Changes to WordPress apps
-
@jdaviescoates What @imc67 did should not be possible, so I am not sure how it works for him. The LDAP will only be available for new installations since this flag is chosen at install time and there is no way to change it post installation without tinkering with the database. Might be easier to export/import into a new install. Just backup current app, make a new LDAP based install and import that backup into new app.
@girish said in Changes to WordPress apps:
@jdaviescoates What @imc67 did should not be possible, so I am not sure how it works for him. The LDAP will only be available for new installations since this flag is chosen at install time and there is no way to change it post installation without tinkering with the database. Might be easier to export/import into a new install. Just backup current app, make a new LDAP based install and import that backup into new app.
Oh, gotcha, it can only be set at install time. So, do you think your suggestion to "set the flag without DB voodoo" (which I'm gonna do because I can't get the cloudron app db to work with remote sql, I've tried a lot). Do you think that method will clash with multisite database URL location changes (Wordpress storing the URL in a different place than single site)?
-
@imc67 Ah, "installed the ldap plugin used the managed ldap settings". I missed this. So you put the credentials of managed LDAP app into this existing unmanaged app? Note that this will stop working when the managed app goes away!
-
@imc67 Ah, "installed the ldap plugin used the managed ldap settings". I missed this. So you put the credentials of managed LDAP app into this existing unmanaged app? Note that this will stop working when the managed app goes away!
-
-
@Lonk credentials are generated per app, he copied one app's LDAP credentials.
If that app goes away, so do the unique credentials.
-
@girish huh why? These โcodesโ / settings are even from a managed app on another Cloudron, arenโt they the same for all?
@imc67 Ah yes, I see why it works.
From a security perspective, each app gets it's own addon credentials (database, redis, ldap etc). When app is installed/uninstalled, we create/destroy a separate username/password/database for each app. Now, Cloudron could have gone a step further and implemented a security measure that these credentials will work only when the specific app uses it. This can be done because each app has it's own IP address internally (via Docker). We haven't implemented this, and as a result, the credentials of one app (say mysql username/password/database) can be copied over to another app and it will work. But it will only work until the other app exists. When the other app is uninstalled or repaired/restored etc, the credentials are regenerated.
In the case of LDAP addon, there is a so called "bind" password which allows apps to make LDAP queries. We generate a bind password per app. However, currently, we don't enforce this password since some apps do not support it. This WordPress LDAP plugin we use is one such case (probably one of the remaining 3-4 apps in Cloudron). Because, it doesn't use a bind username/password, all you are copying over is the LDAP server credentials (server name/port which is the same across all cloudrons). So, this happens to work now. But later when we fix the plugin to use LDAP credentials, it will stop working.
Also, you will see inconsistency in the UI since Cloudron is not aware that LDAP is enabled for the app. You will see a different access control view than what @jdaviescoates posted. You also can't control which users have access to ldap from the Cloudron UI. In fact, I am going to guess only admins can access your WP install (since they are allowed by default).
-
@imc67 Ah yes, I see why it works.
From a security perspective, each app gets it's own addon credentials (database, redis, ldap etc). When app is installed/uninstalled, we create/destroy a separate username/password/database for each app. Now, Cloudron could have gone a step further and implemented a security measure that these credentials will work only when the specific app uses it. This can be done because each app has it's own IP address internally (via Docker). We haven't implemented this, and as a result, the credentials of one app (say mysql username/password/database) can be copied over to another app and it will work. But it will only work until the other app exists. When the other app is uninstalled or repaired/restored etc, the credentials are regenerated.
In the case of LDAP addon, there is a so called "bind" password which allows apps to make LDAP queries. We generate a bind password per app. However, currently, we don't enforce this password since some apps do not support it. This WordPress LDAP plugin we use is one such case (probably one of the remaining 3-4 apps in Cloudron). Because, it doesn't use a bind username/password, all you are copying over is the LDAP server credentials (server name/port which is the same across all cloudrons). So, this happens to work now. But later when we fix the plugin to use LDAP credentials, it will stop working.
Also, you will see inconsistency in the UI since Cloudron is not aware that LDAP is enabled for the app. You will see a different access control view than what @jdaviescoates posted. You also can't control which users have access to ldap from the Cloudron UI. In fact, I am going to guess only admins can access your WP install (since they are allowed by default).
-
@imc67 Ah yes, I see why it works.
From a security perspective, each app gets it's own addon credentials (database, redis, ldap etc). When app is installed/uninstalled, we create/destroy a separate username/password/database for each app. Now, Cloudron could have gone a step further and implemented a security measure that these credentials will work only when the specific app uses it. This can be done because each app has it's own IP address internally (via Docker). We haven't implemented this, and as a result, the credentials of one app (say mysql username/password/database) can be copied over to another app and it will work. But it will only work until the other app exists. When the other app is uninstalled or repaired/restored etc, the credentials are regenerated.
