This page describes the WordPress plugin Active Directory Integration.
I needed a WordPress blog with Active Directory integration. Shouldn't be too hard, I thought. Surely there must be a plugin out there that allows me to authenticate, and preferably also authorize, users against an Active Directory; I can do just that with Drupal, after all. An existing plugin was soon found: Active Directory Authentication by Jonathan Marc Bearak. It's a great plugin and, after a bit of tweaking, it worked just fine. Unfortunately, I soon noticed that it lacked something vital: security! It was time for me to put some work in.
Jonathan's plugin did not encrypt the communication between WordPress and the AD server, so credentials crossed the network in plain text. The adLDAP library used in the plugin does support LDAPS, but it is very fiddly to set up, and the use of LDAPS has been deprecated anyway. StartTLS would have been a much better choice, but unfortunately the library didn't support it. Damn! So in the end I had to modify adLDAP as well. Using AD for authentication on a public WordPress blog also exposes the directory accounts to brute-force attacks through the login form, so I implemented some protection against that. That leaves HTTPS for either the whole blog or at least the login page, so that passwords are not sent in plain text between the browser and WordPress either.
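The StartTLS flow described above, as an added example written for this page with PHP's LDAP extension; it is not the plugin's or adLDAP's code. The function name, host, port and account names are placeholders. The point it shows is failing closed: if the connection cannot be upgraded to TLS, no bind is attempted, and an empty password is rejected before it reaches the server, because AD answers an empty-password bind with a successful anonymous bind.

```php
<?php
// Added example, not part of the plugin or adLDAP.
// Authenticate one user against AD over StartTLS, failing closed.
// Placeholders: host name, port, UPN and password are assumed values.

function ad_authenticate(string $host, string $upn, string $password, int $port = 389): bool
{
    // AD treats a bind with an empty password as an anonymous bind and
    // reports success, so an empty password must be rejected up front.
    if ($password === '') {
        return false;
    }

    // Plain LDAP on 389 first; TLS is negotiated on the same connection below.
    $conn = ldap_connect("ldap://{$host}:{$port}");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade to TLS before anything sensitive is sent.
    // No fallback to plaintext: if StartTLS fails, the bind is never attempted.
    if (!@ldap_start_tls($conn)) {
        error_log('StartTLS failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    // Bind with the user's own credentials, in UPN form (user@domain.example).
    $ok = @ldap_bind($conn, $upn, $password);
    if (!$ok) {
        error_log('Bind failed for ' . $upn . ': ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok;
}

// Usage with placeholder values:
// var_dump(ad_authenticate('dc1.example.local', 'jdoe@example.local', 'secret'));
```

Whether the server certificate is actually verified during StartTLS is decided by the OpenLDAP client configuration on the web server (TLS_CACERT and TLS_REQCERT in ldap.conf); setting TLS_REQCERT to never makes the encryption worthless against an active attacker, so point TLS_CACERT at the CA that issued the domain controller's certificate instead.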
Active Directory Integration enables the authentication and authorisation of WordPress users against an Active Directory, as well as automatic registration and updating of users in WordPress. It is easy to install and configure: just activate the plugin, add your domain controller and you're done. But it can do a lot more:
- Authenticate users against one or more AD server(s),
- authorise users via group membership,
- users that authenticate in the AD are registered and updated in WordPress,
- assignment of WordPress roles based on AD groups,
- secure communication with the AD server via TLS (recommended),
- usage of non-standard ports for communication with AD servers,
- protection against brute force attacks,
- sends e-mails to users and/or administrators when a user account is blocked by the brute-force protection,
- multilanguage backend (English and German already included),
- “residue-free” uninstall,
- determine WP display name from AD attributes (sAMAccountName, displayName, description, SN, CN, givenName or mail).
- WordPress version 2.7.1 or above (only tested with 2.7.1 and 2.8.x, but it might work with 2.5.x or above)
- PHP 5 (required by the adLDAP library)
- LDAP support (the PHP LDAP extension must be enabled on the server)
- OpenSSL support (must be enabled on the server for TLS to work)
- Log in to WP with administrative rights, for example as “admin”.
- Upload the active-directory-integration folder to the plugins directory, normally “wp-content/plugins”.
- Activate the plugin on the plugins page.
- Configure the plugin under “Settings > Active Directory Integration” and activate TLS if possible.
- Activate Admin-SSL-Mode by adding the following line to the wp-config.php file, so that passwords aren’t transmitted in plain text between the browser and WordPress.
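As an added example for the last step, not taken from the plugin's documentation: a wp-config.php fragment that forces the WordPress login and admin area over HTTPS. FORCE_SSL_ADMIN is WordPress's own constant for its Admin-SSL mode; that it is the line the page refers to is an assumption, since the page does not show the line itself. The reverse-proxy handling is an assumed deployment detail, included because it is the usual reason this setting produces a redirect loop.

```php
<?php
// Added example, not from the plugin's README.
// Place this above the "That's all, stop editing!" line in wp-config.php.

// Assumed deployment detail: when TLS is terminated at a reverse proxy,
// WordPress only ever sees plain HTTP and would redirect to HTTPS forever.
// Trust the proxy's header only if the proxy is known to set it and strips
// any copy sent by the client.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and everything under wp-admin/ over HTTPS only, so the
// AD password never leaves the browser in plain text.
define('FORCE_SSL_ADMIN', true);
```

With this in place the plugin's TLS setting protects the second hop (WordPress to the domain controller) and FORCE_SSL_ADMIN protects the first (browser to WordPress); either one alone still leaves the password readable on the other leg.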