Mantis Bug Tracker

ID: 0000078
Project: Active Directory Integration
Category: General
View Status: public
Date Submitted: 2013-09-17 06:05
Last Update: 2014-08-27 15:20
Reporter: marshalld
Assigned To: cst
Priority: normal
Severity: feature
Reproducibility: always
Status: assigned
Resolution: open
Platform: Apache / Wordpress
OS: Linux
OS Version: RHEL 6
Product Version: 1.1.4
Target Version: (none)
Fixed in Version: (none)
Summary: 0000078: Allow SSO if REMOTE_USER environment variable is set
Description
I have seen other discussions about this, but I'd like to add what I think is a simpler alternative to the ones I have seen before.

The option I have developed is an update to the authenticate() function in ad-integration.php

The output of a diff is in the additional information section.

It uses the syncback user to connect to AD on SSO.

Please consider incorporating something like this.
Steps To Reproduce
Set up single sign-on in Apache using, e.g., mod_auth_kerberos.

Perform sso login.

I use Apache rewrite rules to handle SSO. The idea is to redirect /wp-login.php to /sso-login when an SSO login is expected. /manual-login can be used to bypass SSO. The error document tells a device that doesn't support SSO to redirect to /manual-login.

The rules are:

  <Location /sso-login>
  # SSO directives go here
    require valid-user
  </Location>
  RewriteCond %{REQUEST_METHOD} "POST"
  RewriteRule ^/wp-login.php$ - [L]
  RewriteCond %{QUERY_STRING} "action=logout"
  RewriteRule ^/wp-login.php$ - [L]
  RewriteCond %{QUERY_STRING} "loggedout=true"
  RewriteRule ^/wp-login.php$ / [R,L]
  RewriteRule ^/wp-login.php$ /sso-login [R,L]
  RewriteRule ^/(sso|manual)-login$ /wp-login.php [L]
  ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/manual-login\"></html>"
Additional Information
[active-directory-integration]$ diff ad-integration.php.orig ad-integration.php
672a673,675
>
>
> if (empty($_SERVER['REMOTE_USER'])) {
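Review bot: this guard turns every authenticate() call into a password-less login whenever REMOTE_USER is non-empty, and any Apache auth module that protects any path (not only the Kerberos Location in the Steps To Reproduce) can set that variable; gate the new branch behind an explicit plugin option so SSO is opt-in, and document the assumption that only the SSO location ever sets REMOTE_USER for wp-login.php.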
788a792,828
> }
> else {
> $username=strtolower($_SERVER['REMOTE_USER']);
> if (strpos($username, '@') !== FALSE) {
> $username = substr($username, 0, strpos($username, '@'));
> }
> $password = wp_generate_password();
>
> // Log informations
> $this->_log(ADI_LOG_NOTICE,'SSO username: '.$username);
> $this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
> "- account_suffix: $this->_account_suffix\n".
> "- base_dn: $this->_base_dn\n".
> "- domain_controllers: $this->_domain_controllers\n".
> "- ad_port: $this->_port\n".
> "- use_tls: ".(int) $this->_use_tls."\n".
> "- network timeout: ". $this->_network_timeout."\n".
> "- AD user: ". $this->_syncback_global_user);
>
> // Connect to Active Directory
> try {
> $this->_adldap = @new adLDAP(array(
> "base_dn" => $this->_base_dn,
> "domain_controllers" => explode(';', $this->_domain_controllers),
> "ad_port" => $this->_port, // AD port
> "use_tls" => $this->_use_tls, // secure?
> "network_timeout" => $this->_network_timeout, // network timeout
> "ad_username" => $this->_syncback_global_user, // Use syncback user
> "ad_password" => $this->_decrypt($this->_syncback_global_pwd) // Use syncback user
> ));
> } catch (Exception $e) {
> $this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
> return false;
> }
>
> $this->_authenticated = true;
> }
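Review bot: `$this->_authenticated = true;` is set as soon as the syncback bind succeeds, but the realm stripped off on the line `$username = substr($username, 0, strpos($username, '@'));` is discarded without being compared to $this->_account_suffix, so a principal from any other realm the KDC trusts maps onto the same-named local account; keep the suffix, compare it with the configured one and return false on mismatch. The `@` in `@new adLDAP(array(` also silences any warnings the constructor emits before the catch block sees an exception, which makes the ADI_LOG_ERROR line less useful than it looks.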
Tags: No tags attached.
Attached Files: none

Relationships: none

Notes
(0000118)
marshalld (reporter)
2013-09-18 07:16

I expect you may also want to set $account_suffix in here:

        if (strpos($username, '@') !== FALSE) {
                $username = substr($username, 0, strpos($username, '@'));
        }
(0000121)
dimagsv (reporter)
2014-08-27 14:29

my diff:
- works on windows with $_SERVER ['REMOTE_USER'] = 'domain\username'
- fixed $wpdb->escape() deprecated notice
- fixed mcrypt_decrypt() password decrypt
- do not show admin bar for new users

673c673
<
---
> if (empty($_SERVER['REMOTE_USER'])) {
788c788,824
<
---
> } else {
> // SSO
> $username = strtolower ( $_SERVER ['REMOTE_USER'] );
> if (strpos ( $username, '@' ) !== FALSE) {
> $account_suffix = substr ( $username, strpos ( $username, '@' ) );
> $username = substr ( $username, 0, strpos ( $username, '@' ) );
> } elseif (strpos ( $username, '\\\\' ) !== FALSE) {
> list ( $account_suffix, $username ) = explode ( '\\\\', $_SERVER ['REMOTE_USER'] );
> $account_suffix = '@' . $account_suffix;
> }
> $password = wp_generate_password ();
> $this->_auto_update_password = false;
>
> // Log informations
> $this->_log ( ADI_LOG_NOTICE, 'SSO username: ' . $username );
> $this->_log ( ADI_LOG_INFO, "Options for adLDAP connection:\n" . "- account_suffix: $this->_account_suffix\n" . "- base_dn: $this->_base_dn\n" . "- domain_controllers: $this->_domain_controllers\n" . "- ad_port: $this->_port\n" . "- use_tls: " . ( int ) $this->_use_tls . "\n" . "- network timeout: " . $this->_network_timeout . "\n" . "- AD user: " . $this->_syncback_global_user );
>
> // Connect to Active Directory
> try {
> $this->_adldap = @new adLDAP ( array (
> "account_suffix" => $this->_account_suffix,
> "base_dn" => $this->_base_dn,
> "domain_controllers" => explode ( ';', $this->_domain_controllers ),
> "ad_port" => $this->_port, // AD port
> "use_tls" => $this->_use_tls, // secure?
> "network_timeout" => $this->_network_timeout, // network timeout
> "ad_username" => $this->_syncback_global_user, // Use syncback user
> "ad_password" => $this->_decrypt($this->_syncback_global_pwd) // Use syncback user
> ));
> } catch ( Exception $e ) {
> $this->_log ( ADI_LOG_ERROR, 'adLDAP exception: ' . $e->getMessage () );
> return false;
> }
>
> $this->_authenticated = true;
> }
> // end SSO
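Review bot: the local `$account_suffix` computed on the lines `$account_suffix = substr ( $username, strpos ( $username, '@' ) );` and `$account_suffix = '@' . $account_suffix;` is never used; the adLDAP array passes `"account_suffix" => $this->_account_suffix,` instead, so the domain part of REMOTE_USER neither reaches the LDAP bind nor is checked against the configured suffix. Either pass the derived value or, better, compare it with the configured suffix and refuse the login on mismatch. Separately, in a single-quoted PHP string `'\\\\'` is two backslash characters, so the elseif only matches a value containing `\\`, not the `domain\username` form the note says this works with; please confirm the diff was not altered when pasted.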
2390c2426
< $sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . $wpdb->escape($username)."'," . time() . ")";
---
> $sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . esc_sql($username)."'," . time() . ")";
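Review bot: esc_sql() is the right replacement for the deprecated $wpdb->escape(), but the statement is still assembled by string concatenation; using `$wpdb->prepare( "INSERT INTO $table_name (user_login, failed_login_time) VALUES (%s, %d)", $username, time() )` handles quoting and escaping together and is the form WordPress documents for this.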
2408c2444
< $sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".$wpdb->escape($username)."' AND failed_login_time >= $time";
---
> $sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".esc_sql($username)."' AND failed_login_time >= $time";
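Review bot: `$time` is interpolated into the WHERE clause on this line without quoting or casting, while only $username goes through esc_sql(); cast it with (int) or pass both values through $wpdb->prepare() with %s and %d so the query does not depend on where $time was computed.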
2429c2465
< $sql .= " OR user_login = '".$wpdb->escape($username)."'";
---
> $sql .= " OR user_login = '".esc_sql($username)."'";
2447c2483
< $sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".$wpdb->escape($username)."'";
---
> $sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".esc_sql($username)."'";
2573a2610,2611
> update_user_meta($user_id, 'show_admin_bar_front', 'false'); // Do not show admin bar
>
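Review bot: the `update_user_meta($user_id, 'show_admin_bar_front', 'false');` line changes a UI default for every newly created user and has nothing to do with SSO; split it into its own change (or a plugin option) so the SSO patch can be reviewed and merged on its own.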
3174c3212
< $text = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv);
---
> $text = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv), "\0");
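Review bot: wrapping the call in rtrim(..., "\0") removes the zero padding mcrypt adds, but it also strips any trailing NUL bytes that belong to the decrypted secret, and the call still uses MCRYPT_MODE_ECB with an $iv that ECB ignores; since the mcrypt extension is deprecated, the better fix is to move this to openssl_decrypt in an authenticated or at least CBC mode with explicit PKCS#7 padding rather than patching the padding here.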
(0000122)
dimagsv (reporter)
2014-08-27 15:20
edited on: 2014-08-27 15:21

Additional filter for auto-SSO for this plugin or theme functions.php:

function d25_after_setup_theme() {

    // Single Sign On: only act when Apache has already authenticated the request
    if ( ! is_user_logged_in() && ! empty( $_SERVER['REMOTE_USER'] ) ) {
        $user = wp_signon(); // authorization in active-directory-integration
        // wp_signon() returns a WP_Error on failure, and a WP_Error object is truthy,
        // so test for it explicitly before touching $user->ID
        if ( ! is_wp_error( $user ) ) {
            wp_set_current_user( $user->ID, $user->user_login );
        }
    }

}
add_action( 'after_setup_theme', 'd25_after_setup_theme' );
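Both the patch in the issue description and the one in note 0000121 derive the login name from REMOTE_USER but never check which realm or domain the principal came from before trusting it. The code below is an added example, not code from the active-directory-integration plugin or from either reporter: it normalises the user@REALM (Kerberos) and DOMAIN\user (Windows) forms and accepts the principal only when its realm is on an allow-list that the plugin would take from its configured account suffix. The function names, the allow-list and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not the plugin's or either patch's code): normalise the
// REMOTE_USER value Apache sets after SSO and accept it only when its realm
// matches a realm the plugin is configured to trust. Names are assumed.

/**
 * Split an SSO principal into [username, realm].
 * Accepts "user@REALM" (Kerberos) and "DOMAIN\user" (Windows, a single
 * backslash in the actual value). Returns null when no realm is present
 * or the value is malformed, so the caller never guesses a realm.
 */
function sso_split_principal(string $remote_user): ?array {
    $remote_user = trim($remote_user);
    if ($remote_user === '') {
        return null;
    }
    $at = strrpos($remote_user, '@');
    if ($at !== false) {
        // Kerberos style: everything after the last "@" is the realm
        $user  = substr($remote_user, 0, $at);
        $realm = substr($remote_user, $at + 1);
    } else {
        // Windows style: DOMAIN\user ('\\' in PHP source is ONE backslash)
        $bs = strpos($remote_user, '\\');
        if ($bs === false) {
            return null;
        }
        $realm = substr($remote_user, 0, $bs);
        $user  = substr($remote_user, $bs + 1);
    }
    // Reject empty parts and anything outside a conservative character set,
    // so the result is safe to log and to place in an LDAP filter later.
    if ($user === '' || $realm === ''
        || !preg_match('/^[A-Za-z0-9._-]+$/', $user)
        || !preg_match('/^[A-Za-z0-9.-]+$/', $realm)) {
        return null;
    }
    return [strtolower($user), strtoupper($realm)];
}

/**
 * Map an SSO principal to a local login name, or return null to refuse it.
 * $allowed_realms holds the realms (case-insensitive, without the leading
 * "@") that the plugin trusts, e.g. derived from its account-suffix option.
 */
function sso_accept_principal(string $remote_user, array $allowed_realms): ?string {
    $parts = sso_split_principal($remote_user);
    if ($parts === null) {
        return null;
    }
    [$user, $realm] = $parts;
    if (!in_array($realm, array_map('strtoupper', $allowed_realms), true)) {
        // Cross-realm principal: do not map it onto a same-named local user
        return null;
    }
    return $user;
}

// Constructed sample values: the trusted realms and a few principals
$trusted = ['EXAMPLE.COM', 'EXAMPLE'];
$cases = [
    'alice@EXAMPLE.COM' => 'alice',   // Kerberos form, trusted realm
    'EXAMPLE\\Bob'      => 'bob',     // Windows form, trusted domain
    'mallory@OTHER.ORG' => null,      // trusted by the KDC, not by this site
    'OTHER\\mallory'    => null,
    'nobody'            => null,      // no realm at all: refuse to guess
    'x@'                => null,      // malformed
];
foreach ($cases as $input => $expected) {
    $got = sso_accept_principal($input, $trusted);
    printf("%-20s => %s\n", $input, $got ?? 'rejected');
    assert($got === $expected);
}
```

The returned login name is only the first step: the plugin would still look the account up in AD with its syncback credentials before creating or signing in the WordPress user, which is where the `$this->_authenticated = true` assignment in both patches belongs.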


- Issue History
Date Modified Username Field Change
2013-09-17 06:05 marshalld New Issue
2013-09-17 06:05 marshalld Status new => assigned
2013-09-17 06:05 marshalld Assigned To => cst
2013-09-18 07:16 marshalld Note Added: 0000118
2014-08-27 14:29 dimagsv Note Added: 0000121
2014-08-27 15:20 dimagsv Note Added: 0000122
2014-08-27 15:21 dimagsv Note Edited: 0000122

