LDAP-Authentication for WordPress
PHP HTML Shell CSS
Latest commit c935020 Apr 17, 2017 @heiglandreas committed on GitHub Merge pull request #118 from heiglandreas/issue/115
Adds a test to check for mapping-issue
Permalink
Failed to load latest commit information.
.ci
src
tests
view Adds configuration for separator Jul 12, 2016
.gitignore
.rsyncIgnore Bumps version to 1.4.11 Nov 13, 2015
.svnAccess.dist
.travis.after.sh Adds a decent test-suite Aug 16, 2015
.travis.install.sh Fixes autoloading Apr 17, 2017
.travis.yml Changes build infos Apr 17, 2017
README.md
VERSION Removes Support for PHP 5.4 Apr 17, 2017
Vagrantfile Adds tests Jun 7, 2016
authLdap.css Cleaned up some code Dec 22, 2014
authLdap.php Adds a test to check for mapping-issue Nov 1, 2016
build.xml
composer.json Fixes autoloading Apr 17, 2017
ldap.php Fixes issue #116 Nov 1, 2016
phpunit.travis.xml
phpunit.xml.dist Adds tests Jun 7, 2016
readme.txt Removes Support for PHP 5.4 Apr 17, 2017

README.md

authLDAP

Join the chat at https://gitter.im/heiglandreas/authLdap

Use your existing LDAP as authentication-backend for your wordpress!

Build Status WordPress Stats WordPress Version WordPress testet Code Climate Test Coverage

So what are the differences to other Wordpress-LDAP-Authentication-Plugins?

  • Flexible: You are totaly free in which LDAP-backend to use. Due to the extensive configuration you can freely decide how to do the authentication of your users. It simply depends on your filters
  • Independent: As soon as a user logs in, it is added/updated to the Wordpress' user-database to allow wordpress to always use the correct data. You only have to administer your users once.
  • Failsafe: Due to the users being created in Wordpress' User-database they can also log in when the LDAP-backend currently is gone.
  • Role-Aware: You can map Wordpress' roles to values of an existing LDAP-attribute.

How does the plugin work?

Well, as a matter of fact it is rather simple. The plugin verifies, that the user seeking authentification can bind to the LDAP using the provided password.

If that is so, the user is either created or updated in the wordpress-user-database. This update includes the provided password (so the wordpress can authenticate users even without the LDAP), the users name according to the authLDAP-preferences and the status of the user depending on the groups-settings of the authLDAP-preferences

Writing this plugin would not have been as easy as it has been, without the wonderfull plugin of Alistair Young from http://www.weblogs.uhi.ac.uk/sm00ay/?p=45

Configuration

Usage Settings

  • Enable Authentication via LDAP Whether you want to enable authLdap for login or not
  • debug authLdap When you have problems with authentication via LDAP you can enable a debugging mode here.
  • Save entered Password Decide whether passwords will be cached in your wordpress-installation. Attention: Without the cache your users will not be able to log into your site when your LDAP is down!

Server Settings

  • LDAP Uri This is the URI where your ldap-backend can be reached. More information are actually on the Configuration page

  • Filter This is the real McCoy! The filter you define here specifies how a user will be found. Before applying the filter a %s will be replaced with the given username. This means, when a user logs in using ‘foobar’ as username the following happens:

    • uid=%s check for any LDAP-Entry that has an attribute ‘uid’ with value ‘foobar’
    • (&(objectclass=posixAccount)((!(uid=%s)(mail=%s))) check for any LDAP-Entry that has an attribute ‘objectclass’ with value ‘posixAccout’ and either a UID- or a mail-attribute with value ‘foobar’

    This filter is rather powerfull if used wisely.

Creating Users

  • Name-Attribute Which Attribute from the LDAP contains the Full or the First name of the user trying to log in. This defaults to name
  • Second Name Attribute If the above Name-Attribute only contains the First Name of the user you can here specify an Attribute that contains the second name. This field is empty by default
  • User-ID Attribute This field will be used as login-name for wordpress. Please give the Attribute, that is used to identify the user. This should be the same as you used in the above Filter-Option. This field defaults to uid
  • Mail Attribute Which Attribute holds the eMail-Address of the user? If more than one eMail-Address are stored in the LDAP, only the first given is used. This field defaults to mail
  • Web-Attribute If your users have a personal page (URI) stored in the LDAP, it can be provided here. This field is empty by default

User-Groups for Roles

  • Group-Attribute This is the attribute that defines the Group-ID that can be matched against the Groups defined further down This field defaults to gidNumber.
  • Group-Filter Here you can add the filter for selecting groups for the currentlly logged in user The Filter should contain the string %s which will be replaced by the login-name of the currently logged in

FAQ

Can I change a users password with this plugin?
Short Answer: No!
Long Answer: As the users credentials are not only used for a wordpress-site when you authenticate against an LDAP but for many other services also chances are great that there is a centralized place where password-changes shall be made. We'll later allow inclusion of a link to such a place but currently it's not available. And as password-hashing and where to store it requires deeper insight into the LDAP-Server then most users have and admins are willing to give, password changes are out of scope of this plugin. If you know exactyl what you do, you might want to have a look at issue 54 wherer a way of adding it is described!
Can I add a user to the LDAP when she creates a user-account on wordpress?
Short Answer: No!
Long Answer: Even though that is technically possible it's not in the scope of this plugin. As creating a user in an LDAP often involves an administrative process that has already been implemented in your departments administration it doesn't make sense to rebuild that - in most cases highly individual - process in this plugin. If you know exactly what you do, have a look at issue 65 where wtfiwtz shows how to implement that feature.