Sunday, March 29, 2009

Authenticating Wordpress with multiple domains in Active Directory

Recently I've been working on a project involving authenticating Wordpress to Active Directory. There's a great plugin on wordpress.org for doing AD authentication, but I needed it to do a bit more than the author intended. The main thing I needed was support for authenticating users from many different domains.

In the original plugin, there is a single, universal "account suffix", stored in the Wordpress settings database. I'm guessing the intent is to have a user simply enter their username, like "kdreyer", and have the suffix automatically appended to it ("kdreyer" + "@example.com"). Since we're using multiple domains, a single suffix won't work: I could have a "kdreyer@example.com" or a "jsmith@xyz.com", and I need to authenticate both.

So here is my hacked version of the Active Directory Authentication plugin. It pulls out the domain from the user's account using split('@', $username), and uses the user-supplied suffix instead of the universal suffix. This means I can get rid of the global Account Suffix and Default Email Domain settings altogether.

There are one or two other modifications here as well. I'm using SSL (LDAPS) in my adLDAP instantiation, and so should you ;-) I've also added a bit that sets the user's display_name to "John Smith" instead of jsmith@xyz.com. The info is already there in AD, so why not help our user out and fill it in for him :-)
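The following is an added example of the approach described above, not the patched plugin's code or the author's. It assumes adLDAP 3.x's constructor options and methods (account_suffix, domain_controllers, use_ssl, authenticate(), user_info()) and WordPress's wp_update_user(); the trusted-domain list and the domain controller hostnames are made-up sample data. It also adds two checks the text does not spell out: the user-supplied suffix is only accepted if it is in a configured allow-list (otherwise the login form picks the LDAP server for you), and an empty password is refused before binding, since AD treats a simple bind with an empty password as an unauthenticated bind that "succeeds". explode() is used in place of split(), which PHP deprecated in 5.3.

```php
<?php
// Added example, not the patched plugin's code. Assumes adLDAP 3.x
// (account_suffix, domain_controllers, use_ssl, authenticate(), user_info())
// and WordPress's wp_update_user(). Domain list and hostnames are sample data.

// Suffixes this site will bind against, mapped to their controllers.
// Constructed sample; in a real plugin this belongs in the options table.
$trusted_domains = array(
    'example.com' => array('dc1.example.com', 'dc2.example.com'),
    'xyz.com'     => array('dc1.xyz.com'),
);

/**
 * Split "user@domain" into array(user, domain), or return null when the
 * login is malformed (no '@', more than one '@', empty parts, bad characters).
 */
function split_upn($login) {
    $login = trim($login);
    if (substr_count($login, '@') !== 1) {
        return null;
    }
    list($user, $domain) = explode('@', $login, 2);
    $domain = strtolower($domain);
    // sAMAccountName may not contain these characters; rejecting them also
    // keeps the value safe for the LDAP filter adLDAP builds from it.
    if ($user === '' || preg_match('/["\/\\\\\[\]:;|=,+*?<>]/', $user)) {
        return null;
    }
    if (!preg_match('/^[a-z0-9.-]+$/', $domain)) {
        return null;
    }
    return array($user, $domain);
}

/**
 * Authenticate a user@domain login against that domain's controllers.
 * Returns array('login' => ..., 'display_name' => ...) on success, false otherwise.
 */
function ad_multi_domain_login($login, $password, array $trusted_domains) {
    $parts = split_upn($login);
    if ($parts === null) {
        return false;
    }
    list($user, $domain) = $parts;

    // The suffix comes from the user, so it may only select a domain we
    // configured; never let the login form choose the LDAP target.
    if (!isset($trusted_domains[$domain])) {
        return false;
    }
    // An empty password turns a simple bind into an unauthenticated bind,
    // which AD accepts by default. Refuse it before touching LDAP.
    if ($password === '') {
        return false;
    }

    $ad = new adLDAP(array(
        'account_suffix'     => '@' . $domain,
        'domain_controllers' => $trusted_domains[$domain],
        // ldaps://. Whether the DC certificate is actually verified depends on
        // the OpenLDAP client config (TLS_REQCERT / TLS_CACERT in ldap.conf).
        'use_ssl'            => true,
    ));

    if (!$ad->authenticate($user, $password)) {
        return false;
    }

    // Prefer AD's displayName; fall back to the full login if it is unset.
    $display = $login;
    $info = $ad->user_info($user, array('displayname'));
    if (!empty($info[0]['displayname'][0])) {
        $display = $info[0]['displayname'][0];
    }

    // Keep the whole user@domain as the WordPress login so that
    // kdreyer@example.com and kdreyer@xyz.com remain separate accounts.
    return array('login' => $login, 'display_name' => $display);
}

/**
 * Copy the AD display name onto an existing WordPress user row.
 * wp_update_user() returns the user ID on success or a WP_Error.
 */
function ad_sync_display_name($wp_user_id, array $result) {
    return wp_update_user(array(
        'ID'           => $wp_user_id,
        'display_name' => $result['display_name'],
    ));
}
```

Inside the plugin's authenticate filter you would call ad_multi_domain_login() with the submitted credentials, create or look up the WordPress user by the full login string, and then pass the result to ad_sync_display_name(). The allow-list is the important part: once the suffix is user-controlled, the plugin must decide which domains it is willing to talk to, rather than trusting whatever follows the '@'.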

I'm using Wordpress 1.7.1, and the patch is against Active Directory Authentication plugin 1.0.5.

7 comments:

Rachel said...

dear Ken, you need to post wedding details on your blog, it would make it much more interesting. thank you :) ~cousin-in-law Rachel

Ken Dreyer said...

woah I think I just got told. Well, there actually is an entirely new website coming up soon and I'll be sure to post about it!

Fred said...

Hey Ken... How do you apply this patch?

Ken Dreyer said...

Fred: did you figure it out? http://www.google.com/search?q=howto+apply+patches

Xander Burchartz said...

Hi Ken,

I've a question about how the plugin works. Is it possible to host a wordpress site with the AD plugin on www.sitename.com, having multiple companies (customers of mine) login with their domain/credentials? (I'd like to have a customized company page for every customer.)

Ken Dreyer said...

Xander, I'm not sure from your comment if you're attempting to use this on an intranet or not. This plugin is really only useful if you are hosting the Wordpress site on the company's intranet. The web server is going to have to connect back to AD via LDAP, and network administrators do not like to expose AD's LDAP connections to the world.

Also, I'm not sure from your comment if these are disparate companies, or if they are all part of the same organization. As long as all of your various companies are centralized, and all of their users can authenticate to the same central domain controller, it will work.

Xander Burchartz said...

Ken, thank you for your quick response. I'm new to this, so I don't know much about AD and security yet. The idea was to do this via the internet. In my database, I will store data of my clients (several other companies) and I thought that I could give them easy and secure access to their data this way. I now think that I have to think about other options.