Latest package with LDAP add-on
-
@d19dotca said in Latest package with LDAP add-on:
Is there perhaps a way to make it so that when a Cloudron user logs into WordPress that their email is not-configurable and therefore must match what is in Cloudron LDAP?
The WP LDAP plugin we use does not allow users to lock the email address. It doesn't support syncing either. I do note that there is another plugin which supports syncing - https://wordpress.org/plugins/ldap-login-for-intranet-sites/ which wasn't around before.
Also, correct, I recently removed the email login to make it consistent with non-WP apps.
@girish Thank you for confirming. Glad to know I wasn't going completely crazy, haha. I'd love to be able to login with username and email, not limited to just one. I'd love to see that decision to only allow usernames be reconsidered, if possible.
--
Dustin Dauncey
www.d19.ca -
@girish Thank you for confirming. Glad to know I wasn't going completely crazy, haha. I'd love to be able to login with username and email, not limited to just one. I'd love to see that decision to only allow usernames be reconsidered, if possible.
@d19dotca said in Latest package with LDAP add-on:
@girish Thank you for confirming. Glad to know I wasn't going completely crazy, haha. I'd love to be able to login with username and email, not limited to just one. I'd love to see that decision to only allow usernames be reconsidered, if possible.
I'm of the same mind, if only because I'm such a heavy Wordpress user and we all were so excited for email logins. So, if you're willing to switch stances, I'll cover whatever you need to happen on the Wordpress side (such as writing the code to sync user emails).
-
Another way of looking at it too (maybe I'm overthinking this though)... if the application itself states it can be "username or email" as WordPress login page does, then theoretically I should be able to login with both (either of them) as that is what the app allows. And if I can only use one, then I would view this new restriction to username-only as an artificial Cloudron limitation which wouldn't be made clear to people using the app from the app's login page. This could easily cause confusion with users who are expecting to login with their email because that's what it says they can do, but then we'd have to explain to them as admins that they can't actually do what the login page says.
In other words... if the app states I can use username or email, then I should not be restricted to only one, IMO.
--
Dustin Dauncey
www.d19.ca -
Another way of looking at it too (maybe I'm overthinking this though)... if the application itself states it can be "username or email" as WordPress login page does, then theoretically I should be able to login with both (either of them) as that is what the app allows. And if I can only use one, then I would view this new restriction to username-only as an artificial Cloudron limitation which wouldn't be made clear to people using the app from the app's login page. This could easily cause confusion with users who are expecting to login with their email because that's what it says they can do, but then we'd have to explain to them as admins that they can't actually do what the login page says.
In other words... if the app states I can use username or email, then I should not be restricted to only one, IMO.
@d19dotca bain of a Sys Admins life logins eh!
Would love to see a Cloudron oAuth-type solution. I need some sponsored apps alive in the App Store first @Lonk
, then maybe we can assist with that. -
The "username or email" text is present in login screen of many apps - wekan, rocket.chat. gitlab, etc. The issue is that many of the apps do not sync the "email" field when they are changed on the cloudron side. Which means suddenly login won't work. The email login comes from the past where we didn't pay attention to these issues (just like we didn't pay attention to how many apps support OAuth and blindly implemented it).
I am not disagreeing with you guys here
I see both sides of it and one has to compromise somewhere. Maybe we can to spend time to go through all the apps and make email login work. Just having it work with 1 or 2 apps is causing confusion (how do you say it works in app x,y,z but not in others?). -
The "username or email" text is present in login screen of many apps - wekan, rocket.chat. gitlab, etc. The issue is that many of the apps do not sync the "email" field when they are changed on the cloudron side. Which means suddenly login won't work. The email login comes from the past where we didn't pay attention to these issues (just like we didn't pay attention to how many apps support OAuth and blindly implemented it).
I am not disagreeing with you guys here
I see both sides of it and one has to compromise somewhere. Maybe we can to spend time to go through all the apps and make email login work. Just having it work with 1 or 2 apps is causing confusion (how do you say it works in app x,y,z but not in others?).@girish said in Latest package with LDAP add-on:
Just having it work with 1 or 2 apps is causing confusion
Totally agreed. We should be consistent, for sure. I tried recently as a result of this to deploy Matomo for a test instance, and could login fine with the email still, so even at the "username-only" mantra it isn't consistent either.
-
The "username or email" text is present in login screen of many apps - wekan, rocket.chat. gitlab, etc. The issue is that many of the apps do not sync the "email" field when they are changed on the cloudron side. Which means suddenly login won't work. The email login comes from the past where we didn't pay attention to these issues (just like we didn't pay attention to how many apps support OAuth and blindly implemented it).
