WordPress LDAP auth on Ubuntu

I support too many servers and applications to manage separate user databases for each. LDAP is a must. If an application can’t hook up to LDAP, I don’t want it. WordPress can be configured to use LDAP, and has several different LDAP plugins. I’ve had mixed results with PHP LDAP plugins. I usually find that having the application trust Apache’s authentication, and attaching Apache to LDAP, gives better results in my environment.

Note that my WordPress installations usually have only one or two registered users. They are administrators. Most people cannot register. If you want to hook hundreds of LDAP users into WordPress, and manage them completely through LDAP, you’ll need to find an LDAP-specific plugin that meets your needs. In this environment, where I’m just looking for administrator password synchronization, it’s good enough.

This particular Web server runs Ubuntu 10.04 with Apache and WordPress 3.1. To enable LDAP auth in Apache, run:

# a2enmod authnz_ldap
# /etc/init.d/apache2 restart

On the WordPress side, install the HTTP Authentication plugin. This tells WordPress to trust the Web server’s authentication.

WordPress won’t read a list of usernames from basic auth. You’ll need to create your users. (Again, this is for a couple of admin accounts, not for massive user databases.)

WordPress protects its administrative directory, /wp-admin/, automatically redirecting requests to the page wp-login.php. For this plugin to work, we must require LDAP auth to the one file wp-login.php. Here’s the Apache configuration for the WordPress directory.


# /path/to/wordpress is a placeholder; use your WordPress directory
<Directory /path/to/wordpress>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
<Files wp-login.php>
AuthType Basic
AuthName "Web Admins Only"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapserver1.domain.com/dc=domain,dc=com" STARTTLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=wordpressadmins,ou=groups,dc=domain,dc=com
</Files>
</Directory>

Note that my LDAP servers do not require an LDAP login to validate a user. If yours do, you’ll need to add the username and password to this configuration.

Restart Apache, open a new browser, go to the site, and hit the Login button. You should get an Apache login window. Enter your username and password, and you’ll reach the WordPress control panel.

You’re now handing your LDAP username and password to WordPress. You do have WordPress available over SSL, don’t you? Configure Apache so that http://wordpress.domain.com is also available as https://wordpress.domain.com, and add the following near the top of wp-config.php.

//we like SSL
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

WordPress will now pass user credentials and cookies over SSL.
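
FORCE_SSL_LOGIN only takes effect once WordPress runs, but Apache issues the Basic auth prompt before it hands the request to PHP, so a request for http://wordpress.domain.com/wp-login.php would still collect the LDAP password over plain HTTP. The following is an added example, not part of the original post, that closes that gap on the Apache side. It assumes Apache 2.2 with mod_alias and mod_ssl loaded; /path/to/wordpress and the commented-out bind DN and password are placeholders.

```apache
# Added example. Hostnames and DNs follow the article;
# /path/to/wordpress and the bind credentials are placeholders.

# Plain-HTTP virtual host: send login and admin URLs to HTTPS.
# mod_alias redirects are applied before authentication, so the
# browser is never shown a Basic auth prompt over cleartext HTTP.
<VirtualHost *:80>
    ServerName wordpress.domain.com
    DocumentRoot /path/to/wordpress
    RedirectMatch permanent ^/(wp-login\.php|wp-admin.*)$ https://wordpress.domain.com/$1
</VirtualHost>

# Server-wide directory block, so it applies to both the HTTP and
# HTTPS virtual hosts that serve this directory.
<Directory /path/to/wordpress>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all

    <Files wp-login.php>
        # Backstop: answer 403 instead of prompting for credentials
        # if the request did not arrive over SSL/TLS.
        SSLRequireSSL

        AuthType Basic
        AuthName "Web Admins Only"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldapserver1.domain.com/dc=domain,dc=com" STARTTLS

        # Only needed if the LDAP server refuses anonymous searches.
        # Both values below are placeholders.
        # AuthLDAPBindDN "cn=PLACEHOLDER-bind-user,dc=domain,dc=com"
        # AuthLDAPBindPassword "PLACEHOLDER-password"

        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        require ldap-group cn=wordpressadmins,ou=groups,dc=domain,dc=com
    </Files>
</Directory>
```

After a restart, requesting http://wordpress.domain.com/wp-login.php should return a redirect to the https URL rather than a login window.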

One Reply to “WordPress LDAP auth on Ubuntu”

  1. Hi,

    I looked for an email address but couldn’t find one. My name is Amy Spitzfaden-Both and I’m working with PortalGuard. We’re in the field of internet security, and we’re beginning to develop relationships with respected content creators. Our focuses include self service password reset education, two factor authentication education, and single sign-on education. Would you be interested in having us post a guest blog and perhaps featuring a guest blog from you as well? You can find out more about us and what we’re trying to do on our site: http://www.portalguard.com/student-portal-login.html. I look forward to hearing from you.

    Amy
