Wednesday, 30 January 2008

HTTP Authentication for Wordpress MU

I've been experimenting recently with deploying Wordpress MU as a blogging solution. As we use cosign for all of our web authentication, we wanted wordpress MU to be able to accept the contents of the REMOTE_USER variable to authenticate users, rather than relying upon Wordpress's internal authentication solution.

Much web searching found a number of people asking similar questions, and the HTTP Authentication plugin for a single user Wordpress install. Unfortunately, this plugin didn't work "out-of-the-box" with Wordpress MU, so I ended up patching it. The modified plugin is available from http://www.sxw.org.uk/computing/software/wordpress-mu-http-auth.tar.gz

It's still tailored to my needs. There's no support for automatic blog creation, for example, although that would be trivial to add. I haven't looked at its integration with Wordpress in much detail yet, either.

To use it, you need to protect your wp-login.php and wp-signup.php files with something like:

<Files wp-login.php>
CosignProtected On
AuthType Cosign
Require valid-user
</files>

<Files wp-signup.php>
CosignProtected On
AuthType Cosign
Require group web/blog/create
</files>

And your wp-admin directory with:

CosignProtected On
AuthType Cosign
require valid-user
This also checks group membership before permitting blog creation.

To install the plugin, copy the file into your wp-content/mu-plugins directory, and configure using the HTTP Authentication tab in your Site Admin menu.

If you install this, please let me know how you get on!

We've also got an additional patch for wordpress MU which makes it use an HTTPS site for blogs, rather than HTTP - I'm happy to share that on request.

Posted by at 5 comments:
Subscribe to: Posts (Atom)