Wordpress AD 集成错误检索组
Wordpress AD Intergration Error retrieving group
出于某种奇怪的原因,我无法从域用户或该击球手的任何组中检索组成员。
Base DN 设置为 dc=domain,dc=com 我在这里点击块。当我使用测试工具时,我无法验证 [注意] "rpimentel@domain.com"
的验证成功
有些东西不见了。一些简单的东西,我在看。会是什么呢?
// Extend the ADIntegrationPlugin class
class BulkImportADIntegrationPlugin extends ADIntegrationPlugin {
/**
* Output formatted debug informations
*
* @param integer level
* @param string $notice
*/
protected function _log($level = 0, $info = '') {
if ($level <= $this->_loglevel) {
switch ($level) {
case ADI_LOG_DEBUG:
$class = 'debug';
$type = '[DEBUG] ';
break;
case ADI_LOG_INFO:
$class = 'info';
$type = '[INFO] ';
break;
case ADI_LOG_NOTICE:
$class = 'notice';
$type = '[NOTICE] ';
break;
case ADI_LOG_WARN:
$class = 'warn';
$type = '[WARN] ';
break;
case ADI_LOG_ERROR:
$class = 'error';
$type = '[ERROR] ';
break;
case ADI_LOG_FATAL:
$class = 'fatal';
$type = '[FATAL] ';
break;
default:
$class = '';
$type = '';
}
$output = '<span class="'.$class.'">'.$type;
$output .= str_replace("\n","<br /> ",$info).'</span><br />';
echo $output;
if (WP_DEBUG) {
if ($fh = @fopen($this->_logfile,'a+')) {
fwrite($fh,$type . str_replace("\n","\n ",$info) . "\n");
fclose($fh);
}
}
}
}
/**
* Do Bulk Import
*
* @param string $authcode
* @return bool true on success, false on error
*/
public function bulkimport($authcode)
{
global $wp_version;
global $wpdb;
$this->setLogFile(dirname(__FILE__).'/import.log');
$this->_log(ADI_LOG_INFO,"-------------------------------------\n".
"START OF BULK IMPORT\n".
date('Y-m-d / H:i:s')."\n".
"-------------------------------------\n");
$time = time();
$all_users = array();
// Is bulk import enabled?
if (!$this->_bulkimport_enabled) {
$this->_log(ADI_LOG_INFO,'Bulk Import is disabled.');
return false;
}
// DO we have the correct Auth Code?
if ($this->_bulkimport_authcode !== $authcode) {
$this->_log(ADI_LOG_ERROR,'Wrong Auth Code.');
return false;
}
$ad_password = $this->_decrypt($this->_bulkimport_pwd);
// Log informations
$this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
"- base_dn: $this->_base_dn\n".
"- domain_controllers: $this->_domain_controllers\n".
"- ad_username: $this->_bulkimport_user\n".
"- ad_password: **not shown**\n".
"- ad_port: $this->_port\n".
"- use_tls: ".(int) $this->_use_tls."\n".
"- network timeout: ". $this->_network_timeout);
// Connect to Active Directory
try {
$this->_adldap = @new adLDAP(array(
"base_dn" => $this->_base_dn,
"domain_controllers" => explode(';', $this->_domain_controllers),
"ad_username" => $this->_bulkimport_user, // Bulk Import User
"ad_password" => $ad_password, // password
"ad_port" => $this->_port, // AD port
"use_tls" => $this->_use_tls, // secure?
"network_timeout" => $this->_network_timeout // network timeout
));
} catch (Exception $e) {
$this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
return false;
}
$this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
$this->_log(ADI_LOG_INFO,'Domain Controller: ' . $this->_adldap->get_last_used_dc());
// Let's give us some more time (60 minutes)
$max_execution_time = ini_get('max_execution_time');
if ($max_execution_time < 3600) {
ini_set('max_execution_time', 3600);
}
if (ini_get('max_execution_time') < 3600) {
$this->_log(ADI_LOG_ERROR,'Can not increase PHP configuration option "max_execution_time".');
return false;
}
// get all users of the chosen security groups from
$groups = explode(";",$this->_bulkimport_security_groups);
if (count($groups) < 1) {
$this->_log(ADI_LOG_WARN,'No security group.');
return false;
}
foreach ($groups AS $group) {
// get all members of group
$group = trim($group);
if ($group != '') {
// do we have a groupid?
