user. This can be helpfull if
group-memberships are defined with DNs rather than UIDs
< / p >
< p class = "description" > This field defaults to
< strong > (& (objectClass=posixGroup)(memberUid=%s))< / strong >
< / p >
< / td >
< / tr >
< / table >
< / fieldset >
< h3 class = "title" > Role - group mapping< / h3 >
< fieldset class = "options" >
2021-02-27 21:52:40 +00:00
< p class = "description" > You can set multiple values per role by separating them with a coma< / p >
< p class = "description" > The values are empty by default< / p >
2021-01-17 21:28:57 +00:00
< table class = "form-table" >
2021-02-27 21:52:40 +00:00
< thead >
< th scope = "row" > Assign this WordPress-Role< / th >
< th style = "width:auto;" > to members of this/these LDAP-Groups< / th >
< / thead >
< tbody >
2021-01-17 21:28:57 +00:00
<?php
foreach ($roles->get_names() as $group => $vals) :
$aGroup=$authLDAPGroups[$group]; ?>
< tr >
2021-02-27 21:52:40 +00:00
< th scope = "row" style = "width:auto; min-width: 200px;" >
2021-01-17 21:28:57 +00:00
< label for = "authLDAPGroups[ <?php echo $group ; ?> ]" >
2024-06-27 12:10:42 +00:00
<?php echo esc_attr ( $vals ); ?>
2021-01-17 21:28:57 +00:00
< / label >
< / th >
< td >
2024-06-27 12:10:42 +00:00
< textarea name = "authLDAPGroups[ <?php echo $group ; ?> ]" id = "authLDAPGroups[ <?php echo $group ; ?> ]" cols = 60 rows = 5 > <?php
echo esc_textarea($aGroup);
?>< / textarea >
2021-01-17 21:28:57 +00:00
< / td >
< / tr >
<?php endforeach ; ?>
2021-02-27 21:52:40 +00:00
< / tbody >
2021-01-17 21:28:57 +00:00
< / table >
< / fieldset >
< / div >
< fieldset class = "buttons" >
< p class = "submit" >
< input type = "submit" name = "ldapOptionsSave" class = "button button-primary" value = "Save Changes" / >
< / p >
< / fieldset >
< / form >
< / div >
< script type = "text/javascript" >
elem = document.getElementById('authLDAPGroupEnable');
if(! elem.checked) {
document.getElementById('authldaprolemapping').setAttribute('style', 'display:none;');
}
elem.addEventListener('change', function(e){
if(! e.target.checked) {
document.getElementById('authldaprolemapping').setAttribute('style', 'display:none;');
} else {
document.getElementById('authldaprolemapping').removeAttribute('style');
}
});
< / script >