Sunday, March 29, 2009

Authenticating WordPress with multiple domains in Active Directory

Recently I've been working on a project involving authenticating WordPress to Active Directory. There's a great plugin on wordpress.org for doing AD authentication, but I needed it to do a bit more than the author intended. The main thing I needed was support for authenticating users from many different domains.

In the original plugin, there is a single, universal "account suffix", stored in the WordPress settings database. I'm guessing the intent here is to have a user simply enter their username, like "kdreyer", and have the suffix automatically appended to it ("kdreyer" + "@example.com"). Since we're using multiple domains, this won't work. I could have a "kdreyer@example.com", or a "jsmith@xyz.com", and I need to authenticate both.

So here is my hacked version of the Active Directory Authentication plugin. It pulls out the domain from the user's account using split('@', $username), and uses the user-supplied suffix instead of the universal suffix. This means I can get rid of the global Account Suffix and Default Email Domain settings altogether.
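The split described above, sketched as an added example (not code from the plugin or from the patch). Because the suffix now comes from the login form instead of the settings database, the sketch checks it against a list of domains the site trusts before it would be handed to the AD bind. The function name parse_login, the allowlist and the character restriction on the local part are assumptions; explode() is used because split() was removed in PHP 7.

```php
<?php
// Added example: hypothetical helper, not part of the plugin or the patch.

// Constructed allowlist: the domains this site is willing to authenticate against.
$ALLOWED_DOMAINS = array('example.com', 'xyz.com');

/**
 * Split "user@domain" into the local part and an account suffix ("@domain").
 * Returns array('user' => ..., 'suffix' => ...) or null if the input is rejected.
 */
function parse_login($username, array $allowed_domains)
{
    $username = trim($username);

    // Require exactly one '@' with something on both sides.
    $parts = explode('@', $username);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    list($user, $domain) = $parts;
    $domain = strtolower($domain);

    // Assumption: a conservative character set for the local part, which keeps
    // LDAP filter metacharacters such as ( ) * \ and NUL out of it.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/D', $user)) {
        return null;
    }

    // The suffix is user-controlled, so accept only known domains.
    if (!in_array($domain, $allowed_domains, true)) {
        return null;
    }

    return array('user' => $user, 'suffix' => '@' . $domain);
}

// Constructed sample inputs: two valid logins, then four that are rejected.
$samples = array('kdreyer@example.com', 'jsmith@XYZ.com', 'kdreyer',
                 'a@b@example.com', 'bob@evil.test', 'x)(uid=*@example.com');
foreach ($samples as $s) {
    $r = parse_login($s, $ALLOWED_DOMAINS);
    echo str_pad($s, 24), ' => ',
         $r ? $r['user'] . ' / ' . $r['suffix'] : 'rejected', "\n";
}
```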

There are one or two other modifications here as well. I'm using SSL in my adLDAP instantiation... and so should you ;-) I've also added a bit to update the user's display_name to be "John Smith", instead of jsmith@xyz.com... the info's already there in AD, so, why not help our user out and put it in there for him :-)

I'm using WordPress 1.7.1, and the patch is against Active Directory Authentication plugin 1.0.5.