if (($pos = stripos($group,'id:')) !== false) {
$pgid = substr($group,$pos+3);
$members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
} else {
$members = $this->_adldap->group_members($group, true);
}
if ($members) {
$this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
$this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
foreach ($members AS $user) {
$all_users[strtolower($user)] = $user;
}
} else {
$this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
}
} else {
$this->_log(ADI_LOG_WARN,'No group. Nothing to do.');
}
}
// Adding all local users with non empty entry adi_samaccountname in usermeta
$blogusers=$wpdb->get_results(
'
SELECT
users.user_login
FROM
'. $wpdb->users . ' users
INNER JOIN
' . $wpdb->usermeta ." meta ON meta.user_id = users.ID
where
meta.meta_key = 'adi_samaccountname'
AND
meta.meta_value IS NOT NULL
AND
meta.meta_value <> ''
AND
users.ID <> 1
"
);
if (is_array($blogusers)) {
foreach ($blogusers AS $user) {
$all_users[strtolower($user->user_login)] = $user->user_login;
}
}
$elapsed_time = time() - $time;
$this->_log(ADI_LOG_INFO,'Number of users to import/update: '.count($all_users).' (list generated in '. $elapsed_time .' seconds)');
if (version_compare($wp_version, '3.1', '<')) {
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
}
// import all relevant users
$added_users = 0;
$updated_users = 0;
foreach ($all_users AS $username) {
$ad_username = $username;
// getting user data
//$user = get_userdatabylogin($username); // deprecated
$user = get_user_by('login', $username);
// role
$user_role = $this->_get_user_role_equiv($ad_username); // important: use $ad_username not $username
// userinfo from AD
$this->_log(ADI_LOG_DEBUG, 'ATTRIBUTES TO LOAD: '.print_r($this->_all_user_attributes, true));
$userinfo = $this->_adldap->user_info($ad_username, $this->_all_user_attributes);
$userinfo = $userinfo[0];
$this->_log(ADI_LOG_DEBUG,"USERINFO[0]: \n".print_r($userinfo,true));
if (empty($userinfo)) {
$this->_log(ADI_LOG_INFO,'User "' . $ad_username . '" not found in Active Directory.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'User "' . $username . '" disabled.');
$this->_disable_user($user->ID, sprintf(__('User "%s" not found in Active Directory.', 'ad-integration'), $username));
}
} else {
// Only user accounts (UF_NORMAL_ACCOUNT is set and other account flags are unset)
if (($userinfo["useraccountcontrol"][0] & (UF_NORMAL_ACCOUNT | ADI_NO_UF_NORMAL_ACOUNT)) == UF_NORMAL_ACCOUNT) {
//&& (($userinfo["useraccountcontrol"][0] & ADI_NO_UF_NORMAL_ACOUNT) == 0)) {
// users with flag UF_SMARTCARD_REQUIRED have no password so they can not logon with ADI
if (($userinfo["useraccountcontrol"][0] & UF_SMARTCARD_REQUIRED) == 0) {
// get display name
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
// create new users or update them
if (!$user OR (strtolower($user->user_login) != strtolower($username))) { // use strtolower!!!
$user_id = $this->_create_user($ad_username, $userinfo, $display_name, $user_role, '', true);
$added_users++;
} else {
$user_id = $this->_update_user($ad_username, $userinfo, $display_name, $user_role, '', true);
$updated_users++;
}
// load user object (this shouldn't be necessary)
if (!$user_id) {
$user_id = username_exists($username);
$this->_log(ADI_LOG_NOTICE,'user_id: '.$user_id);
}
// if the user is disabled
if (($userinfo["useraccountcontrol"][0] & UF_ACCOUNT_DISABLE) == UF_ACCOUNT_DISABLE)
{
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" is disabled in Active Directory.');
if ($this->_disable_users) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user_id, sprintf(__('User "%s" is disabled in Active Directory.', 'ad-integration'), $username));
}
} else {
// Enable user / turn off user_disabled
$this->_log(ADI_LOG_INFO,'Enabling user "' . $username .'".');
$this->_enable_user($user_id);
}
} else {
// Flag UF_SMARTCARD_REQUIRED is set
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" requires a SmartCard to logon.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user->ID, sprintf(__('User "%s" requires a SmartCard to logon.', 'ad-integration'), $username));
}
}
} else {
// not a normal user account
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" has no normal user account.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user->ID, sprintf(__('User "%s" has no normal user account.', 'ad-integration'), $username));
}
}
}
}
// Logging
$elapsed_time = time() - $time;
$this->_log(ADI_LOG_INFO,$added_users . ' Users added.');
$this->_log(ADI_LOG_INFO,$updated_users . ' Users updated.');
$this->_log(ADI_LOG_INFO,'In '. $elapsed_time . ' seconds.');
$this->_log(ADI_LOG_INFO,"-------------------------------------\n".
