Opened 7 years ago

Closed 6 years ago

#2048 closed task (wontfix)

[wordpress] Install OpenID plugin

Reported by: strk Owned by: robe
Priority: normal Milestone:
Component: WebSite Keywords:
Cc:

Description

Change History (11)

comment:1 by robe, 7 years ago

Why do we need this? Aren't we going to have everyone go thru LDAP except possibly local admins?

comment:2 by strk, 7 years ago

My idea about this is that we won't allow registering as new users but only associating an OpenID URL to the existing account, as an additional authentication mechanism.

Also the plugin runs a *provider*, meaning you would be able to connect to other OpenID accepting services with that OSGeo URL.

Both points are probably useless at the moment so consider this mostly an experiment/test/idea (not a need)

comment:3 by robe, 7 years ago

strk I made you a wordpress admin, so feel free to install.

comment:4 by strk, 7 years ago

I've installed the plugin but it fails by getting a "Forbidden 403 - You don't have permission to access /wp-login.php on this server." error.

I'm running that plugin in the same version on the same version of Wordpress and it works fine so must be a configuration issue or interaction with another plugin (security plugin, maybe?)

comment:5 by robe, 7 years ago

Perhaps it's interfering with the LDAP WPAuthDir plugin. I suspect each user can only be authenticated by one plugin.

Is your email etc. the same in OpenID as it is in LDAP?

comment:6 by robe, 7 years ago

I was able to still log in, but I did see the option to log in via OpenID now so I guess the plugin is installed.

Probably to really test, we'd need to test with an OpenID account that doesn't have the same login or email as one in the system. Probably what happens is much like when I set up LDAP, it will auto create the account and flag it to use that authentication thenceforward.

comment:7 by strk, 7 years ago

I tried with non-recognized openid and while the error page was ugly (just a Forbidden) I could read in the URL parameters a nice error message (something like: "creating new accounts via openid is not allowed").

What does the wp-auth plugin do? Is it the one we use for LDAP?

comment:8 by robe, 7 years ago

It auto-creates accounts on Login if they don't exist - we are using this plugin - https://wordpress.org/plugins/wpdirauth/

There was a checkbox for that option though and I think it was turned off by default. I had to explicitly check it. I confirmed it did create my new account by renaming my old one first and changing the email on it so it wouldn't clash.

comment:9 by strk, 7 years ago

What created your account? OpenID or wp-auth? What we want is:

  • Users can only login as long as a LDAP entry exists
  • OpenID can be accepted IFF the user logged in once via LDAP and specified an OpenID URI.

Now I see this leaves open the possibility for an attacker to obtain a LDAP account, register an OpenID URI and survive removal of the account from LDAP, so I guess the OpenID login we don't really want to enable.

comment:10 by robe, 7 years ago

WPDirAuth created it. Didn't try OpenID at all.

The way it works

1) Registration is closed, so from thenceforward there will be no local accounts except for local admins (I created a local reginaadmin just in case).

2) LDAP login will create the account on first login (assuming existing account is not in place with same user id or email) and will only authenticate LDAP flagged accounts via LDAP (unless the LDAP server is down) then I think it downgrades to local. Though I haven't tested that.

I still have yet to convert the remaining local accounts to LDAP. Should have that done in a day or so.

Last edited 7 years ago by robe
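A model of the two policies discussed in comments 9 and 10, added here as an illustration and not code from the OSGeo site, WPDirAuth or the OpenID plugin: the directory contents, the user table and the OpenID URIs are constructed placeholders. It shows that an OpenID association which is never re-checked against LDAP outlives removal of the directory entry (the gap comment 9 points out), while re-checking the directory on every OpenID login closes it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP directory: the set of logins that currently exist.
LDAP_USERS = {"strk", "robe"}


@dataclass
class WpUser:
    login: str
    auth_source: str                 # "ldap" (flagged by the directory plugin) or "local"
    openid_uri: Optional[str] = None  # set once the user associates an OpenID URI


# Constructed WordPress user table; "admin" plays the local fallback admin.
WP_USERS = {
    "strk": WpUser("strk", "ldap", "https://id.example.invalid/strk"),  # placeholder URI
    "robe": WpUser("robe", "ldap"),
    "admin": WpUser("admin", "local"),
}


def ldap_login(login: str, wp_users: dict, ldap_users: set) -> Optional[WpUser]:
    """Directory login as comment 10 describes: deny without an entry,
    auto-create the account on first login, only authenticate LDAP-flagged accounts."""
    if login not in ldap_users:
        return None
    if login not in wp_users:
        wp_users[login] = WpUser(login, "ldap")
    user = wp_users[login]
    return user if user.auth_source == "ldap" else None


def openid_login_naive(uri: str, wp_users: dict) -> Optional[WpUser]:
    """Accept whichever account associated this URI; the directory is never consulted."""
    return next((u for u in wp_users.values() if u.openid_uri == uri), None)


def openid_login_hardened(uri: str, wp_users: dict, ldap_users: set) -> Optional[WpUser]:
    """Same lookup, but the account must be LDAP-flagged and its entry must still exist."""
    user = openid_login_naive(uri, wp_users)
    if user is None or user.auth_source != "ldap" or user.login not in ldap_users:
        return None
    return user


def survives_ldap_removal(login: str, wp_users: dict, ldap_users: set, hardened: bool) -> bool:
    """Delete the user's directory entry and report whether OpenID login still succeeds."""
    remaining = ldap_users - {login}
    uri = wp_users[login].openid_uri
    if hardened:
        return openid_login_hardened(uri, wp_users, remaining) is not None
    return openid_login_naive(uri, wp_users) is not None
```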

comment:11 by robe, 6 years ago

Resolution: wontfix
Status: assigned → closed

I think we said we aren't going to bother with this so closing it out.
