Active Directory : Bind OK, auth OK, group mapping failing

[necarnot]

Hello Andreas,

Thank you for your work. I've setup your plugin (last version on 20231019) and I'm trying to plug it to our Active Directory server. So far, what is working is :

• binding : OK
• authenticating : OK. I can tell it's working because when I'm setting "Editor" for a default role, I can log in WordPress. (And of course, when trying a wrong password, I see it failing) What is not working is the group mapping.

I've read tons of comments in the issues of this github repo, especially this one (https://github.com/heiglandreas/authLdap/issues/242) but nonetheless I was not able to male this work.

Our Active Directory LDAP is storing the users in a branch, and the groups in another branch :

• Users are in OU=Utilisateurs,OU=FON,OU=Sitpi,OU=Global,DC=sitpi,DC=lan
• Groups are in OU=Securite,OU=Groupes,OU=FON,OU=Sitpi,OU=Global,DC=sitpi,DC=lan

Here is the sanitized setup :

Here are the logs when trying to connect (I don't know why the CR/LF are not kept in /var/log/nginx/*.log) :

2023/10/19 16:52:06 [error] 636#636: *4408 FastCGI sent in stderr: "PHP message: [AuthLDAP] User 'necarnot2' logging inPHP message: [AuthLDAP] about to do LDAP authenticationPHP message: [A
uthLDAP] connect to LDAP serverPHP message: [AuthLDAP] LDAP authentication successfulPHP message: [AuthLDAP] Existing user, uid = 10PHP message: [AuthLDAP] Array
(
    [administrator] => GG_SITPI_INFRA
    [editor] =>
    [author] =>
    [contributor] =>
    [subscriber] =>
)
PHP message: [AuthLDAP] Array
(
    [administrator] => GG_SITPI_INFRA
    [editor] =>
    [author] =>
    [contributor] =>
    [subscriber] =>
)
PHP message: [AuthLDAP] Group Filter: "(&(objectClass=user)(sAMAccountName=%s)(memberOf=*))"PHP message: [AuthLDAP] Group Base: OU=Securite,OU=Groupes,OU=FON,OU=Sitpi,OU=Global,DC=sitpi,DC=
lanPHP message: [AuthLDAP] LDAP groups: []PHP message: [AuthLDAP] Roles from LDAP group: []PHP message: [AuthLDAP] user is not in any group that is allowed access" while reading response he
ader from upstream, client: 10.32.11.99, server: , request: "POST /wp-login.php HTTP/1.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "www.sitpi.fr", referrer: "https://www
.sitpi.fr/wp-login.php?loggedout=true&wp_lang=fr_FR"

Amongst the points I don't understand, is why every advice I read about AD and authLdap tells me to use "memberOf" group attribute, though there is no such attribute in AD, neither in a user object not in a group object. In a user object, there is just nothing related to groups. In a group object, the attribute is called "member", and is a list of CN=..., CN=..., CN=... users.

Of course, I tried to replace 'memberOf' by 'member' everywhere related, but to no avail.

May I ask you some help, please? Thank you.

[heiglandreas]

Hey there.

Thanks for getting in touch!

Amongst the points I don't understand, is why every advice I read about AD and authLdap tells me to use "memberOf" group attribute, though there is no such attribute in AD, neither in a user object not in a group object. In a user object, there is just nothing related to groups.

That is always depending on how the AD is set up. I'm not an expert on AD-setup but it might be that that is the default setup?

But back to your issue:

In a group object you have multiple entries of member attributes that contain the dn of the group-members.

So for the group-filter we need to use this dn.

(member=%dn%)

Should do the trick for the group filter.

Along with that you will need to set the Group-Attribute as well to the attribute that contains the values you want to use further down in the "Role-group mapping" section. So there is one group that is named GG_SITPI_INFRA. Chewck that group and which LDAP-Attribute contains that value. I assume it's cn but I might be wrong. Nevertheless, that attribute needs to be set as "Group-Attribute". Otherwise we can't figure out where that GG_SITPI_INFRA comes from.

Please test that and check back whether it works or not.

Cheers

[necarnot]

Hello @heiglandreas ,

Thank you for your quick answer. In our Active Directory LDAP, each group object actually has only one member attribute that contains a list of CN=user01,CN=user42...

So I followed you advice and for the group filter, I've setup (member=%dn%) and for the group attribute, I've used CN

The other options were unchanged.

And it worked!

Thank you Andreas.

Have a nice day.

[YoishoDev]

The following configuration also works with an Active Directory. The group name can then be specified in the short form (cn):