WordPress.org

Ready to get started?Download WordPress

Forums

HTTP Authentication
How to do mixed login (8 posts)

  1. Thomas Nielsen
    Member
    Posted 2 years ago #

    The HTTP-Authentication plugin works extremely well with our setup but one thing has me stumped; how on earth do I login as "admin"? I would prefer to have all domain users be relatively low privilege and log in specifically as an admin user to do, well, administration. Also it would be nice to be able manually to log in as someone else who are in fact member of the domain, e.g. if I am at another users computer and want to log into the WordPress site as myself without having to log out of the workstation. I have tried all sorts of gymnastics, even creating a new wp-login.php for manual overrides, but HTTP-Authentication is simply *too* robust - it will not fail :-). I suppose it is in every possible meaning of the word a compliment but in this particular situation it is driving me bonkers. Is this even possible?

    http://wordpress.org/extend/plugins/http-authentication/

    By the way, I am running IIS and authenticate via Windows Authentication challenge/response.

  2. Daniel Westermann-Clark
    Member
    Plugin Author

    Posted 2 years ago #

    A couple of ideas:

    1. Allow WordPress authentication via the HTTP Authentication plugin options, and use the standard wp-login.php form for admin logins. See "Can I configure the plugin to support standard WordPress logins?" on the FAQ page for more information.
    2. Set the default role for new users to an appropriately low level, and grant your domain user administrative access. When at another user's computer, use runas or similar to assume your identity. (Read this thread for more.)

    I'm not a Windows person, so the second idea is more theoretical.

  3. Thomas Nielsen
    Member
    Posted 2 years ago #

    2) Would work to assume identity of "authenticateable" user, so I suppose it would do the trick.

    As for 1) then that is what I have done without much luck. But I think I got an idea... get back to you...

  4. Thomas Nielsen
    Member
    Posted 2 years ago #

    Yeps, it worked. What I did was this:

    1) Set anonymous access for everything instead of only authenticated, i.e. basically set it back to default
    2) Made a copy of wp-login.php (called it wp-admlogin.php) and made sure that all post requests in it refer to itself instead og wp-login.php
    3) Made wp-login.php authentication only, i.e. no anonymous access
    4) Set the logout-path in HTTP-Authentication point to wp-admlogin.php
    5) Require login in WordPress to access pages

    People will by default be redirected to wp-login.php to be authenticated, where they are being authenticated by your plugin and redirected back to where they entered the site. If they click logout they are referred to the wp-admlogin.php page instead of the default, which is now accessible to anon users, i.e. they can see the form and log in as a WordPress-user og click the HTTP-Authenticate button below it. Works a charm.

    Thanks a lot.

  5. CoolRaoul
    Member
    Posted 2 years ago #

    Hello yhniels, I'm basically trying to achieve the same configuration as yours
    Could you please explains more precisely what you mean by:

    Made wp-login.php authentication only, i.e. no anonymous access

  6. Thomas Nielsen
    Member
    Posted 2 years ago #

    Could you please explains more precisely what you mean by:

    Jeps. I made a copy of wp-login.php called wp-admlogin.php and in IIS set access to the original to exclude anonymous access. That way, when accessing wp-login.php IIS will require the browser to login and with NTLM enabled in IIS that will make the browser attempt to login first with the current user (on the client) and thus make an AD authentication. The copy, wp-admlogin.php, is accessible to everyone. So, when setting the logout-path to point to wp-admlogin.php, you give the client a possibility to access a login page that does *not* force NTLM validation.

    More specifically, you remove IUSR_WHATEVER from the access control list for wp-login.php which effectively removes anonymous access for that file. Activate NTLM in IIS and you should be set to go.

  7. CoolRaoul
    Member
    Posted 2 years ago #

    Ok Thanks

    Since I've a Apache/Unix based implementation, I'l will have to use another aproach to achieve the same results

    Apparently the following .htaccess could work for me:

    <filesmatch "wp-adminlogin.php$">
        Satisfy any
    </filesmatch>
    
    AuthName "<my authname here>"
    AuthType Basic
    AuthBasicProvider ldap
    
    AuthLDAPURL ldap:<my ldap path here>
    require valid-user
  8. Thomas Nielsen
    Member
    Posted 2 years ago #

    Yes, the only thing it has to do is require authentication on the original wp-login.php and allow anonymous on the copy.

    By the way; the plugin http://wordpress.org/extend/plugins/user-switching/ proved to be very useful for this type of setup, because logging in as someone else suddenly becomes a tiny bit tedious. With this plugin an administrator can "Switch" to another user context on the fly. Pretty nifty companion for HTTP-Authentication, in fact.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic