Find a bug?
If you believe you have found a bug, please open a ticket here. This will allow me to track the issue as a single issue and others to comment and give feedback.
I’m finding it difficult to discern user error from bug from configuration differences among different installations. All of this will lead to a quicker turnaround for reported issues. Isn’t that cool?
This article only deals with version 1.3 and later. To view and discuss issues pertaining to version 1.2 and prior, click here.
Integrating WordPress with LDAP shouldn’t be difficult. Now it isn’t.
Simple LDAP Login provides the features you need with the simple configuration you want. It has everything you need to get started today.
Features
- Supports Active Directory and OpenLDAP (and other directory systems which comply with the LDAP standard, such as OpenDS)
- Includes three login modes:
  - Normal Mode: Authenticates existing WordPress usernames against LDAP. This requires you to create all WordPress accounts manually using the same usernames as those in your LDAP directory.
  - Account Creation Mode 1: Creates WordPress accounts automatically for any LDAP user.
  - Account Creation Mode 2: Creates WordPress accounts automatically for LDAP users in a specific group you specify.
- Intuitive control panel.
Architecture
Simple LDAP Login redefines the main function WordPress uses to authenticate users. In doing so, it makes several decisions.
- Is the provided username a valid WordPress user?
  - If not, are we allowed to create a WordPress user?
    - If we are, are we able to authenticate the username and password provided against LDAP?
      - If we are, does the user belong to the right (if any) group?
        - If the user does, create the WordPress user and log the user in.
  - If the username is a valid WordPress user, is the password provided the same as the one in the WordPress database?
    - Is the security mode set to low or the username admin?
      - If so, log the user in.
      - If not, do the provided credentials successfully authenticate against LDAP?
        - If so, is the user in the required groups? (if any)
          - If so, log the user in.
This is simply a high level overview. The actual logic the plugin employs is more complex, but hopefully this gives you an idea, philosophically, about how the plugin accomplishes what it does.
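The outline above, modelled as a pure function so the branches that never consult LDAP are easy to see. This is an added example, not the plugin's code: the function name, array keys, outcome strings and the mode values `'low'`/`'high'` are assumptions, and where the outline is silent (a WordPress password that does not match) the model falls through to the LDAP check.

```php
<?php
// Added illustration: models only the outline above, not the plugin's real logic.
// All names and the mode values 'low'/'high' are assumptions.

function model_login_decision(array $in): string
{
    // "the right (if any) group": no configured group means no restriction.
    $groupOk = !$in['group_required'] || $in['in_group'];

    if (!$in['wp_user_exists']) {
        if (!$in['may_create'])   return 'deny: unknown user, account creation disabled';
        if (!$in['ldap_auth_ok']) return 'deny: LDAP authentication failed';
        if (!$groupOk)            return 'deny: not in required group';
        return 'allow: create WordPress user (LDAP)';
    }

    // Existing WordPress user: a matching local password is enough only in
    // low security mode or for the username "admin".
    $localAllowed = $in['security'] === 'low' || $in['username'] === 'admin';
    if ($in['wp_password_ok'] && $localAllowed) {
        return 'allow: local WordPress password, LDAP not consulted';
    }

    // Assumption: every other case falls through to the LDAP checks.
    if (!$in['ldap_auth_ok']) return 'deny: LDAP authentication failed';
    if (!$groupOk)            return 'deny: not in required group';
    return 'allow: LDAP';
}

// Constructed case: the directory rejects the bind (for example a disabled
// directory account), but the WordPress password is still valid.
$base = [
    'wp_user_exists' => true, 'may_create' => false, 'wp_password_ok' => true,
    'ldap_auth_ok' => false, 'group_required' => true, 'in_group' => false,
];

foreach ([['alice', 'low'], ['alice', 'high'], ['admin', 'high']] as [$name, $mode]) {
    $result = model_login_decision($base + ['username' => $name, 'security' => $mode]);
    printf("%-6s %-5s %s\n", $name, $mode, $result);
}
```

Under this model, a low security mode and the `admin` username both leave the WordPress password as a second way in that the directory cannot revoke, which is worth weighing when choosing the security mode.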
Installation
- Upload the directory “simple-ldap-login” to the `/wp-content/plugins/` directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Immediately update the settings to those that best match your environment by going to Settings -> Simple LDAP Login
- If you don’t get the settings right the first time…don’t fret! Just use your WordPress credentials…they will always work! (See security section)

The control panel.
Frequently Asked Questions
Other than WordPress, what does my system require?
If you are using Active Directory, you will probably need PHP 5. This is because I’m using adLDAP 3.0 to do my Active Directory integration. As far as I know, the rest of the code should work with PHP 4. It is also possible that the functionality I’m using with adLDAP 3.0 does not depend directly on PHP 5. Your mileage may vary.
Other than that, it is imperative that your installation of PHP be compiled with LDAP support. Without it you may see errors referencing undefined functions like “ldap_connect”. You can view more information about PHP and LDAP here.
How do I know what the correct settings are?
I have tried to make the settings as self-explanatory as possible. If you are struggling to figure them out, you may need to speak with your LDAP administrator. I realize this is an obnoxious response, but there is no good, fail-proof way to help you discover these settings. A good place to start, if you’re feeling daring, might be to use ADSIEdit for Windows and Active Directory, or GQ for Linux and OpenLDAP.
It’s still not working, what other things can I try?
If you are confident your settings are correct and it still does not work, it may be time to check for port or firewall issues. If your LDAP server is running on a non-standard port or uses an obsolete version of the LDAP protocol, you are going to have issues. Port 389 is the port this plugin, and nearly every other LDAP-enabled software, expects. They also expect protocol version 3. If you are using an old version of LDAP or running on a non-standard port, you may need to modify the code that the plugin runs or update your LDAP installation.
Unfortunately I can’t be relied upon to assist with these types of requests. I chose not to support these scenarios because they are infrequent and because they confuse everyone else.
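A preflight check for the requirements named above (PHP's LDAP extension, and a server answering on port 389 with protocol version 3), as an added example that is not part of the plugin. The function name, script name and host are placeholders; the StartTLS probe goes beyond the FAQ and relates to the TLS item on the roadmap.

```php
<?php
// Added illustration, not part of Simple LDAP Login.
// Usage (host name is a placeholder): php ldap-preflight.php ldap.example.org

function directory_preflight(string $host, int $port = 389): array
{
    // 1. PHP must be built with LDAP, or ldap_connect() is an undefined function.
    $report = ['php_ldap_extension' => extension_loaded('ldap')];
    if (!$report['php_ldap_extension']) {
        return $report;
    }

    // 2. Plain TCP reachability: catches firewalls and non-standard ports.
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    $report["tcp_port_$port"] = $sock ? 'reachable' : "unreachable: $errstr";
    if (!$sock) {
        return $report;
    }
    fclose($sock);

    // 3. Ask for protocol version 3, then try an anonymous bind.
    $conn = ldap_connect("ldap://$host:$port");
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    $report['anonymous_bind_v3'] = @ldap_bind($conn) ? 'ok' : ldap_error($conn);
    ldap_unbind($conn);

    // 4. On a fresh connection, see whether the server accepts StartTLS.
    //    Without TLS, a simple bind on port 389 sends the password in cleartext.
    $tls = ldap_connect("ldap://$host:$port");
    ldap_set_option($tls, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($tls, LDAP_OPT_NETWORK_TIMEOUT, 5);
    $report['starttls'] = @ldap_start_tls($tls) ? 'accepted' : ldap_error($tls);
    ldap_unbind($tls);

    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (directory_preflight($argv[1], (int) ($argv[2] ?? 389)) as $check => $result) {
        printf("%-20s %s\n", $check, var_export($result, true));
    }
}
```

Run it from the web server host itself, since firewall rules and the PHP build can differ between machines.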
I took all of your advice, it’s still not working!
Post your question in the comments below, or e-mail me: me[at]clifgriffin.com
I’ll do my best to get you up and running!
How can I donate?
If you would like to donate to this project, please visit the donations page.
Roadmap/Security Issues
The following features and concerns will be addressed in coming versions.
- Potentially allow the provision of an admin password for binding to domains with tighter security.
- Potentially Support TLS
- Look into supporting non-standard LDAP installations
- Code cleanup to improve readability, on-going maintenance.
#1 by Tony Power at April 19th, 2010
Hi Clifton, Using the plugin with OpenLDAP, it’s working fine, WordPress is authenticating against our directory. I have a question about adding some extra functionality to the plugin though, maybe you’ve taken a look at this already. We’re setting up single sign on for a number of things, but initial registration of a user will happen in WordPress. I’d like for WordPress to add an entry to the LDAP directory when a new user is created rather than the other way around. Any ideas? Cheers
#2 by Clifton Griffin at April 19th, 2010
Hi Tony,
Unfortunately, creating LDAP objects is a different ballgame and not something I intend to include.
If you are familiar with PHP, I encourage you to take a swing at it yourself. The WordPress plugin model is very simple and I think you could make a lot of progress quickly.
If you have any questions, I’ll do my best to answer them.
Clif
#3 by Tony Power at April 20th, 2010
Cheers Clif, I’ll give that a go, took a brief look and it should be do-able
#4 by Daniel at April 23rd, 2010
Great plugin! I get an error each time I (or user) tries to get into the dashboard even though they are logged in. “ERROR: The username field is empty.” Any help would be much appreciated. Cheers, Dan
#5 by Daniel at May 11th, 2010
Still get this error and I have raised a ticket but get an error when I try to view that too! Any help on this would be great as it’s causing some fuss with our users. Cheers, Dan
#6 by James at July 12th, 2010
I am getting this same error. I can not even get to my dashboard. Can anyone help?
#7 by Clifton Griffin at July 12th, 2010
James, Daniel…sorry I missed these comments.
I’ll send you guys an e-mail shortly requesting more information.
#8 by Ben Wheeler at April 30th, 2010
Hi Clif,
Looks like you’ve been getting a few spams lately. If you’re not already using it I recommend WP-HashCash – this is completely invisible to anyone using a normal browser to add a comment as long as they have javascript enabled, but prevents bots (which generally don’t have js) from adding comments. You can configure it to just put failures in the Moderation queue in case of false positives – I don’t know what the false pos rate is because I don’t get many genuine comments on my sites *sniff* but it has successfully stopped every single spam attempt.
#9 by Rods at May 12th, 2010
Hi Clif,
The users created by the LDAP plugin don’t sync with BuddyPress. How can I do this?
At this moment all my users don’t have an entry in the wp_bp_xprofile_data table.
#10 by Rods at May 24th, 2010
Hi Clifton, I’m using Simple LDAP with BuddyPress. The authentication goes fine, but the new user created by the plugin doesn’t get an entry in the xprofile tables. How can I manage that, since without this, the activity replies don’t show properly?
Thanks in advance.
#11 by Benjamin at May 27th, 2010
I’ve made additions to the plugin which allow for connecting through an LDAP proxy with an intermediate user name (required in some environments). Is there a way to get this code to you for possible inclusion in the next version of Simple LDAP?
#12 by Clifton Griffin at May 27th, 2010
Hi Benjamin,
Thanks for your contribution.
At this point I’m not spending any development time on this plugin. I have too many other profitable projects I’m managing.
I do plan to eventually make changes to this plugin, but I think that will mostly be a setup where users can contribute their own various versions of the plugin for others to use.
Feel free to e-mail me a copy of your changes and I’ll attempt to include them when I make these changes. (Hopefully in the next month or two)
Clif
#13 by Benjamin at May 27th, 2010
Will do. Can you pull the email address from my post and send me your address?
#14 by James at June 9th, 2010
Hi Clifton,
Does the plugin work on WP 3.0? For the account suffix, if I don’t have a suffix, would the plugin still work? Thank you!
James
#15 by clifgriffin at June 14th, 2010
I’m not sure on either of those. I haven’t had a chance to test it.
#16 by Devang Patel at July 4th, 2010
Hi
I have just installed WordPress 3 on a Windows Server 2008 32-bit machine with MySQL, IIS and PHP 5 with LDAP and MySQL.
I have done the procedure described by you for installing Simple LDAP Login by placing it in wp-content, and under settings I have also done it.
I have several queries:
Does this work for Windows Server 2008 32-bit Active Directory?
I need to enter domain details in adldap.php and simple-ldap-login.php.
Once I am successful, the LDAP users can post comments only if they log in using their username and password.
I’m very helpful if you reply on my email id
#17 by Bertrand at July 5th, 2010
Is there a possibility to bind non anonymously to the ldap server in simpleldap?
It is common with Active Directory to deny anonymous bind if security is an issue.
Thanks. B.
#18 by Chuck Thompson at July 6th, 2010
Do you have time to look this over and tell me if you think Simple LDAP Login for WordPress will accomplish my goals? I am a complete amateur and not at all skilled in this sort of thing, but if I use your product I will donate. After reviewing what follows please tell me whether you think Simple LDAP will do the trick and also give me an opinion on whether you think a complete amateur will be able to administer it.
What I’m trying to accomplish is this:
There are a number of sites to consider – all on the same server.
The MAIN SITE and all the WordPress SUB-SITES will be WordPress 3.0.
All registered users will be members of the MAIN SITE.
Some users will be members of one or more of the WordPress SUB-SITES.
All registered users of the MAIN SITE will have access to a forum hosted on the PhpBB3 site. PhpBB3 uses MySQL.
All registered users of the MAIN SITE will have access to the eFront Learning site. eFront uses MySQL. http://www.efrontlearning.net/
Membership only on the MAIN SITE will give users access to the MAIN SITE, the eFront site and the PhpBB3 site only.
Membership in any of the SUB-SITES will give users access to that particular SUB-SITE and the MAIN SITE, the eFront Site and the PhpBB3 site.
I hope I’ve given you everything necessary to advise me, but if you have any questions please do not hesitate to ask and I will get back to you as soon as I can.
#19 by Clifton Griffin at July 7th, 2010
Hi Chuck,
Sorry for my belated response.
This plugin can only help you with logging users in. I’m not sure what the plugin schema is for subsites in WP3.0, but I think you can enable the plugin with a different set of settings. So, for instance, you could have it enabled for the main site with a different role and group requirement than for subsites.
As for providing access to all of the other things, the plugin can’t help there out of the box.
I’m available for hire if you need a developer to provide some of these changes, so feel free to e-mail me.
And, let me know if you have any questions.
Clif
#20 by Amir at July 14th, 2010
Hi Clif,
Why is it that the settings don’t ask for the ldap server? Is it assuming localhost? Is it guessing it based on the Base DN and/or Domain Controller?
Thanks,
Amir
#21 by Amir at July 14th, 2010
Never mind – Controller=Server – I misunderstood the Domain Controller settings that someone had put in place earlier. Still, I can’t log in because my manager username is a different DN than the Base DN…
#22 by John at July 15th, 2010
Is it possible to authenticate and create WordPress accounts for users in several groups? For example, I have three groups: Students, Faculty, and Staff. I would like to give Faculty and Staff the ability to login, but not Students. I tried separating groups with commas, but it doesn’t seem to be working.
*starts looking through the code*
#23 by Clifton Griffin at July 15th, 2010
Not as configured, but I think you should be able to figure out how to make that happen. Especially in version 1.4…should be easy to loop through.
But, that being said, you still would need to come up with a way to make the permissions different which would be a whole different animal.
#24 by John at July 15th, 2010
Ok, I will probably be adding this feature. I’ll post it here when I’m done.
#25 by Ashish Upadhyay at July 17th, 2010
I have downloaded the Simple LDAP Login 1.3 plug-in and uploaded it into the WordPress plug-in directory, then activated this plug-in.
I have specified the host name of the LDAP server (i.e. IP address of the server).
After doing this, when I test the settings, it shows me the following error.
Fatal error: Call to undefined function ldap_connect() in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-ldap-login\adLDAP.php on line 157
Can anybody suggest something? I have a Domino directory and I want to authenticate users from the Domino directory using LDAP.
Are the settings specified above mandatory? Because I have tried it with and without specifying settings, and in both cases I got the same error.
Please help.
Thank you
Ashish
#26 by John at July 17th, 2010
You need to have php_ldap installed. It is not installed by default. See here: http://www.php.net/manual/en/ldap.installation.php
#27 by Oliver Seeliger at July 28th, 2010
Hi Clif,
I’ve finally made it to set up all the options correctly. I’m using the Advanced Option “Create WordPress account for anyone who successfully authenticates against LDAP.” and when I try to log in an error comes up saying “Catchable fatal error: Object of class WP_Error could not be converted to string in /var/www/sevencs-intranet-wordpress/wp-includes/formatting.php on line 2772”
When I set up the user name manually before I log in everything works as it should.
Any idea?
Thank you.
I am using WP3
#28 by Clifton Griffin at July 28th, 2010
I’ll investigate and get back with you. Thanks.
#29 by Oliver Seeliger at July 30th, 2010
Hi again,
I investigated a bit by myself and found out that the error occurred because *sigh* I had the email address already registered. But, anyway, in this case the return value of sll_authenticate() is of type object WP_Error and this raises the fatal error.
The function wp_insert_user() returns an array containing a useful error message and I think you should pass this message to the frontend.
So, I got it working for me now and I must say it’s an awesome plugin. Great work.