LDAP Authentication in WordPress
I have been setting up an internal technology blog which will have a group of members contributing to it. The best way (I thought) of managing this was to enable LDAP authentication on the blog so that all those who are contributing can authenticate with our corporate Active Directory.
As it turns out, there is only one WordPress plugin for this out there and it’s called wpDirAuth. When I found it I very happily downloaded and installed the plugin, thinking that I was done. Boy, was I wrong. I had to jump through a couple of hundred hoops to get it running, but in the end it was worth it. Here are the problems I faced and the solutions to resolve them.
Enabling LDAP for PHP – after installing the plugin, it turns out that I didn’t have the LDAP module installed for PHP. I got the following error screen:
There are 3 things I did to resolve this:
- Opened my php.ini and uncommented the line extension=php_ldap.dll.
- Made sure that I had the file php_ldap.dll in my PHP\ext directory.
- Made sure that I had the files ssleay32.dll and libeay32.dll in my Windows\System32 directory.
Note that the steps above are for a Windows XP installation. If you have a different system, you may need to Google for how to get LDAP enabled for your PHP installation.
Plugin Version – this is fairly straightforward. I went and set up the values, but for some reason I kept getting an “Invalid User” error when trying to log in. A little bit of digging in the groups revealed that this was a problem with the plugin version, which was incompatible with WordPress 2.5.1 (or 2.5 onwards).
Someone was gracious enough to post a patch. Great. But when I tried to download it, the location of the patch was no longer accessible. There was nowhere on the Internet where I was able to find this patch. I tried to access the plugin directories of those who had installed it, and after a long search found one which had the patched plugin installed. I downloaded this version (1.3) and then installed it.
So that it becomes more widely available, here is a download link to wpDirAuth 1.3.
Finally, the filter problem – after I was done with all this, I thought that I was done. Boy, was I wrong. Every time I would try and install this, I would get this error:
Directory Login Error: Directory authentication initially succeeded,
but no valid profile was found (search procedure).
Clearly, my authentication was working, but something else had gone wrong. As it turned out (after trying zillions of combinations), the problem was with the Account Filter setting for the plugin. The way I resolved it was by trying various LDAP attributes for that setting till one worked. Here is a list of the most common attributes (this is the list I used).
And the setting that worked for me (as you can see above) was userPrincipalName.
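Why only one Account Filter value works, as an added example (not wpDirAuth's code): it assumes the profile search after a successful bind uses a filter of the form `(attribute=login)`, and it simulates that search over constructed entries. The entries, the `corp.example` domain and all function names are made up for illustration.

```php
<?php
// Constructed sample entries standing in for a directory; not real accounts.
$directory = [
    ['cn' => 'Jane Doe', 'sAMAccountName' => 'jdoe',
     'userPrincipalName' => 'jdoe@corp.example', 'mail' => 'jane.doe@example.com'],
    ['cn' => 'Sam Lee', 'sAMAccountName' => 'slee',
     'userPrincipalName' => 'slee@corp.example', 'mail' => 'sam.lee@example.com'],
];

// Escape filter metacharacters (RFC 4515) so a login name cannot alter the filter.
function escape_filter_value(string $value): string
{
    return strtr($value, ['\\' => '\\5c', '*' => '\\2a', '(' => '\\28',
                          ')' => '\\29', "\0" => '\\00']);
}

// Build the assumed profile-search filter "(attribute=login)".
function build_filter(string $attribute, string $login): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attribute)) {
        throw new InvalidArgumentException("Bad attribute name: $attribute");
    }
    return '(' . $attribute . '=' . escape_filter_value($login) . ')';
}

// Simulated equality search; names and values are compared case-insensitively.
function search_profile(array $directory, string $attribute, string $login): array
{
    $hits = [];
    foreach ($directory as $entry) {
        foreach ($entry as $name => $value) {
            if (strcasecmp($name, $attribute) === 0 && strcasecmp($value, $login) === 0) {
                $hits[] = $entry;
            }
        }
    }
    return $hits;
}

$login = 'jdoe@corp.example'; // the name used to log in (constructed)
foreach (['sAMAccountName', 'userPrincipalName', 'cn', 'mail'] as $attribute) {
    $found = count(search_profile($directory, $attribute, $login));
    printf("%-18s %-42s %s\n", $attribute, build_filter($attribute, $login),
        $found === 1 ? 'profile found' : 'no valid profile');
}
// A login containing filter metacharacters is escaped, not treated as a wildcard.
echo build_filter('sAMAccountName', 'j*(x)'), "\n";
```

With this login only `userPrincipalName` yields a profile; changing `$login` to `jdoe` makes `sAMAccountName` the only match, which is why the right attribute depends on what users type and how the directory is populated.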
Now I enjoy the benefits – once all that was done, it started to work like magic. And I was pleasantly surprised to note that this authentication worked even through LiveWriter which is great.





July 20th, 2008 at 5:01 am
Thank you for posting this wpDirAuth.php_1.3 patch!
I can now successfully authenticate my wordpress 2.5 users off of my ldap directory.
I sat here for the better part of my Saturday trying to get this to work and it wasn’t until I found your blog that I was able to succeed!
Sincerely,
Ennis McCaffrey
July 20th, 2008 at 12:57 pm
@Ennis – You are welcome. I am glad that I was able to help.
August 26th, 2008 at 11:45 pm
Thanks so much for this – Installed the patch and it worked like a charm. Perfect cure for a terrible headache.
August 27th, 2008 at 1:35 am
@Michael
I am glad it worked out for you.
November 26th, 2008 at 6:34 pm
Wow, that did it. Thanks for sharing!
January 16th, 2009 at 9:52 pm
Thanks a million for this. I had all but given up on this. Turns out I didn’t have the ldap module enabled in apache, and I had never seen that list of most common attributes used. Turns out, our Novell LDAP was using “name” as the filter.
Thanks again.
January 17th, 2009 at 1:04 am
You are of course most welcome
September 23rd, 2009 at 11:24 am
Thanks for this.
It did solve quite a few issues.
I am now able to get my students and staff to log in.
I used WordpressMU 2.8 and the 1.3 patch didn’t work.
I searched and found a 1.4 patch here:
http://weblogs.valsania.it/andreav/wp-content/uploads/2008/07/wpdirauth14.zip
Hope this helps.
I am in a vanilla windows environment and have not had to use LDAP before. Next on my hitlist: Moodle.
I still do not understand a few of the settings on the WPDIRAUTH config page if anyone can help:
Account Filter: samAccountName
Using this setting it works but I have no idea what it is for or what I could use it for either.
Account Suffix:
what is this for?
Regards
Scott Johnson
September 23rd, 2009 at 6:50 pm
Thanks Scott for pointing to the 1.4 patch. Regarding your Account Filter setting, this is basically where you specify the field on your LDAP element against which you are trying to authenticate the login name. Different configurations of LDAP might require you to use different values here.
If yours works with samAccountName, then good. Don’t worry about it anymore.
The suffix again may or may not be required. It is usually the domain name for your LDAP setup.