Role assignment based on ldap attribute #112

Open
otichy opened this issue Aug 18, 2016 · 7 comments
otichy commented Aug 18, 2016

Hi,

Our ldap stores departmental affiliation in an attribute, not via groups. Would it be possible to match WP groups based on such a ldap attribute(s)?

Best

Ondrej

heiglandreas (Owner) commented

Hi there.

That's possible.

You'd want to use a group-filter like dn=%dn% (which will select the LDAP node that has the user's DN as dn-attribute, so it'll use the user-node) and set your attribute as group-value.

That way your group-attribute will be used to select the roles.

Is that what you had in mind?

otichy (Author) commented Aug 27, 2016

Hi,

Thanks a lot for getting back to me! We just had a week-long server downtime due to some upgrades, so I was able to try it out only now.

The problem I have with this setting is that when I set
Group-Filter: dn=%dn%
Group-Attribute: cuniStudySubject

and I set no value for any Role-group mapping, the login works fine, but of course no mapping happens.

But whenever I set any value to match for any role (whether it is something that I actually expect in the attribute or some nonsense string), I get stuck on the login screen (i.e. the browser keeps waiting for the site to respond after I click Login).

I'll check the logs (I ask the server admin to give me access), but is there anything else I should be aware of with this setting?

Best

Ondrej

heiglandreas (Owner) commented

Hei Ondrei.

I'm currently not sure whether you should use a lowercase version of the attribute name.

But apart from that it should work...

I'd be glad to hear what the server log says!

otichy (Author) commented Aug 27, 2016

Wow, fastest support reply ever :)
I tried to change the name of the attribute to "cunistudysubject", but no luck either. Also, if I use "cuniStudySubject" e.g. instead of the mail attribute, it imports it just fine...

heiglandreas (Owner) commented

Strange. I need to get to my laptop to check that further (which won't be until tonight). I'll be back on that!

otichy (Author) commented Aug 27, 2016

OK, I got access to the log file and with its help I got it working. My colleague was initially setting up the plugin and I hadn't noticed that he set the Filter under General Filter Settings (quite correctly) to
(&(uid=%s)(objectclass=cuniPerson))
Now when I set the Group Filter to the same value, all works fine.

Or actually, two more hiccups - the attribute value I was after includes some non-ASCII characters, which interestingly disappear when I load them e.g. into the email field in WP, but need to be there for Group Matching.

Which made me think, it might be quite useful to have some pattern matching (regex) there so that you could only enter part of the group/attribute value.

After that all worked smoothly, though an error pops up in the log:

[Sun Aug 28 01:36:30 2016] [error] [client x.x.x.x.x] Chyba datab\xc3\xa1ze WordPressu: Duplicate entry '2-16' for key 1. Konkr\xc3\xa9tn\xc3\xad dotaz: INSERT INTO wp_111_wysija_user_list (user_id, list_id, sub_date) VALUES (16, 2, 1472340990). P\xc5\x99\xc3\xadslu\xc5\xa1n\xc3\xa1 funkce: wp_signon, wp_authenticate, apply_filters('authenticate'), call_user_func_array, authLdap_login, wp_insert_user, do_action('user_register'), call_user_func_array, WYSIJA::hook_add_WP_subscriber, WYSIJA_model->insert, WYSIJA_model->save., referer: http://x.x.x.x.x/authldap/wp-login.php?redirect_to=http%3A%2F%2Fx.x.x.x.x%2Fauthldap%2Fwp-admin%2F&reauth=1

Parts of the error are unfortunately Czech, "Chyba datab\xc3\xa1ze WordPressu" means "WP Database Error", "Konkr\xc3\xa9tn\xc3\xad dotaz" means "Specific query" and "P\xc5\x99\xc3\xadslu\xc5\xa1n\xc3\xa1 funkce" means "Requested function".

Could this be because we have a multisite configuration?

In any case, thanks a lot for your help and for the plugin!
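The attribute-to-role matching discussed in this thread, modelled as an added Python example (not the plugin's code): the attribute name is looked up case-insensitively, values are compared exactly after Unicode normalisation so non-ASCII characters are preserved, and an entry with no matching value gets no role. The function names, the sample entry, its values and the role names are assumptions made for the illustration.

```python
import unicodedata

def norm(value):
    """NFC-normalise and case-fold so composed/decomposed forms compare equal."""
    return unicodedata.normalize("NFC", value).casefold()

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; look them up that way."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []

def role_for(entry, attribute, role_map):
    """Return the first role with an exact value match, or None (grant nothing)."""
    have = {norm(v) for v in get_attr(entry, attribute)}
    for role, wanted in role_map:  # ordered list, first match wins
        if have & {norm(w) for w in wanted}:
            return role
    return None

# Constructed sample data, not taken from the issue.
ENTRY = {
    "dn": "uid=jnovak,ou=people,dc=example,dc=org",
    # "Čeština" stored in decomposed form: "C" followed by a combining caron
    "cuniStudySubject": ["C\u030ce\u0161tina", "Fonetika"],
}
ROLE_MAP = [
    ("editor", ["\u010ce\u0161tina"]),            # "Čeština", precomposed
    ("subscriber", ["Fonetika", "Anglistika"]),
]

if __name__ == "__main__":
    print(role_for(ENTRY, "cunistudysubject", ROLE_MAP))                  # editor
    print(role_for(ENTRY, "cuniStudySubject", [("editor", ["Cestina"])]))  # None
```

A partial or ASCII-folded string in the mapping does not match here, so a role is only granted for a value the administrator wrote out in full.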

heiglandreas (Owner) commented

Sorry for not getting back earlier.

I'll have a look at that later today…

@heiglandreas heiglandreas self-assigned this May 25, 2017