"END OF BULK IMPORT\n".
date('Y-m-d / H:i:s')."\n".
"-------------------------------------\n");
return true;
}
看来这是我失败的地方。但是为什么不能得到组呢?
foreach ($groups AS $group) {
// get all members of group
$group = trim($group);
if ($group != '') {
// do we have a groupid?
if (($pos = stripos($group,'id:')) !== false) {
$pgid = substr($group,$pos+3);
$members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
} else {
$members = $this->_adldap->group_members($group, true);
}
if ($members) {
$this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
$this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
foreach ($members AS $user) {
$all_users[strtolower($user)] = $user;
}
} else {
$this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
}
我删除了
$ad_password = $this->_decrypt($this->_bulkimport_pwd);
并添加
$ad_password = 'my_password_here';
成功了
看来这个解密密码被破解了。
[信息] 组 "id:513" 的 1000 名成员。
[INFO] import/update 的用户数:3439
我在填写两次字段时遇到了同样的问题"Bulk Import User Password"。我启动了批量导入,但失败了(所有用户都被禁用了!)。我的 Apache 日志如下:
PHP Warning: mcrypt_decrypt(): Key of size 27 not supported by this
algorithm.Only keys of sizes 16, 24 or 32 supported in
/var/www/html/wordpress/wp-content/plugins/active-directory-integration/ad-integration.php
问题似乎来自用于加密密码的函数mcrypt。我们可以在文件 ad-integration.php 中看到该函数使用了 Wordpress 常量 AUTH_SALT,默认定义为 "put your unique phrase here",因此有 27 个字符。所以我用一个32个字符的字符串定义了这个常量(你可以在wp-config.php中定义这个)。我重新填写了批量导入用户密码,它起作用了。
出于某种奇怪的原因,我无法从域用户或该击球手的任何组中检索组成员。
Base DN 设置为 dc=domain,dc=com 我在这里点击块。当我使用测试工具时,我无法验证 [注意] "rpimentel@domain.com"
的验证成功有些东西不见了。一些简单的东西,我在看。会是什么呢?
// Extend the ADIntegrationPlugin class
class BulkImportADIntegrationPlugin extends ADIntegrationPlugin {
/**
* Output formatted debug informations
*
* @param integer level
* @param string $notice
*/
protected function _log($level = 0, $info = '') {
if ($level <= $this->_loglevel) {
switch ($level) {
case ADI_LOG_DEBUG:
$class = 'debug';
$type = '[DEBUG] ';
break;
case ADI_LOG_INFO:
$class = 'info';
$type = '[INFO] ';
break;
case ADI_LOG_NOTICE:
$class = 'notice';
$type = '[NOTICE] ';
break;
case ADI_LOG_WARN:
$class = 'warn';
$type = '[WARN] ';
break;
case ADI_LOG_ERROR:
$class = 'error';
$type = '[ERROR] ';
break;
case ADI_LOG_FATAL:
$class = 'fatal';
$type = '[FATAL] ';
break;
default:
$class = '';
$type = '';
}
$output = '<span class="'.$class.'">'.$type;
$output .= str_replace("\n","<br /> ",$info).'</span><br />';
echo $output;
if (WP_DEBUG) {
if ($fh = @fopen($this->_logfile,'a+')) {
fwrite($fh,$type . str_replace("\n","\n ",$info) . "\n");
fclose($fh);
}
}
}
}
/**
* Do Bulk Import
*
* @param string $authcode
* @return bool true on success, false on error
*/
public function bulkimport($authcode)
{
global $wp_version;
global $wpdb;
$this->setLogFile(dirname(__FILE__).'/import.log');
$this->_log(ADI_LOG_INFO,"-------------------------------------\n".
"START OF BULK IMPORT\n".
date('Y-m-d / H:i:s')."\n".
"-------------------------------------\n");
$time = time();
$all_users = array();
// Is bulk import enabled?
if (!$this->_bulkimport_enabled) {
$this->_log(ADI_LOG_INFO,'Bulk Import is disabled.');
return false;
}
// DO we have the correct Auth Code?
if ($this->_bulkimport_authcode !== $authcode) {
$this->_log(ADI_LOG_ERROR,'Wrong Auth Code.');
return false;
}
$ad_password = $this->_decrypt($this->_bulkimport_pwd);
// Log informations
$this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
"- base_dn: $this->_base_dn\n".
