Latest package with LDAP add-on
-
I spun up a fresh WordPress Developer package this afternoon and chose the LDAP integration (rather than app-managed), set my admin group for it, and when I went to login I could not login, it fails and I can only log in with the automatically created admin user. Is this working for anyone else when setting a group for access with LDAP?
-
I'll probably test this over the next couple days; I'll let ya know if it works for me.
️ -
I just saw a new version was pushed for "Managed" and all LDAP users are "Editors" by default. Wonder if that's what you're running into, also wonder if that's configurable, cause I went them to be Admins by default in my Developer installation.
-
For me, I just deployed a fresh Developer WordPress package, and set it to use LDAP for a particular Cloudron group, then it finished deploying and I went to login with my Cloudron credentials (I am in the group I chose for it earlier), but it rejects my credentials on the wp-login.php page. So it's not an "Editors" role thing, it's just not letting me in outright.
-
@d19dotca strange, I migrated a unmanaged WP to a developer WP, (had to install manually the LDAP plugin) but after that it all worked immediately perfect!
Only thing is that the default setting of the plugin is that every LDAP user is author (you can change that), so you need to use the build in admin to change user rights of the LDAP users.
ps: the user name is without the @domain.tld (sounds stupid but all our users make the mistake between username and email address to login to ie. Roundcube)
-
@imc67 You had to install the plug-in? That doesn’t make sense though... LDAP option has to install that automatically. Maybe that’s the issue here then.
-
@imc67 Ah, you're right, it's the username. I was using my email on my Cloudron user account, not the Cloudron username itself. This is unfortunate though, I prefer to login with my email address whenever possible. Oddly enough, this has worked before (this is how I currently login to all of my Managed Cloudron app instances), so I wonder why this behaviour has changed recently.
-
@d19dotca said in Latest package with LDAP add-on:
@imc67 You had to install the plug-in? That doesn’t make sense though... LDAP option has to install that automatically. Maybe that’s the issue here then.
It was because I migrated a unmanaged WP to a developer WP
-
@d19dotca I checked in 2 separate cloudrons and I can login immediately with my cloudron credentials. Cloudron uses get editor role, by default. You can change this as an admin though in the WP Admin Panel -> Settings -> authLdap -> Default Role.
Also, to double check what @imc67 said, are you logging in by username or email? Logging in by email is not supported.
-
@girish said in Latest package with LDAP add-on:
Logging in by email is not supported.
Is this a Cloudron LDAP limitation or just a Wordpress LDAP integration limitation? Because some web apps only have email and password for login
-
@Lonk said in Latest package with LDAP add-on:
Is this a Cloudron LDAP limitation or just a Wordpress LDAP integration limitation? Because some web apps only have email and password for login
This is just for consistency across all apps (not just WP). The general flow we are going for is:
- You have an admin user. Admin user is important to exist in the case the LDAP is not working (for whatever reason like networking issue).
- Cloudron users can login with username into apps (not email). Only exception is webmail apps, that require email to login.
- The admin user can make a cloudron user an administrator inside the app. We want to delegate all role/permission management to the app itself. Cloudron will only do authentication and not authorization.
Note that we arrived at this flow from experience and trial/error. So, it's just being pragmatic.
-
@girish said in Latest package with LDAP add-on:
@Lonk said in Latest package with LDAP add-on:
Is this a Cloudron LDAP limitation or just a Wordpress LDAP integration limitation? Because some web apps only have email and password for login
This is just for consistency across all apps (not just WP). The general flow we are going for is:
- You have an admin user. Admin user is important to exist in the case the LDAP is not working (for whatever reason like networking issue).
- Cloudron users can login with username into apps (not email). Only exception is webmail apps, that require email to login.
- The admin user can make a cloudron user an administrator inside the app. We want to delegate all role/permission management to the app itself. Cloudron will only do authentication and not authorization.
Note that we arrived at this flow from experience and trial/error. So, it's just being pragmatic.
Thanks for such a detailed explanation of your thought pattern and flow. But it does make me wonder why email wouldn’t be included in making a user have the ability to login. Wordpress only user usernames for years but so many people installed a “login via email” that they gave in. So I was wondering why wouldn’t Cloudron’s LDAP consider both email or username as a valid “username” for LDAP purposes. Or is that a limitation of the LDAP protocol?
