updated plugin AuthLDAP
version 2.6.2
This commit is contained in:
parent
4e493c268e
commit
65d26d4d83
@ -4,7 +4,7 @@
|
||||
Plugin Name: AuthLDAP
|
||||
Plugin URI: https://github.com/heiglandreas/authLdap
|
||||
Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
|
||||
Version: 2.6.0
|
||||
Version: 2.6.2
|
||||
Author: Andreas Heigl <andreas@heigl.org>
|
||||
Author URI: http://andreas.heigl.org
|
||||
License: MIT
|
||||
@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
$authLDAPUidAttr = authLdap_get_option('UidAttr');
|
||||
$authLDAPWebAttr = authLdap_get_option('WebAttr');
|
||||
$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
|
||||
$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
|
||||
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
|
||||
$authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
|
||||
$authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
|
||||
$authLDAPUseUserAccount = authLdap_get_option('UserRead');
|
||||
|
||||
if (!$username) {
|
||||
@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
|
||||
// we only need this if either LDAP groups are disabled or
|
||||
// if the WordPress role of the user overrides LDAP groups
|
||||
if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
|
||||
if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
|
||||
$userRoles = authLdap_user_role($uid);
|
||||
if ($userRoles !== []) {
|
||||
$roles = array_merge($roles, $userRoles);
|
||||
@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
|
||||
}
|
||||
|
||||
// do LDAP group mapping if needed
|
||||
// (if LDAP groups override worpress user role, $role is still empty)
|
||||
if (empty($roles) && $authLDAPGroupEnable) {
|
||||
// (if LDAP groups override wordpress user role, $role is still empty)
|
||||
if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
|
||||
$mappedRoles = authLdap_groupmap($realuid, $dn);
|
||||
if ($mappedRoles !== []) {
|
||||
$roles = $mappedRoles;
|
||||
|
@ -284,6 +284,25 @@ LDIF',
|
||||
return trim($item);
|
||||
}, explode(',', $user['roles']));
|
||||
Assert::false(in_array($arg2, $roles));
|
||||
}
|
||||
|
||||
}
|
||||
/**
|
||||
* @Given LDAP user :arg1 is not member of LDAP group :arg2
|
||||
*/
|
||||
public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2)
|
||||
{
|
||||
exec(sprintf(
|
||||
'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 <<LDIF
|
||||
%4$s
|
||||
LDIF',
|
||||
'ldap://openldap',
|
||||
'cn=admin,dc=example,dc=org',
|
||||
'insecure',
|
||||
<<<LDIF
|
||||
dn: cn=$arg2,dc=example,dc=org
|
||||
changetype: modify
|
||||
delete: uniqueMember
|
||||
uniqueMember: uid=$arg1,dc=example,dc=org
|
||||
LDIF
|
||||
)); }
|
||||
}
|
||||
|
@ -61,3 +61,24 @@ Feature: Log in without group assignment
|
||||
And the WordPress user "ldapuser" is member of role "wordpressrole"
|
||||
And the WordPress user "ldapuser" is not member of role "editor"
|
||||
And the WordPress user "ldapuser" is not member of role "subscriber"
|
||||
|
||||
Scenario: Second Login with group assignment that changes between first and second login
|
||||
Given a default configuration
|
||||
And configuration value "GroupEnable" is set to "true"
|
||||
And configuration value "DefaultRole" is set to "subscriber"
|
||||
And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2"
|
||||
And configuration value "GroupAttr" is set to "cn"
|
||||
And configuration value "GroupFilter" is set to "uniquemember=%dn%"
|
||||
And configuration value "GroupOverUser" is set to "true"
|
||||
And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "ldapuser@example.com" exists
|
||||
And an LDAP group "ldapgroup1" exists
|
||||
And an LDAP group "ldapgroup2" exists
|
||||
And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
|
||||
And LDAP user "ldapuser" logs in with password "P@ssw0rd"
|
||||
And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
|
||||
And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
|
||||
When LDAP user "ldapuser" logs in with password "P@ssw0rd"
|
||||
Then the login suceeds
|
||||
And the WordPress user "ldapuser" is member of role "editor"
|
||||
And the WordPress user "ldapuser" is not member of role "administrator"
|
||||
And the WordPress user "ldapuser" is not member of role "subscriber"
|
||||
|
@ -2,7 +2,7 @@
|
||||
Contributors: heiglandreas
|
||||
Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
