After migration from Unmanaged to Managed, users can login with both LDAP and old local credentials for same user.

d19dotca

Hello,

I have a project of migrating from Unmanaged to Managed (for various reasons) all the sites I manage on Cloudron. And unfortunately I have come across an odd behaviour. Thankfully it's a minimal impact because it's just my user on most of the sites, but I see this behaviour...

When migrating using All-In-One WP Migration plugin, which moves the database, after completion I have to login with old credentials which is expected. After re-enabling the AuthLDAP plugin to link it back up with Cloudron and remove the local user login credentials, I find that I can login to the site with both my Cloudron credentials and the old WordPress credentials.

Any ideas how I'd go about fixing this, essentially removing the old link / old password? I assume I need to modify some data in the database? Has anyone run into this yet?

marcusquinn

ARI Adminer is a quick way to inspect the DB from within the WP Admin if that helps:

https://github.com/andrewcy86/ari-adminer

I'd try disabling AuthLDAP, changing your WP L/P and the re-enabling the plugin, see if the issue remains.

Readme suggests it's an either/or choice:

https://github.com/heiglandreas/authLdap

Not used before so only speculation but be interested in your results.

d19dotca

@marcusquinn Nice tool, I'll check that out. Thanks Marcus. I'll probably be working on this later in the week.

nebulon

That is indeed an interesting behavior. Just to add some clarification, our LDAP code matches by username, not some unique uuid, since that allows for easier migration, but presumably bites you here.

d19dotca

@nebulon Yeah I think it does, but that's okay I guess as this is a pretty fringe-scenario I suspect. I'm hoping it's as easy as me only needing to remove the local password from the user in the database which will force it to use the LDAP authentication. Fingers crossed. haha.

marcusquinn

@d19dotca and check that doesn't then allow for blank-password logins

d19dotca

Update: It is thankfully as easy as removing the data from the users table in the user_pass column.

Removing the value from the user_pass column on each user who you want to only authenticate using LDAP/Cloudron, will force that expected behaviour. If there is a password in the database, authentication will succeed with the local password OR the LDAP/Cloudron password, so removing that password will force it to rely only on LDAP/Cloudron authentication.