In the case of LDAP addon, there is a so called "bind" password which allows apps to make LDAP queries. We generate a bind password per app. However, currently, we don't enforce this password since some apps do not support it. This WordPress LDAP plugin we use is one such case (probably one of the remaining 3-4 apps in Cloudron). Because, it doesn't use a bind username/password, all you are copying over is the LDAP server credentials (server name/port which is the same across all cloudrons). So, this happens to work now. But later when we fix the plugin to use LDAP credentials, it will stop working.
Also, you will see inconsistency in the UI since Cloudron is not aware that LDAP is enabled for the app. You will see a different access control view than what @jdaviescoates posted. You also can't control which users have access to ldap from the Cloudron UI. In fact, I am going to guess only admins can access your WP install (since they are allowed by default).
@girish said in Changes to WordPress apps:
In the case of LDAP addon, there is a so called "bind" password which allows apps to make LDAP queries. We generate a bind password per app.
Where might I be able to find this bind password? I made up my own tiny PHP library for LDAP in the VPN Client and I did not use a bind password even though it's not required "for now". So, I would def like to fix that preemptively.
But later when we fix the plugin to use LDAP credentials, it will stop working.
Did you write this pugin yourself or do you need to make the fix upstream with another team?
-
@girish that's sad, as the expectations with "upgrading" the app to 'developer' suggested all the long awaited new functionality.
So what's the best, step-by-step approach?
@imc67 said in Changes to WordPress apps:
@girish that's sad, as the expectations with "upgrading" the app to 'developer' suggested all the long awaited new functionality.
Yeah. For LDAP, we don't have a mechanism to easily to turn it on/off dynamically ie after an app installed. Let me discuss this with @nebulon to see if this is something we should do for Cloudron 6 because it's easy to do on Cloudron side (but we have to test with all the apps to check how well they cope).
If it's urgent, the easiest way is to just:
- Backup current app. Download the backup config
- Make a new install of WordPress (Developer), you can keep the existing app running.
- Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
- Login to WP of the new app and install authLdap plugin. After doing so, Restart WordPress. Cloudron will configure the LDAP plugin on restart.
- If all looks good, you can switch the location
-
@girish said in Changes to WordPress apps:
In the case of LDAP addon, there is a so called "bind" password which allows apps to make LDAP queries. We generate a bind password per app.
Where might I be able to find this bind password? I made up my own tiny PHP library for LDAP in the VPN Client and I did not use a bind password even though it's not required "for now". So, I would def like to fix that preemptively.
But later when we fix the plugin to use LDAP credentials, it will stop working.
Did you write this pugin yourself or do you need to make the fix upstream with another team?
@Lonk said in Changes to WordPress apps:
Did you write this pugin yourself or do you need to make the fix upstream with another team?
It's authLdap. We have contributed patches in the past like this one. So, have to invest more time into adding bind password support.
-
@imc67 said in Changes to WordPress apps:
@girish that's sad, as the expectations with "upgrading" the app to 'developer' suggested all the long awaited new functionality.
Yeah. For LDAP, we don't have a mechanism to easily to turn it on/off dynamically ie after an app installed. Let me discuss this with @nebulon to see if this is something we should do for Cloudron 6 because it's easy to do on Cloudron side (but we have to test with all the apps to check how well they cope).
If it's urgent, the easiest way is to just:
- Backup current app. Download the backup config
- Make a new install of WordPress (Developer), you can keep the existing app running.
- Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
- Login to WP of the new app and install authLdap plugin. After doing so, Restart WordPress. Cloudron will configure the LDAP plugin on restart.
- If all looks good, you can switch the location
@girish said in Changes to WordPress apps:
If it's urgent, the easiest way is to just:
Backup current app. Download the backup config
Make a new install of WordPress (Developer), you can keep the bet existing app running.
Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
If all looks good, you can switch the locationThat answered my question, this won't support multisite yet, but I can make some manual DB changes to still make this work and understand Cloudron better, win-win.
๏ธ -
@imc67 said in Changes to WordPress apps:
@girish that's sad, as the expectations with "upgrading" the app to 'developer' suggested all the long awaited new functionality.
Yeah. For LDAP, we don't have a mechanism to easily to turn it on/off dynamically ie after an app installed. Let me discuss this with @nebulon to see if this is something we should do for Cloudron 6 because it's easy to do on Cloudron side (but we have to test with all the apps to check how well they cope).
If it's urgent, the easiest way is to just:
- Backup current app. Download the backup config
- Make a new install of WordPress (Developer), you can keep the existing app running.
- Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
- Login to WP of the new app and install authLdap plugin. After doing so, Restart WordPress. Cloudron will configure the LDAP plugin on restart.
