  1. #1 by Merlyn at October 29th, 2008

    Hi!

    It would be nice to see the plugin in action before installing in my blog.

    Have a nice day,

    .: Merlyn :.

  2. #2 by clifgriffin at October 29th, 2008

    Unfortunately I have no way to demonstrate it. To do so would require an active directory server and blog visible to the world. I don’t have such a setup.

    However, I can assure you that the logic is dead simple. The worst possible scenario is that logins continue to function as they currently do now. The function I use tries wordpress first and only adLDAP if it fails on this first step.

    I hate authentication plugins that risk locking you out of your own blog so I did not implement it in that way.

    Please let me know if there is anything I can do to assist you.

  3. #3 by TutorialVine at December 7th, 2008

    Hi and thanks. I did not use your script as it was not directly what I needed, but it did point me in the right direction, and I just wanted to say thanks :-)

    It helped me realize how I could integrate the WP user system into my own system, especially also how I could use it to automatically transfer the old users to the new system!

  4. #4 by clifgriffin at December 9th, 2008

    As noted above, Darren and I resolved this issue via e-mail. His WordPress user accounts were not using the same usernames as his LDAP accounts.

    I did not properly document this and have added clarifying information to the readme/documentation.

  5. #5 by David at December 17th, 2008

    Hi there, I enabled the plugin and now I can’t login even with my admin account. Do you know how to disable the plugin without logging in?

  6. #6 by clifgriffin at December 17th, 2008

    @David,
    That’s very strange. I’ve never heard of that happening. The code is written in such a way that it should never even attempt to look at LDAP if your wordpress credentials are able to log you in.

    To disable the plugin, temporarily rename the folder the plugin is in (simple-ldap-login) to something else (like simple-ldap-login2) and then try to login again. It should disable the plugin.

    Let me know if you have any issues.

  7. #7 by babul at December 20th, 2008

    Clif -

    Brilliant! Works like a champ on my two recently updated Wordpress 2.7 sites. I was up and running in less than 2 minutes.

    Your (simple) login logic is what was sorely missing in the previous plugin I was using.

    Is it possible to specify more than one domain controller? The ability to specify 2 or 3 would really help ensure that LDAP is given every opportunity to authenticate before going to the built-in WP credentials.

    Thank you for your efforts on this plugin!!

    • #8 by clifgriffin at December 20th, 2008

      Babul,
      Thank you for the kind feedback. My goal in the plugin design was that I wanted it to be as effortless as possible.

      The multiple domain controller question is a good one. It’s been on my to-do list. adLDAP supports this natively, I just didn’t implement it in the settings interface. I wanted to make sure it worked as it was first before adding additional layers of complication.

      That said, I have a very simple way to implement this which I will work on this afternoon and hopefully push out an update by the end of the day.

      In the meantime, if anyone can tell me why my comments are out of order on this page, I’d love them forever. :)

      Clif

      • #9 by simo at July 8th, 2009

        having problems with multiple domain name controllers

    • #10 by clifgriffin at December 20th, 2008

      As promised, I have updated the plugin with the requested feature. Thanks for the suggestion.

  8. #11 by Hazman Aziz at December 23rd, 2008

    Hi Clif,

    Do I still need to install adLDAP into my server?

    I also could not locate if my PHP is LDAP enabled under this URL: http://127.0.0.1/home/phpinfo.php. Possible for you to print screen for me?

    I am trying to use your plugin for my university library.

    Regards,
    Hazman Aziz

    • #12 by clifgriffin at December 24th, 2008

      Simple LDAP Login includes a copy of adLDAP, so there is nothing to install.

      It is important to make sure PHP was compiled with LDAP. If you do not see a section called “LDAP” on your phpinfo() page, that may be an indication it is not installed.

      Installing it will vary depending on your OS. I recommend using an RPM or update manager to ensure you’ve done it correctly.

      Let me know if you have any issues.

  9. #13 by Bramus! at January 7th, 2009

    Hi Cliff,

    very nice work. Works like a charm!

    However, I’ve edited the line where you add the option to the wp-admin (line #20 of Simple-LDAP-Login.php): Instead of allowing user level 1, I’ve bumped it up to 10.

    By this only admins can change the LDAP settings, which adds an extra level of protection (By this contributors and editors can’t edit the settings, as they have no business with this plugin nor its settings).

    I think this is worth of pushing back into your code, as it’s an added security imo.

    Regards,
    Bramus!

    • #14 by clifgriffin at January 7th, 2009

      Excellent observation.

      Most of my installations have multiple admins so I never noticed this issue. I will include this change in a micro-version update shortly.

    • #17 by clifgriffin at May 6th, 2009

      Fixed! Thanks for your feedback.
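The change discussed in #13 and #14, as an added example that is not part of the original comments or the plugin's own code: a settings page registered with an administrator-only capability and checked again when the form is handled. The function names, the `example-ldap` slug and the `example_ldap_base_dn` option are hypothetical.

```php
<?php
// Added example, not Simple LDAP Login's code. Function names, the page slug
// and the option name example_ldap_base_dn are hypothetical.
defined('ABSPATH') || exit; // plugin file: only meaningful inside WordPress

add_action('admin_menu', 'example_ldap_add_settings_page');

function example_ldap_add_settings_page()
{
    // Before: numeric access level 1 exposed the page to low-privilege roles
    // such as contributors and editors.
    // add_options_page('Simple LDAP Login', 'Simple LDAP Login', 1,
    //     'example-ldap', 'example_ldap_settings_page');

    // After: administrators only. manage_options is the capability-name form
    // of the "level 10" change described in the comment.
    add_options_page('Simple LDAP Login', 'Simple LDAP Login', 'manage_options',
        'example-ldap', 'example_ldap_settings_page');
}

function example_ldap_settings_page()
{
    // Check again where the setting is written; the menu entry alone is not
    // the access control.
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to change the LDAP settings.');
    }

    if (isset($_POST['example_ldap_base_dn'])) {
        check_admin_referer('example_ldap_save'); // reject forged form posts
        update_option(
            'example_ldap_base_dn',
            sanitize_text_field(wp_unslash($_POST['example_ldap_base_dn']))
        );
    }

    $base_dn = get_option('example_ldap_base_dn', '');
    ?>
    <div class="wrap">
      <form method="post">
        <?php wp_nonce_field('example_ldap_save'); ?>
        <label>Base DN
          <input name="example_ldap_base_dn" value="<?php echo esc_attr($base_dn); ?>">
        </label>
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```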

  10. #18 by David at January 9th, 2009

    Hi clifgriffin, you say the wordpress usernames have to match the LDAP usernames. Does this mean I have to create usernames for these people? The reason I ask is we have 3000 employees here and I don’t really want to maintain this list. With other plugins you don’t have to pre-create usernames.

    Thanks for any response.

    • #19 by clifgriffin at January 9th, 2009

      Hi David,
      I chose to emphasize simplicity in this plugin design. I wanted something that would “just work” unlike many of the bloated, non-functioning LDAP plugins available.

      The fact that you’re commenting on my plugin is probably because you have tried one of these unsuccessfully like I did.

      That said, I will investigate whether or not I can reliably create users based on group membership and consider adding it in an “advanced features” section.

      My primary goal will be not breaking existing users installations though. :)

      Thanks for weighing in!
      Clif

    • #20 by Jairus Khan at January 27th, 2009

      My situation is similar; this plugin would be perfect if it could use LDAP users without matching wordpress users (or create new wordpress users upon first login and populate the data from LDAP).

  11. #21 by Lars at February 10th, 2009

    works like a charm. Had to install php-ldap on RedHat 5.3 Enterprise, so if you get an error about a missing function, check that you have ldap support in PHP.

  12. #22 by Lars at February 10th, 2009

    I have a question, can I use some visible login plugin with this? I prefer to have a user/password field directly in the sidebar over having to use the meta-plugin. I tried sidebar-login, but it uses the old wordpress login…

  13. #23 by Lars at February 10th, 2009

    got another problem here… I installed the “gear” Theme, now LDAP auth doesn’t work anymore… switched back to default, works again. I have no idea what happens here, since I guess the login procedure is the same for every theme?

    • #24 by clifgriffin at February 10th, 2009

      That’s strange. Can you link me to the gears theme?

      • #25 by Lars at February 11th, 2009

      • #26 by Lars at February 23rd, 2009

        did you have a chance to check that problem yet?

        • #27 by clifgriffin at February 23rd, 2009

          Hi Lars,
          I’m not sure why it would fail with that theme. My plugin’s primary action is redefining the wp_login function.

          I have searched through the gear theme’s files and can’t find any place it is redefining that function.

          As someone using the theme, can you think of anything it does differently as pertains to logins? Does the theme have a custom login page I’m not seeing?

          I suspect that this is ultimately a problem with the theme as this is the only theme related complaint I’ve had about this plugin.

  14. #28 by Justin at February 11th, 2009

    Many thanks for the simple plugin that just works. I’ve wasted a lot of time trying to get Wordpress, Pebble, and Blojsom to work with Kerberos or Active Directory using various plugins.

    While authentication with Active Directory is now working great, I’m still interested in omitting the login prompt for users who have already authenticated with the secured Apache web server via Kerberos. Are you able to pull the user’s name from the existing session to automatically log the user in or is there another solution?

    • #29 by Justin at February 11th, 2009

      Okay, I answered my own question. :-)

      The plugin “http-authentication” logs users in who have already authenticated with the web server. “http-authentication” will also create new Wordpress accounts. To avoid making users click “Log in”, just start them on the page “/wordpress/wp-login.php” instead of “/wordpress”.

      • #30 by Whittet at April 17th, 2009

        Thank you Justin!!!!!!!!!!!

        HTTP Authentication plugin solved it for me too. I have it working on WAMP. I just need to try setup for a LAMP now.

  15. #31 by Nazeer at March 2nd, 2009

    Hi Clif,

    I tried this plugin in our internal LDAP setup using WP 2.7.1. Unfortunately, it doesn’t work (I wonder even it is called from WP!). I have activated the plugin and put required settings. I didn’t add required suffix as we have no suffix.

    Any help.

    Regards
    Nazeer

    • #32 by clifgriffin at March 4th, 2009

      Hi Nazeer,
      I have no ideas that I haven’t already shared with other users in these comments.

      The underlying functionality is completely in adLDAP. If the plugin isn’t working, there is something about your environment that is preventing adLDAP from working.

      What LDAP provider are you using?

      Clif

  16. #33 by Christopher Crisis at March 24th, 2009

    Excellent plug in. I was able to easily configure to allow users from our Active Directory. I did however, have to follow .2 from the old instructions:

    “2. Customize settings by modifying adLDAP.php in /plugins/simple-ldap-login/ ”

    Not sure why that is, but it was the only way I could get the configuration to work.

    Again, nice work….

    ~Chris

    • #34 by clifgriffin at March 24th, 2009

      That’s really weird!

      Glad you got it working. :)

      • #35 by Christopher Crisis at March 24th, 2009

        Why weird? should it have worked by simply configuring from the Plugin Admin screen????

        • #36 by clifgriffin at March 24th, 2009

          Yes sir, that’s how I use it and how everyone else (that is using the new version) has been using it.

          What version of PHP are you using?

          • #37 by Christopher Crisis at March 24th, 2009

            PHP Version 5.2.9-1

        • #38 by clifgriffin at May 7th, 2009

          Well there goes that theory. I thought that perhaps there was an issue with PHP 4 and the scope of Wordpress’s global variables. (Which wouldn’t make complete sense since Wordpress works fine on PHP 4 as far as I know.)

          Next question: Do your suffix, DN, or DC have any abnormal characters in them?

  17. #39 by spar at March 30th, 2009

    Hi,

    I installed the Simple LDAP Login 1.2 in my wordpress Version 2.7.1, now I want to authenticate my users through OpenLDAP.

    I have configured the simple ldap login in the wordpress admin interface.

    Details:
    BN:dc=openldap,dc=com
    Domain Controllers: localhost

    The login has no function and there are now connections in the ldap logs from the localhost.

    Any Ideas?

    • #40 by clifgriffin at March 31st, 2009

      Make sure you have wordpress accounts with the same usernames as your LDAP accounts. This plugin simply attempts to authenticate any wordpress user against LDAP.

      This plugin does not create users that do not exist. Because of this, it’s primarily intended to be used with

    • #41 by clifgriffin at March 31st, 2009

      Do you have wordpress accounts for the accounts you’re trying?

    • #42 by clifgriffin at May 12th, 2009

      Hi Spar,
      I have posted a new version that *may* work with OpenLDAP. Unfortunately, I haven’t been able to test this functionality yet.

      You can access it here:
      http://downloads.wordpress.org/plugin/simple-ldap-login.1.3.zip

  18. #43 by Andre at March 31st, 2009

    I have installed WP 2.7 and the plugin does not work for me!

    I think I have setup the plugin correctly but when I try to login is shows me an “Invalid username”.

    LINE 50: $user = get_userdatabylogin($username);

    Some Code I tested:
    ADD LINE 51: echo $user; (RESULT -> NULL)

    So, the next comparison will be always false.

    LINE 52:
    if ( !$user || ($user->user_login != $username) ) {
        do_action( 'wp_login_failed', $username );
        return new WP_Error('invalid_username', __('ERROR: Invalid username.'));
    }

    Please help me to figure out the problem!

    • #44 by clifgriffin at March 31st, 2009

      I use this plugin in an environment with over 20,000 Active Directory accounts. (Only a handful have access to our blog)

      I just verified that my version of the plugin is the same as yours.

      The lines you reference avoid two scenarios:
      1. Someone clicks login without putting a username.
      2. Someone inputs a username that does not exist in the Wordpress system.

      Make sure you have wordpress accounts with the same usernames as your LDAP accounts. This plugin simply attempts to authenticate any wordpress user against LDAP.

      This plugin does not create users that do not exist. Because of this, it’s primarily intended to be used with smaller systems.

      Regards,
      Clifton

      • #45 by Andre at March 31st, 2009

        Hello,

        I don’t have WP accounts! Is it possible to create them with the first LDAP Login?

        According to the scenarios:

        1. I don’t leave any empty field.
        2. the username definitely exists in the LDAP (I’m 100% sure because I’m the system administrator).

        • #46 by Andre at March 31st, 2009

          I expect the account to be created within the first LDAP succeeded login, or it doesn’t work this way?

          • #47 by clifgriffin at March 31st, 2009

            No, it doesn’t work that way.

            I eventually would like to add that option but I can’t warrant spending the time at this point. (It’s a fairly complicated feature)

      • #48 by Andre at March 31st, 2009

        Anyway, I created a new user with the same username but a different passwd than in the LDAP directory.

        However, it logs in successfully only with the WP internal password. It seems that the LDAP fails or it doesn’t connect to the ldap at all.

  19. #49 by Aaron at April 6th, 2009

    Similar to an earlier comment, I have come across another theme which apparently “breaks” ldap login. This is the “Ahimsa” theme. The ldap plugin works like magic with all the other themes that I’ve tried. When I apply the Ahimsa theme, I get an “invalid password” error. Doesn’t appear to be using any customized login screen. Looks like the standard login screen.

    • #50 by clifgriffin at April 7th, 2009

      I really do want to figure out what the issue is on this, but my schedule does not permit it at the moment.

      If a theme breaks it, I have to think the theme is doing something incorrectly. That sounds like an excuse, but I think it’s a pretty reasonable assumption. My plugin works with the vast majority of themes…including the ones written by Wordpress.

      Does anyone else know of a reason why a theme can break a plugin like this?

  20. #51 by Roberto at April 30th, 2009

    Hi,
    I am trying to implement a Wordpress 2.7.1 with simple LDAP Login, but it doesn’t work for me. My DN is “ou=Users, ou=OxObjects, dc=pyaing, dc=cl”. We don’t have a suffix, and our ldap server is using OpenLDAP. I get an incorrect password error all the time. In this same wordpress server I have a PHP Intranet that is using LDAP authentication correctly, so communication between the two machines is ok, and I know PHP-LDAP is working.
    What could be wrong?

    Thanks

  21. #53 by Roberto at April 30th, 2009

    Hi,
    I have Wordpress 2.7.1 with the simple LDAP plugin, but I can make it work. My DN is ou=Users, ou=OxObjects, dc=pyaing, dc=cl, and the server is using OpenLDAP. I have created a user with the same name as in LDAP, but I keep getting a password error message. In this same wordpress server I have an Intranet written in PHP that authenticates with LDAP, so I know that PHP-LDAP is working.
    What else could be wrong?

    Thanks

    • #54 by clifgriffin at April 30th, 2009

      Hi Roberto,
      My first instinct is that your DN shouldn’t have OU’s in it. I would check that first.

      Clif

      • #55 by Roberto at April 30th, 2009

        It worked finally, but with an implementation of your plugin by Olivier Fontes, the MXC LDAP plugin. I don’t know what the difference was between the two plugins, only that he made it work with OpenLDAP.

        Thanks for a great plugin, and keep the good work!!!

        • #56 by clifgriffin at April 30th, 2009

          Interesting. I was unaware of that plugin’s existence. :)

          I will do some research into adLDAP and if it is incompatible with OpenLDAP (and others) I will consider changing it out for something more universal.

          Thanks for your feedback!

  22. #57 by Vinod at May 7th, 2009

    First, Thanks many for your efforts. I am trying to set this up. I am not sure about the values to be fed in to the plugin settings page. Can you please provide a test login success/fail option in the settings page to easily validate? Thanks again.

    • #58 by clifgriffin at May 7th, 2009

      Thanks for commenting. The values can be a bit tricky to figure out if you are not extremely familiar with LDAP.

      A test login page is a good idea…I will try to include that in the next version. Unfortunately I don’t have a time frame for when it will be available but intend to work on it some in the next couple of months.

      Two browsers might help you tweak the settings while testing them in real time.

  23. #59 by Eliot Lear at May 7th, 2009

    Evaluated plugin, and found it basically functional. Unfortunately we need something slightly more robust that carries other identity information.

    Thanks for the running code example.

    • #60 by clifgriffin at May 7th, 2009

      Thanks for the feedback. I’m not sure what you mean by more robust or the identity information.

      I’m planning on adding more features, including the ability to grant users access based on a group, including auto account creation for new users in that group. I’d also like to move to a method that works well with both Active Directory and OpenLDAP. (Reports seem to indicate it doesn’t work with OpenLDAP at all.)

      Could you give me more information on specifically what your needs were?

    • #61 by clifgriffin at May 12th, 2009

      Eliot,
      I have posted an updated version of the plugin that may fit your needs. You can download it here:

      http://downloads.wordpress.org/plugin/simple-ldap-login.1.3.zip

  24. #62 by Shane Schnell at May 7th, 2009

    Great plugin!
    I have been using it quite a bit, but I do have a question. I work at a large organization, and lots of people want blogs. I have set up a script that installs wordpress, extracts all themes and plugins, etc… I was wondering, when you update the settings, where is it stored? Is there a config I can open and edit?
    Thanks, and keep up the great work!

    • #63 by clifgriffin at May 7th, 2009

      Thanks for the kind words. I use Wordpress’s internal setting routines. I’m not sure how they are stored, but the method I use is wp_options. It probably stores each of them in a common table.

      Hope that gives you a good starting place.

  25. #65 by LeRoy Lee at May 8th, 2009

    I have installed this on several blogs. It is working great. So much simpler and more functional than the beasts I had been using. I was surprised how quickly I had it set up because our AD config seems to be “complicated” for everything else we use.

    • #66 by clifgriffin at May 8th, 2009

      Thanks for letting me know. I developed it precisely because I couldn’t get any other offering to work. I needed it to be simple. :)

  26. #67 by Guest at May 9th, 2009

    Does not work, don’t know what the issue is.
    All it accepts is the wordpress username and password.

    • #68 by clifgriffin at May 10th, 2009

      Are you using Active Directory or some other LDAP installation?

      Do you have accounts in LDAP with the same usernames as Wordpress?

  27. #69 by simo at July 8th, 2009

    yo!! thanks for EXCELLENT plugin!!

  28. #70 by clifgriffin at November 25th, 2008

    Hi Darren,
    I mistyped. Thanks for calling my attention to this.

    The download includes a folder (/simple-ldap-login/) with two files (Simple-LDAP-Login.php and adLDAP.php).

    Simply modify adLDAP.php…as I have recommended…in place. You don’t have to move it. I’m not sure why I said to modify it in the backup folder. Creating a backup folder is not a bad idea though as this prevents adLDAP from being blown away by updates.

    Please let me know if you have any issues and I will help you get this to work.

    Cordially,
    Clifton

  29. #71 by clifgriffin at November 25th, 2008

    I have updated the readme in the official download. Thanks again for your feedback.

  30. #72 by Darren at December 1st, 2008

    Kicking my ars here over this. I’m running a homebrew PHP site that does LDAP via PHP. Beneath the root I’m running a Wordpress site and I’m trying to use your simple ldap to provide the auth.

    I don’t get it. It just won’t work…always says invalid username.

    Here’s the only things I’ve changed.

    // You will need to edit these variables to suit your installation
    var $_account_suffix="@danisco.com";
    var $_base_dn = "DC=ad1,DC=danisco,DC=com";

    // An array of domain controllers. Specify multiple controllers if you
    // would like the class to balance the LDAP queries amongst multiple servers
    var $_domain_controllers = array ("server.ad1.danisco.com");

    // optional account for searching
    var $_ad_username="ad1\userid";
    var $_ad_password="password";

  31. #73 by clifgriffin at December 1st, 2008

    The only thing that seems odd right off the bat is your $_ad_username="ad1\userid";

    You might not need the ad1\ part.

    Also, you need to make sure userid has access to read your active directory structure. (read pretty much everything) (Edit: It turns out that this part was completely unnecessary. I have removed it…please download the latest version.)

    I would test the account using something like ADSIEdit and make sure you can view the chosen accounts. (You can use runas from CMD to run mmc.exe as that user and then add ADSIEdit as a snap in.)

    I have only tested this using Active Directory so if you’re using another LDAP implementation, that could cause problems?

    Beyond that, if your domain is ad1.danisco.com and your domain controller is server.ad1.danisco.com…it should work. Make sure you ping the latter from the server in question. You might try running nmap against it to verify the proper ports are open.

    These ports were open on my server:
    88/tcp open kerberos-sec
    111/tcp open rpcbind
    135/tcp open msrpc
    139/tcp open netbios-ssn
    389/tcp open ldap
    445/tcp open microsoft-ds
    464/tcp open kpasswd5
    593/tcp open http-rpc-epmap
    636/tcp open ldapssl
    1026/tcp open LSA-or-nterm
    1027/tcp open IIS
    3268/tcp open globalcatLDAP
    3269/tcp open globalcatLDAPssl
    3389/tcp open ms-term-serv
    13722/tcp open VeritasNetbackup
    13782/tcp open VeritasNetbackup
    13783/tcp open VeritasNetbackup

    Obviously most of these have nothing to do with LDAP, but if you can’t telnet to any of the ldap related ports (including Kerberos), this could be a routing/firewall issue.

    Good luck and please let me know if you continue to have troubles.

  32. #74 by clifgriffin at December 1st, 2008

    One more note:
    We have our domain setup to allow all authenticated users to read. In ADUC (active directory users and computers), I can right click at the top node in tree and go to properties and the security tab. We have “Authenticated Users” there. If you are going to use one user account to accomplish this and not let others read all, you’ll need to add that user account there.

  33. #75 by clifgriffin at December 9th, 2008

    Darren and I resolved this issue via e-mail. His wordpress accounts were not using the same username as his LDAP accounts. I have clarified this aspect in the documentation.

  34. #76 by darren at December 2nd, 2008

    I’ll try it without the AD1\ and see what I get. The account I’m using is being used on this server already as an LDAP auth for the root PHP based web site. It ‘should’ work with this one. I don’t know why it wouldn’t, it has the proper rights, etc. Do you know if there’s a way to ‘trace’ what’s happening during your auth session?

    We are using Active Directory and I’m trying to auth against the local domain controller, which is a Win2K3 Std server.

    I’ll run the port checks you indicated and see what I get. I’m headed to NYC for 3 days so I might be delayed a bit.

    Thanks for the help!!!

  35. #77 by clifgriffin at December 2nd, 2008

    I didn’t write any of the AD code. It’s using adLDAP.

    There might be a way to log what adLDAP does…I’m not sure. Let me know what happens after those changes and we’ll see what we can do if it continues to not work.
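An added example, not part of the original comments, the plugin or adLDAP: a stand-alone PHP CLI script that traces one bind outside WordPress, which covers the port check from #73, the test-login request in #57 and the tracing question in #76. The script name, the argument order and the `uid=` attribute used for OpenLDAP are assumptions; it needs the php-ldap extension and a reachable directory.

```php
<?php
// Added example, not part of Simple LDAP Login or adLDAP. Needs php-ldap.
// Usage: php ldap_bind_check.php <ldap|ldaps> <host> <ad|openldap> <base_dn> <username> [suffix]
// The password is read from standard input so it stays out of argv and shell history.

// Build the identity to bind as. Active Directory accepts user@suffix; OpenLDAP
// normally wants a full DN. The uid= attribute is an assumption about the schema.
function bind_identity(string $type, string $user, string $baseDn, string $suffix = ''): string
{
    if ($type === 'ad') {
        return $user . $suffix;
    }
    return 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

// Run one bind attempt and return a line per stage, so a failure shows where it happened.
function trace_bind(string $scheme, string $host, string $identity, string $password): array
{
    $port = ($scheme === 'ldaps') ? 636 : 389;
    $steps = [];

    // Stage 1: TCP reachability, the scripted form of the telnet check.
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        $steps[] = "tcp $host:$port FAILED ($errno $errstr)";
        return $steps;
    }
    fclose($sock);
    $steps[] = "tcp $host:$port open";

    // Stage 2: a simple bind with an empty password is an unauthenticated bind,
    // which some servers answer with success. Never count that as a login.
    if ($password === '') {
        $steps[] = 'bind skipped: empty password';
        return $steps;
    }

    // Stage 3: the bind itself. ldap:// carries the password in clear text;
    // use ldaps where the directory offers it.
    $conn = ldap_connect("$scheme://$host:$port");
    if ($conn === false) {
        $steps[] = 'ldap_connect rejected the URI';
        return $steps;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    if (@ldap_bind($conn, $identity, $password)) {
        $steps[] = "bind as $identity OK";
    } else {
        $detail = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        $steps[] = sprintf('bind as %s FAILED: %s (%d) %s',
            $identity, ldap_error($conn), ldap_errno($conn), $detail);
    }
    ldap_unbind($conn);
    return $steps;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    if ($argc < 6 || !in_array($argv[1], ['ldap', 'ldaps'], true)) {
        fwrite(STDERR, "usage: php ldap_bind_check.php <ldap|ldaps> <host> <ad|openldap> <base_dn> <username> [suffix]\n");
        exit(2);
    }
    [, $scheme, $host, $type, $baseDn, $user] = $argv;
    $suffix = $argv[6] ?? '';
    fwrite(STDERR, 'Password: ');
    $password = rtrim((string) fgets(STDIN), "\r\n");
    $identity = bind_identity($type, $user, $baseDn, $suffix);
    foreach (trace_bind($scheme, $host, $identity, $password) as $line) {
        echo $line, PHP_EOL;
    }
}
```

Running it with the same host, base DN and suffix entered on the plugin's settings page separates a network or directory problem from a WordPress-side one such as a username mismatch.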

  36. #78 by darren at December 3rd, 2008

    didn’t work by removing the AD1\

    I downloaded the adLDAP but didn’t notice any logging ability. I’ll keep tinkering.

  37. #79 by clifgriffin at December 3rd, 2008

    Darren,
    I just released version 1.1.

    This version upgrades adLDAP to 2.1, moves the settings to the administration panel, and completely removes credentials as adLDAP does not need them to use the authenticate function.

    Please install this version, change the settings in the administration panel under Settings -> Simple LDAP Login, and let me know if this works.

    Thanks for helping me work on these issues.

    Clif