|
||||
Requires at least: 2.5.0
|
||||
Tested up to: 6.4.0
|
||||
Tested up to: 6.5.0
|
||||
Requires PHP: 7.4
|
||||
Stable tag: trunk
|
||||
License: MIT
|
||||
@ -46,6 +46,9 @@ In essence: Report a security vulnerability at https://github.com/heiglandreas/a
|
||||
Please see https://github.com/heiglandreas/authLdap/blob/master/SECURITY.md for more details
|
||||
|
||||
== Changelog ==
|
||||
= 2.6.2 =
|
||||
|
||||
* Fix issue with Groups not being updated on existing accounts (see https://github.com/heiglandreas/authLdap/issues/250 for details)
|
||||
|
||||
= 2.6.0 =
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* Copyright Andreas Heigl <andreas@heigl.org>
|
||||
*
|
||||
* Licensed under the MIT-license. For details see the included file LICENSE.md
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Org_Heigl\AuthLdap\Exception;
|
||||
|
||||
use RuntimeException;
|
||||
|
@ -1,13 +1,13 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* Copyright Andreas Heigl <andreas@heigl.org>
|
||||
*
|
||||
* Licensed under the MIT-license. For details see the included file LICENSE.md
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Org_Heigl\AuthLdap;
|
||||
|
||||
use function json_decode;
|
||||
|
@ -1,16 +1,17 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* Copyright Andreas Heigl <andreas@heigl.org>
|
||||
*
|
||||
* Licensed under the MIT-license. For details see the included file LICENSE.md
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Org_Heigl\AuthLdap;
|
||||
|
||||
use Org_Heigl\AuthLdap\Exception\UnknownOption;
|
||||
|
||||
use function array_key_exists;
|
||||
|
||||
class Options
|
||||
|
@ -101,7 +101,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI"
|
||||
class="regular-text" value="<?php echo $authLDAPURI; ?>"/>
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPURI); ?>"/>
|
||||
<p class="description">
|
||||
The <abbr title="Uniform Ressource Identifier">URI</abbr>
|
||||
for connecting to the LDAP-Server. This usualy takes the form
|
||||
@ -139,7 +139,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator"
|
||||
class="regular-text" value="<?php echo $authLDAPURISeparator; ?>"/>
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPURISeparator); ?>"/>
|
||||
<p class="description">
|
||||
A separator that separates multiple LDAP-URIs from one another.
|
||||
You can use that feature to try to authenticate against multiple LDAP-Servers
|
||||
@ -152,7 +152,7 @@
|
||||
<label for="authLDAPStartTLS" class="description">StartTLS</label>
|
||||
</th>
|
||||
<td>
|
||||
<input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo $tStartTLSChecked; ?>/>
|
||||
<input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo esc_attr($tStartTLSChecked); ?>/>
|
||||
<p class="description">
|
||||
Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
|
||||
</p>
|
||||
@ -163,7 +163,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)"
|
||||
class="regular-text" value="<?php echo $authLDAPFilter; ?>"/>
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPFilter); ?>"/>
|
||||
<p class="description">
|
||||
Please provide a valid filter that can be used for querying the
|
||||
<abbr title="Lightweight Directory Access Protocol">LDAP</abbr>
|
||||
@ -190,7 +190,7 @@
|
||||
<label for="authLDAPUseUserAccount">User-Read</label>
|
||||
</th>
|
||||
<td>
|
||||
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
|
||||
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo esc_attr($tUserRead); ?>/><br />
|
||||
<p class="description">
|
||||
If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
|
||||
</p>
|
||||
@ -203,7 +203,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name"
|
||||
class="regular-text" value="<?php echo $authLDAPNameAttr; ?>"/><br />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPNameAttr); ?>"/><br />
|
||||
<p class="description">
|
||||
Which Attribute from the LDAP contains the Full or the First name
|
||||
of the user trying to log in.
|
||||
@ -220,7 +220,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder=""
|
||||
class="regular-text" value="<?php echo $authLDAPSecName; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPSecName); ?>" />
|
||||
<p class="description">
|
||||
If the above Name-Attribute only contains the First Name of the
|
||||
user you can here specify an Attribute that contains the second name.
