Opened 6 years ago

Closed 6 years ago

#2038 closed task (fixed)

LDAP integration in Wordpress for new web site

Reported by: robe
Owned by: sac@…
Priority: normal
Milestone: Website rebranding 2017
Component: SysAdmin
Keywords:
Cc:

Description

We have LDAP queries to OSGeo allowed on staging.www.osgeo.org, but it's not configured in wordpress to allow authentication via LDAP.

I think we will need to install a wordpress plugin such as one of these to make it happen

https://wordpress.org/plugins/search/openldap/

None seems to be installed at the moment.

I'm willing to do the leg work for this unless it is already stipulated in GetInteractive contract that they should be doing this.

Change History (7)

comment:1 by cvvergara, 6 years ago

The WP version that is being used is 4.9, and this one has been tested on that version:

https://wordpress.org/plugins/ldap-login-for-intranet-sites/

comment:2 by robe, 6 years ago

Yeah, that one looks like it has all the features we need, like segmenting permissions by LDAP group.

I'll install that one and see how it goes. We can always uninstall and install a different one if we decide against that one.

comment:4 by robe, 6 years ago

Okay as mentioned on list, I ended up going with https://wordpress.org/plugins/wpdirauth/

It was the only one of the three I tried that I could get to work and that didn't frustrate me with having to register.

I couldn't find a way in the WordPress interface to rename logins or flag an account as an LDAP one, but luckily the database was an open book. So I was able, with the power of SQL, to update accounts and flag them as LDAP. SQL always to the rescue :).

I've done this for Vicky Vergara, strk (Sandro Santilli), Jody Garnett (jive; his and mine were the only ones where I had to rename the login so far), and Paul Ramsey.

Looks like after I do that, you can no longer login with your local password Get Interactive set you up with, but can log in with your LDAP password. In theory if the LDAP server is down, then it's supposed to fall back on your local password.

As I said, the system will also automatically create accounts on first login if the email address and login name are not already in use, and it also allows you to pre-enter LDAP accounts.

I'll let Jody give final okay that I didn't screw up his account, and then I'll go ahead and match up the rest of the users with LDAP and convert over the ones that match (by name or login or email).

comment:5 by strk, 6 years ago

> As I said, the system will also automatically create accounts on first login if the email address and login name are not already in use, and it also allows you to pre-enter LDAP accounts.

You mean local accounts corresponding to LDAP accounts? How could the login name be already in use?

Email address I guess could be in use because we do have duplicated email addresses in LDAP...

comment:6 in reply to: 5 by robe, 6 years ago

Replying to strk:

> As I said, the system will also automatically create accounts on first login if the email address and login name are not already in use, and it also allows you to pre-enter LDAP accounts.

> You mean local accounts corresponding to LDAP accounts? How could the login name be already in use?

A good chunk of the accounts already existed, e.g. my favorite folks strk, pramsey, evenr were already set up in the system as local accounts.

So if you tried logging in before with your LDAP account, it wouldn't let you and wouldn't be able to create a new one. To avoid destroying data (you know, your cute picture and stuff), I have added an entry to the WordPress usermeta table to flag these local accounts to go via LDAP authentication.

I documented the process I did for adhoc here - https://wiki.osgeo.org/wiki/SAC:betawebsite#Enabling_LDAP_Login_for_Wordpress

I'm going to generate a script to do it for the remainder that match and then close this ticket out when I am done.

comment:7 by robe, 6 years ago

Resolution: fixed
Status: new → closed

I was able to auto-match a total of 63 WordPress local accounts to an LDAP account and converted them to be authenticated via LDAP.

Where the email matched but the LDAP login id (uid) was different, I updated the WordPress user_login to match the LDAP one.

There were 29 I couldn't match up by uid or email. These I left as local accounts. If they try to login via LDAP, it will auto-create a new WordPress account and flag it as authenticated via LDAP. We can merge accounts afterwards if this happens.
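The matching procedure described across comments 4, 6 and 7 (match a local WordPress account to an LDAP entry by uid, otherwise by email; rename user_login to the LDAP uid where only the email matched; flag the account in usermeta; leave everything else local), written out as an added example. This is not the script robe ran: wp_users and wp_usermeta are an in-memory sqlite stand-in for the WordPress MySQL tables, the LDAP export and the account list are constructed, and the usermeta key `wpDirAuthFlag` is an assumption about which key the wpDirAuth plugin reads, to be checked against the installed plugin before anything like this is run against a real database. It also handles the two cases the ticket raises: an email that maps to more than one LDAP entry (strk's duplicate-email point) is left alone rather than guessed, and an LDAP uid that is already bound to another WordPress account is not bound a second time, which would otherwise either collide with the UNIQUE user_login or give one directory user two accounts.

```python
"""Match WordPress local accounts to LDAP entries and flag them for
directory authentication. Added example; not the ticket's own script.
Tables are an in-memory sqlite stand-in, data is constructed, and the
meta key below is an ASSUMPTION about wpDirAuth."""
import sqlite3

# ASSUMPTION: usermeta key wpDirAuth uses to mark directory-authenticated
# accounts. Verify against the installed plugin version.
LDAP_FLAG_KEY = "wpDirAuthFlag"

# Constructed LDAP export as (uid, mail). 'alice' and 'bob' deliberately
# share a mail address, since the directory contains duplicate emails.
LDAP_EXPORT = [
    ("robe", "robe@example.org"),
    ("strk", "strk@example.org"),
    ("jive", "jody@example.org"),
    ("pramsey", "paul@example.org"),
    ("evenr", "even@example.org"),
    ("alice", "shared@example.org"),
    ("bob", "shared@example.org"),
]

# Constructed WordPress accounts as (ID, user_login, user_email).
WP_USERS = [
    (1, "robe", "robe@example.org"),         # login == uid
    (2, "strk", "sandro@example.org"),       # login == uid, email differs
    (3, "jodygarnett", "jody@example.org"),  # email only: rename to 'jive'
    (4, "paul", "paul@example.org"),         # email only, but uid taken by ID 7
    (5, "someone", "shared@example.org"),    # email ambiguous in LDAP
    (6, "localonly", "nobody@example.org"),  # no match at all
    (7, "pramsey", "paul.r@example.org"),    # login == uid, claims 'pramsey'
    (8, "even", "even@example.org"),         # email only: rename to 'evenr'
]


def build_db():
    """Create the stand-in schema and load the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE, user_email TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE ldap_export (uid TEXT PRIMARY KEY, mail TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", WP_USERS)
    conn.executemany("INSERT INTO ldap_export VALUES (?, ?)", LDAP_EXPORT)
    conn.commit()
    return conn


def flag_ldap(cur, user_id):
    """Mark one account as directory-authenticated via usermeta."""
    cur.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                "VALUES (?, ?, '1')", (user_id, LDAP_FLAG_KEY))


def convert_accounts(conn):
    """Two-pass match. Updates the DB in place and returns a report dict."""
    cur = conn.cursor()
    report = {"by_uid": [], "by_email": [], "skipped": [], "unmatched": []}
    claimed = set()  # LDAP uids already bound to a WordPress account

    # Pass 1: user_login equals an LDAP uid (case-insensitive, like MySQL's
    # default collation). Flag in place; nothing to rename.
    for user_id, login, uid in cur.execute("""
            SELECT u.ID, u.user_login, l.uid FROM wp_users u
            JOIN ldap_export l ON lower(u.user_login) = lower(l.uid)
            ORDER BY u.ID""").fetchall():
        flag_ldap(cur, user_id)
        claimed.add(uid.lower())
        report["by_uid"].append((user_id, login))

    # Pass 2: still-local accounts matched on email. Act only when the email
    # maps to exactly one LDAP entry whose uid is not already claimed.
    for user_id, login, n_hits, uid in cur.execute("""
            SELECT u.ID, u.user_login,
              (SELECT count(*) FROM ldap_export l WHERE lower(l.mail) = lower(u.user_email)),
              (SELECT min(uid) FROM ldap_export l WHERE lower(l.mail) = lower(u.user_email))
            FROM wp_users u
            WHERE u.ID NOT IN (SELECT user_id FROM wp_usermeta WHERE meta_key = ?)
            ORDER BY u.ID""", (LDAP_FLAG_KEY,)).fetchall():
        if n_hits == 0:
            report["unmatched"].append((user_id, login))
        elif n_hits > 1:
            report["skipped"].append((user_id, login, None,
                                      f"email matches {n_hits} LDAP entries"))
        elif uid.lower() in claimed:
            report["skipped"].append((user_id, login, uid,
                                      "uid already bound to another account"))
        else:
            cur.execute("UPDATE wp_users SET user_login = ? WHERE ID = ?",
                        (uid, user_id))
            flag_ldap(cur, user_id)
            claimed.add(uid.lower())
            report["by_email"].append((user_id, login, uid))
    conn.commit()
    return report


def flagged_logins(conn):
    """Sorted (ID, user_login) of every account now flagged for LDAP."""
    return conn.execute("""
        SELECT u.ID, u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = ?
        ORDER BY u.ID""", (LDAP_FLAG_KEY,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for key, rows in convert_accounts(db).items():
        print(key, rows)
    print("flagged:", flagged_logins(db))
```

Two practical notes. Take a dump of wp_users and wp_usermeta before running anything like this against the live database, since the rename is not reversible from the report alone. And comment 4 observes that the plugin is supposed to fall back to the local password when the LDAP server is down: if that fallback holds, the old user_pass hash of every converted account remains a usable credential whenever the directory is unreachable, so it is worth deciding deliberately whether those local hashes should be reset rather than left as they were set up by Get Interactive.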
