Author Topic: [SOLVED] Wordpress with LDAP Login  (Read 5948 times)

sbarmen

  • Zen Apprentice
  • *
  • Posts: 9
  • Karma: +0/-0
    • View Profile
[SOLVED] Wordpress with LDAP Login
« on: February 17, 2014, 10:44:33 am »
I am using Zentyal version 3.3 and trying to set up Simple LDAP to log on to Wordpress, but I am failing to get it to work. I have set up php5-ldap and got the plugin to work, and also updated the port to 390, but I am not able to get it to authenticate. I do think the LDAP settings are correct (got them from the admin interface and also tried a few variants).

Now I have read and searched and I get the feeling that OpenLDAP in Zentyal 3.x has some security measures in place that I need to configure, maybe some service authentication or authorization of some sort. Is that so? Would Simple LDAP login plugin for Wordpress not work with the new Zentyal?

Sources: http://wordpress.org/plugins/simple-ldap-login/
Zentyal summit: http://www.slideshare.net/exekias/zentyal-customization-templates-hooks-ldap (slide number 25-26)

Based on the slides from the summit this is a config that they use as example ... could this be updated to work with the current version, pretty please?

Also, how do I debug the errors in slapd/OpenLDAP to see what the failure is? I get no errors in apache logs ....

Sorry for all the stupid questions but I think at this point I really need some pointers on how the security in LDAP for Zentyal is configured so that third party applications can use it for authentication.

Thanks for any help!
« Last Edit: February 17, 2014, 08:49:45 pm by sbarmen »

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #1 on: February 17, 2014, 11:06:27 am »
The very first "security measure" (well, this is not security, I just don't understand the purpose) is that LDAP port (390) is blocked at FW level...

sbarmen

Re: Wordpress with LDAP Login
« Reply #2 on: February 17, 2014, 12:14:57 pm »
Thanks for your reply, the wordpress/apache installation is local and I have tried both the local IP and the localhost address for LDAP access. Just to make sure, I have tested with telnet on the local shell to port 390 and this connects with no issues, so I think the firewall part is not blocking my requests (also there is no timeout in wordpress, it seems to be promptly denied and not blocked imo).

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #3 on: February 17, 2014, 12:24:31 pm »
1 - what's the behaviour ? Any error message somewhere ?
2 - you can change olcloglevel to something like 256 and you will get LDAP messages stored in syslog.

sbarmen

Re: Wordpress with LDAP Login
« Reply #4 on: February 17, 2014, 03:29:01 pm »
I get no error at all except access denied from Wordpress, I will change the loglevel and see. :) Just need to figure out how to change the LDAP settings :)

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #5 on: February 17, 2014, 03:38:56 pm »
olcloglevel is one attribute in cn=config.
You can change it:
- using an LDAP graphic client
- using the LDAP command line. There is an example posted a few days ago in this forum. Done using an LDIF file (this is quite a safe approach).

sbarmen

Re: Wordpress with LDAP Login
« Reply #6 on: February 17, 2014, 05:40:08 pm »
I fixed the LDAP config with ldapmodify :) worked a charm for getting more debug into syslog. It is at least confirmed not being a firewall issue. Here is what I get when I try to log on with my user "test":

Feb 17 17:32:25 jabber slapd[3465]: conn=33692 fd=31 ACCEPT from IP=10.0.0.6:53632 (IP=0.0.0.0:390)
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=0 do_bind: invalid dn (=test,ou=Users,dc=jabber,dc=local)
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=0 RESULT tag=97 err=34 text=invalid DN
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=1 UNBIND
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 fd=31 closed

The configuration options in Simple LDAP Login are very limited and I have tried to change them a bit on the DN side, but any change results in the same error. Do I need to add the password from the LDAP config somehow, and is that at all possible given the very limited settings in this LDAP plugin?

I attached the settings in two screengrabs :)

What does err=34 mean?

sbarmen

Re: Wordpress with LDAP Login
« Reply #7 on: February 17, 2014, 05:44:50 pm »
My only idea is that it should be cn=test,cn=users.... etc ... etc? Is the cn part missing? Not sure how that gets stripped though.

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #8 on: February 17, 2014, 05:53:59 pm »
This means that this DN doesn't exist.
Wordpress, at least from an LDAP standpoint, is a pretty poor application that is, I suppose, building/forging the DN before performing the LDAP bind. I can't see any other solution than this, otherwise it would never find a DN like "=test,ou=Users,dc=jabber,dc=local".

If "uid" is missing, you can try a workaround by filling the "LDAP Login Attribute" field shown in your second picture with "uid".
Another piece of evidence that Wordpress is poor: the account suffix setting is stupid!

Without entering into too much detail, an LDAP-aware application asks you to set baseDN, LDAP server, port, attribute used to login and perhaps a filter. Based on this, the DN should be retrieved from an anonymous LDAP search and never built or forged.

If there is no mistake in your settings, then try to have a look at Wordpress forum because it looks like a bug to me  ;)
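
Added example, not part of the thread and not the plugin's code: a Python sketch of the DN handling discussed in reply #8. It reproduces the concatenation that yields the `=test,...` DN seen in the slapd log, then builds the bind DN and a search filter with the login attribute validated and the user-supplied value escaped per RFC 4514 and RFC 4515. The function names are hypothetical, and the escaping goes a step beyond what the thread covers.

```python
import re

_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # attribute descriptor, e.g. "uid"

def forged_dn(login_attr, username, suffix):
    """Plain concatenation, which is what the slapd log in the thread suggests."""
    return f"{login_attr}={username},{suffix}"

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)

def _check(login_attr, username):
    if not _ATTR_RE.match(login_attr or ""):
        raise ValueError("login attribute is empty or malformed; expected e.g. 'uid'")
    if not username:
        raise ValueError("username is empty")

def bind_dn(login_attr, username, suffix):
    """Build the bind DN only from a validated attribute and an escaped value."""
    _check(login_attr, username)
    return f"{login_attr}={escape_dn_value(username)},{suffix}"

def search_filter(login_attr, username):
    """Filter for the search-then-bind approach: look the entry up, bind as its DN."""
    _check(login_attr, username)
    return f"({login_attr}={escape_filter_value(username)})"

if __name__ == "__main__":
    suffix = "ou=Users,dc=jabber,dc=local"        # suffix seen in the thread's log
    print(forged_dn("", "test", suffix))           # empty attribute: the rejected DN
    print(bind_dn("uid", "test", suffix))          # attribute set to uid
    print(bind_dn("uid", "a,b", suffix))           # constructed input with a comma
    print(search_filter("uid", "t*(est)"))         # constructed input with filter metacharacters
```

With an empty login attribute the validated builder raises instead of sending a malformed DN to the server, so the misconfiguration surfaces in the application rather than only in the slapd log.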

sbarmen

Re: Wordpress with LDAP Login
« Reply #9 on: February 17, 2014, 06:07:36 pm »
Yes, there is a bug for sure, because setting uid, even if it states that it is not necessary, made a difference :)

Feb 17 18:03:06 jabber slapd[3465]: conn=33996 fd=31 ACCEPT from IP=10.0.0.6:53636 (IP=0.0.0.0:390)
Feb 17 18:03:08 jabber slapd[3465]: conn=33996 op=0 BIND dn="uid=test,ou=Users,dc=jabber,dc=local" method=128
Feb 17 18:03:12 jabber slapd[3465]: conn=33996 op=0 BIND dn="uid=test,ou=Users,dc=jabber,dc=local" mech=SIMPLE ssf=0
Feb 17 18:03:12 jabber slapd[3465]: conn=33996 op=0 RESULT tag=97 err=0 text=
Feb 17 18:03:17 jabber slapd[3465]: conn=33996 op=1 UNBIND
Feb 17 18:03:17 jabber slapd[3465]: conn=33996 fd=31 closed

And I am logged in! :D Jay!

Thanks Christian, great tips! Thank you!!
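
Added example, not part of the thread: a small Python parser that pairs each bind attempt in slapd's stats-level syslog output with its RESULT line and names the result code, using lines copied from the two excerpts posted above. The code names follow RFC 4511 and tag=97 is the bind response; the function and variable names are hypothetical.

```python
import re

# Lines copied from the two slapd excerpts posted in this thread.
SAMPLE_LOG = """\
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 fd=31 ACCEPT from IP=10.0.0.6:53632 (IP=0.0.0.0:390)
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=0 do_bind: invalid dn (=test,ou=Users,dc=jabber,dc=local)
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=0 RESULT tag=97 err=34 text=invalid DN
Feb 17 17:32:25 jabber slapd[3465]: conn=33692 op=1 UNBIND
Feb 17 18:03:08 jabber slapd[3465]: conn=33996 op=0 BIND dn="uid=test,ou=Users,dc=jabber,dc=local" method=128
Feb 17 18:03:12 jabber slapd[3465]: conn=33996 op=0 RESULT tag=97 err=0 text=
"""

# LDAP result codes (RFC 4511) most often seen on bind responses.
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

_PREFIX = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
_DN = re.compile(r'(?:BIND dn="([^"]*)"|do_bind: invalid dn \((.*)\))')
_RESULT = re.compile(r"RESULT tag=97 err=(\d+) text=(.*)$")

def bind_results(log_text):
    """Return one record per bind response, joined to the DN logged for that conn/op."""
    pending = {}                      # (conn, op) -> DN seen for that operation
    results = []
    for line in log_text.splitlines():
        m = _PREFIX.search(line)
        if not m:                     # ACCEPT/closed lines carry no op=, skip them
            continue
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        dn = _DN.match(rest)
        if dn:
            pending[key] = dn.group(1) if dn.group(1) is not None else dn.group(2)
            continue
        res = _RESULT.match(rest)
        if res:
            err = int(res.group(1))
            results.append({"conn": key[0], "dn": pending.pop(key, None), "err": err,
                            "meaning": RESULT_CODES.get(err, "other"),
                            "text": res.group(2).strip()})
    return results

def failed_binds(log_text):
    """Bind attempts that did not return success."""
    return [r for r in bind_results(log_text) if r["err"] != 0]

if __name__ == "__main__":
    for record in bind_results(SAMPLE_LOG):
        print(record)
```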

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #10 on: February 17, 2014, 06:43:56 pm »
Ah ah ah  ;D ;D ;D
I should stop providing such input or advice because I've been smitten  ;D ;D ;D
Perhaps there is no link... it doesn't really matter but made me laugh:
good advice, bad karma  :o  that's life  :P

Joking aside, looking at the LDAP log, it was pretty obvious that some bug was lying here given the error message. It's a pity that an application like Wordpress is not well designed as far as the LDAP part is concerned.

christian

  • Guest
Re: Wordpress with LDAP Login
« Reply #11 on: February 17, 2014, 06:47:35 pm »
Please remember that you should, if problem is solved, edit your first post title and stamp it as [SOLVED], it may help other forum members to find solution to similar problem  8)

sbarmen

Re: [SOLVED] Wordpress with LDAP Login
« Reply #12 on: February 17, 2014, 08:50:10 pm »
I accommodate ;) the again!