"- domain_controllers: $this->_domain_controllers\n".
"- ad_username: $this->_bulkimport_user\n".
"- ad_password: **not shown**\n".
"- ad_port: $this->_port\n".
"- use_tls: ".(int) $this->_use_tls."\n".
"- network timeout: ". $this->_network_timeout);
// Connect to Active Directory
try {
$this->_adldap = @new adLDAP(array(
"base_dn" => $this->_base_dn,
"domain_controllers" => explode(';', $this->_domain_controllers),
"ad_username" => $this->_bulkimport_user, // Bulk Import User
"ad_password" => $ad_password, // password
"ad_port" => $this->_port, // AD port
"use_tls" => $this->_use_tls, // secure?
"network_timeout" => $this->_network_timeout // network timeout
));
} catch (Exception $e) {
$this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
return false;
}
$this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
$this->_log(ADI_LOG_INFO,'Domain Controller: ' . $this->_adldap->get_last_used_dc());
// Let's give us some more time (60 minutes)
$max_execution_time = ini_get('max_execution_time');
if ($max_execution_time < 3600) {
ini_set('max_execution_time', 3600);
}
if (ini_get('max_execution_time') < 3600) {
$this->_log(ADI_LOG_ERROR,'Can not increase PHP configuration option "max_execution_time".');
return false;
}
// get all users of the chosen security groups from
$groups = explode(";",$this->_bulkimport_security_groups);
if (count($groups) < 1) {
$this->_log(ADI_LOG_WARN,'No security group.');
return false;
}
foreach ($groups AS $group) {
// get all members of group
$group = trim($group);
if ($group != '') {
// do we have a groupid?
if (($pos = stripos($group,'id:')) !== false) {
$pgid = substr($group,$pos+3);
$members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
} else {
$members = $this->_adldap->group_members($group, true);
}
if ($members) {
$this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
$this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
foreach ($members AS $user) {
$all_users[strtolower($user)] = $user;
}
} else {
$this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
}
} else {
$this->_log(ADI_LOG_WARN,'No group. Nothing to do.');
}
}
// Adding all local users with non empty entry adi_samaccountname in usermeta
$blogusers=$wpdb->get_results(
'
SELECT
users.user_login
FROM
'. $wpdb->users . ' users
INNER JOIN
' . $wpdb->usermeta ." meta ON meta.user_id = users.ID
where
meta.meta_key = 'adi_samaccountname'
AND
meta.meta_value IS NOT NULL
AND
meta.meta_value <> ''
AND
users.ID <> 1
"
);
if (is_array($blogusers)) {
foreach ($blogusers AS $user) {
$all_users[strtolower($user->user_login)] = $user->user_login;
}
}
$elapsed_time = time() - $time;
$this->_log(ADI_LOG_INFO,'Number of users to import/update: '.count($all_users).' (list generated in '. $elapsed_time .' seconds)');
if (version_compare($wp_version, '3.1', '<')) {
require_once(ABSPATH . WPINC . DIRECTORY_SEPARATOR . 'registration.php');
}
// import all relevant users
$added_users = 0;
$updated_users = 0;
foreach ($all_users AS $username) {
$ad_username = $username;
// getting user data
//$user = get_userdatabylogin($username); // deprecated
$user = get_user_by('login', $username);
// role
$user_role = $this->_get_user_role_equiv($ad_username); // important: use $ad_username not $username
// userinfo from AD
$this->_log(ADI_LOG_DEBUG, 'ATTRIBUTES TO LOAD: '.print_r($this->_all_user_attributes, true));
$userinfo = $this->_adldap->user_info($ad_username, $this->_all_user_attributes);
$userinfo = $userinfo[0];
$this->_log(ADI_LOG_DEBUG,"USERINFO[0]: \n".print_r($userinfo,true));
if (empty($userinfo)) {
$this->_log(ADI_LOG_INFO,'User "' . $ad_username . '" not found in Active Directory.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'User "' . $username . '" disabled.');
$this->_disable_user($user->ID, sprintf(__('User "%s" not found in Active Directory.', 'ad-integration'), $username));
}
} else {
// Only user accounts (UF_NORMAL_ACCOUNT is set and other account flags are unset)
if (($userinfo["useraccountcontrol"][0] & (UF_NORMAL_ACCOUNT | ADI_NO_UF_NORMAL_ACOUNT)) == UF_NORMAL_ACCOUNT) {
//&& (($userinfo["useraccountcontrol"][0] & ADI_NO_UF_NORMAL_ACOUNT) == 0)) {
// users with flag UF_SMARTCARD_REQUIRED have no password so they can not logon with ADI
if (($userinfo["useraccountcontrol"][0] & UF_SMARTCARD_REQUIRED) == 0) {
// get display name
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
// create new users or update them
if (!$user OR (strtolower($user->user_login) != strtolower($username))) { // use strtolower!!!
