In the last years WordPress has become the major player in the content management system market. Many middle and larger sized companies have already migrated or are planning to migrate their website from „traditional“ CMS solutions like Joomla or Typo3 to WordPress but are facing some challenges. One common requirement for companies is to connect their applications to their central user directory and authentication solution. In on-premise Windows-based environments this task is in almost all cases handled by an installation of Active Directory. And this is where WordPress‘ Active Directory Integration (ADI) plug-in comes into place: ADI connects WordPress instances to your company’s Active Directory for user management, authentication and authorization.
Some words before we’ll dive into the functionality of ADI: A few years ago our colleague Christoph searched for a solution to connect a WordPress instance to our internal Active Directory. The existing solution at this time had a lack of features and so he started working on Active Directory Integration. In the past years ADI has been evolving into a plug-in which supports almost every Active Directory configuration. With more than 9.000 active installations Active Directory Integration has a large user base.
Features of Active Directory Integration
During the early stages of developing ADI the core functionality was clear: ADI authenticates, authorizes and synchronizes WordPress users with an Active Directory domain. That being said, ADI does explicitly neither support LDAP solutions like OpenLDAP, ApacheDS nor SSO/identity management frameworks like Atlassian Crowd or Azure Active Directory.
Let me give you a quick overview of the mentioned functionality and their basic configuration.
Authentication is the process of proving your identity to a third party. In Active Directory Integration this refers to the combination of the username you entered and your Active Directory password.
When trying to login to your WordPress account ADI tries to authenticate you against every domain controller you have configured in the configuration screen. At the moment you can configure multiple domain controllers but only one target port. After ADI has established a valid connection to the Active Directory, the AD validates the username against multiple attributes as described by Microsoft.
The configuration property Base DN sets the base distinguished name of your Active Directory where your users are located. If your users are not located below this DN they can not be authenticated by Active Directory Intgration!
After the users have been successfully authenticated against the Active Directory, ADI checks their role membership. This process is called authorization. Authorization means checking whether a resource (a user) has the permission to access a given resource. ADI has two options to customize the authorization process:
- Authorize by group membership: If you check this box the authenticated users must belong to the Active Directory security group. If they do not belong to any of these groups they are not able to login. This option extends the authentication process with an authorization check for the resource „WordPress“.
- Role Equivalent Group: For performance and administration reasons the security group assignments of users are not stored in your WordPress tables and will be resolved during login. The Role Equivalent Group maps one or multiple Active Directory security groups to their equivalent WordPress group.
Depending upon your configuration you can have ADI create user accounts in WordPress if the user logs in for the first time. ADI also allows you to prevent the change of the users e-mail addresses or enforce local password policies.
One major feature of ADI is the bi-directional synchronization of WordPress and Active Directory accounts.
- Active Directory to WordPress: Below the configuration tab Bulk Import you can enter the group members to be imported. To automate this you need a Cron task which must be executed periodically. Every user in the defined Active Directory security groups is synced to your WordPress instance.
- WordPress to Active Directory: This feature is currently called Sync Back, you can find it inside the User Meta tab. Sync Back allows you to synchronize custom attributes of your WordPress users back to your Active Directory. The synchronization occurs every time a user saves his profile. Depending upon the configuration either the user has to enter his password on profile changes or a central LDAP account is used for this task.
Below the User Meta tab additional LDAP attributes can be defined which shall be synced during the login process. You could for example synchronize the user’s phone number or profile picture which are then both stored in your Active Directory with your WordPress instance.
After giving you a quick overview of Active Directory Integration it is our job to sensitize you for security considerations. Every software connecting to central user management and authentication services, even more with write back, must be considered as harmful. You must ensure that you keep possible risks at their minimum.
You must provide a secure and encrypted connection between your WordPress instance and your Active Directory. Depending upon your environment you have at least the following options:
- VPN between web server and local network. If you have access to the web server you can establish an IPSec or SSL-secured VPN connection between both endpoints.
- Enable TLS for your LDAP connection. Even if you use a VPN between both endpoints the LDAP connection should be encrypted using TLS. For this to work you need access to your web server to put the TLS certificate on it. In most cases your php.ini has to be changed.
Only provide enough permission to fulfill the job – not more.
- Restrict the base DN to your organizational unit containing the users.
- Create a dedicated read-only user for bulk import.
- Renounce the usage of a Sync Back user and let the WordPress users enter their password themself. The Sync Back account requires write access to the backend so it must be seen as a high potential target. A user however can only access its own account: The compromising of the user account has a lower impact.
- Enable ADI’s Brute Force Protection
- Enforce a secure password policy in your Active Directory
- If using a Sync Back or Bulk Import user, choose a highly random and complex password
- Passwords of the Sync Back and Bulk Import user are stored in plain text in WordPress‘ database. Ensure that the passwords for your web and database server are complex enough
The future of Active Directory Integration
In the last month we have been actively working on a complete rewrite of the Active Directory Integration plug-in. The new version contains all features and compatibility of the latest public release plus support for WordPress Multisite installations. Support for Multisite has been a long outstanding feature request. Due to its complexity it required the complete rewrite. Accompanied to that the code quality improved massively. We will release more details and plans in an upcoming blog post in the next few weeks.