-
@Lonk said in Latest package with LDAP add-on:
So I was wondering why wouldn’t Cloudron’s LDAP consider both email or username as a valid “username” for LDAP purposes.
On Cloudron, you can change the email (but not username). So, If you change the email, then try to login to the app, it may not work anymore because some apps store the email in their local database and to get them to change the email address, they have to "sync" with the cloudron directory correctly. This again depends on each app but for the end user it just causes confusion sometimes that they cannot login (especially since the browser remembered the email as their previous login...)
-
@girish Sorry I thought I already responded yesterday but apparently didn't save my comment. lol. So yeah, the issue was the format of the username, it was what @imc67 noted earlier.
What's strange to me though here is that this was never a restriction before, right? I currently log into all my Managed WordPress installs using my email for Cloudron LDAP. Was this restriction to username only recently added?
Any way to change back the behaviour to email too? I know you said this is from a lot of learning and experience with trial and error, but for WordPress the login page says "username or email address", so I would expect us to login with either, not just one, otherwise the login page isn't exactly accurate at that point.
-
@girish said in Latest package with LDAP add-on:
If you change the email, then try to login to the app, it may not work anymore because some apps store the email in their local database and to get them to change the email address, they have to "sync" with the cloudron directory correctly.
Is there perhaps a way to make it so that when a Cloudron user logs into WordPress that their email is not-configurable and therefore must match what is in Cloudron LDAP? I'm thinking similar to how the website URL and such in WP Settings is not configurable through the GUI because it's set in the lower level files.
-
@d19dotca said in Latest package with LDAP add-on:
Is there perhaps a way to make it so that when a Cloudron user logs into WordPress that their email is not-configurable and therefore must match what is in Cloudron LDAP?
The WP LDAP plugin we use does not allow users to lock the email address. It doesn't support syncing either. I do note that there is another plugin which supports syncing - https://wordpress.org/plugins/ldap-login-for-intranet-sites/ which wasn't around before.
Also, correct, I recently removed the email login to make it consistent with non-WP apps.
-
@girish said in Latest package with LDAP add-on:
@d19dotca said in Latest package with LDAP add-on:
Is there perhaps a way to make it so that when a Cloudron user logs into WordPress that their email is not-configurable and therefore must match what is in Cloudron LDAP?
The WP LDAP plugin we use does not allow users to lock the email address. It doesn't support syncing either. I do note that there is another plugin which supports syncing - https://wordpress.org/plugins/ldap-login-for-intranet-sites/ which wasn't around before.
Also, correct, I recently removed the email login to make it consistent with non-WP apps.
If I put in the work for this would you re-consider email attribute being considered in your Cloudron LDAP system, if only for Wordpress' sake?
Tbh, it was an uphill battle getting them to allow us to use our email addresses in the WP Core (almost everyone uses a plugin to do it previous to it being in core). Anyway, if syncing is your only issue, and if I was able to rectify that issue somehow, would this be a consideration for you to re-allow?
-
@girish Thank you for confirming. Glad to know I wasn't going completely crazy, haha. I'd love to be able to login with username and email, not limited to just one. I'd love to see that decision to only allow usernames be reconsidered, if possible.
-
@d19dotca said in Latest package with LDAP add-on:
@girish Thank you for confirming. Glad to know I wasn't going completely crazy, haha. I'd love to be able to login with username and email, not limited to just one. I'd love to see that decision to only allow usernames be reconsidered, if possible.
I'm of the same mind, if only because I'm such a heavy Wordpress user and we all were so excited for email logins. So, if you're willing to switch stances, I'll cover whatever you need to happen on the Wordpress side (such as writing the code to sync user emails).
-
Another way of looking at it too (maybe I'm overthinking this though)... if the application itself states it can be "username or email" as WordPress login page does, then theoretically I should be able to login with both (either of them) as that is what the app allows. And if I can only use one, then I would view this new restriction to username-only as an artificial Cloudron limitation which wouldn't be made clear to people using the app from the app's login page. This could easily cause confusion with users who are expecting to login with their email because that's what it says they can do, but then we'd have to explain to them as admins that they can't actually do what the login page says.
In other words... if the app states I can use username or email, then I should not be restricted to only one, IMO.