$user_id = $this->_create_user($ad_username, $userinfo, $display_name, $user_role, '', true);
$added_users++;
} else {
$user_id = $this->_update_user($ad_username, $userinfo, $display_name, $user_role, '', true);
$updated_users++;
}
// load user object (this shouldn't be necessary)
if (!$user_id) {
$user_id = username_exists($username);
$this->_log(ADI_LOG_NOTICE,'user_id: '.$user_id);
}
// if the user is disabled
if (($userinfo["useraccountcontrol"][0] & UF_ACCOUNT_DISABLE) == UF_ACCOUNT_DISABLE)
{
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" is disabled in Active Directory.');
if ($this->_disable_users) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user_id, sprintf(__('User "%s" is disabled in Active Directory.', 'ad-integration'), $username));
}
} else {
// Enable user / turn off user_disabled
$this->_log(ADI_LOG_INFO,'Enabling user "' . $username .'".');
$this->_enable_user($user_id);
}
} else {
// Flag UF_SMARTCARD_REQUIRED is set
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" requires a SmartCard to logon.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user->ID, sprintf(__('User "%s" requires a SmartCard to logon.', 'ad-integration'), $username));
}
}
} else {
// not a normal user account
$this->_log(ADI_LOG_INFO,'The user "' . $username .'" has no normal user account.');
if (isset($user->ID) && ($this->_disable_users)) {
$this->_log(ADI_LOG_WARN,'Disabling user "' . $username .'".');
$this->_disable_user($user->ID, sprintf(__('User "%s" has no normal user account.', 'ad-integration'), $username));
}
}
}
}
// Logging
$elapsed_time = time() - $time;
$this->_log(ADI_LOG_INFO,$added_users . ' Users added.');
$this->_log(ADI_LOG_INFO,$updated_users . ' Users updated.');
$this->_log(ADI_LOG_INFO,'In '. $elapsed_time . ' seconds.');
$this->_log(ADI_LOG_INFO,"-------------------------------------\n".
"END OF BULK IMPORT\n".
date('Y-m-d / H:i:s')."\n".
"-------------------------------------\n");
return true;
}
看来这是我失败的地方。但是为什么不能得到组呢?
foreach ($groups AS $group) {
// get all members of group
$group = trim($group);
if ($group != '') {
// do we have a groupid?
if (($pos = stripos($group,'id:')) !== false) {
$pgid = substr($group,$pos+3);
$members = $this->_adldap->group_members_by_primarygroupid($pgid, true);
} else {
$members = $this->_adldap->group_members($group, true);
}
if ($members) {
$this->_log(ADI_LOG_INFO,count($members).' Members of group "'.$group.'".');
$this->_log(ADI_LOG_DEBUG,'Members of group "'.$group.'": ' . implode(', ',$members));
foreach ($members AS $user) {
$all_users[strtolower($user)] = $user;
}
} else {
$this->_log(ADI_LOG_ERROR,'Error retrieving group members for group "'.$group.'".');
}
我删除了 $ad_password = $this->_decrypt($this->_bulkimport_pwd); 并添加 $ad_password = 'my_password_here';
成功了
看来这个解密密码被破解了。
[信息] 组 "id:513" 的 1000 名成员。 [INFO] import/update 的用户数:3439
我在填写两次字段时遇到了同样的问题"Bulk Import User Password"。我启动了批量导入,但失败了(所有用户都被禁用了!)。我的 Apache 日志如下:
PHP Warning: mcrypt_decrypt(): Key of size 27 not supported by this algorithm.Only keys of sizes 16, 24 or 32 supported in /var/www/html/wordpress/wp-content/plugins/active-directory-integration/ad-integration.php
问题似乎来自用于加密密码的函数mcrypt。我们可以在文件 ad-integration.php 中看到该函数使用了 Wordpress 常量 AUTH_SALT,默认定义为 "put your unique phrase here",因此有 27 个字符。所以我用一个32个字符的字符串定义了这个常量(你可以在wp-config.php中定义这个)。我重新填写了批量导入用户密码,它起作用了。