|
||||
@ -236,7 +236,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid"
|
||||
class="regular-text" value="<?php echo $authLDAPUidAttr; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPUidAttr); ?>" />
|
||||
<p class="description">
|
||||
Please give the Attribute, that is used to identify the user. This
|
||||
should be the same as you used in the above <em>Filter</em>-Option
|
||||
@ -252,7 +252,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail"
|
||||
class="regular-text" value="<?php echo $authLDAPMailAttr; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPMailAttr); ?>" />
|
||||
<p class="description">
|
||||
Which Attribute holds the eMail-Address of the user?
|
||||
</p>
|
||||
@ -270,7 +270,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder=""
|
||||
class="regular-text" value="<?php echo $authLDAPWebAttr; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPWebAttr); ?>" />
|
||||
<p class="description">
|
||||
If your users have a personal page (URI) stored in the LDAP, it can
|
||||
be provided here.
|
||||
@ -291,7 +291,7 @@
|
||||
</option>
|
||||
<?php foreach ($roles->get_names() as $group => $vals) : ?>
|
||||
<option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>>
|
||||
<?php echo $vals; ?>
|
||||
<?php echo esc_attr($vals); ?>
|
||||
</option>
|
||||
<?php endforeach; ?>
|
||||
</select>
|
||||
@ -317,7 +317,7 @@
|
||||
<label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label>
|
||||
</th>
|
||||
<td>
|
||||
<input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo $tGroupOverUserChecked; ?>/>
|
||||
<input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo esc_attr($tGroupOverUserChecked); ?>/>
|
||||
<p class="description">
|
||||
If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
|
||||
</p>
|
||||
@ -329,7 +329,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder=""
|
||||
class="regular-text" value="<?php echo $authLDAPGroupBase; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPGroupBase); ?>" />
|
||||
<p class="description">
|
||||
This is the base dn to lookup groups.
|
||||
</p>
|
||||
@ -344,7 +344,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber"
|
||||
class="regular-text" value="<?php echo $authLDAPGroupAttr; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPGroupAttr); ?>" />
|
||||
<p class="description">
|
||||
This is the attribute that defines the Group-ID that can be matched
|
||||
against the Groups defined further down
|
||||
@ -360,7 +360,7 @@
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder=","
|
||||
class="regular-text" value="<?php echo $authLDAPGroupSeparator; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPGroupSeparator); ?>" />
|
||||
<p class="description">
|
||||
This attribute defines the separator used for the Group-IDs listed in the
|
||||
Groups defined further down. This is useful if the value of Group-Attribute
|
||||
@ -378,7 +378,7 @@
|
||||
<td>
|
||||
<input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter"
|
||||
placeholder="(&(objectClass=posixGroup)(memberUid=%s))"
|
||||
class="regular-text" value="<?php echo $authLDAPGroupFilter; ?>" />
|
||||
class="regular-text" value="<?php echo esc_attr($authLDAPGroupFilter); ?>" />
|
||||
<p class="description">
|
||||
Here you can add the filter for selecting groups for ther
|
||||
currentlly logged in user
|
||||
@ -416,12 +416,13 @@
|
||||
<tr>
|
||||
<th scope="row" style="width:auto; min-width: 200px;">
|
||||
<label for="authLDAPGroups[<?php echo $group; ?>]">
|
||||
<?php echo $vals; ?>
|
||||
<?php echo esc_attr($vals); ?>
|
||||
</label>
|
||||
</th>
|
||||
<td>
|
||||
<input type="text" name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]"
|
||||
value="<?php echo $aGroup; ?>" />
|
||||
<textarea name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]" cols=60 rows=5><?php
|
||||
echo esc_textarea($aGroup);
|
||||
?></textarea>
|
||||
</td>
|
||||
</tr>
|
||||
<?php endforeach; ?>
|
||||
|
1
wp-content/plugins/authldap/wordpress/info.php
Normal file
1
wp-content/plugins/authldap/wordpress/info.php
Normal file
@ -0,0 +1 @@
|
||||
<?php
|
Loading…
Reference in New Issue
Block a user