Charles and I have been emailing back and forth about the security of LDAP and my incorporation of LDAP authentication into WordPress makes this issue even more important.
My question is this:
Could a hacker sniffing UA network packets intercept the traffic between, say, the TCF Web server and the LDAP server? And could he/she thereby discover userIDs and passwords?
What I worry about is that in LDAP authentication it appears to me that the userID and password are traveling across the network in plaintext — not hashed or encrypted. Is that right?
Perhaps I just don’t understand how the authetication works!
Thanks for any enlightenment.
I was about to leave another comment on Charles’ useful post about his LDAP script, but then I figured that this is a different enough topic to warrant its own post — even though inspired by Charles’ LDAP enthusiasm.
I’ve just been experimenting with using LDAP to authenticate users on my WordPress sites and, I tell you, it is a beautiful thing. With the addition of one plug-in and a few simple configuration settings, I can now let UA’s LDAP server handle all the authentication chores for my sites! This includes the creation of new site users!
This is a huge step for my department as it allows faculty and students to log into our WordPress Website with their Bama userID and password! So much more convenient for the users!
And it makes my job easier as an administrator because I don’t have to manually create accounts and I can pass off password management to the Bama system.
With so many WordPress installations on campus, I thought the details of my installation might be of interest. Before you experiment with this, make sure that your installation of PHP includes LDAP support, which is not compiled into PHP by default!
When I first tried this out, I came close to disabling login for my site because PHP was not ready to do LDAP authentication!
So, of course, you must back-up your system before trying this and I would recommend against trying it on a production system before you experiment on a less critical machine.
Here’s what I did:
- Installed/activated the Simple LDAP Login WordPress plugin (version 184.108.40.206).
- Under Settings -> Simple LDAP Login, I did the following configuration:
- LDAP Directory: this defaults to “Active Directory” and must be changed to “OpenLDAP (BETA, may support other LDAP directories)”.
- Account suffix: @ua.edu
- Base DN: ou=people,dc=ua,dc=edu
- Domain Controller(s): ldap.ua.edu
- Be sure to click the “Update Options” button to set this configuration when you’re done.
Additionally, you’ll need to decide how Simple LDAP Login will or will not create new WordPress users on your system. The choices are:
- Authenticate WordPress users against LDAP. I will create the accounts in wordpress myself. (default)
- Create WordPress account for anyone who successfully authenticates against LDAP.
- Create WordPress account for users in specified AD group.
For now, I’m sticking with the default and manually creating accounts, but I’m going to experiment with automatic account creation soon.
I’ll be interested to hear what others think of using LDAP authentication with WordPress. Add a comment to this post if you use it!