This is a plugin that allows you to use your LDAP to authenticate and authorise users to access your WordPress web-log.

Installation should be as simple as the installation of any WordPress plugin. Simply unzip the downloaded file, put it into the plugins folder of your WordPress installation and activate it.

After activation you can configure the plugin via the options-panel.

How does the plugin work?

Well, as a matter of fact it is rather simple. The plugin verifies that the user seeking authentication can bind to the LDAP using the provided password.

If that is so, the user is either created or updated in the WordPress user database. This update includes the provided password (so that WordPress can authenticate users even without the LDAP), the user's name according to the authLDAP preferences and the status of the user depending on the group settings of the authLDAP preferences.

Writing this plugin would not have been as easy as it has been without the wonderful plugin of Alistair Young from


Usage Settings

Enable Authentication via LDAP
Whether you want to enable authLdap for login or not.
Debug authLdap
When you have problems with authentication via LDAP you can enable a debugging mode here.

Server Settings

This is the URI where your LDAP backend can be reached. More information is on the Configuration page.
This is the real McCoy! The filter you define here specifies how a user will be found. Before the filter is applied, a %s will be replaced with the given username. This means that when a user logs in using ‘foobar’ as username, the following happens:

check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccount’ and either a UID- or a mail-attribute with value ‘foobar’

This filter is rather powerful if used wisely.
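
The %s substitution described above, as an added example that is not taken from the authLDAP source: the login name is escaped per RFC 4515 before it replaces %s, so characters that have meaning in filter syntax are matched literally. The two filter strings are constructed to match the descriptions above, and the function names are hypothetical.

```php
<?php
// Added example; not taken from the authLDAP source. Function names are hypothetical.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
 * PHP's ldap extension offers ldap_escape($value, '', LDAP_ESCAPE_FILTER) for
 * the same purpose; this version has no extension dependency.
 */
function escape_filter_value(string $value): string
{
    // strtr() with an array does not re-scan its own output, so the
    // backslashes it inserts are never escaped a second time.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/**
 * Replace every %s in the configured filter with the escaped login name.
 */
function build_user_filter(string $template, string $username): string
{
    return str_replace('%s', escape_filter_value($username), $template);
}

// Filters constructed to match the two descriptions on this page.
$templates = [
    '(uid=%s)',
    '(&(objectclass=posixAccount)(|(uid=%s)(mail=%s)))',
];

// Constructed login names: an ordinary one, and two that contain
// characters with a meaning in filter syntax.
$logins = ['foobar', '*', 'foobar)(uid=*'];

foreach ($templates as $template) {
    foreach ($logins as $login) {
        printf("%-16s -> %s\n", $login, build_user_filter($template, $login));
    }
}
```

With the escaping in place, the second and third login names can only match an entry whose attribute literally contains those characters.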

Creating Users

Which Attribute from the LDAP contains the Full or the First name of the user trying to log in? This defaults to name.
Second Name Attribute
If the above Name-Attribute only contains the First Name of the user, you can specify here an Attribute that contains the second name.
This field is empty by default.
User-ID Attribute
This field will be used as login-name for WordPress. Please give the Attribute that is used to identify the user. This should be the same as you used in the above Filter-Option.
This field defaults to uid.
Mail Attribute
Which Attribute holds the eMail-Address of the user?
If more than one eMail-Address is stored in the LDAP, only the first given is used.
This field defaults to mail.
If your users have a personal page (URI) stored in the LDAP, it can be provided here.
This field is empty by default

User-Groups for Roles

This is the attribute that defines the Group-ID that can be matched against the Groups defined further down.
This field defaults to gidNumber.
Here you can add the filter for selecting groups for the currently logged in user.
The Filter should contain the string %s which will be replaced by the login-name of the currently logged in

65 thoughts on “authLDAP”

  1. Hey Julien.

    Yes, the plugin works with AD as well. Can you send me more details on your config via Mail to andreas (AT) heigl (DOT) org? I’ll then try to find the issue!


  2. Hello Andreas,

    I would like to ask you whether your plugin is also suitable for the WordPress multisite setup? I only find the settings for authldap in the dedicated WordPress site, and not in the global network dashboard.
    Thanks, and regards,

  3. It currently isn’t out of the box. I never got round to implementing it and it wasn’t a requested feature. I might have a look at how to do that during this weekend so I might be able to give you a feedback how and when that might work…

  4. Hello,

    Your plugin is exactly what I am looking for but unfortunately I cannot get it to work. Any help would be greatly appreciated.

    Error:(Time on logs are not accurate, not sure if that has anything to do with it)

    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] User ‘userid’ logging in
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] about to do LDAP authentication
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] connect to LDAP server
    [13-Oct-2017 03:17:44 UTC] [AuthLDAP] LDAP authentication failed with exception: no result found

    LDAP URI:ldap://,password,DC=domain,DC=mycorp,DC=com

    Filter: (cn=%)
    Name: givenName
    Last: sn
    UserID Attribute: cn
    Mail: mail

    Group Attribute: distinguishedName

    Group Filter: (&(objectClass=group)(dn=%))

    Mapped group to Subscriber group: CN=groupname,OU=Groups,OU=common,DC=domain,DC=mycorp,DC=com

  5. Hi.

    I‘m pretty sure your LDAP-URI needs to look like this:


    Where „userid“ should be something like „cn=userid,DC=domain,DC=mycorp,DC=com“. When you are using ActiveDirectory as backend you might also be able to just use „userid“

  6. Thanks for your reply!

    I am now getting this error: LDAP Authentication failed with exception: bind was not successful: Invalid Credentials

    I tried both cn and userid (let's say my user id is “test” and password is “pass123”). Here is how I am inputting the LDAP URI –


    also tried this, with same error –

  7. Try
    ldap://,DC=mycorp,DC=com or ldap://cn=test,DC=domain,DC=mycorp,,DC=mycorp,DC=com.

    The username needs to be either a complete Distinguished Name (DN) or – when you are using ActiveDirectory as backend – just the user-ID (that is stored in ActiveDirectory in the attribute sAMAccountName)

  8. Getting the same error with both, we are using forest schema version 47, is there maybe a unique way it needs to be for this schema version?

    User ‘test’ logging in
    about to do LDAP authentication
    connect to LDAP server
    LDAP authentication failed with exception: bind was not successfull: Invalid credentials

  9. Hi, we are getting this working with our AD with good success – great plug in!

    We have a number of custom roles to map. However, we’re seeing that even though the log shows the groups getting parsed OK, it’s not mapping the roles – it just seems to update the primary role with the last role in the list, rather than add the user to each role – VID beyond and vid leaders.

    Any ideas – feel like we’re really close!

    from the log…

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] User ‘james’ logging in
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] about to do LDAP authentication
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] connect to LDAP server
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] LDAP authentication successfull
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Existing user, uid = 6
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Array
    [administrator] =>
    [editor] =>
    [author] =>
    [contributor] =>
    [subscriber] =>
    [employer] =>
    [newbie] =>
    [VID Leaders] => VID Leaders
    [VID Beyond] => VID Beyond

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Array
    [administrator] =>
    [editor] =>
    [author] =>
    [subscriber] =>
    [contributor] =>
    [newbie] =>
    [employer] =>
    [VID Beyond] => VID Beyond
    [VID Leaders] => VID Leaders

    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Group Filter: “(&(objectCategory=group)(name=VID *)(member=CN=James,DC=not really,DC=co,DC=uk))”
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] LDAP groups: [“VID Leaders”,”VID Beyond”]
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] Role from LDAP group: VID Beyond
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] role from group mapping: VID Beyond
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] The LDAP user has an entry in the WP-Database
    [02-Nov-2017 19:11:44 UTC] [AuthLDAP] user id = 6

  10. Currently the plugin only adds a user to one group. And that’s the first matching group. There are ideas to change that but that’s not yet finished. Well, not even started…

  11. Hi,
    I am researching for a plugin to use with WP Multisite and LDAP at a college. I see that this question has been asked before but it wasn’t answered. Is that functionality available with this plugin?

    Thanks in advance!

  12. As of version 2.0.0 multisite is available. Though the main question is how you want this functionality to work. With the current implementation you can (or have to – depending on your use-case) use different configurations for each site. With a hack you can also enable one configuration to be shared over all sites.

    Or do you have a different use-case? Then feel free to add it as an issue to

  13. Hi,

    I’m trying your plugin (Version 2.0.3 ) using the latest WordPress version (4.9.4) and I can’t connect to my LDAPS server, I get the below error:

    [AuthLDAP] User ‘my_username’ logging in, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] about to do LDAP authentication, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] connect to LDAP server, referer: http://my_website/wp-login.php?loggedout=true
    [AuthLDAP] No bind successfull. Exception thrown in line 68, referer: http://my_website/wp-login.php?loggedout=true

    The URI used is:


    Any thoughts on how to handle it? Do you think it’s related to the ldapS? Does the plugin support ldapS?


  14. The plugin does support LDAPS though using it with self-signed certificates is nasty! So first question: Are you using self-signed certificates?

    Another issue might be the password. Do you have any special characters in it that should be URL encoded? Like f.e. ‘:’ or ‘@’ or ‘&’ or ‘?’. If so you should put them into the URL in a URL-Encoded way.

    For further questions feel free to contact me via email at andreas AT heigl DOT org