- If all looks good, you can switch the location
@girish said in Changes to WordPress apps:
Backup current app. Download the backup config
Make a new install of WordPress (Developer), you can keep the existing app running.
Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
If all looks good, you can switch the locationJust did that. Worked a treat!
-
@imc67 said in Changes to WordPress apps:
@girish that's sad, as the expectations with "upgrading" the app to 'developer' suggested all the long awaited new functionality.
Yeah. For LDAP, we don't have a mechanism to easily to turn it on/off dynamically ie after an app installed. Let me discuss this with @nebulon to see if this is something we should do for Cloudron 6 because it's easy to do on Cloudron side (but we have to test with all the apps to check how well they cope).
If it's urgent, the easiest way is to just:
- Backup current app. Download the backup config
- Make a new install of WordPress (Developer), you can keep the existing app running.
- Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
- Login to WP of the new app and install authLdap plugin. After doing so, Restart WordPress. Cloudron will configure the LDAP plugin on restart.
- If all looks good, you can switch the location
@girish said in Changes to WordPress apps:
Backup current app. Download the backup config
Make a new install of WordPress (Developer), you can keep the existing app running.
Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
If all looks good, you can switch the locationjust did that but the authLdap plugin is not installed after restoring the backup (a backup from before I manually added it).
-
@girish said in Changes to WordPress apps:
Backup current app. Download the backup config
Make a new install of WordPress (Developer), you can keep the existing app running.
Then import the backup config into this new app. App -> Backups -> Import. Upload the config from step 1.
If all looks good, you can switch the locationjust did that but the authLdap plugin is not installed after restoring the backup (a backup from before I manually added it).
@imc67 said in Changes to WordPress apps:
just did that but the authLdap plugin is not installed after restoring the backup (a backup from before I manually added it).
You can just install it from WP Admin and restart WordPress (Cloudron will configure the plugin on restart). I will edit the instructions.
-
@imc67 said in Changes to WordPress apps:
just did that but the authLdap plugin is not installed after restoring the backup (a backup from before I manually added it).
You can just install it from WP Admin and restart WordPress (Cloudron will configure the plugin on restart). I will edit the instructions.
@girish that worked, I even saw already the settings in the ldap plugin but still restarted the app to be sure.
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
-
@girish that worked, I even saw already the settings in the ldap plugin but still restarted the app to be sure.
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
@imc67 said in Changes to WordPress apps:
@girish that worked, I even saw already the settings in the ldap plugin but still restarted the app to be sure.
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
So the LDAP plugin "syncs" the WP user database with Cloudron's then? I wonder if it sync both ways.
And also, what did all of your Cloudron users import as in Wordpress with the "official" non-hack-ed way of enabling LDAP?
-
@girish that worked, I even saw already the settings in the ldap plugin but still restarted the app to be sure.
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
@imc67 said in Changes to WordPress apps:
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
For consistency, this behaves similar to other apps. There is a default admin user. And then the admin user has to decide who else becomes admin or not. You can go to WP users and make specific users admin. The LDAP plugin actually has a DefaultRole field in it's settings but I noticed now that the setting is not preserved across restarts. I will get this fixed shortly.
I will be fixing the managed WP to behave the same way (it doesn't even have an admin user at this point...).
-
@imc67 said in Changes to WordPress apps:
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
For consistency, this behaves similar to other apps. There is a default admin user. And then the admin user has to decide who else becomes admin or not. You can go to WP users and make specific users admin. The LDAP plugin actually has a DefaultRole field in it's settings but I noticed now that the setting is not preserved across restarts. I will get this fixed shortly.
I will be fixing the managed WP to behave the same way (it doesn't even have an admin user at this point...).
-
@imc67 said in Changes to WordPress apps:
one thing: I expected a ldap logged in cloudron admin also should become admin in WP (in my previous but wrong setup this was the case)?
For consistency, this behaves similar to other apps. There is a default admin user. And then the admin user has to decide who else becomes admin or not. You can go to WP users and make specific users admin. The LDAP plugin actually has a DefaultRole field in it's settings but I noticed now that the setting is not preserved across restarts. I will get this fixed shortly.
I will be fixing the managed WP to behave the same way (it doesn't even have an admin user at this point...).
-
@girish Does the LDAP plugin used sync users one way from the Cloudron User DB to the Wordpress one? Does this sync happen at intervals or as soon as a user gets created on Cloudron?
@Lonk said in Changes to WordPress apps:
@girish Does the LDAP plugin used sync users one way from the Cloudron User DB to the Wordpress one? Does this sync happen at intervals or as soon as a user gets created on Cloudron?
@Lonk It doesn't sync users, no. Users have to login first to be known to WordPress.
