
LDAPauth plugin for WordPress

I have been working on my first ever WordPress plugin.

It's primarily intended for people running their own hosting solutions, and although it won't allow system users to log into WordPress, it does allow LDAP users to access certain WordPress posts or pages that are hidden from the rest of the world.

Current Features

  • Ability to stay in SSL mode if Apache is configured with UseCanonicalName On and is set up correctly with the use of server certificates
  • Allows the writing of protected posts and pages by using a simple <!-- ldap_secure --> tag
  • Logged in users can be automatically logged out after a set amount of idle time
  • The back button within the user's browser cannot be used to re-login after they have been logged out
  • Using custom templates allows site administrators to create different content for different users

Currently, I use this plugin to display users' quota and bandwidth usage for their accounts with the use of:

<?php if ( $LDAP_ACCESS == "Authenticated" ) { ?>
<h3>Your Account Details</h3>
<?php // My custom code
} ?>

Planned Features

  • Count failed log in attempts and block by host IP for a set period of time
  • Logged in users will be able to change their own passwords for their account
  • Full administration menu within WordPress
  • For system administrators that use OpenSSH-chroot for their users, plans for setting a list of chroots and allowing the user to select one from a drop down list (more below)

OpenSSH Chroot Selection

This planned feature could allow users to change part of the path to their home directory from a preset list and would ultimately allow users to switch to other distros within a chroot environment.

# Example using Debian and Gentoo chroot jails
# List of mounts
mount --bind /home /chroot/debian/home
mount --bind /home /chroot/gentoo/home

# Presets are defined within LDAPauth
# Debian = /chroot/debian
# Gentoo = /chroot/gentoo

# Current home directory for user
/chroot/debian/./home/user

# User logs into LDAPauth and has the option to change chroot
# (Only allows the 1st part of the path to be changed to presets)

# New home directory for user
/chroot/gentoo/./home/user

As LDAP users are usually set up with the ability to change their own passwords, the option to change the home directory path will ultimately require the use of rootbinddn and the LDAP password.
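One way to enforce the rule that only the first part of the path may change, and only to a preset, as an added example that is not LDAPauth's own code. The function name switch_chroot and the CHROOT_PRESETS table are hypothetical, the home directory is assumed to be stored in the /chroot/name/./home/user form shown above, and writing the result back to LDAP is left out.

```php
<?php
// Hypothetical preset table; names and paths mirror the example above.
const CHROOT_PRESETS = [
    'Debian' => '/chroot/debian',
    'Gentoo' => '/chroot/gentoo',
];

/**
 * Return the new homeDirectory value, or null if the request is rejected.
 * Only the part before the "/./" marker may change, and only to a preset.
 */
function switch_chroot(string $currentHome, string $presetName): ?string
{
    // The user picks a preset *name*; a path is never taken from user input.
    if (!array_key_exists($presetName, CHROOT_PRESETS)) {
        return null;
    }

    // Split on the first "/./" marker: [chroot prefix, path inside the jail].
    $parts = explode('/./', $currentHome, 2);
    if (count($parts) !== 2) {
        return null; // not a chrooted account
    }
    [$prefix, $inside] = $parts;

    // The stored prefix must itself be a known preset, so a tampered
    // directory entry is not carried into the new value.
    if (!in_array($prefix, CHROOT_PRESETS, true)) {
        return null;
    }

    // The in-jail part is copied unchanged, so it must be clean: no empty,
    // "." or ".." segments and no unexpected characters.
    foreach (explode('/', $inside) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..'
            || !preg_match('/^[A-Za-z0-9._-]+$/', $segment)) {
            return null;
        }
    }

    return CHROOT_PRESETS[$presetName] . '/./' . $inside;
}

// Constructed sample inputs.
var_dump(switch_chroot('/chroot/debian/./home/user', 'Gentoo'));       // preset name from the list
var_dump(switch_chroot('/chroot/debian/./home/user', '/chroot/evil')); // raw path instead of a preset name
var_dump(switch_chroot('/chroot/debian/./home/../etc', 'Gentoo'));     // traversal segment inside the jail path
```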

Security Limitations

This plugin is being written with security in mind but will ultimately depend on how the web service is configured:

If a standard user can use Apache to access another user's files, the LDAP password for rootbinddn can become viewable (and if this is the case, users will already know other users' WordPress configurations for MySQL within wp-config.php). For this, I would recommend Apache is configured to use suPHP for any cgi-bin usage as well as PHP execution.

Also, if a standard user installs this plugin for use on their own WordPress install, they are able to alter the code and record other users' login details. It is safe for users to install this plugin for their own use, but it is important that all LDAP users know they should only log in using a designated URL on your domain and definitely not share their information with anyone else.

Securing Apache for hosting purposes is beyond the scope of this post; maybe I will include a HOWTO at a later date - until that time - Google is your friend!

Summary

A lot of the code within this plugin is readily available on the net and I have still got some work to do before I decide it's ready for public release under the GPL2.

Depending on people's interest, I will probably set up a dedicated WordPress blog for the plugin and may also enable SVN access for people that want to get involved in its development.

Leave me a comment and check back soon for any other developments.

Created by: Martin Guppy
Created on: Tuesday, February 6th, 2007 - 1:36 pm
Last Modified: Saturday, December 29th, 2007

One Response to “LDAPauth plugin for WordPress”

deadpan110 UNITED KINGDOM

I have decided not to set up a separate WordPress blog for this script, but instead I am setting up this blog to cater for my smaller projects.

Everything LDAPauth can now be found in my Software section.

Posted: 22 February 2007 at 7:41 pm
Using: Mozilla Firefox 2.0.0.1 on Linux