I am not disagreeing with you guys here
I see both sides of it and one has to compromise somewhere. Maybe we can to spend time to go through all the apps and make email login work. Just having it work with 1 or 2 apps is causing confusion (how do you say it works in app x,y,z but not in others?).@girish said in Latest package with LDAP add-on:
Maybe we can to spend time to go through all the apps and make email login work.
That works for me. We can revisit this in 2021 when we believe we can dedicate time to all apps to add the email field. LDAP is a simple enough protocol so it shouldn't be too hard but def a 2021 kinda thing.
Thanks for the insight, as always girish!
-
@d19dotca bain of a Sys Admins life logins eh!
Would love to see a Cloudron oAuth-type solution. I need some sponsored apps alive in the App Store first @Lonk
, then maybe we can assist with that.@marcusquinn said in Latest package with LDAP add-on:
. I need some sponsored apps alive in the App Store first @Lonk , then maybe we can assist with that.
I had to finish my full app following all of Cloudron practices. So I underestimated how much time that was going to take. I made the last update to it today and it's ready for the store. So, now, I feel ready packing more now that I've finished mine completely.
-
Yeah, I want to prioritize making the LDAP addon "dynamic" before spending time on this email login. i.e you can choose at whatever you want at install time. But later, you can always turn LDAP on/off dynamically.
@girish said in Latest package with LDAP add-on:
Yeah, I want to prioritize making the LDAP addon "dynamic" before spending time on this email login. i.e you can choose at whatever you want at install time. But later, you can always turn LDAP on/off dynamically.
Yes, definitely really like that idea, gonna have to dive into the DB for that, but it's doable and sounds like more current users would LDAP if they could turn it on after it gets supported (the situation Wodpress Developer is in rn).
-
Yeah, I want to prioritize making the LDAP addon "dynamic" before spending time on this email login. i.e you can choose at whatever you want at install time. But later, you can always turn LDAP on/off dynamically.
@girish Quick question (hopefully), slightly related but I can file a new one if you'd like: Now that the package has LDAP support, I'm starting migrating my sites (once again haha) from Managed to the updated Developer package of WordPress, and while it's mostly been super easy so far, I'm running into a strange issue I noticed tonight where I'm still able to login with the email despite it not being set in the AuthLDAP plugin. I even double-checked and the configuration of the AuthLDAP plugin and see only username is listed, not mail.
One caveat here though is this source site I'm migrating is actually from an older Unmanaged one, not Managed. So maybe that's part of it? I don't know why that'd make a difference though. But I'm really struggling to get it to behave the way it should if I was starting this from scratch with the new Developer packaged one. Any ideas? Or maybe @Lonk will know this one? Maybe some sort of AuthLDAP / LDAP cache? Restarting the app doesn't seem to clear it though.
--
Dustin Dauncey
www.d19.ca -
@girish Quick question (hopefully), slightly related but I can file a new one if you'd like: Now that the package has LDAP support, I'm starting migrating my sites (once again haha) from Managed to the updated Developer package of WordPress, and while it's mostly been super easy so far, I'm running into a strange issue I noticed tonight where I'm still able to login with the email despite it not being set in the AuthLDAP plugin. I even double-checked and the configuration of the AuthLDAP plugin and see only username is listed, not mail.
One caveat here though is this source site I'm migrating is actually from an older Unmanaged one, not Managed. So maybe that's part of it? I don't know why that'd make a difference though. But I'm really struggling to get it to behave the way it should if I was starting this from scratch with the new Developer packaged one. Any ideas? Or maybe @Lonk will know this one? Maybe some sort of AuthLDAP / LDAP cache? Restarting the app doesn't seem to clear it though.
-
@girish Quick question (hopefully), slightly related but I can file a new one if you'd like: Now that the package has LDAP support, I'm starting migrating my sites (once again haha) from Managed to the updated Developer package of WordPress, and while it's mostly been super easy so far, I'm running into a strange issue I noticed tonight where I'm still able to login with the email despite it not being set in the AuthLDAP plugin. I even double-checked and the configuration of the AuthLDAP plugin and see only username is listed, not mail.
One caveat here though is this source site I'm migrating is actually from an older Unmanaged one, not Managed. So maybe that's part of it? I don't know why that'd make a difference though. But I'm really struggling to get it to behave the way it should if I was starting this from scratch with the new Developer packaged one. Any ideas? Or maybe @Lonk will know this one? Maybe some sort of AuthLDAP / LDAP cache? Restarting the app doesn't seem to clear it though.
