• Resolved m451wells

    (@m451wells)


    First let me say this plugin looks fantastic. It’s exactly what I need.
    It seems as though I’m hitting an error on trying to get this setup though. I am on multi-site but right now working on the global config to ensure it’s clean.
    My ldap strings seem great and work with other plugins –
    LDAP Host: ldap.mydomain.com
    Ldap Port: 389
    LDAP Search Base: cn=users,cn=accounts,dc=mydomain,dc=com
    LDAP attribute containing username: uid
    LDAP attribute containing email: mail
    LDAP attribute containing first name: givenName
    Ldap attribute containing last name: sn

    I’m pointing to a Red Hat IPA server so it does have two CN’s; this hasn’t been an issue with any plugins or ldap searches. It’s also used as the base for the OS itself to auth.

    So when I take a new user and attempt to login the user is created. Review of the fields show that all were populated properly. I added an ACI in LDAP to allow for the address book fields to come over easily and that cleared up my mail mappings.
    What’s happening though is that no matter what it always says Password Failed. I can attempt to login as many times as I want using copy paste or anything to ensure it’s not a meatspace issue but it’s always password failed. Is there a more verbose logging I can do?
    I have another ldap plugin and can copy-paste my URI/attributes over and auth works perfectly. I’m sure I’m missing something rather easy so any guidance would be greatly appreciated.
    Thanks so much and I need to find your “buy me a beer” link. 🙂

    https://ww.wp.xz.cn/plugins/authorizer/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter m451wells

    (@m451wells)

    I was looking into the code here

    if ( ! $result ) {
        // We have a real ldap user, but an invalid password. Pass
        // through to wp authentication after failing LDAP (since
        // this could be a local account that happens to be the
        // same name as an LDAP user).
        return new WP_Error( 'using_wp_authentication', __( 'Moving on to WordPress authentication.', 'authorizer' ) );
    }

    From what I can guess, this is happening by default. I’ve even commented this out but it does not appear to be working.

    Plugin Author Paul Ryan

    (@figureone)

    Hm, let’s try to track down where exactly it’s failing in the LDAP auth routine.
    https://github.com/uhm-coe/authorizer/blob/master/authorizer.php#L1095-L1169

    If you’re familiar with finding your web server error logs, we can add some debug lines to the plugin to trigger log entries and trace our code (this is probably easier than having you set up xdebug, which can be a pain).

    In the code block linked above, try adding an error_log() line above each of the return new WP_Error() lines with a descriptive error message. Then check your log after attempting a login to see where it’s failing. It could be on the first ldap_bind to do the user lookup or the second ldap_bind to authenticate the user’s password. Example:

    error_log( 'Could not authenticate using LDAP.' );
    return new WP_Error( 'ldap_error', __( 'Could not authenticate using LDAP.', 'authorizer' ) );

    FYI, when I return a WP_Error in the authenticate filter hook, it will just fall back to WordPress authentication. So that’s ultimately what’s happening for you–LDAP auth is failing, so it checks the same username and password against the local WordPress user list, and then fails since it doesn’t match. We’ll try to figure out the specific spot the LDAP auth is failing so we can solve it (or I can update the plugin to work for your specific configuration).

    As an aside, I’m kind of waiting for the following core enhancement to integrate better logging into the plugin:
    https://core.trac.ww.wp.xz.cn/ticket/30934
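    The two-bind flow Paul describes (service bind for the lookup, then a second bind as the user), written out as an added example with an error_log() line at every failure point. This is not Authorizer’s code; the settings array, key names and the ldap_auth_debug() function are assumptions made for the example, loosely mirroring the settings posted at the top of the thread. It also carries two checks a reviewer would want in any routine like this: an empty password is rejected before the bind (an LDAP "unauthenticated bind" with a DN and empty password succeeds on many directories), and the username is escaped before it goes into the search filter.

```php
<?php
// Added example, not code from the Authorizer plugin. Returns the user's
// attributes on success, false on failure, and logs why it failed.
// $cfg keys (hypothetical): uri, tls, bind_dn, bind_pw, base, uid_attr,
// mail_attr, first_attr, last_attr.
function ldap_auth_debug(array $cfg, string $username, string $password) {
    // 1. Refuse empty passwords before calling ldap_bind(). RFC 4513 allows an
    //    "unauthenticated" bind (DN + empty password) that SUCCEEDS on many
    //    servers, which would turn any known username into a valid login.
    if ($password === '') {
        error_log('ldap_auth: empty password rejected before bind');
        return false;
    }

    $conn = ldap_connect($cfg['uri']); // e.g. "ldap://ldap.mydomain.com:389"
    if ($conn === false) {
        error_log('ldap_auth: ldap_connect rejected URI ' . $cfg['uri']);
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 2. StartTLS on 389 so the user's password is not sent in the clear.
    if (!empty($cfg['tls']) && !@ldap_start_tls($conn)) {
        error_log('ldap_auth: StartTLS failed: ' . ldap_error($conn));
        return false;
    }

    // 3. First bind: service account used only to find the user's DN.
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
        error_log('ldap_auth: service bind failed: ' . ldap_error($conn));
        return false;
    }

    // 4. Escape the username; unescaped input such as "*)(uid=*" rewrites
    //    the filter (LDAP filter injection).
    $filter = sprintf('(%s=%s)', $cfg['uid_attr'],
        ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $attrs = [$cfg['uid_attr'], $cfg['mail_attr'], $cfg['first_attr'], $cfg['last_attr']];
    $sr = @ldap_search($conn, $cfg['base'], $filter, $attrs);
    if ($sr === false) {
        error_log('ldap_auth: search failed: ' . ldap_error($conn));
        return false;
    }
    $entries = ldap_get_entries($conn, $sr);
    if ($entries['count'] !== 1) {
        error_log("ldap_auth: expected exactly 1 entry for $filter, got {$entries['count']}");
        return false;
    }
    $user_dn = $entries[0]['dn'];

    // 5. Second bind: as the user, with the submitted password. This is the
    //    real credential check; a wrong password fails here, not earlier.
    if (!@ldap_bind($conn, $user_dn, $password)) {
        error_log('ldap_auth: user bind failed for ' . $user_dn . ': ' . ldap_error($conn));
        return false;
    }
    error_log('ldap_auth: authenticated ' . $user_dn);

    // ldap_get_entries() lowercases attribute names, so index by lowercase keys.
    $e = $entries[0];
    $get = function (string $attr) use ($e): string {
        return $e[strtolower($attr)][0] ?? '';
    };
    return [
        'dn'         => $user_dn,
        'username'   => $get($cfg['uid_attr']),
        'email'      => strtolower($get($cfg['mail_attr'])),
        'first_name' => $get($cfg['first_attr']),
        'last_name'  => $get($cfg['last_attr']),
    ];
}

// Stand-alone run from the CLI against a real directory (all values are
// placeholders supplied through the environment; nothing is hard-coded here).
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $cfg = [
        'uri'        => getenv('LDAP_URI') ?: 'ldap://ldap.mydomain.com:389',
        'tls'        => true,
        'bind_dn'    => getenv('LDAP_BIND_DN') ?: '',
        'bind_pw'    => getenv('LDAP_BIND_PW') ?: '',
        'base'       => getenv('LDAP_BASE') ?: 'cn=users,cn=accounts,dc=mydomain,dc=com',
        'uid_attr'   => 'uid',
        'mail_attr'  => 'mail',
        'first_attr' => 'givenName',
        'last_attr'  => 'sn',
    ];
    $result = ldap_auth_debug($cfg, $argv[1] ?? '', $argv[2] ?? '');
    echo $result ? "OK: {$result['email']}\n" : "FAILED (see error log)\n";
}
```

    Run it as `php ldap_auth_debug.php first.surname 'the-password'` and tail the web server or PHP error log; the last `ldap_auth:` line names the step that rejected the login. The `@` on the ldap_* calls only suppresses PHP’s own warning so that the single error_log() line is the one that shows up; ldap_error() still reports the server’s reason.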

    Thread Starter m451wells

    (@m451wells)

    So an interesting item. I’ve added the _log statements to every spot within the ldap routine. On each login attempt I never get any logs. The only way I can get a log with the _log is when I type in something I know is not my password. Then I get the
    “giving up, moving to wordpress auth”
    I’ve gone through my other plugins to ensure that I’m not getting conflict and I’m almost down to a base wordpress site now.

    Thread Starter m451wells

    (@m451wells)

    Here’s my commented section –
    http://pastebin.com/Vvj1cYSR

    Thread Starter m451wells

    (@m451wells)

    One other item. I can fail the ldap login with my user and as I mentioned get the error. However the local wordpress user is only created when I auth properly; thus telling me that at least an initial auth is being made to ldap so it’s creating my local wordpress account.
    I’m able to view the wp_users table and see the random password it generated me ( well at least that it made one; can’t read it of course ).
    So while my error_log isn’t telling me exactly where it’s failing I feel good that I’m able to get past that initial auth and creation.

    Plugin Author Paul Ryan

    (@figureone)

    It sounds like it’s actually going through the whole LDAP auth routine successfully. Can you put one more error_log() at the very bottom of the function, right before the return of the user data for the logging in user?

    If that’s the case, then the problem might be later in the process:
    https://github.com/uhm-coe/authorizer/blob/master/authorizer.php#L414-L432

    Thread Starter m451wells

    (@m451wells)

    My Edits

    // Try LDAP authentication if it's enabled and we don't have an
    // authenticated user yet.
    if ( $auth_settings['ldap'] === '1' && count( $externally_authenticated_emails ) === 0 ) {
        error_log( 'running custom auth.' );
        $result = $this->custom_authenticate_ldap( $auth_settings, $username, $password );
        if ( ! is_wp_error( $result ) ) {
            if ( is_array( $result['email'] ) ) {
                error_log( 'email 1.' );
                $externally_authenticated_emails = $result['email'];
            } else {
                error_log( 'email 2.' );
                $externally_authenticated_emails[] = $result['email'];
            }
            error_log( 'authenticated by.' );
            $authenticated_by = $result['authenticated_by'];
        }
    }

    // Skip to WordPress authentication if we don't have an externally
    // authenticated user.
    if ( count( array_filter( $externally_authenticated_emails ) ) < 1 ) {
        error_log( 'skip to wordpress auth.' );
        return null;
    }

    Logs of the login

    ==> /var/log/httpd/wordpress.example.com-nss-error_log <==
    [Thu Aug 25 14:04:52.189811 2016] [:error] [pid 5936] [client 192.168.1.2:51988] running custom auth., referer: https://wordpress.example.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 14:04:52.346691 2016] [:error] [pid 5936] [client 192.168.1.2:51988] email 2., referer: https://wordpress.example.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 14:04:52.346741 2016] [:error] [pid 5936] [client 192.168.1.2:51988] authenticated by., referer: https://wordpress.example.com/wp-login.php?redirect_to=%2F

    Thread Starter m451wells

    (@m451wells)

    I was poking around on a few settings in wordpress to make sure I’m as default as can be and the logs showed one more; it’s what we expected and spoke about but here’s the log. #3 shows that the user auth’d and then was passed down to wordpress.
    When a new user comes in and auth’s via LDAP, a local wordpress account is then created for that user with the attributes it pulls from ldap, right? That’s the mappings in tab 2 I think… those are working really well and I see my account created with proper email, uid, sn and givenname.
    That local wordpress user is then generated a random password, right? So I guess what’s the code that returns an ok status from LDAP? Can I put a logging statement there to ensure that LDAP sent back the good auth? Forgive me if it’s something we already did; my PHP is light at best.
    This is also on a subsequent login. After my user first logged in, the login failed but the user was created.

    ==> /var/log/httpd/wordpress.example.com-nss-error_log <==
    [Thu Aug 25 14:21:06.041174 2016] [:error] [pid 5950] [client 192.168.1.2:44030] running custom auth.
    [Thu Aug 25 14:21:06.041239 2016] [:error] [pid 5950] [client 192.168.1.2:44030] email 2.
    [Thu Aug 25 14:21:06.041249 2016] [:error] [pid 5950] [client 192.168.1.2:44030] authenticated by.
    [Thu Aug 25 14:21:06.041258 2016] [:error] [pid 5950] [client 192.168.1.2:44030] skip to wordpress auth.

    Thread Starter m451wells

    (@m451wells)

    I added in a bunch more error_log statements and pasted it all here

    http://pastebin.com/axvSfuV2

    These are the logs from a new user

    [Thu Aug 25 16:29:02.998653 2016] [:error] [pid 8001] [client 192.168.1.2:54722] ldaptls is set., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:02.999304 2016] [:error] [pid 8001] [client 192.168.1.2:54722] ldap first name lookup., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:02.999340 2016] [:error] [pid 8001] [client 192.168.1.2:54722] ldap surname lookup., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:02.999361 2016] [:error] [pid 8001] [client 192.168.1.2:54722] ldap email lookup., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.001375 2016] [:error] [pid 8001] [client 192.168.1.2:54722] get bind dn of first/surname., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.001416 2016] [:error] [pid 8001] [client 192.168.1.2:54722] user first get., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.001461 2016] [:error] [pid 8001] [client 192.168.1.2:54722] user surname get., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.001557 2016] [:error] [pid 8001] [client 192.168.1.2:54722] user email get., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.003870 2016] [:error] [pid 8001] [client 192.168.1.2:54722] email 2., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F
    [Thu Aug 25 16:29:03.003907 2016] [:error] [pid 8001] [client 192.168.1.2:54722] authenticated by., referer: https://wordpress.example.com.com/wp-login.php?redirect_to=%2F

    2nd login attempt after the user was created

    [Thu Aug 25 16:34:41.572818 2016] [:error] [pid 8005] [client 192.168.1.2:33156] running custom auth., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.572898 2016] [:error] [pid 8005] [client 192.168.1.2:33156] remove tld because its in the username., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.724220 2016] [:error] [pid 8005] [client 192.168.1.2:33156] ldaptls is set., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.724732 2016] [:error] [pid 8005] [client 192.168.1.2:33156] ldap first name lookup., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.724768 2016] [:error] [pid 8005] [client 192.168.1.2:33156] ldap surname lookup., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.724784 2016] [:error] [pid 8005] [client 192.168.1.2:33156] ldap email lookup., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.726266 2016] [:error] [pid 8005] [client 192.168.1.2:33156] get bind dn of first/surname., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.726302 2016] [:error] [pid 8005] [client 192.168.1.2:33156] user first get., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.726315 2016] [:error] [pid 8005] [client 192.168.1.2:33156] user surname get., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.726326 2016] [:error] [pid 8005] [client 192.168.1.2:33156] user email get., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.728792 2016] [:error] [pid 8005] [client 192.168.1.2:33156] email 2., referer: https://wordpress.example.com.com/wp-login.php
    [Thu Aug 25 16:34:41.728833 2016] [:error] [pid 8005] [client 192.168.1.2:33156] authenticated by., referer: https://wordpress.example.com.com/wp-login.php

    A question, my usernames are ‘first.surname’; I know as a whole WordPress doesn’t like that but the other ldap modules seem to handle it well. Could it be something with that? That on 2nd login he’s seeing a “bad username” so not querying ldap and going to local and that fails? Grasping at the wind but thought I’d ask and give more info.
    Thanks again for all your help!

    Thread Starter m451wells

    (@m451wells)

    I attempted login with a service account; it had a _ in the name but not a . and it still failed. So may have answered my own question.

    Thread Starter m451wells

    (@m451wells)

    Hi Paul, hope your weekend went well. I wondered if you had time to look at the info I sent. Again, I really appreciate all your time and hard work.

    Plugin Author Paul Ryan

    (@figureone)

    Looking at the last set of logs you posted, it appears that the LDAP authentication is actually working ok, so the problem must be happening later. Let’s add one more set of logs to hopefully get it figured out. Find this section:

    // Remove duplicate and blank emails, if any.
    $externally_authenticated_emails = array_filter( array_unique( $externally_authenticated_emails ) );

    Below it, add:

    error_log( 'authenticated ldap user with email:' );
    error_log( print_r( $externally_authenticated_emails, true ) );

    Just verify that we’re getting a valid email address back from LDAP that matches the email address of a WordPress user.

    If everything still looks good, go a bit farther down and add another error_log():

    // Check this external user's access against the access lists
    // (pending, approved, blocked)
    $result = $this->check_user_access( $user, $externally_authenticated_emails, $result );
    error_log( print_r( $result, true ) );

    Hopefully this will narrow it down enough to figure out what’s going on!

    Thread Starter m451wells

    (@m451wells)

    I’m adding this now but can mention that email does = mail in our ldap as normal. The email address populates on the user when it’s created properly.
    Just wanted to mention that as I start the edit.
    Thanks Paul!

    Thread Starter m451wells

    (@m451wells)

    Here are the logs after adding the items mentioned

    ==> /var/log/httpd/portal_example.com-nss-error_log <==
    [Wed Aug 31 20:41:54.329869 2016] [:error] [pid 21775] [client 192.168.1.203:60816] running custom auth., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.329966 2016] [:error] [pid 21775] [client 192.168.1.203:60816] remove tld because its in the username., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.487562 2016] [:error] [pid 21775] [client 192.168.1.203:60816] ldaptls is set., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.488471 2016] [:error] [pid 21775] [client 192.168.1.203:60816] ldap first name lookup., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.488504 2016] [:error] [pid 21775] [client 192.168.1.203:60816] ldap surname lookup., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.488534 2016] [:error] [pid 21775] [client 192.168.1.203:60816] ldap email lookup., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.489991 2016] [:error] [pid 21775] [client 192.168.1.203:60816] get bind dn of first/surname., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.490043 2016] [:error] [pid 21775] [client 192.168.1.203:60816] user first get., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.490093 2016] [:error] [pid 21775] [client 192.168.1.203:60816] user surname get., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.490191 2016] [:error] [pid 21775] [client 192.168.1.203:60816] user email get., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.497927 2016] [:error] [pid 21775] [client 192.168.1.203:60816] email 2., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.497976 2016] [:error] [pid 21775] [client 192.168.1.203:60816] authenticated by., referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.498018 2016] [:error] [pid 21775] [client 192.168.1.203:60816] authenticated ldap user with email:, referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.498060 2016] [:error] [pid 21775] [client 192.168.1.203:60816] Array\n(\n    [0] => [email protected]\n)\n, referer: https://portal.example.com/wp-login.php
    [Wed Aug 31 20:41:54.541672 2016] [:error] [pid 21775] [client 192.168.1.203:60816] WP_User Object\n(\n    [data] => stdClass Object\n        (\n            [ID] => 290\n            [user_login] => matt.wells\n            [user_pass] => $P$BtXXXXXXXXXXXXXXXXXXXXXXXXXXXTQlh50\n            [user_nicename] => matt-wells\n            [user_email] => [email protected]\n            [user_url] => \n            [user_registered] => 2016-08-31 20:41:54\n            [user_activation_key] => \n            [user_status] => 0\n            [display_name] => Matt Wells\n            [spam] => 0\n            [deleted] => 0\n        )\n\n    [ID] => 290\n    [caps] => Array\n        (\n            [subscriber] => 1\n        )\n\n    [cap_key] => wp_capabilities\n    [roles] => Array\n        (\n            [0] => subscriber\n        )\n\n    [allcaps] => Array\n        (\n            [read] => 1\n            [level_0] => 1\n            [edit_documents] => \n            [edit_others_documents] => \n            [edit_private_documents] => \n            [edit_published_documents] => \n            [read_documents] => 1\n            [read_document_revisions] => \n            [read_private_documents] => \n            [delete_documents] => \n            [delete_others_documents] => \n            [delete_private_documents] => \n            [delete_published_documents] => \n            [publish_documents] => \n            [override_document_lock] => \n            [subscriber] => 1\n        )\n\n    [filter] => \n)\n, referer: https://portal.example.com/wp-login.php
    
    ==> /var/log/httpd/portal.example.com-nss-access_log <==
    192.168.1.203 - - [31/Aug/2016:20:41:53 +0000] "POST /wp-login.php HTTP/1.1" 200 6597
    192.168.1.203 - - [31/Aug/2016:20:41:54 +0000] "GET /favicon.ico HTTP/1.1" 200 -

    How does it lookup my account? Is it based on UID or MAIL attributes? I can see the auth happens and it makes the user with the proper attributes; after that what’s next? Is that a lookup to the directory again based on email?

    Plugin Author Paul Ryan

    (@figureone)

    Yeah, it does a lookup based on email address. So even if the usernames of your WordPress user and LDAP user don’t match, it will still work.

    Those logs show a successful login. The last line is the WP_User object that was found that matches the LDAP user (matt.wells, [email protected]). The only thing it does after that is return that WP_User object to WordPress as the authenticated user.

    This code hooks into the authenticate WordPress action hook. Other plugins (and WordPress itself) also hook into that action, and everything that has hooked into that action gets run sequentially. Anyone who hooks into authenticate is supposed to pass through if the incoming parameter is already a WP_User (i.e., that user has already been authenticated). Authorizer hooks in at priority 1 (it runs first); WordPress hooks in at priority 20 and 99.
    https://codex.ww.wp.xz.cn/Plugin_API/Filter_Reference/authenticate

    My best guess at this point is that you have some other plugin that’s hooking into authenticate and not honoring the user that Authorizer says has logged in. Do you have other authentication plugins enabled?

    You can get a debug list of all registered actions and filters with the following:

    global $wp_filter;
    error_log( 'Showing all actions and filters:' );
    error_log( print_r( $wp_filter, true ) );
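    A narrower version of that debugging step, as an added example that is not part of the original reply or of the Authorizer plugin: instead of dumping the whole of $wp_filter, list only the callbacks registered on one hook, ordered by priority, so it is obvious which plugin runs after Authorizer’s priority-1 callback and could discard the WP_User it returned. It handles both the pre-4.7 layout ($wp_filter[$tag][$priority][$id]) and the WP_Hook object that WordPress 4.7+ stores in $wp_filter[$tag] (whose ->callbacks property keeps the same nested array). The sample hook table at the bottom is constructed for the example; the Authorizer callback name in it is hypothetical, while wp_authenticate_username_password (priority 20) and wp_authenticate_spam_check (priority 99) are the core callbacks Paul refers to.

```php
<?php
// Added example, not code from the Authorizer plugin.

// Human-readable name for a registered callback.
function describe_callable($fn): string {
    if ($fn instanceof Closure) {
        return 'Closure';
    }
    if (is_array($fn) && count($fn) === 2) {
        $owner = is_object($fn[0]) ? get_class($fn[0]) : (string) $fn[0];
        return $owner . '::' . $fn[1];
    }
    if (is_string($fn)) {
        return $fn;
    }
    return 'unknown callable';
}

// Return [priority, function, accepted_args] for every callback on $tag,
// lowest priority (runs first) to highest.
function list_hook_callbacks($wp_filter, string $tag): array {
    if (!isset($wp_filter[$tag])) {
        return [];
    }
    $hook = $wp_filter[$tag];
    // WP 4.7+: WP_Hook object with ->callbacks; older WP: the nested array itself.
    $by_priority = (is_object($hook) && isset($hook->callbacks)) ? $hook->callbacks : $hook;
    ksort($by_priority, SORT_NUMERIC);
    $out = [];
    foreach ($by_priority as $priority => $entries) {
        foreach ($entries as $entry) {
            $out[] = [
                'priority'      => (int) $priority,
                'function'      => describe_callable($entry['function']),
                'accepted_args' => (int) ($entry['accepted_args'] ?? 1),
            ];
        }
    }
    return $out;
}

// Drop this into a mu-plugin (or temporarily into Authorizer) to see the
// chain in the web server error log.
function log_hook_callbacks($wp_filter, string $tag): void {
    foreach (list_hook_callbacks($wp_filter, $tag) as $cb) {
        error_log(sprintf('%s @%d: %s (%d args)', $tag, $cb['priority'],
            $cb['function'], $cb['accepted_args']));
    }
}

// The contract every authenticate callback should honour: if an earlier
// callback already produced a WP_User, return it untouched rather than
// re-checking the submitted password against a different store.
function example_authenticate_passthrough($user, $username, $password) {
    if ($user instanceof WP_User) {
        return $user; // authenticated upstream (e.g. by Authorizer at priority 1)
    }
    // ... this plugin's own credential check would go here ...
    return $user;
}

// Constructed sample in the pre-4.7 layout so the listing runs without WordPress.
if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $sample = [
        'authenticate' => [
            99 => ['wp_authenticate_spam_check' => [
                'function' => 'wp_authenticate_spam_check', 'accepted_args' => 1]],
            1  => ['Authorizer::custom_authenticate' => [   // hypothetical name
                'function' => ['Authorizer', 'custom_authenticate'], 'accepted_args' => 3]],
            20 => ['wp_authenticate_username_password' => [
                'function' => 'wp_authenticate_username_password', 'accepted_args' => 3]],
        ],
    ];
    foreach (list_hook_callbacks($sample, 'authenticate') as $cb) {
        printf("%3d  %s\n", $cb['priority'], $cb['function']);
    }
}
```

    In a live site, call `log_hook_callbacks( $GLOBALS['wp_filter'], 'authenticate' )` from inside the login path; any entry between Authorizer’s priority 1 and core’s priority 20 that is not a plain pass-through is the first suspect for turning a successful LDAP login into “password failed”.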


The topic ‘LDAP Errors –’ is closed to new replies.