updated plugin AuthLDAP
version 2.5.2
This commit is contained in:
parent
713de650a5
commit
350836f064
@ -3,7 +3,7 @@
|
||||
Plugin Name: AuthLDAP
|
||||
Plugin URI: https://github.com/heiglandreas/authLdap
|
||||
Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
|
||||
Version: 2.4.10
|
||||
Version: 2.5.2
|
||||
Author: Andreas Heigl <andreas@heigl.org>
|
||||
Author URI: http://andreas.heigl.org
|
||||
License: MIT
|
||||
@ -82,6 +82,7 @@ function authLdap_options_panel()
|
||||
'GroupEnable' => authLdap_get_post('authLDAPGroupEnable', false),
|
||||
'GroupOverUser' => authLdap_get_post('authLDAPGroupOverUser', false),
|
||||
'DoNotOverwriteNonLdapUsers' => authLdap_get_post('authLDAPDoNotOverwriteNonLdapUsers', false),
|
||||
'UserRead' => authLdap_get_post('authLDAPUseUserAccount', false),
|
||||
);
|
||||
if (authLdap_set_options($new_options)) {
|
||||
echo "<div class='updated'><p>Saved Options!</p></div>";
|
||||
@ -112,6 +113,7 @@ function authLdap_options_panel()
|
||||
$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
|
||||
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
|
||||
$authLDAPDoNotOverwriteNonLdapUsers = authLdap_get_option('DoNotOverwriteNonLdapUsers');
|
||||
$authLDAPUseUserAccount= authLdap_get_option('UserRead');
|
||||
|
||||
$tChecked = ($authLDAP) ? ' checked="checked"' : '';
|
||||
$tDebugChecked = ($authLDAPDebug) ? ' checked="checked"' : '';
|
||||
@ -120,6 +122,7 @@ function authLdap_options_panel()
|
||||
$tGroupOverUserChecked = ($authLDAPGroupOverUser) ? ' checked="checked"' : '';
|
||||
$tStartTLSChecked = ($authLDAPStartTLS) ? ' checked="checked"' : '';
|
||||
$tDoNotOverwriteNonLdapUsers = ($authLDAPDoNotOverwriteNonLdapUsers) ? ' checked="checked"' : '';
|
||||
$tUserRead = ($authLDAPUseUserAccount) ? ' checked="checked"' : '';
|
||||
|
||||
$roles = new WP_Roles();
|
||||
|
||||
@ -233,6 +236,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
|
||||
$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
|
||||
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
|
||||
$authLDAPUseUserAccount = authLdap_get_option('UserRead');
|
||||
|
||||
if (! $username) {
|
||||
authLdap_debug('Username not supplied: return false');
|
||||
@ -281,10 +285,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
return false;
|
||||
}
|
||||
|
||||
// Make optional querying from the admin account #213
|
||||
if (! authLdap_get_option('UserRead')) {
|
||||
// Rebind with the default credentials after the user has been loged in
|
||||
// Otherwise the credentials of the user trying to login will be used
|
||||
// This fixes #55
|
||||
authLdap_get_server()->bind();
|
||||
}
|
||||
|
||||
if (true !== $result) {
|
||||
authLdap_debug('LDAP authentication failed');
|
||||
@ -293,7 +300,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
return;
|
||||
}
|
||||
|
||||
authLdap_debug('LDAP authentication successfull');
|
||||
authLdap_debug('LDAP authentication successful');
|
||||
$attributes = array_values(
|
||||
array_filter(
|
||||
apply_filters(
|
||||
@ -440,6 +447,13 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
$userid = wp_insert_user($user_info);
|
||||
}
|
||||
|
||||
// if the user exists, wp_insert_user will update the existing user record
|
||||
if (is_wp_error($userid)) {
|
||||
authLdap_debug('Error creating user : ' . $userid->get_error_message());
|
||||
trigger_error('Error creating user: ' . $userid->get_error_message());
|
||||
return $userid;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add hook for custom updates
|
||||
*
|
||||
@ -448,13 +462,6 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
*/
|
||||
do_action('authLdap_login_successful', $userid, $attribs[0]);
|
||||
|
||||
// if the user exists, wp_insert_user will update the existing user record
|
||||
if (is_wp_error($userid)) {
|
||||
authLdap_debug('Error creating user : ' . $userid->get_error_message());
|
||||
trigger_error('Error creating user: ' . $userid->get_error_message());
|
||||
return $userid;
|
||||
}
|
||||
|
||||
authLdap_debug('user id = ' . $userid);
|
||||
|
||||
// flag the user as an ldap user so we can hide the password fields in the user profile
|
||||
@ -505,23 +512,25 @@ function authLdap_get_uid($username)
|
||||
*/
|
||||
function authLdap_user_role($uid)
|
||||
{
|
||||
global $wpdb;
|
||||
global $wpdb, $wp_roles;
|
||||
|
||||
if (!$uid) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$meta_value = $wpdb->get_var(
|
||||
"SELECT meta_value FROM {$wpdb->usermeta} WHERE meta_key = '{$wpdb->prefix}capabilities' AND user_id = {$uid}"
|
||||
);
|
||||
|
||||
if (!$meta_value) {
|
||||
/** @var array<string, bool> $usercapabilities */
|
||||
$usercapabilities = get_user_meta( $uid, "{$wpdb->prefix}capabilities", true);
|
||||
if ( ! is_array( $usercapabilities ) ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$capabilities = unserialize($meta_value);
|
||||
$roles = is_array($capabilities) ? array_keys($capabilities) : array('');
|
||||
$role = $roles[0];
|
||||
/** @var array<string, array{name: string, capabilities: array<mixed>} $editable_roles */
|
||||
$editable_roles = $wp_roles->roles;
|
||||
|
||||
// By using this approach we are now using the order of the roles from the WP_Roles object
|
||||
// and not from the capabilities any more.
|
||||
$userroles = array_keys(array_intersect_key($editable_roles, $usercapabilities));
|
||||
$role = $userroles[0];
|
||||
|
||||
authLdap_debug("Existing user's role: {$role}");
|
||||
return $role;
|
||||
|
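Review bot: `$role = $userroles[0];` in authLdap_user_role assumes the intersection is non-empty, but a user whose capabilities meta holds only capability keys, or a role that is no longer registered in `$wp_roles->roles`, leaves `$userroles` empty, so this line reads an undefined offset and returns null where the guards above return the empty string; guard it with `$role = $userroles[0] ?? '';`. The `@var` annotation on the line above `$editable_roles` is missing its closing `>` (`array<string, array{name: string, capabilities: array<mixed>}>`), so static analysers will not parse it. `$wp_roles` is read straight from a global; if this can run before roles are initialised, `wp_roles()->roles` may be the safer accessor, which is worth confirming against the plugin's supported WordPress versions.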
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* $Id: ldap.php 2450394 2021-01-05 07:38:43Z heiglandreas $
|
||||
* $Id: ldap.php 2676679 2022-02-10 18:26:37Z heiglandreas $
|
||||
*
|
||||
* authLdap - Authenticate Wordpress against an LDAP-Backend.
|
||||
* Copyright (c) 2008 Andreas Heigl<andreas@heigl.org>
|
||||
@ -46,7 +46,7 @@ class LDAP
|
||||
/**
|
||||
* This property contains the connection handle to the ldap-server
|
||||
*
|
||||
* @var Ressource
|
||||
* @var Ressource|Connection|null
|
||||
*/
|
||||
private $ch = null;
|
||||
|
||||
@ -117,7 +117,8 @@ class LDAP
|
||||
}
|
||||
|
||||
$this->ch = @ldap_connect($this->scheme . '://' . $this->server . ':' . $this -> port);
|
||||
if (! $this->ch) {
|
||||
if (false === $this->ch) {
|
||||
$this->ch = null;
|
||||
throw new Error('Could not connect to the server');
|
||||
}
|
||||
ldap_set_option($this->ch, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
@ -136,7 +137,7 @@ class LDAP
|
||||
*/
|
||||
public function disconnect()
|
||||
{
|
||||
if (is_resource($this->ch)) {
|
||||
if (null !== $this->ch ) {
|
||||
@ldap_unbind($this->ch);
|
||||
}
|
||||
$this->ch = null;
|
||||
@ -154,8 +155,8 @@ class LDAP
|
||||
if (! $this->ch) {
|
||||
$this->connect();
|
||||
}
|
||||
if (! is_resource($this->ch)) {
|
||||
throw new Error('No Resource-handle given');
|
||||
if (null === $this->ch) {
|
||||
throw new Error('No valid LDAP connection available');
|
||||
}
|
||||
$bind = false;
|
||||
if (( ( $this->username )
|
||||
@ -195,7 +196,7 @@ class LDAP
|
||||
*/
|
||||
public function search($filter, $attributes = array('uid'), $base = '')
|
||||
{
|
||||
if (! is_Resource($this->ch)) {
|
||||
if (null === $this->ch) {
|
||||
throw new Error('No resource handle avbailable');
|
||||
}
|
||||
if (! $base) {
|
||||
|
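Review bot: The new guard in search() keeps the old message `'No resource handle avbailable'` (typo, and it still speaks of a resource although the docblock now allows an `LDAP\Connection` object), while the identical guard in bind() in the hunk above was reworded; use the same text here, `throw new Error('No valid LDAP connection available');`. Unlike bind(), search() does not try `$this->connect()` before throwing, so a search issued before any bind fails hard; if that is intended, a one-line comment stating that search() requires a prior bind() would help the next reader. The property docblock earlier in this file spells the pseudo-type `Ressource`; `resource|\LDAP\Connection|null` is what analysers understand, and `Connection` needs the `LDAP\` qualification unless the file imports it, which I cannot see from here. The search() body continues past the end of the hunk.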
@ -2,7 +2,7 @@
|
||||
Contributors: heiglandreas
|
||||
Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
|
||||
Requires at least: 2.5.0
|
||||
Tested up to: 5.6.0
|
||||
Tested up to: 5.9.0
|
||||
Requires PHP: 7.2
|
||||
Stable tag: trunk
|
||||
License: MIT
|
||||
@ -41,6 +41,12 @@ Please use the issuetracker at https://github.com/heiglandreas/authLdap/issues
|
||||
|
||||
== Changelog ==
|
||||
|
||||
= 2.5.0 =
|
||||
* Ignore the order of capabilities to tell the role. In addition the filter `editable_roles` can be used to limit the roles
|
||||
|
||||
= 2.4.11 =
|
||||
* Fix issue with running on PHP8.1
|
||||
|
||||
= 2.4.9 =
|
||||
* Improve group-assignement UI
|
||||
|
||||
|
@ -42,6 +42,7 @@ class LdapList
|
||||
|
||||
public function authenticate($username, $password, $filter = '(uid=%s)')
|
||||
{
|
||||
/** @var LDAP $item */
|
||||
foreach ($this->items as $key => $item) {
|
||||
if (! $item->authenticate($username, $password, $filter)) {
|
||||
unset($this->items[$key]);
|
||||
|
@ -185,6 +185,18 @@
|
||||
<fieldset class="options">
|
||||
<table class="form-table">
|
||||
<tr>
|
||||
<th scope="row">
|
||||
<label for="authLDAPUseUserAccount">User-Read</label>
|
||||
</th>
|
||||
<td>
|
||||
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
|
||||
<p class="description">
|
||||
If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
|
||||
</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th scope="row">
|
||||
<label for="authLDAPNameAttr">Name-Attribute</label>
|
||||
</th>
|
||||
|
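Review bot: The description under the new `authLDAPUseUserAccount` checkbox does not tell the administrator what the setting changes operationally: per the matching change in authLdap_login, enabling it skips the rebind with the configured service credentials after a successful login, so the attribute lookups that follow appear to run with the logging-in user's LDAP permissions rather than the admin bind. Suggest extending the text, e.g. `If checked the plugin keeps the connection bound as the authenticated user and reads their attributes with that user's LDAP permissions; if unchecked it rebinds with the configured admin account first.` The label `User-Read` is opaque on its own; something like `Read as user` would match the description. `$tUserRead` is a fixed string built in the options panel, so the unescaped `echo` is fine here.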