Active Directory Authentication in WordPress

Watch out! This tutorial is over 5 years old. Please keep this in mind as some code snippets provided may no longer work or need modification to work on current systems.

There are many reasons you would want your WordPress website within DkIT to authenticate off AD (Microsoft Active Directory) rather than off the local database.

  • One password to rule them all. Who can be bothered remembering all these different passwords anyway?
  • Security. Because the password is not local it is so much harder for an attacker to acquire.
  • It allows guest users on your website, but they are still verified as being DkIT staff and/or students. This is ideal for projects that require user interaction.
  • If you forget your login then you likely have no access to any services on campus. A simple password reset by Computer Services will also get you back into your WordPress website.
  • You no longer need to manually create users. Users just log in and, if it is their first login, the local user object is automatically created by WordPress.

By far the best plugin to enable Active Directory Integration is this one:

Next Active Directory Integration

Simply install this and proceed to configuration. If you are on a Virtual Machine in XOA or anywhere else, you may need to also install LDAP Utilities for PHP.

sudo apt-get install php-ldap

If you are on any of the department MySQL servers, you may also get a warning about the PHP version.

We’ve tested and can confirm that the plugin will still work, despite this warning. These servers are scheduled for upgrade in Summer 2020.

When ready to go, you need to first add your Environment. The domain controller is at ldap.dkit.ie on port 389. The Base DN is OU=DKIT Users,DC=ad,DC=dkit,DC=ie

Once these details are entered, you need to verify them. For the moment, until we configure login by username alone, enter your full student email address and password.

Once verified, you can proceed to the User Settings.

By default, the user you created at WordPress setup is excluded from Active Directory authentication. This makes sense.

You also want to add the possible domain suffixes, namely @dkit.ie and @student.dkit.ie. This means both staff and students can log in to your website without needing to append these suffixes to their username, e.g. D002222 rather than D0022222@student.dkit.ie as the username.

You should also switch on…

  • Use sAMAccountName for newly created users
  • Automatic user creation
  • Automatic user synchronization

The default email domain is student.dkit.ie and we do want to “prevent email changes”. Everything else can be left as is.

Be sure to save your changes.

On the Password screen switch on the following:

  • Set local password on first successful login
  • Fallback to local password
  • Automatic password update

Again, be sure to save. At this point, you can actually log out and then back in but this time using your DkIT credentials. If it works, great! But you will notice you have very little permission. This is because new users are given the role of subscriber, who can do very little to start with, maybe comment on posts (this is a good thing, you don’t want new users being able to edit your website, do you?).

Log out and back in as your original user. Head to the Users section in WordPress and edit your DkIT student user. You want to upgrade them to Administrator level.

Now when you login with your DkIT credentials, you can do whatever you like. You could also delete your original user, but consider keeping them for backup purposes should the plugin ever stop working.

If you wanted any future users to have a different WordPress role when they first login (eg. editor, if you were running a public wiki type website) then this is done under Settings > General in the Dashboard.

Do not be tempted to switch on “Anyone can register”. This is not required for AD Authentication to work and will create a very big security concern for your website (especially if new users now have a higher default role).
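
The two Settings > General values discussed above can be checked from the command line. The script below is an added example, not part of the original tutorial or the plugin; it assumes WP-CLI (`wp`) is installed and run from the WordPress root, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit "Anyone can register" and the new-user default role.

# check_registration_policy <users_can_register> <default_role>
# Returns 0 when registration is closed, 1 when open registration is on,
# 2 when open registration is combined with a role above subscriber.
check_registration_policy() {
    can_register=$1
    default_role=$2
    status=0
    if [ "$can_register" = "1" ]; then
        echo "FAIL: 'Anyone can register' is on; AD authentication does not need it"
        status=1
    fi
    if [ "$default_role" != "subscriber" ]; then
        if [ "$status" -eq 1 ]; then
            echo "FAIL: self-registered accounts would start as '$default_role'"
            status=2
        else
            # Allowed by the tutorial (e.g. a wiki-type site), but worth a look.
            echo "NOTE: first-time AD users start as '$default_role'"
        fi
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: registration is closed"
    fi
    return "$status"
}

# audit_site: read the live values with WP-CLI and list current administrators.
audit_site() {
    rc=0
    check_registration_policy \
        "$(wp option get users_can_register)" \
        "$(wp option get default_role)" || rc=$?
    echo "Administrators (confirm each one is expected):"
    wp user list --role=administrator --field=user_login
    return "$rc"
}

# Constructed sample values, not read from a real site:
check_registration_policy 1 editor || echo "exit status: $?"
```

On a real site, call `audit_site` from the WordPress root instead of the sample line at the end.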

You can now invite other DkIT users to interact with your website! Examples of websites that already use this type of authentication on campus include the PJ Carrolls Room Booking System, the ACM website (completely student managed), the Inventory System in P1155 (when you borrow stuff from the technicians) and this very website (which allows staff to contribute tutorials for students.. hint, hint). There are actually quite a few others.