XMLRPC authentication bypasses plugins?

[kojix]

I'm using the plugin Simple LDAP Authentication to authenticate to my blog network. The plugin is runing ok on the web authentication, but when trying the Android App, it fails with the User/password wrong message.

I've set a password for my user into the wp_users table (by default the plugin sets it as a random value), and using this pwd i can authenticate, so I think that xmlrpc bypasses the plugin authentication (I've checked it putting error messages on log on the plugin process, and nothing appears when accessing via xmlrpc).

In the xmlrpc.php doc, there is the wp_xmlrpc_server::login function, which performs this call:

$user = wp_authenticate($username, $password);

And on the plugin class definition we have:

function LdapAuthenticationPlugin() {

...

add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2);
add_filter('check_password', array(&$this, 'override_password_check'), 10, 4);

...

So, I think all should be ok, what makes me think that there could be an error on xmlrpc

[dd32]

It looks like the plugin isn't hooking into enough places. It'll probably have to hook into 'check_password' or 'authenticate' filters.

Try using wp_authenticate($username, $password); directly in code, you'll probably find it fail there too.

Report it to the plugin author, Please feel free to direct the plugin author to this ticket to re-open it if they have a reason to believe that there's a bug in core.

[dd32]

See also, This: ​http://core.trac.wordpress.org/browser/trunk/wp-includes/user.php#L40

40	        // TODO do we deprecate the wp_authentication action?
41	        do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));

It seems that that filter is not the ideal one, 'authenticate' is the better filter for this.

[tianon]

It's not pretty, but the following minimal patch should do the trick (working fine here -- obviously YMMV):

simple-ldap-authentication.php

@@ -35 +35 @@
                        if ( isset($_GET['activate']) && $_GET['activate'] == 'true' )
                                add_action('init', array(&$this, 'initialize_options'));
                        add_action('network_admin_menu', array(&$this, 'add_options_page'));
-                       add_action('wp_authenticate', array(&$this, 'authenticate'), 10, 2);
+                       add_filter('authenticate', array(&$this, 'authenticate'), 10, 3);
                        add_filter('check_password', array(&$this, 'override_password_check'), 10, 4);
                        add_action('lost_password', array(&$this, 'disable_function'));
                        add_action('retrieve_password', array(&$this, 'disable_function'));
@@ -84 +84 @@
                        }
                }
 
-               function authenticate( $username, $password ) {
+               function authenticate( $user, $username, $password ) {
+                       if (is_a($user, 'WP_User')) {
+                               return $user;
+                       }
+                       
                        $this->authenticated = false;
                        $use_ssl = (bool) get_site_option('LDAP_authentication_use_ssl');
                        $ldap_server = get_site_option('LDAP_authentication_server');
@@ -205 +209 @@
                        }
                        
                        @ldap_unbind($ldap);
+                       
+                       if ($this->authenticated && ($userdata = get_user_by('login', $username))) {
+                               return new WP_User($userdata->ID);
+                       }
+                       
+                       return false;
                }
 
                /*