Groups not being updated on existing accounts #250

Open
aglavic opened this issue Feb 26, 2024 · 9 comments

@aglavic

aglavic commented Feb 26, 2024

Thanks for providing this awesome plugin!

I've set up the plugin to correctly resolve my users and groups. All works great on the first login and changes of LDAP passwords also reflect correctly when logging in the next time.

However, if I change the group mapping or the LDAP group membership of the user, the WP association is not updated accordingly.
The debug output is as follows:

[AuthLDAP] User '#######' logging in
[AuthLDAP] about to do LDAP authentication
[AuthLDAP] connect to LDAP server
[AuthLDAP] LDAP authentication successful
[AuthLDAP] Existing user, uid = ##
[AuthLDAP] Existing user's roles: author
[AuthLDAP] The LDAP user has an entry in the WP-Database
[AuthLDAP] user id = ##

So it seems the group mapping is not queried anymore and thus kept from the first login. This also means it is impossible to revoke the right to access WP from LDAP.

Would be happy for any help.

@heiglandreas
Owner

Hey Artur.

Would you mind sharing your config? Either (redacted) as screenshot or via email to andreas AT heigl DOT org?

That would help me immensely in figuring out what went south.

@aglavic
Author

aglavic commented Feb 27, 2024

Sure, thanks for the quick response:

Config:

LDAP URI: ldap://cn=admin,dc={domain},dc=de:{password}@127.0.0.1/dc={domain},dc=de
LDAP URI-Separator: <empty>
StartTLS: False
Filter: ==> (uid=%s)


LDAP Groups override role of existing users?: True
Group-Base: ou=groups,dc={domain},dc=de


@heiglandreas
Owner

Hm. That looks perfectly valid. I'll have to check some tests and will get back to you.

heiglandreas added a commit that referenced this issue Mar 6, 2024
When users change their groups in LDAP that is not followed up in
WordPress. This newly added test verifies that.

Next up is fixing this problem
@heiglandreas
Owner

Thanks for raising the issue! I was able to verify the problem in a new test. Fix will be upcoming!

@aglavic
Author

aglavic commented Mar 8, 2024

Perfect, you're great!

@matbr

matbr commented May 13, 2024

Hi @heiglandreas ,
any news on this? Facing the same issue. Anything to support on this?

btw, I tried to install 2.6.1 from github but WP says the zip contains already installed 2.6.0...

cheers,

Mat

heiglandreas added a commit that referenced this issue May 17, 2024
When users change their groups in LDAP that is not followed up in
WordPress. This newly added test verifies that.

Next up is fixing this problem
@heiglandreas
Owner

Thank you all for your patience! I just released a new fix version that should fix the issue.

It also fixes the missing version increment 🙈

@matbr

matbr commented May 24, 2024

@heiglandreas
not sure why, but still not working for multi-role support...

[24-May-2024 15:53:05 UTC] [AuthLDAP] User '' logging in
[24-May-2024 15:53:05 UTC] [AuthLDAP] Username not supplied: return false
[24-May-2024 15:53:12 UTC] [AuthLDAP] User 'max.muster' logging in
[24-May-2024 15:53:12 UTC] [AuthLDAP] about to do LDAP authentication
[24-May-2024 15:53:12 UTC] [AuthLDAP] connect to LDAP server
[24-May-2024 15:53:12 UTC] [AuthLDAP] LDAP authentication successful
[24-May-2024 15:53:12 UTC] [AuthLDAP] Existing user, uid = 4
[24-May-2024 15:53:12 UTC] [AuthLDAP] Array
(
    [administrator] => xxxx-web-admin
    [editor] => xxxx-web-redaktion
    [author] => xxxx-web-autor
    [contributor] =>
    [subscriber] =>
    [translator] =>
    [teacher] => lehrer-xxxx
    [custom_permalinks_manager] =>
    [personalkreis] => xxxx-Demo
    [wpseo_manager] =>
    [wpseo_editor] =>
    [matomo_view_role] =>
    [matomo_write_role] =>
    [matomo_admin_role] =>
    [matomo_superuser_role] =>
)

[24-May-2024 15:53:12 UTC] [AuthLDAP] Array
(
    [administrator] => xxxx-web-admin
    [editor] => xxxx-web-redaktion
    [wpseo_manager] =>
    [wpseo_editor] =>
    [author] => xxxx-web-autor
    [contributor] =>
    [personalkreis] => xxxx-Demo
    [subscriber] =>
    [translator] =>
    [teacher] => lehrer-xxxx
    [custom_permalinks_manager] =>
    [matomo_view_role] =>
    [matomo_write_role] =>
    [matomo_admin_role] =>
    [matomo_superuser_role] =>
)

[24-May-2024 15:53:12 UTC] [AuthLDAP] Group Filter: "(&(objectClass=posixGroup)(memberUid=%s))"
[24-May-2024 15:53:12 UTC] [AuthLDAP] Group Base:
[24-May-2024 15:53:12 UTC] [AuthLDAP] LDAP groups: ["Domain Users","Administrators","admins-xxxx","lehrer-xxxx","mitarbeiter-xxxx","Domain Users xxxx","xxxx-import-all","xxxx-lehrer","xxxx-Verwaltung","xxxx-Demo","xxxx-web-admin"]
[24-May-2024 15:53:12 UTC] [AuthLDAP] Roles from LDAP group: ["administrator"]
[24-May-2024 15:53:12 UTC] [AuthLDAP] role from group mapping: ["administrator"]
[24-May-2024 15:53:12 UTC] [AuthLDAP] The LDAP user has an entry in the WP-Database
[24-May-2024 15:53:12 UTC] [AuthLDAP] user id = 4


so any additional role assigned to the user is removed and only the administrator role remains.

@heiglandreas
Owner

Ahhhh. OK. I think in that case the "highest" role "wins"....

I need to dig into that but think that needs a separate config flag...
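
The two behaviours discussed in this thread (LDAP group changes not reaching existing accounts, and one role replacing all others on login), as an added PHP example that is not part of the thread and not the plugin's own code. The function names, the one-group-per-role mapping and the first-match rule used for single-role mode are assumptions; the sample values are constructed from the redacted debug log above.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not authLdap's API.

/**
 * Roles the directory grants right now: each role whose mapped group is in
 * the user's LDAP groups. Roles with an empty mapping are never granted.
 * With $multiRole false, only the first match in mapping order is kept
 * (an assumed stand-in for "highest role wins").
 */
function rolesFromLdapGroups(array $roleToGroup, array $ldapGroups, bool $multiRole): array
{
    $roles = [];
    foreach ($roleToGroup as $role => $group) {
        if ($group !== '' && in_array($group, $ldapGroups, true)) {
            $roles[] = $role;
            if (!$multiRole) {
                break;
            }
        }
    }
    return $roles;
}

/**
 * Run on every successful LDAP bind, for new and existing accounts alike.
 * 'deny' is true when LDAP grants no role, so access can be revoked there.
 */
function reconcileRoles(array $storedRoles, array $ldapRoles): array
{
    return [
        'grant'  => array_values(array_diff($ldapRoles, $storedRoles)),
        'revoke' => array_values(array_diff($storedRoles, $ldapRoles)),
        'deny'   => $ldapRoles === [],
    ];
}

// Constructed sample input, taken from the redacted values in the log above.
$mapping = ['administrator' => 'xxxx-web-admin', 'editor' => 'xxxx-web-redaktion',
    'author' => 'xxxx-web-autor', 'contributor' => '',
    'teacher' => 'lehrer-xxxx', 'personalkreis' => 'xxxx-Demo'];
$groups = ['Domain Users', 'lehrer-xxxx', 'xxxx-Demo', 'xxxx-web-admin'];

print_r(rolesFromLdapGroups($mapping, $groups, false)); // single-role mode
print_r(reconcileRoles(['author'], rolesFromLdapGroups($mapping, $groups, true)));
print_r(reconcileRoles(['author'], rolesFromLdapGroups($mapping, ['Domain Users'], true)));
```

In a WordPress integration the 'grant' and 'revoke' lists would be applied with `WP_User::add_role()` and `WP_User::remove_role()`, and a true 'deny' would fail the login.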
