
authLDAP

This plugin lets you use your LDAP directory to authenticate and authorise the users of your WordPress web-log.

Installation should be as simple as the installation of any other WordPress plugin: unzip the downloaded file, put it into the plugins folder of your WordPress installation and activate it.

After activation you can configure the plugin via the options-panel.

How does the plugin work?

Well, as a matter of fact it is rather simple. The plugin verifies that the user seeking authentication can bind to the LDAP using the provided password.

If that is so, the user is either created or updated in the WordPress user database. This update includes the provided password (so WordPress can authenticate users even without the LDAP), the user's name according to the authLDAP preferences, and the status of the user depending on the group settings of the authLDAP preferences.

Writing this plugin would not have been as easy as it has been without the wonderful plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=45

Configuration

Usage Settings

Enable Authentication via LDAP
Whether you want to enable authLdap for login or not
debug authLdap
When you have problems with authentication via LDAP you can enable a debugging mode here.

Server Settings

LDAP Uri
This is the URI where your LDAP backend can be reached. More information is on the Configuration page.
Filter
This is the real McCoy! The filter you define here specifies how a user will be found. Before the filter is applied, every %s is replaced with the given username. This means that when a user logs in using ‘foobar’ as username the following happens:

uid=%s
check for any LDAP entry that has an attribute ‘uid’ with value ‘foobar’
(&(objectclass=posixAccount)(|(uid=%s)(mail=%s)))
check for any LDAP entry that has an attribute ‘objectclass’ with value ‘posixAccount’ and either a uid or a mail attribute with value ‘foobar’ (the ‘|’ is the LDAP OR operator)

This filter is rather powerful if used wisely.
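The following PHP is an added example, not the authLdap plugin's own code. It shows the two steps described under "How does the plugin work?" together with the %s substitution explained above: the filter template is filled in with the login name, the matching entry is searched for, and the password is then verified by binding to the directory as that entry. The login name is escaped before substitution (a small RFC 4515 helper; PHP's built-in ldap_escape() does the same) so that characters with a meaning in filters such as `*`, `(` or `\` are matched literally instead of changing the search. The directory URI, base DN, attribute list and password in the usage part are assumptions.

```php
<?php
// Added example (not the plugin's own code): filter substitution with escaping,
// then search-and-bind authentication as the page describes.

// Escape the characters that are special in LDAP search filters (RFC 4515).
// strtr() with an array replaces each key once, so the backslash is handled safely.
function escape_filter_value(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Replace every %s in the template with the (escaped) login name.
function build_user_filter(string $template, string $username): string
{
    return str_replace('%s', escape_filter_value($username), $template);
}

// Find the user with the filter, then prove the password by binding as that DN.
// Returns the user's entry (as produced by ldap_get_entries()) or null.
function authenticate_via_ldap(
    string $uri, string $baseDn, string $filterTemplate,
    string $username, string $password, array $attributes
): ?array {
    // An empty password would turn the final bind into an anonymous bind,
    // which many servers accept; it must never count as a successful login.
    if ($password === '') {
        return null;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Anonymous search (use a dedicated read-only account where the directory requires it).
    if (!@ldap_bind($conn)) {
        return null;
    }
    $filter = build_user_filter($filterTemplate, $username);
    $search = @ldap_search($conn, $baseDn, $filter, $attributes);
    if ($search === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $search);
    // Exactly one entry must match; several matches mean the filter is ambiguous.
    if ($entries['count'] !== 1) {
        return null;
    }
    // The actual check: can this DN bind with the supplied password?
    if (!@ldap_bind($conn, $entries[0]['dn'], $password)) {
        return null;
    }
    return $entries[0];
}

// Usage with assumed values (needs the PHP LDAP extension and a reachable server).
if (function_exists('ldap_connect')) {
    $entry = authenticate_via_ldap(
        'ldap://ldap.example.org:389',            // assumed server
        'dc=example,dc=org',                       // assumed base DN
        '(&(objectclass=posixAccount)(|(uid=%s)(mail=%s)))',
        'foobar',
        'the-password',                            // assumed password
        ['uid', 'cn', 'mail', 'gidNumber']
    );
    var_dump($entry !== null);
}
// The escaping alone can be tried without a server:
echo build_user_filter('uid=%s', 'foo*bar'), "\n";
```

With the escaping in place a login name is always compared literally, which is what the options page text ("has an attribute ‘uid’ with value ‘foobar’") implies; without it, a name containing `*` or parentheses would alter the filter itself.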

Creating Users

Name-Attribute
Which Attribute from the LDAP contains the Full or the First name of the user trying to log in. This defaults to name
Second Name Attribute
If the above Name-Attribute only contains the first name of the user, you can specify here an attribute that contains the second name.
This field is empty by default
User-ID Attribute
This attribute will be used as the login name for WordPress. Please give the attribute that identifies the user. It should be the same one you used in the Filter option above.
This field defaults to uid
Mail Attribute
Which attribute holds the e-mail address of the user?
If more than one e-mail address is stored in the LDAP, only the first one is used.
This field defaults to mail
Web-Attribute
If your users have a personal page (URI) stored in the LDAP, it can be provided here.
This field is empty by default
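As an added example (not the plugin's own code) of how the attribute settings in this section are applied: the function below turns one entry in the shape returned by PHP's ldap_get_entries() into the fields needed for a WordPress user. The settings array uses the defaults named above; the web attribute `labeledURI` and the sample entry are constructed for this example. Two details matter in practice: ldap_get_entries() lowercases attribute names, so a setting such as gidNumber must be looked up as gidnumber, and multi-valued attributes are arrays with a count key, which is why only the first e-mail address is taken.

```php
<?php
// Added example (not the plugin's own code): mapping an LDAP entry to WordPress user fields.

// Settings as on the options page (page defaults where given; web attribute assumed).
$settings = [
    'name_attr'        => 'name',
    'second_name_attr' => 'sn',
    'uid_attr'         => 'uid',
    'mail_attr'        => 'mail',
    'web_attr'         => 'labeledURI',
];

// A constructed entry in the shape ldap_get_entries() produces: attribute names
// are lowercased and every attribute is an array carrying a 'count' key.
$entry = [
    'dn'         => 'uid=foobar,ou=people,dc=example,dc=org',
    'uid'        => ['count' => 1, 0 => 'foobar'],
    'name'       => ['count' => 1, 0 => 'Foo'],
    'sn'         => ['count' => 1, 0 => 'Bar'],
    'mail'       => ['count' => 2, 0 => 'foo@example.org', 1 => 'foobar@example.org'],
    'labeleduri' => ['count' => 1, 0 => 'https://example.org/~foobar'],
];

// First value of an attribute, or null when the attribute is unset or empty.
// The configured name is lowercased to match the keys ldap_get_entries() uses.
function first_value(array $entry, string $attribute): ?string
{
    $key = strtolower($attribute);
    if ($attribute === '' || empty($entry[$key]['count'])) {
        return null;
    }
    return $entry[$key][0];
}

// Build the array of WordPress user fields; null when no login name is available.
function ldap_entry_to_wp_user(array $entry, array $settings): ?array
{
    $login = first_value($entry, $settings['uid_attr']);
    if ($login === null) {
        return null; // without a login name no account can be created or updated
    }
    $first  = first_value($entry, $settings['name_attr']) ?? $login;
    $second = first_value($entry, $settings['second_name_attr']);
    return [
        'user_login'   => $login,
        'first_name'   => $first,
        'last_name'    => $second ?? '',
        // Full name when the Name-Attribute holds only the first name and a second name attribute is set.
        'display_name' => $second === null ? $first : $first . ' ' . $second,
        // Only the first address is used, as the page states; empty when the directory stores none.
        'user_email'   => first_value($entry, $settings['mail_attr']) ?? '',
        'user_url'     => first_value($entry, $settings['web_attr']) ?? '',
    ];
}

print_r(ldap_entry_to_wp_user($entry, $settings));
```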

User-Groups for Roles

Group-Attribute
This is the attribute that defines the group ID that can be matched against the groups defined further down.
This field defaults to gidNumber.
Group-Filter
Here you can add the filter for selecting the groups of the currently logged-in user.
The filter should contain the string %s, which will be replaced by the login name of the currently logged in


 


36 Replies to “authLDAP”

  1. Tommy says:

    I installed your plugin in WordPress 3.0.1. I get an error in the option page about an invalid argument supplied for Foreach() in authLDAP.php line 217. I’m not too good with PHP, could you take a look at it?

  2. I’ll dig into this and give you an update later.
    Later:
    Sadly I could not reproduce this issue with a clean and empty install of wordpress 3.0.1. I got an error concerning a Case-sensitivity-issue, but that was not the error you reported. Could you give me some more information about the settings you use?

  3. Tommy says:

    It seems like it might be an issue with the pathnames, specifically the uppercase/lowercase letters, between authLDAP in your code and authLdap in the file names in the archive, authldap.zip.

  4. Tommy says:

    I’m new to LDAP so please bear with me. I have the base dn for the LDAP directory containing the uid attribute. All other attributes are stored in a different branch. What’s the proper syntax for specifying which branch of the LDAP directory tree contain the attributes?

  5. I’ve already fixed that in the new version that you can download at wordpress.org. Thanks for mentioning. Did you get it to work then?

  6. Tommy says:

    Just wondering, does authLDAP work with OpenLDAP?

  7. It actually does. But due to a broken API I had to fix it. The current version 1.0.1 authenticates perfectly with OpenLDAP.
    I just checked it with a clean WordPress 3.0.1, authLdap 1.0.1 and my OpenLDAP

  8. Mark says:

    I am having issues trying to limit access to only one group in my OS X Open Directory. Has anyone had success using this plugin against Open Directory? If so, can you post the field values you used? I am running WordPress 3.0.1 and Snow Leopard Server Open Directory. Thanks!

  9. Peter says:

    This plugin looks nice but on a clean fresh install of the latest WordPress on Linux I get this error when activating:

    Warning: require_once(/var/www/aquila/wp/wp-content/plugins/authLdap/ldap.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/aquila/wp/wp-content/plugins/authldap/authLdap.php on line 11

    The server has got a working php/ldap because some other software on it is using LDAP with no problems, with an ActiveDirectory server.

  10. This seems to be a case-sensitivity issue.

    I have fixed that already in the plugin-directory, so downloading the plugin again should resolve the issue.

    Otherwise go to the mentioned line 11 of authldap.php and change the line to
    require_once ABSPATH . 'wp-content/plugins/authldap/ldap.php';
    The important part is the lower-case ‘l’ in authldap.

  11. Peter says:

    Thanks, I fixed the folder and include CaSe and it works now.

    Do you have an example setup using MS ActiveDirectory, your example seems more like OpenLDAP and the groups are a bit different in AD?

  12. Thanks for the reply.

    I’m sorry, but I don’t have access to an AD-Server, so I can’t give you any first-hand examples.

    I always use an LDAP-Browser like jXplore to get an insight into the directory structure.

    As Filter I would use something like SAMAccountName=%s and as User-ID-Attribute I then would also use SAMAccountName

    As Name-Attribute I would use cn

    Sadly I can not give you any advice on the group-settings in authLdap at the moment. I will try to set that up later in the day and give you an update on that.

  13. Sorry for answering so late. The comment got stuck in my spam folder.

    As filter use uid=%s.

    As Group attribute you can either use cn, which is the Shortname of the group from WorkgroupManager, or apple-group-realname (Full name of the group) or gidNumber, which is the group number.

    As Group filter you should then use (&(objectclass=apple-group)(memberUid=%s)).

    Depending on the setting of the group-attribute you then have to give the appropriate values for the group-memberships which are the shortname for cn, the full name for apple-group-realname or the group-number for gidNumber

    When you want to authenticate only one group from your OpenDirectory you have to decide which role the users from that group shall have and simply fill the appropriate group attribute only for that role. Everyone from that OpenDirectory group will then be logged in with that role. Other roles then have to be assigned locally.

  14. authLdap searches an LDAP-Tree recursively. You have to find the common base for the branch your users are stored in and your groups are stored in. So if users have a Distinguished Name of uid=doej,cn=users,dc=example,c=org and groups are stored in cn=myGroup,cn=groups,dc=example,c=org then the common base is dc=example,c=org.

    Then you would set LDAP-URI to ldap://ldapserver.example.com/dc=example,c=org.

    Every other option then only specifies the attributes of user- or group-nodes.

    For more information on that topic have a look at http://en.wikipedia.org/wiki/LDAP

  15. Max says:

    Hi,

    I installed the latest version and the REGEX expression in ldap.php doesn’t seem to work :( When I print_r() the content of $result, I get this: Array ( [0] => ldap://uid=adminuser,dc=example,c=com:secret@ldap.example.com/dc=basePath,dc=example,c=com [1] => ldap [2] => [3] => [4] => [5] => [6] => uid=adminuser,dc=example,c=com:secret@ldap.example.com [7] => /dc=basePath,dc=example,c=com [8] => /dc=basePath,dc=example,c=com )

    Can anybody help?

  16. Max says:

    Hi again,

    after some searching on the web, I found a wonderful PHP function named parse_url(). You should update your code to use it. Here is the output of print_r():
    Array
    (
    [scheme] => ldap
    [host] => ldap.example.com
    [user] => uid=adminuser,dc=example,c=com
    [pass] => secret
    [path] => /dc=basePath,dc=example,c=com
    )
    Also, how should I contact you about the little bugs I find?

    Regards

  17. Thanks for mentioning parse_url().

    The updated code is available for download at the plugin-page.

    Alternatively you can check out the code at github.

    For issues you can use the issue-tracker at github

    Thanks for your feedback.
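As an added example (not the plugin's own code) of the parse_url() approach suggested in the two comments above: the function below splits an LDAP URI into the parts needed for ldap_connect() and ldap_search(), fills in the default port (389 for ldap, 636 for ldaps, the case raised further down this thread) and decodes percent-encoded credentials and base DN, which parse_url() leaves encoded. The sample URIs are constructed; the first one is the shape Max posted.

```php
<?php
// Added example (not the plugin's own code): reading the LDAP URI setting with parse_url().

// Break an LDAP URI into what ldap_connect() and ldap_search() need; null if unusable.
function parse_ldap_uri(string $uri): ?array
{
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
        return null; // anything else is not an LDAP server
    }
    // Without an explicit port, ldap uses 389 and ldaps 636.
    $port = $parts['port'] ?? ($scheme === 'ldaps' ? 636 : 389);
    // The path carries the base DN. parse_url() keeps percent-encoding, so a DN
    // written with %20 or %2C in the setting has to be decoded here.
    $baseDn = isset($parts['path']) ? rawurldecode(ltrim($parts['path'], '/')) : '';

    return [
        'scheme'  => $scheme,
        'host'    => $parts['host'],
        'port'    => $port,
        // Bind DN and password of the search account, if embedded in the URI.
        // Decoding them lets a password containing ':' or '@' be written percent-encoded.
        'bind_dn' => isset($parts['user']) ? rawurldecode($parts['user']) : null,
        'bind_pw' => isset($parts['pass']) ? rawurldecode($parts['pass']) : null,
        'base_dn' => $baseDn,
        // What to hand to ldap_connect(): scheme, host and port only.
        'connect' => sprintf('%s://%s:%d', $scheme, $parts['host'], $port),
    ];
}

// Constructed sample URIs.
$samples = [
    'ldap://uid=adminuser,dc=example,c=com:secret@ldap.example.com/dc=basePath,dc=example,c=com',
    'ldaps://ldap.example.com/dc=example,dc=org',
    'ldaps://ldap.example.com:10636/dc=example,dc=org',
    'http://ldap.example.com/',
];
foreach ($samples as $uri) {
    echo $uri, "\n";
    print_r(parse_ldap_uri($uri));
}
```

A search account embedded in the URI this way is stored together with the other plugin settings, so it should be an account with read-only rights on the user and group branches and nothing more.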

  18. Alex says:

    Thanks for the wonderful plugin, Andreas. I am trying to use it with WordPress 3.0.1 on Mac OS X 10.6 server. I have got the same problems as Mark: users are able to login, but are always assigned to Subscriber group no matter what are the settings in authLDAP configuration. Going through the code I have noticed that there is an error in lines 380 and 387. When updating the user role with update_user_meta, you use the meta tag wp301_capabilities. When I changed the tag to wp_capabilities everything started working as designed. As far as I understand there is no such field in metadata as wp301_capabilities, but there is wp_capabilities. Hopefully it will help Mark and other users. I suppose this issue is not platform-dependent.

    Best regards

  19. Hi Alex.

    Thanks for your Comment.

    This actually is a bug I will fix in the next days.

    Regards

  20. sim0n says:

    hey,

    plugin works fine… but I had to patch authLdap.php for setting capabilities to work correctly.
    wp-3, openldap
    Groups are correctly retrieved, but your plugin tries to set the attribute “capabilities”, which should actually be “wp_capabilities”…else it doesn’t work, at least for me.

  21. Seems like I have to add support for table-prefixes…..

  22. Alex says:

    Hello Andreas,
    Your excellent plugin seems to have one logical problem, which I have recently stumbled upon. I want to restrict the ability to use blogs to a certain group of server users and it seems impossible to do it in the current version of the plugin. The user account is created and user is logged in even if he does not belong to any role defined in authLDAP. I looked at the code and believe that your plugin was designed that way. Don’t you think it would be better to deny login to the users who are not members of any group defined in authLDAP?

  23. Originally the purpose of the plugin was to grant usage of the blog only to members of certain LDAP-Groups. Therefore only those members should be created upon login as wordpress-users.

    But after looking through the code again I have to admit, that you are right and users are created even though they are not members of an allowed group. That seems to be a design flaw I have to eliminate, as it does not make any sense to create dozens of users that have no rights at all.

    Thanks for pointing out the flaw.

    There will be a new version out soonish ;-)
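The following is an added example, not the plugin's own code. It shows one way to resolve a WordPress role from the group values found for a user (the "User-Groups for Roles" settings described on the page) and to refuse the login when none of the configured groups matches, which is the behaviour the two comments above agree the plugin should have. The role table, the group values and the three users are constructed for this example.

```php
<?php
// Added example (not the plugin's own code): group values -> WordPress role, with denial.

// Role table as it would be filled in on the options page: one comma-separated
// list of group values per role, listed in the order the roles should be tried.
// The values are compared against what the Group-Attribute (e.g. gidNumber or cn) yields.
$roleGroups = [
    'administrator' => 'wp-admins',
    'editor'        => 'editors, staff',
    'subscriber'    => '1001, 1002',
];

// Split a comma-separated setting into a clean list of group values.
function parse_group_list(string $setting): array
{
    $values = array_map('trim', explode(',', $setting));
    return array_values(array_filter($values, function ($v) {
        return $v !== '';
    }));
}

// Return the first role (in configuration order) whose group list contains one of
// the user's groups, or null when none does. Group names are compared
// case-insensitively, matching how cn values are compared in the directory.
function resolve_role(array $userGroups, array $roleGroups): ?string
{
    foreach ($roleGroups as $role => $setting) {
        $allowed = parse_group_list($setting);
        if (array_uintersect($userGroups, $allowed, 'strcasecmp') !== []) {
            return $role;
        }
    }
    return null;
}

// Group-Attribute values the Group-Filter search returned for three constructed users.
$users = [
    'alice' => ['wp-admins', '1001'], // matches administrator first
    'bob'   => ['1002'],              // only a subscriber group
    'carol' => ['guests'],            // no configured group at all
];

foreach ($users as $name => $groups) {
    $role = resolve_role($groups, $roleGroups);
    // A null role means the login is refused and no WordPress user is created or updated.
    echo $name, ': ', $role ?? 'login denied', "\n";
}
```

Because the roles are tried in configuration order, a user who is in both an administrator and a subscriber group gets the administrator role; put the most privileged role first if that is the intended precedence, or reorder the table otherwise.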

  24. Alex says:

    And one more minor suggestion, if I may. WordPress requires the users to provide email address when creating an account with wp_create_user(). This account has to be unique. If no user email provided in the Open Directory, authLDAP still tries to create an account giving the user default email account of me@example.com. If another user with no email account tries to login, WordPress rejects account creation because email address me@example.com already exists. I believe that better default value for email would be something like

    $mail = $username . '@example.com'; (line 341)

    This will ensure that even the users who don’t have email in directory records will be able to login and enter an email in their profile afterwards.

    :idea: It would be also nice if in future authLDAP become aware of network installation of WordPress! ;)

    Thank you again for your great plugin and support!

  25. You might ;-)

    That is an excellent suggestion and will be considered in the next release.

    Thanks for the input.

  26. Sven says:

    Hi Andreas,

    you have a typo in your example for the first filter “(&(objectclass=posixAccout)((!(uid=%s)(mail=%s)))”

    It is posixAccount. (And perhaps objectClass)

    Nice Greetings
    Sven

  27. Ben says:

    Hi Andreas, thanks so much for creating this nicely flexible plug-in. I’m struggling a bit to get it to work and have enabled debugging. However, I’m not seeing any debugging information. Can you tell me where I can find the errors so I can tell where it’s failing?

    Thanks.

  28. As a matter of fact, the plugin did not provide any debugging information up to version 1.1.0. The debug-flag you can set has been legacy-code that was used in pre PHP5-times to get some sensible information from the plugin. But during the refactoring for PHP5 I decided to use Exceptions and these are caught in the authLdap.php-file in line 303. As soon as an Exception is thrown, something went wrong and an authentication can not be granted.

    So you could go to line 303 (Version 1.1.0) of the file authldap.php and insert a trigger_error($e->getMessage()) (or something along that line) before the return false. That way you would be informed of everything that does not work correctly in the LDAP-Backend.

    In Version 1.1.1 the debug-flag now enables exactly that behaviour. So from now on you should be able to see LDAP-Problems as User-Notice in your error-log.

  29. Nate says:

    Fantastic plugin… Once I took care of mod_security, that is….
    Quick question:
    Does this support LDAPS? I can’t seem to get it to work with anything other than LDAP on port 389. Is there a way to patch the config, or am I missing something?

    Let me know.

    -Nate

  30. Hi. Sorry for the late reply, You were stuck in the spam folder :-/

    As far as I know, you have to provide a port-number to the LDAP-URI like ldaps://ldap.example.com:636/. But I have not tested LDAPS yet.

    I will look into that in a short time and let you know the results.
    – Andreas

    [edit]
    I just changed the way the LDAPS-Scheme is handled. So with the new version of the authLdap-plugin you should be able to connect to ldaps-Servers – but still not tested!!

  31. Josh says:

    Andreas,
    I’m glad to see this plugin and thanks for writing it. I do have an issue, though, that I can’t seem to figure out :\ I’m authenticating against Apple Open Directory as Mark above is, and your comment was helpful, but I’m still unsuccessful.

    As you know, the groups are like CN=groups,CN=groupname and users are in CN=users. I’ve created an OD group named “wp-admins”, for example, and added the users to WordPress accordingly.

    These are my current settings. If you (or someone) could give a nudge in the right direction, I’d greatly appreciate it.
    My LDAP URI is: ldap://tdxs1.dsdk12.schoollocal/dc=tdxs1,dc=dsdk12,dc=schoollocal
    Name-Attribute: cn
    Second Name Attribute: givenName
    User-ID Attribute: uid
    Group-Attribute: cn
    Group-Filter: (&(objectclass=apple-group)(memberUid=%s))
    Admin Group Membership: wp-admins

  32. Alex says:

    Hello Andreas, it is me again :-) . I wonder if it is possible to make authLDAP aware of WordPress network installation? Currently, even if authLDAP is network activated, new blogs get blank settings. It would be great if Network Admin could define/enforce default authentication settings for newly created blogs. If authLDAP could also set which group of users can create blogs, the blog network would become entirely self-service: if user wants a blog and is allowed to have one, he can create it himself and use server LDAP accounts for subscribers. I am a server admin and not very familiar with WordPress internals, so I do not know if any of this is possible. If it is, it would greatly simplify my work and work of WordPress network administrator.

    Thanks again for your responsiveness, support and maintenance of the plugin.

  33. Hi Alex.

    Nice thought! I wasn’t aware of the network-abilities of wordpress until I dug into this ;-)

    That definitely is a cool thing and I will try to get it up and running! But I can not promise you a date! But first tests are promising.

    I’ll keep you informed.

  34. Hi Josh.

    What exactly is the problem? Are users able to log in but certain information is not set? Or isn’t even a login possible? Have you enabled debugging? If so, what did the logfiles say?

    The provided Information looks good to me, but what struck me was “… and added the users to WordPress accordingly.”, as you would not need to add the users to wordpress manually; the plugin will add the users on their first login.

    Feel free to send me logfiles via private mail

  35. Régis says:

    Hi Andreas Heigl;

    Today I installed your plugin integrated with WordPress. I would like to configure the LDAP, but when I try to log in the page shows an error message. I would like to see the debug log; where do I look for these files?

    Thank you

  36. Hi.

    What is the error-message that you get? By default the debug log is simply appended to PHP’s error log.

    Regards.

    Andreas
