LDAP Authentication

How to allow only users of particular AD groups to authenticate?

This is done with the search filter in the LDAP Configuration tab. Add a memberOf condition to the filter so that only members of the listed groups can sign in. The "?" in the filter is the plugin's placeholder for the value the user types at login (here matched against the mail attribute), so leave it as it is.
For example,
If you want to allow users of only one group, use:

(&(objectClass=*)(mail=?)(memberof=<distinguished name of the group here>))

If you want to allow users of several groups, OR the memberOf conditions together:

(&(objectClass=*)(mail=?)(|(memberof=<distinguished name of the first group>)(memberof=<distinguished name of the second group>)))

Two caveats: the group must be given as its full distinguished name (for example CN=wpadmins,OU=Groups,DC=example,DC=com), and a plain memberOf match is not transitive, so users who are only members of a group nested inside the listed group will be refused. Any parentheses, asterisks or backslashes in the group's DN must be escaped as \28, \29, \2a and \5c inside the filter.
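The filters above are built by hand; the following added example (not code from the plugin or its author) builds them from a list of group DNs, escapes characters that are special in an LDAP filter, and shows the nested-group variant using Active Directory's matching-rule-in-chain OID, which goes beyond the page's flat memberOf examples. The group DNs, the "mail" login attribute and the "?" placeholder are taken from the FAQ's own example; the domain and group names are made up.

```python
"""Build the memberOf search filter the FAQ describes, with RFC 4515 escaping.

Constructed example: the group DNs and domain below are invented.
"""

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: makes a memberOf comparison
# follow nested group membership instead of matching only direct members.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape the characters that are special inside an LDAP filter (RFC 4515).

    A group DN such as "CN=Editors (EMEA),..." would otherwise break the
    filter, or let a crafted group name change what the filter matches.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))  # e.g. "(" -> "\28"
        else:
            escaped.append(ch)
    return "".join(escaped)


def group_filter(group_dns, login_attr="mail", placeholder="?", nested=False):
    """Return the plugin-style filter (&(objectClass=*)(<attr>=?)<group clause>).

    `placeholder` is left unescaped on purpose: the plugin substitutes the
    login value there at authentication time (the FAQ uses "?").
    One group gives a single memberOf clause; several groups are OR-ed.
    With nested=True the AD matching-rule-in-chain OID is used, so members
    of groups nested inside the listed groups also match.
    """
    dns = list(group_dns)
    if not dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in dns]
    group_clause = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass=*)({login_attr}={placeholder}){group_clause})"


if __name__ == "__main__":
    wpadmins = "CN=wpadmins,OU=Groups,DC=example,DC=com"      # constructed
    editors = "CN=Editors (EMEA),OU=Groups,DC=example,DC=com"  # constructed
    print(group_filter([wpadmins]))
    print(group_filter([wpadmins, editors]))
    print(group_filter([wpadmins], nested=True))
```

Paste the returned string into the plugin's search filter field unchanged; the nested variant is only understood by Active Directory, not by other LDAP servers.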

I am getting an error while trying test connection. Can you help?

Check that the LDAP server is reachable from the host that runs your WordPress site and that port 389 (or 636 for LDAPS) is open. To check this, run the following command on your WordPress server (telnet takes the host and the port as separate arguments):
>telnet <ldap server hostname or IP> 389

I can connect to the LDAP server from the command line (using ping/telnet) but get an error when I test the connection from the plugin.

This issue usually occurs when WordPress is hosted on CentOS (or another distribution with SELinux enforcing, such as RHEL). ping and telnet run in your shell's context, but the PHP process runs under the httpd SELinux domain, which is not allowed to open outbound network connections unless the SELinux boolean httpd_can_network_connect is on.
Follow these steps to resolve the issue (as root):
1. Run command: setsebool -P httpd_can_network_connect on (the -P makes the change persistent across reboots)
2. Restart the Apache server.
3. Run command: getsebool httpd_can_network_connect and make sure that it reports "on".
4. Try the LDAP connection from the plugin again.

Is there anything special we need to do to allow LDAPS?

Steps:

1) Open ldap.conf located at C:\openldap\sysconf\ldap.conf (Windows; for Linux it is typically /etc/openldap/ldap.conf) and make sure the following directive line is in this file:

TLS_REQCERT never

Note that TLS_REQCERT never turns off verification of the server certificate entirely: the connection is encrypted, but anyone who can intercept traffic between the web server and the domain controller can present their own certificate and capture the bind credentials. Use it only to get the test connection working before the CA certificate is installed, and change it back to TLS_REQCERT demand (the OpenLDAP default) once step 5 is complete.

2) Enable SSL Over LDAP

Install an Enterprise Certificate Authority on the Windows server that has Active Directory enabled. The steps below are for the classic Add/Remove Windows Components wizard; on current Windows Server versions the equivalent is adding the Active Directory Certificate Services role through Server Manager.

  • Choose Start->Settings->Add/Remove Software
  • Select the Add or Remove Windows Components icon
  • Check the box marked “Windows Certification Authority”
  • Click “OK”
  • Follow the instructions and answer the questions to complete the setup

Once this is complete and the domain controller has obtained a certificate from the new CA, Active Directory begins to listen for LDAP connections over SSL on port 636.

3) Obtain AD Certificate

  • Open the CA application (an MMC snap-in: Programs->Administrative Tools->Certification Authority)
  • Right click on the CA and choose “Properties” from the context menu.
  • Click “View Certificate” to bring up the Certificate page.
  • Click on the “Details” tab and then the “Copy to File…” button.
  • Click “Next”.
  • Select the “Base-64 Encoded X.509(.cer) format” and click “Next”.
  • Select a name for the certificate (the name of the server with the “.cer” extension is a good choice)
  • Click the “Browse” button to save the certificate to a location of your choosing.
  • Click “Next” and then “Finish” to complete the export process.

4) Convert Certificate Format

To convert the certificate from .cer to .pem format I used OpenSSL. (You can obtain this software from here: http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it.)

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:

openssl x509 -in <certificate.cer> -out <certificate.pem>

For example:

C:\openssl\openssl x509 -in myserver.cer -out myserver.pem

This creates the certificate file in a form that OpenLDAP can use. A “Base-64 Encoded X.509” export is already PEM, so this step only re-encodes it; if the certificate was exported as DER (binary) instead, add -inform DER to the command.

5) Install the Certificate

Place the .pem file generated in the previous step in a directory of your choosing (C:\openldap\sysconf may be a good choice since that directory already exists).

Add the following line to your ldap.conf file:

e.g. TLS_CACERT C:\openldap\sysconf\myserver.pem

This directive tells OpenLDAP (the LDAP client library that PHP's ldap extension uses) where the CA certificate is so it can verify the domain controller's certificate. Now that the CA is trusted, replace TLS_REQCERT never from step 1 with TLS_REQCERT demand so that a certificate that does not chain to your CA is rejected, and restart the web server so PHP picks up the new ldap.conf.
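To check the result of steps 1 and 5 before putting the site into production, the following added example (not code from the plugin or its author) parses an ldap.conf, reports the weak settings discussed above, confirms that the exported .cer is already PEM, and prints the hardened pair of directives. The sample configurations are constructed; the certificate path is the FAQ's own example.

```python
"""Audit an OpenLDAP ldap.conf for the LDAPS settings discussed in the FAQ.

Constructed example: the sample configs below are made up.
"""
import re


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for an ldap.conf (directive names are case-insensitive)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_ldap_conf(text):
    """Findings a reviewer would raise before this ldap.conf goes to production."""
    settings = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5): when TLS_REQCERT is absent the default is "demand".
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: the server certificate is not verified, so a "
            "man-in-the-middle can impersonate the domain controller and capture "
            "the bind credentials")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: the exported AD CA certificate is not "
            "trusted, so TLS_REQCERT demand will reject the domain controller")
    return findings


def is_pem_certificate(data):
    """True when the exported file is already PEM (a Base-64 .cer export from the MMC)."""
    if isinstance(data, bytes):
        data = data.decode("latin-1")
    return re.search(r"-----BEGIN CERTIFICATE-----", data) is not None


def hardened_ldap_conf(cacert_path):
    """The two directives to keep once the CA certificate from step 5 is in place."""
    return f"TLS_CACERT {cacert_path}\nTLS_REQCERT demand\n"


# Constructed samples: the step-1 setting and the hardened result.
WEAK_CONF = "# temporary, from step 1\nTLS_REQCERT never\n"
HARDENED_CONF = hardened_ldap_conf(r"C:\openldap\sysconf\myserver.pem")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ldap_conf(conf) or ['ok']}")
    print(HARDENED_CONF)
```

Run it against the real ldap.conf with open(path).read(); an empty findings list means the client will verify the domain controller's certificate against the exported CA.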

See the separate configuration guide for the plugin-side steps to connect to the LDAP server over LDAPS (LDAP over SSL, port 636).

I want to use LDAP/AD credentials to log in to Office 365. Is this possible?

It is possible to log in to WordPress using your Active Directory/Office 365 credentials. The LDAP plugin is configured against the Active Directory in which the Office 365 identities are present, so the same credentials work for WordPress.

If you are looking for automatic login into WordPress with AD credentials (when access is from within the domain), we have options to support that requirement as well.

Does your plugin support multiple LDAP servers?

We do support that in a variant of our premium plugin (not the one that you can buy automatically from wordpress). Your WordPress instance will be able to authenticate users against all of the configured LDAP servers using either

1. The email address, whose domain part is mapped to the right LDAP server. OR

2. Any LDAP attribute. In this case, all LDAP servers are searched in turn until the user is found.

Are multiple domains in the same AD forest supported?

You will need to enter the URL of the global catalog (port 3268, or 3269 for LDAPS) rather than a single domain controller, since the global catalog holds a partial replica of every domain in the forest. If you can do that, then users from both domains will be able to log in.

I lost admin access when I enabled LDAP Login due to misconfiguration. How do I get back administrator access?

You could create an administrative user in your LDAP directory, or you can connect to your site over SFTP (or FTP, keeping in mind that plain FTP sends your password in cleartext), find the plugin under the plugins folder and rename its directory. WordPress then cannot load the plugin, which disables it and restores the normal login.

Does the LDAP plugin support mapping multiple LDAP Groups to multiple Roles?

The LDAP plugin will map an Active Directory group to all the WordPress roles you assign to it. You just have to define the names of the Active Directory groups in the Role Mapping tab and pick the roles for each.

For example, if the AD group wpadmins is mapped to both Administrator and Subscriber, a user in that group will be assigned both roles.

How do I configure Attribute Mapping in the LDAP plugin?

To configure attribute mapping in the LDAP plugin, follow these steps:

1) Go to the Attribute Mapping tab in the plugin.

2) Configure the LDAP attributes for first name and last name (for Active Directory these are givenName and sn):

First Name : givenName

Last Name : sn

3) Save the configuration.