@d19dotca There's no cache, it's pretty straightforward. Hmm, what happens if you disable the LDAP plugin and try to login with the same credentials (email) to see if it lets you in? I wanna check if this is
LDAP related or something within Wordpress and that'll let me know it's the plugin. -
@d19dotca There's no cache, it's pretty straightforward. Hmm, what happens if you disable the LDAP plugin and try to login with the same credentials (email) to see if it lets you in? I wanna check if this is
LDAP related or something within Wordpress and that'll let me know it's the plugin.@Lonk I'll test this out again and let ya know soon.
UPDATE: I just tried and see that it works fine now. Initially it didn't after migration even during this latest test, however I updated the field again to be just username and not mail, and suddenly now it worked as expected where it'll only accept the username and not email address. No idea why that didn't work when I did it yesterday, but I either overlooked something before or maybe it didn't save properly, I dunno. Seems to be okay now though.
--
Dustin Dauncey
www.d19.ca -
@Lonk I'll test this out again and let ya know soon.
UPDATE: I just tried and see that it works fine now. Initially it didn't after migration even during this latest test, however I updated the field again to be just username and not mail, and suddenly now it worked as expected where it'll only accept the username and not email address. No idea why that didn't work when I did it yesterday, but I either overlooked something before or maybe it didn't save properly, I dunno. Seems to be okay now though.
@d19dotca Glad you got it working as expected. I still want to appeal to the devs to allow email in LDAP, but we certainly don't want that to work when it shouldn't be working. Hopefully we'll get to add real LDAP email support to Wordpress (Developer) one day.
οΈ -
@d19dotca Glad you got it working as expected. I still want to appeal to the devs to allow email in LDAP, but we certainly don't want that to work when it shouldn't be working. Hopefully we'll get to add real LDAP email support to Wordpress (Developer) one day.
οΈ@Lonk Actually now I'm super confused. lol. I thought it was fine, but now I'm seeing it letting me login again with the old password, so I went to remove it, and I found out I can actually still sign in with both the old password (since it was in the database from the old managed wordpress) and even the email address. No idea why this suddenly changed again. Maybe my brain is fried, lol. I'm going to try again now and disable the AuthLDAP plugin entirely and see what's up.
-
@d19dotca Glad you got it working as expected. I still want to appeal to the devs to allow email in LDAP, but we certainly don't want that to work when it shouldn't be working. Hopefully we'll get to add real LDAP email support to Wordpress (Developer) one day.
οΈ@Lonk Okay yes, I can confirm that it works even with the AuthLDAP plugin disabled, when I use my old credentials (i.e email address + password). This kind of makes sense too since it was a Managed WordPress instance so everything was local anyways and not using LDAP. But what makes no sense to me is if I've removed the password from the wp_users table for my user, why it still lets me in.
Any ideas?--
Dustin Dauncey
www.d19.ca -
@Lonk Okay yes, I can confirm that it works even with the AuthLDAP plugin disabled, when I use my old credentials (i.e email address + password). This kind of makes sense too since it was a Managed WordPress instance so everything was local anyways and not using LDAP. But what makes no sense to me is if I've removed the password from the wp_users table for my user, why it still lets me in.
Any ideas?@d19dotca That's really odd, you literally removed the password hash from the DB in your personal user and you still can login with the LDAP plugin disabled?
The only thing I can say for now is to make sure the password hash you deleted matches your actual
user_id. Like, just a little double check there. Because that is super bizarre. -
@d19dotca That's really odd, you literally removed the password hash from the DB in your personal user and you still can login with the LDAP plugin disabled?
The only thing I can say for now is to make sure the password hash you deleted matches your actual
user_id. Like, just a little double check there. Because that is super bizarre.@Lonk said in Latest package with LDAP add-on:
you literally removed the password hash from the DB in your personal user and you still can login with the LDAP plugin disabled?
Yeah, super strange right? Never seen this behaviour before. It shouldn't be possible.
There's nothing in the user_pass box, and I'm the only user account in this particular website so I couldn't have messed up which user account, haha. There's only one row in that table.
--
Dustin Dauncey
www.d19.ca -
@Lonk said in Latest package with LDAP add-on:
you literally removed the password hash from the DB in your personal user and you still can login with the LDAP plugin disabled?
Yeah, super strange right? Never seen this behaviour before. It shouldn't be possible.
There's nothing in the user_pass box, and I'm the only user account in this particular website so I couldn't have messed up which user account, haha. There's only one row in that table.
@d19dotca How about this - delete the plugin. Very rarely (but totally is a thing) there are plug-in...remnants. And also, you tried incorrect passwords and incorrect usernames right? Hmm, maybe try another user on the Cloudron LDAP that isnβt you before you fully delete the plug-in to see if itβs actually still using LDAP somehow.
