LDAP Authentication in WordPress

I have been setting up an internal technology blog which will have a group of members contributing to it. The best way (I thought) of managing this was to enable LDAP authentication on the blog so that all those who are contributing can authenticate with our corporate Active Directory.

As it turns out there is only one WordPress plugin for this out there and it’s called wpDirAuth. When I found it I very happily downloaded and installed the plugin, thinking that I was done. Boy, was I wrong. I had to jump through a couple of hundred hoops to get it running, but in the end it was worth it. Here are the problems I faced and the solutions to resolve them.

Enabling LDAP for PHP – after installing the plugin, it turns out that I didn’t have the LDAP module installed for PHP. I got the following error screen:

[Screenshot: wpDirAuth error screen]

There are 3 things I did to resolve this:

  • Opened my php.ini and uncommented the line extension=php_ldap.dll.
  • Made sure that I had the file php_ldap.dll in my PHP\ext directory.
  • Made sure that I had the files ssleay32.dll and libeay32.dll in my Windows\System32 directory.

Note that the steps above are for a Windows XP installation. If you have a different system, you may need to Google for how to get LDAP enabled for your PHP installation.

Plugin Version – this is fairly straightforward. I went and set up the values but for some reason I kept getting an “Invalid User” error when trying to log in. A little bit of digging in the groups revealed that this was a problem with the plugin version which was incompatible with WordPress 2.5.1 (or 2.5 onwards).

Someone was gracious enough to post a patch. Great. But when I tried to download it the location of the patch was no longer accessible. There was nowhere on the Internet where I was able to find this patch. I tried to access the plugin directories of those who had installed it, and after a long search found one which had the patched plugin installed. I downloaded this version (1.3) and then installed it.

So that it becomes more widely available, here is a download link to wpDirAuth 1.3.

Finally, the filter problem – after I was done with all this, I thought that I was done. Boy, was I wrong. Every time I would try and install this, I would get this error:

Directory Login Error: Directory authentication initially succeeded,
but no valid profile was found (search procedure).

Clearly, my authentication was working, but something else had gone wrong. As it turned out (after trying zillions of combinations), the problem was with the Account Filter setting for the plugin. The way I resolved it was by trying various LDAP attributes for that setting till one worked. Here is a list of the most common attributes (this is the list I used).

[Image: list of common LDAP attributes]

And the setting that worked for me (as you can see above) was userPrincipalName.
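The trial-and-error described above can be scripted. This is an added example, not part of the original post or of wpDirAuth: it checks that the PHP LDAP extension is loaded, binds, and reports which candidate Account Filter attribute finds exactly one entry for a login, trying the login both with and without the suffix because the plugin's own search value is not shown on this page. The host, base DN, account name, suffix, the LDAP_TEST_PASSWORD variable and the uid and cn candidates are assumptions.

```php
<?php
// Added diagnostic, not wpDirAuth code. Every value in this block is a
// placeholder (assumption); point it at your own directory before running.
$host     = 'ldaps://dc.example.internal';  // directory server
$baseDn   = 'DC=example,DC=internal';       // search base
$login    = 'jdoe';                         // name typed at the WordPress login
$suffix   = '@example.internal';            // the plugin's Account Suffix
$password = getenv('LDAP_TEST_PASSWORD');   // hypothetical env var, not hard-coded

// The three attributes named on this page, plus two other common ones.
$candidates = ['sAMAccountName', 'userPrincipalName', 'name', 'uid', 'cn'];

if (!extension_loaded('ldap')) {
    exit("LDAP extension not loaded: check the extension= line in php.ini\n");
}
// An empty password turns the bind into an unauthenticated one, which many
// servers accept, so refuse to continue rather than report a false success.
if ($password === false || $password === '') {
    exit("Set LDAP_TEST_PASSWORD first\n");
}

$conn = ldap_connect($host);
if ($conn === false) {
    exit("Could not parse LDAP URI $host\n");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);  // no referral chasing on AD root searches

if (!@ldap_bind($conn, $login . $suffix, $password)) {
    exit('Bind failed: ' . ldap_error($conn) . "\n");
}

// Authentication worked; now find which filter locates the profile entry.
foreach ($candidates as $attr) {
    foreach ([$login, $login . $suffix] as $value) {
        // ldap_escape() (PHP 5.6+) neutralises *, (, ) and \ in the login name.
        $filter = sprintf('(%s=%s)', $attr, ldap_escape($value, '', LDAP_ESCAPE_FILTER));
        $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
        $count  = $result ? ldap_count_entries($conn, $result) : 0;
        printf("%-50s %s\n", $filter, $count === 1 ? 'one entry: usable' : "$count entries");
    }
}
ldap_unbind($conn);
```

A row reporting one entry names an attribute worth trying as the Account Filter; a successful bind followed by zero entries on every row matches the situation the error message describes, where authentication succeeds but the profile search finds nothing.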

Now I enjoy the benefits – once all that was done, it started to work like magic. And I was pleasantly surprised to note that this authentication worked even through LiveWriter which is great.


14 Responses to “LDAP Authentication in WordPress”

  1.   Ennis McCaffrey Says:

    Thank you for posting this wpDirAuth.php_1.3 patch!

    I can now successfully authenticate my wordpress 2.5 users off of my ldap directory.

    I sat here for the better part of my Saturday trying to get this to work and it wasn’t until I found your blog that I was able to succeed!

    Sincerely,

    Ennis McCaffrey

  2. @Ennis – You are welcome. I am glad that I was able to help.

  3. Thanks so much for this – Installed the patch and it worked like a charm. Perfect cure for a terrible headache.

  4. @Michael

    I am glad it worked out for you. :)

  5. Wow, that did it. Thanks for sharing!

  6. Thanks a million for this. I had all but given up on this. Turns out I didn’t have the ldap module enabled in apache, and I had never seen that list of most common attributes used. Turns out, our Novell LDAP was using “name” as the filter.

    Thanks again.

  7. You are of course most welcome :)

  8. Thanks for this.
    It did solve quite a few issues.
    I am now able to get my students and staff to log in.
    I used WordPressMU 2.8 and the 1.3 patch didn’t work.
    I searched and found a 1.4 patch here:
    http://weblogs.valsania.it/andreav/wp-content/uploads/2008/07/wpdirauth14.zip

    Hope this helps.
    I am in a vanilla Windows environment and have not had to use LDAP before. Next on my hitlist: Moodle.

    I still do not understand a few of the settings on the WPDIRAUTH config page if anyone can help:

    Account Filter: samAccountName
    Using this setting it works but I have no idea what it is for or what I could use it for either.

    Account Suffix:
    what is this for?

    Regards
    Scott Johnson

    • Thanks Scott for pointing to the 1.4 patch. Regarding your Account Filter setting, this is basically where you specify the field on your LDAP element against which you are trying to authenticate the login name. Different configurations of LDAP might require you to use different values here.

      If yours works with samAccountName, then good. Don’t worry about it anymore.

      The suffix again may or may not be required. It is usually the domain name for your LDAP setup.

  9. I was searching LDAP options for WordPress (2.9). Luckily, I saw your blog. I am still stuck in the first place.
    There are 3 things I did to resolve this:

    As mentioned by you, did the following:

    1. Opened my php.ini and uncommented the line extension=php_ldap.dll.
    2. Made sure that I had the file php_ldap.dll in my PHP\ext directory.
    3. Made sure that I had the files ssleay32.dll and libeay32.dll in my Windows\System32 directory.

    For 2 & 3, haven’t seen any dll in system32 folder, so copied it by downloading from internet.

    But still no way!!
    Something else to be done in php admin side???

    Awaiting your reply!
    Thanks
    Sudheer

    • Hi Sudheer,

      Well, one of the first things to do is to ensure that LDAP works for your PHP installation. Have you tested that?

      Unfortunately, I can’t walk you through that. You should search online to see how to verify and install LDAP for PHP for your Operating System. One test of whether you were able to successfully install and configure the LDAP module for PHP would be the plugin administrative page itself.

      After you install the plugin, does it give any errors on the admin page (such as the screenshot in the post)? If it does, then your PHP-LDAP connection is just not working, so you need to figure out how to get it going.

      Cheers.

  10. Why doesn’t it work on OpenLDAP?
