LDAP-enabled WordPress 1.5

Fri, Feb 25, 2005

Following on from adding LDAP to WordPress 1.2.1, I’ve ported it to 1.5.

The basic mechanism is the same: after successful authentication, the cookie is modified to store a hash of the username and the LDAP marker instead of the password. LDAP accounts are quite often used institution-wide for single sign-on (SSO), so I think it’s a bad idea to store that password anywhere outside the LDAP server, even if it’s double hashed. On Novell NDS you can’t even retrieve the password; you can only compare against it.
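One way to issue and check such a cookie value, as an added example (this is not the code from the download). The function names, the `LDAP` marker string, the cookie layout, the use of a keyed hash (HMAC-SHA256 with a server-side secret) and the rule that `admin` never gets an LDAP-marker cookie are all assumptions made for illustration.

```php
<?php
// Added illustration: every name and value here is hypothetical.
const LDAP_MARKER = 'LDAP'; // assumed marker string

// Keyed hash over username + marker. The LDAP password is never an input,
// so nothing derived from it is stored in the browser or in WordPress.
function ldap_cookie_token(string $username, string $secret): string
{
    return hash_hmac('sha256', $username . "\0" . LDAP_MARKER, $secret);
}

// Cookie value layout assumed here: url-encoded username, '|', token.
function ldap_cookie_value(string $username, string $secret): string
{
    return rawurlencode($username) . '|' . ldap_cookie_token($username, $secret);
}

// Returns the username if the cookie is valid, null otherwise.
function ldap_cookie_verify(string $cookie, string $secret): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $username = rawurldecode($parts[0]);
    // "admin" authenticates locally, so an LDAP-marker cookie is refused for it.
    if ($username === '' || $username === 'admin') {
        return null;
    }
    $expected = ldap_cookie_token($username, $secret);
    // Constant-time comparison of the expected and presented tokens.
    return hash_equals($expected, $parts[1]) ? $username : null;
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-sample-secret';
$good   = ldap_cookie_value('jdoe', $secret);
$forged = 'jdoe|' . str_repeat('0', 64);
$admin  = ldap_cookie_value('admin', $secret);

var_dump(ldap_cookie_verify($good, $secret));
var_dump(ldap_cookie_verify($forged, $secret));
var_dump(ldap_cookie_verify($admin, $secret));
```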

The modified files for 1.5 are:

One change from the 1.2.1 LDAP version is that the “admin” user is not authenticated via LDAP. So, if your LDAP server goes down, you can still get into your blog.

One thing to note: if you turn on LDAP authentication, all users of your instance of WordPress must have local accounts as before, but they must also have LDAP accounts or they won’t get in.

To address security concerns, I’ve trimmed the distributed files and changed all .h files to .php. I’ve also bundled a .htaccess in the /ldap directory to deny all access.

You can follow a discussion on LDAP authentication here

The link below includes all the modifications to improve security.

Download the LDAP modifications for Wordpress 1.5
