LDAP Plugin
There are a few good LDAP plug-ins for WordPress prior to version 1.5; however, I could not make any of them work in version 2, so I wrote my own. Please note that this plugin does not yet work in WordPress 2.5. Some people have made it work to a degree, but their tweaks have not yet made it into the development tree due to the workload here.
We have a slightly unusual tree and require some additional definition and mapping of parameters, so this plug-in is very customisable, with the defaults already populated. This plug-in also works against an Active Directory source, and its integration is seamless.
This plug-in is designed as an additional source of user authentication and so is initially configured not to replace the existing authentication engine. If you are migrating over to LDAP or Active Directory, you have the option of when to use LDAP and this would be useful if you have local users with logins that mirror LDAP logins.
Finally, the password change option built into WordPress will not change an LDAP or Active Directory password. It will change the password on the local account, but not on the LDAP source.
Limitations
As this plug-in is in the early stages of development there are some limitations. Some may be addressed in time, some may not.
Single LDAP source
At the moment only a single LDAP source can be used. Defining multiple sources and the parameters for each would be quite a bit of work, and the user's login name would somehow have to indicate which source to use.
Anonymous searching
At the moment you must provide a DN that has search capabilities on the LDAP source. I do not have a source that allows anonymous lookups but I may build one for testing.
Admin account not LDAP’d
Although not a limitation, I thought it should go here. The admin account is the core WordPress user and as such should not be authenticated through LDAP. You probably already have an LDAP 'admin' account, and the two would clash. If you want an admin account that is LDAP'd, you should create yourself an LDAP account and give it the admin role within WordPress. (Thanks Mukund)
Code comments
It is a work in progress. Mail me if you have any issues.
Supporting configuration
The following section outlines some steps that may be useful, but are not essential to the operation of the plug-in.
Allowing users to register
This option should generally be disabled if you are using an LDAP source, but if it is not, any new users that register will become internal users: if internal authentication is disabled, this will have undesirable effects.
Caching
You should disable caching in your wp-config.php file.
define('DISABLE_CACHE', true);
If you leave caching on, data that changes in your LDAP source will still make it into the local database, but the user may not see the benefit of it for a while. Caching is really only useful if your WordPress database is on a different server with a slow connection, or you have a lot of visitors to static content.
Default user level
The level under your WordPress General Options will be used to set up new LDAP users. There is currently no way to override this.
Password changing
Password changes are not propagated to the LDAP source for an LDAP user; if you can, I recommend disabling this ability.
Plug-in installation and activation
First, you should review the supporting configuration section above.
Unzip the plug-in into your wp-content/plugins directory. In your plug-ins admin panel you should enable the plug-in. Once enabled, there should be an LDAP tab on your options panel.
Parameter explanation
The following section outlines the parameters used in the plug-in.
Enable LDAP authentication
Defines whether LDAP is used or not. If LDAP is disabled, none of the following options are of any use.
Enable domain root search
Enables searching from the domain root of your LDAP source. This is not recommended, because an LDAP structure usually has a defined section for users. The LDAP structure can also store things that are not user related, for example server configurations, which only waste time when searching for users; this is certainly the case for Microsoft Active Directory. This option is only really useful if your LDAP source is used by a large organisation that does not segregate its structure, or for testing.
Disable internal authentication
Defines whether LDAP is the sole authentication method or whether the internal authentication can be used as well. The admin account is never checked in the LDAP source and remains a local account at all times.
NOTE: You may get an undesirable side-effect if a user leaves your corporation and you are supplementing your local user base. If the user is removed from your LDAP source, they may still authenticate as a local user, which may conflict with your corporate policy. The recommendation here is to migrate all your users over to LDAP.
Update details on validation
When the LDAP server validates the user (and they already exist as a local user), their details can be updated in the local database. The user's password is always copied locally because it is required throughout the site, but you also have the option of updating the surname, given name and email address.
Auto-Create local users
If a user authenticates with LDAP but does not exist locally, they can be set up automatically to have access. This is particularly useful if you have a large corporate base and don't want to manage all the users, since this is already being performed by your LDAP administrator.
Creation display format
When creating a user for the first time, you need to populate the "nice name" field within the user's account in WordPress. This is the name that appears next to posts in your blog, and it is semi-configurable. Generally, the best option is to use the LDAP display name field, but in some organisations this can have spurious things at the end, or uses a convention that is not that nice, for example surname first. You now have control of this display variable, but you must still change it for each existing user.
Enable LDAP logging
Logging can be enabled and it will produce a log file of all login attempts, a link to which will appear in the text for this section once enabled.
Enable extreme LDAP logging
Extreme debugging can be enabled as well. This will log all calls into the LDAP classes and is not for the faint-hearted.
Server and Port
The server and the port are pretty standard. The server can take any form that is recognised by the server hosting your WordPress installation.
NOTE: Secure LDAP is supported. You still need to update the port parameter, but you can specify ldaps://server.name as your server and this will work seamlessly.
Search DN and password
The fully qualified Distinguished Name of the user that has search capabilities on the LDAP source should be specified, along with their password.
Root DN
The branch of the LDAP source in which a user may exist should be specified. Multiple branches should be separated by a semi-colon.
UID token
This field is used as the search parameter in the LDAP record for the username passed in via the login page.
Email, given and surname tokens
These tokens denote the fields on the user's LDAP record that store the information required for inserting or updating the user's details.
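As an added illustration (not the plugin's own code), the following PHP sketch shows how the parameters above fit together into the usual search-then-bind sequence, using PHP's ext/ldap functions. The option array, host names, DNs and the function name are constructed for this example, and a reachable LDAP server is assumed.

```php
// Hypothetical settings array mirroring the option names in this document (constructed values).
$ldap_options = array(
    'server'      => 'ldaps://ldap.example.test',              // or a bare host name
    'port'        => 636,
    'search_dn'   => 'cn=wp-search,ou=service,dc=example,dc=test',
    'search_pw'   => 'SEARCH-ACCOUNT-PASSWORD-PLACEHOLDER',
    'root_dn'     => 'ou=staff,dc=example,dc=test;ou=contractors,dc=example,dc=test',
    'uid_token'   => 'uid',         // typically sAMAccountName on Active Directory
    'mail_token'  => 'mail',
    'given_token' => 'givenName',
    'sn_token'    => 'sn',
);
function ldap_plugin_authenticate(array $opt, $username, $password) {
    // The admin account is never checked against LDAP; an empty password must never
    // reach ldap_bind(), since many servers treat it as an anonymous (successful) bind.
    if ($username === 'admin' || $password === '') return false;
    $uri  = (strpos($opt['server'], '://') === false ? 'ldap://' : '') . $opt['server'] . ':' . $opt['port'];
    $conn = ldap_connect($uri);
    if (!$conn) return false;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Step 1: bind with the search DN (anonymous searching is not supported).
    if (!@ldap_bind($conn, $opt['search_dn'], $opt['search_pw'])) return false;
    // Step 2: look the login name up under each Root DN branch (semicolon separated).
    // ldap_escape() keeps characters such as '*', '(' and ')' from altering the filter.
    $filter = sprintf('(%s=%s)', $opt['uid_token'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $attrs  = array($opt['mail_token'], $opt['given_token'], $opt['sn_token']);
    $entry  = false;
    foreach (array_filter(array_map('trim', explode(';', $opt['root_dn']))) as $base) {
        $res = @ldap_search($conn, $base, $filter, $attrs);
        if ($res && ldap_count_entries($conn, $res) === 1) {   // exactly one match
            $entry = ldap_first_entry($conn, $res);
            break;
        }
    }
    if (!$entry) { ldap_unbind($conn); return false; }
    $user_dn = ldap_get_dn($conn, $entry);
    $a = ldap_get_attributes($conn, $entry);
    // Step 3: re-bind as the user's own DN; only a successful bind proves the password.
    $ok = @ldap_bind($conn, $user_dn, $password);
    ldap_unbind($conn);
    if (!$ok) return false;
    // Step 4: the fields used to create or update the local WordPress user.
    return array(
        'email'      => isset($a[$opt['mail_token']][0])  ? $a[$opt['mail_token']][0]  : '',
        'first_name' => isset($a[$opt['given_token']][0]) ? $a[$opt['given_token']][0] : '',
        'last_name'  => isset($a[$opt['sn_token']][0])    ? $a[$opt['sn_token']][0]    : '',
    );
}
```

The returned array is what the "Auto-Create local users" and "Update details on validation" options would consume; a `false` return means the caller should fall through to internal authentication only if that has not been disabled.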
Release history
Version 1.0 (May 1, 2006)
Initial release.
Version 1.1 (May 5, 2006)
Clashes on plugin activation (wp_login already defined) fixed.
Renamed some files to get round a bug in WordPress options.
Version 1.2 (May 15, 2006)
Recoded common files
Sorted logging functionality.
Version 1.3 (September 22, 2006)
Interim emailed release
Version 1.3.1 (September 24, 2006)
Commented and set logging in various areas.
Addressed the following tickets
#4 - Searching from the root does not work properly
#19 - Choose displayname option
#21 - Section headers all group together
#22 - Warnings on control panel
Version 1.4 (February 04, 2007)
Bug fix
Addressed the following tickets
#31 - Details update on first login
#32 - plugin options visibility to all
Version 1.5 (March 19, 2008)
Feature request (Craig Andrews)
Split out the data gather on login to a separate function so as to allow its use from other SSO authentication methods.



WordPress hooked up to AD…
In very hip institutions like the new economy office, one occasionally finds oneself in the awkward position of wanting to marry a WordPress to the existing password management unit (we call it AD).
Found and found good: the LDAP plugin by …