authLdap
Multiple roles matching multiple groups
I was looking at an older issue which still seems to be an issue: https://github.com/heiglandreas/authLdap/issues/121
I have multiple roles defined in WP and corresponding groups in Active Directory. Authentication works fine but the administrator account was locked out because the administrator role was replaced by another role. I can prevent that by narrowing down the tree to search in for AD.
The main problem is that roles are deleted and only a default role remains after login of a user which has multiple AD groups assigned.
Is it possible not to have only one, primary or first group in a list matched (difficult to predict which role remains) but process the array of groups for multiple roles being assigned to a user?
Hey @pauldistel: We are currently digging into that to allow not only one role to be matched but multiple roles. You would still need to configure the mapping between the LDAP-roles and the Wordpress-Roles though.
I can not give you an ETA for that feature though :-/
I did configure that of course. For almost all roles I have a corresponding AD group setup.
My main purpose is not to validate if a user is allowed to login (that should be a function to be checked or not) but to have those multiple roles automatically assigned so I can use that to determine the behaviour of the site. For example, somebody can be a news editor but also allowed user management. For that I have 2 roles and somebody can be assigned both.
So suggestion to add as functionality:
- checkbox if all LDAP users should be allowed to login or not (if not, only those who have at least one ldap group assigned should be allowed to login)
- process all groups for the role assignments by default instead of stopping at the first match just to determine if the user is allowed to login
- users being authenticated through LDAP (and their settings synced to WP) should not be allowed to change the synced settings in WP because the source of those settings is elsewhere. I added some custom code already but that prevents the whole profile page from being allowed to access (created a role to allow profile editing).
In the group-filter you can narrow down the collection of groups to be processed and prevent many groups from being processed by adding a prefix in the name of groups, for example: (&(objectClass=group)(cn=
Andreas, in what specific part is that role to group mapping coded? I might do some investigation and checking so I can maybe contribute for a solution?
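The behaviour requested above (walk every LDAP group of the user, collect all mapped WordPress roles, and optionally refuse users with no mapped group), as an added illustration that is not authLdap's own code; the group names, role slugs and the `wp-` prefix are constructed for this example:

```python
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical mapping: LDAP group CN (lower-case) -> WordPress role slug.
GROUP_ROLE_MAP: Dict[str, str] = {
    "wp-administrators": "administrator",
    "wp-news-editors": "editor",
    "wp-user-managers": "user_manager",  # custom role, as in the thread's example
}


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a memberOf DN such as 'CN=wp-news-editors,OU=Groups,DC=example,DC=com'."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    return value.strip() if key.strip().lower() == "cn" else None


def roles_for_groups(member_of: List[str], group_prefix: str = "wp-") -> Set[str]:
    """Walk ALL groups (no early exit on the first match) and collect every mapped role.

    Groups outside the prefix are ignored, mirroring a narrowed cn= group filter.
    """
    roles: Set[str] = set()
    for dn in member_of:
        cn = group_cn(dn)
        if cn is None or not cn.lower().startswith(group_prefix):
            continue
        role = GROUP_ROLE_MAP.get(cn.lower())
        if role is not None:
            roles.add(role)
    return roles


def resolve_login(member_of: List[str], require_group: bool = True,
                  default_role: str = "subscriber") -> Tuple[bool, Set[str]]:
    """Decide login and the full role set.

    require_group=True: a user with no mapped group is refused (the "checkbox" idea).
    require_group=False: such a user is admitted with only the default role.
    Existing roles are never silently replaced by a single first match.
    """
    roles = roles_for_groups(member_of)
    if roles:
        return True, roles
    if require_group:
        return False, set()
    return True, {default_role}
```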
Check out https://github.com/heiglandreas/authLdap/pull/200 😉
Will have a look!!
This has been released since v2.5.4