I am going to discuss LDAP / Active Directory authentication in PHP and WordPress using custom directory schemas. If you want to integrate your PHP application or WordPress login with LDAP but aren’t using a typical LDAP setup (with organizational units and such, or requiring the domain prefix: ‘domain\username’), then read on.
First, some technical terms:
LDAP is a protocol for accessing and maintaining directory information; think of it as the rules for looking things up in a phonebook.
Active Directory is Microsoft’s directory service, and it is accessed using the LDAP protocol.
Existing plugins
There are many plugins for WordPress that can utilize LDAP/AD for authentication. Here’s a few of them:
- WordPress LDAP Authentication
- Simple LDAP Login
- Active Directory Integration
- LDAP Authenticator
- wpDirAuth
Most of these plugins use the adLDAP class, a wrapper around PHP’s native ldap_* functions. The native functions are easy to use directly, though, as the wpDirAuth plugin’s code shows.
Customizing wpDirAuth
Authentication in LDAP is a two-step process:
- Connect to the LDAP server.
- Bind to the directory using a username and password.
The ldap_bind() function returns a boolean: true if the directory accepted the username and password, false otherwise.
Here’s an example syntax:
<?php
$ldap = array();
$ldap['server']    = 'ad.company.domain.com';
$ldap['base_dn']   = 'CN=Users,DC=company,DC=domain,DC=com';
$ldap['ad_domain'] = 'company';
$ldap['username']  = 'david';
$ldap['password']  = 'p4ssw0rd';
// connect to LDAP server
$ldap['connection'] = ldap_connect('ldap://' . $ldap['server']);
// set some preferences to specify Active Directory protocol
ldap_set_option($ldap['connection'], LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap['connection'], LDAP_OPT_REFERRALS, 0);
// bind to LDAP directory as DOMAIN\username ('\\' is one literal backslash)
$ldap['directory'] = false;
if ($ldap['connection']) {
    $ldap['directory'] = @ldap_bind(
        $ldap['connection'],
        $ldap['ad_domain'] . '\\' . $ldap['username'],
        $ldap['password']);
}
$is_logged_in = $ldap['directory'];
?>
Note that the expression $ldap['ad_domain'] . '\\' . $ldap['username'] is what prefixes your username with the Active Directory domain. So if you typically log on to your network as Microsoft\BillGates, the domain is Microsoft. The '\\' is the escaped backslash character: inside a PHP single-quoted string the backslash is special, so don’t forget to escape it!
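The same connect-and-bind sequence as a reusable function, written here as an added example (it is not the post’s or wpDirAuth’s code): it refuses an empty password (which ldap_bind() would otherwise turn into an anonymous bind that many directories accept), upgrades the connection with STARTTLS before credentials are sent, and then looks up the bound user’s entry with an escaped filter. The hostname, base DN and domain in $cfg are constructed placeholders, and the directory is assumed to offer STARTTLS.

```php
<?php
// Added example, not the post's or wpDirAuth's code: AD simple bind with the
// DOMAIN\username prefix plus the checks the snippet above leaves out.
// Hostname, base DN and domain in $cfg are constructed placeholders.
function ad_authenticate(array $cfg, string $username, string $password): ?array
{
    // An empty password makes ldap_bind() perform an anonymous bind, which
    // many directories accept, so treat it as a failed login.
    if ($username === '' || $password === '') {
        return null;
    }
    // Conservative allow-list for the account name before it is used in
    // the bind name or in a search filter.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return null;
    }

    $conn = ldap_connect('ldap://' . $cfg['server']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade to TLS before credentials are sent (assumes the DC offers STARTTLS).
    if (!ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }

    // '\\' is a single literal backslash: the bind name becomes DOMAIN\username.
    if (!@ldap_bind($conn, $cfg['ad_domain'] . '\\' . $username, $password)) {
        ldap_unbind($conn);
        return null;
    }

    // Retrieve the user's entry; ldap_escape() prevents filter injection.
    $filter  = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($conn, $cfg['base_dn'], $filter, ['dn', 'displayname', 'mail']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);

    return $entries['count'] === 1 ? $entries[0] : null;
}

$cfg  = ['server' => 'ad.company.domain.com', 'base_dn' => 'CN=Users,DC=company,DC=domain,DC=com',
         'ad_domain' => 'company'];
$user = ad_authenticate($cfg, 'david', 'p4ssw0rd');
echo $user ? 'Logged in as ' . $user['dn'] : 'Login failed';
```

A null return covers every failure case (bad credentials, no TLS, or no single matching entry), so the caller never has to distinguish an unbound connection from a rejected password.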
Using this information, we can modify the wpDirAuth plugin to work with our Active Directory. Pare it down to only use Active Directory (you don’t need the OpenLDAP stuff around line 300), and look for any instances of ldap_bind(). Make sure the username is prefixed with the domain and an escaped backslash. You don’t need the prebound / prebinding stuff.
When you’re done with that, install and activate the plugin. Set the Directory Servers and Base DN in the Admin settings; the rest should be okay.
More information
Microsoft Active Directory Explorer
If you’re unsure of the structure or Base DN for your users, you can download Microsoft’s Active Directory Explorer, log in to your Active Directory, and find your own user entry. The Base DN is everything in the Path bar up to the component that is specific to your user.
PHP test code
If you want to see some sample PHP code for doing LDAP authentication and retrieving a user, I’ve uploaded an archive of my test page here.