In the last few months, I worked a lot on connecting different services to OpenLDAP. My general impression is that, in many cases, the documentation for this could be more detailed. So here is a little collection – no long articles, just the configuration part. This is part 4: How to integrate WordPress with OpenLDAP?
WordPress is one of the examples where I found it hard to figure out what to do: WordPress, this software with lots of third-party plugins, none of which really does what you expect. Asking around, I couldn’t find an organization that has a WordPress installation integrated with OpenLDAP. So I went through all the plugins that are actively maintained and have ratings of four or five stars.
- Simple LDAP Login: My setup requires a bind account. With this plugin, you can’t enter any bind credentials.
- Active Directory Integration: Same here, no bind account.
- wpDirAuth: Authentication works, but the management of WordPress roles is broken.
- authLDAP: The plugin doesn’t support TLS connections to the OpenLDAP server.
- LDAP LPRM: Strike – this one works. Sort of. For role management, this plugin requires its own user attribute in LDAP, but it has a problem with the camelCase attribute names LDAP uses (e.g. displayName). So the user attribute you choose has to be an all-lower-case one, no matter whether you add your own attribute to the schema or use an existing attribute. Using the displayName attribute for login didn’t work for me either – use the uid attribute instead. Once you know this, filling in the config form is straightforward. (Still, I wish I could just fix it…)
Given that the WordPress I worked with is hosted with a webspace hoster, and I was an unprivileged user on that thing, I also learned how to make WordPress aware of my LDAP server’s SSL certificate. Upload your certificate file to the web space and edit wp-config.php like so:
putenv('LDAPTLS_CACERT=/path/to/my-certfile.pem');
Here is what you enter on the config page of LDAP LPRM:
- LDAP Login Attribute: uid
- LDAP Firstname Attribute: givenname
- LDAP Lastname Attribute: sn
- LDAP Email Attribute: mail
- Base DN: dc=example,dc=org
- Domain Controller(s): e.g. ldap.example.org
- Bind DN: (optional) cn=binduser,dc=example,dc=org
- Bind Password: (optional) secret
- Use TLS encryption: yes
- LDAP Password Expire Attribute: (optional)
- LDAP Role Manager Attribute: (optional) lowercaseuserattribute
- URL for New User Redirection: (optional)
- LDAP Member ID Map: (optional)
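Before blaming the plugin, it helps to check that the values from the form above actually work outside WordPress: the CA file set via LDAPTLS_CACERT, STARTTLS, the bind account, and the attribute names. The script below is an added example, not code from the original post or from the LDAP LPRM plugin. It assumes the plugin talks to the directory through PHP’s ldap extension (libldap), so the same putenv() setting applies, and all hostnames, DNs, passwords and the login name alice are constructed placeholders. Run it with the same PHP binary the web server uses, so that the same libldap and the same certificate store are exercised.

```php
<?php
// Added example, not part of the original post or of the LDAP LPRM plugin.
// Stand-alone check of the settings entered in the plugin form: same CA file
// as in wp-config.php, STARTTLS, bind with the service account, look up a user.
// All values below are constructed placeholders; adjust them to your directory.

// Same setting as in wp-config.php: make libldap trust the server certificate.
// It has to be set before the first ldap_* call, because libldap reads it once.
putenv('LDAPTLS_CACERT=/path/to/my-certfile.pem');

$host      = 'ldap.example.org';
$baseDn    = 'dc=example,dc=org';
$bindDn    = 'cn=binduser,dc=example,dc=org';
$bindPw    = 'secret';
$loginAttr = 'uid';
$roleAttr  = 'lowercaseuserattribute'; // all lower case, as the plugin requires
$testUser  = 'alice';                  // constructed example login name

$ldap = ldap_connect("ldap://$host");
if ($ldap === false) {
    exit("ldap_connect failed for $host\n");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// "Use TLS encryption: yes" corresponds to STARTTLS on the plain LDAP port.
// A certificate that is not trusted fails here, not at bind time.
if (!ldap_start_tls($ldap)) {
    exit('STARTTLS failed: ' . ldap_error($ldap) . "\n");
}

// Bind with the service account the plugin will use.
if (!ldap_bind($ldap, $bindDn, $bindPw)) {
    exit('Bind failed: ' . ldap_error($ldap) . "\n");
}

// Look up the test user the way a login would: filter on the login attribute.
// The value is escaped so a crafted login name cannot change the filter.
$filter  = sprintf('(%s=%s)', $loginAttr, ldap_escape($testUser, '', LDAP_ESCAPE_FILTER));
$attrs   = ['givenname', 'sn', 'mail', $roleAttr];
$result  = ldap_search($ldap, $baseDn, $filter, $attrs);
if ($result === false) {
    exit('Search failed: ' . ldap_error($ldap) . "\n");
}
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
    exit("Expected exactly one entry for $testUser, got {$entries['count']}\n");
}

// ldap_get_entries() returns attribute names in lower case. Code that indexes
// the result with a camelCase name such as displayName finds nothing, which is
// a likely reason for the attribute-name behaviour described in the post.
$entry = $entries[0];
foreach ($attrs as $a) {
    $value = isset($entry[$a]) ? $entry[$a][0] : '(missing)';
    echo str_pad($a, 24) . $value . "\n";
}
ldap_unbind($ldap);
```

If STARTTLS fails, the certificate path or the CA file is the problem; if the bind fails, the Bind DN or password is; if the search returns no entry, the Base DN or the login attribute is. A missing value in the last column means the attribute is not set on the user or is not spelled in lower case.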