imap authentication plugin

We’ve set up a new blog for people to start playing with at work. As part of the set up I wanted to link it back into the central authentication used for workstation login, etc. So the options were really kerberos or radius. As the authority is an AD controller, LDAP is not really an option, and getting php to work with kerberos or radius is a real hassle, requiring extra modules to be compiled and loaded.

So I had a quick look at Daniel’s http authentication plugin, and coded up an imap authentication plugin.

Don’t forget to apply the patch if you’re not using WordPress 1.5.1 yet. You will need to configure the mailbox url under options > imap authentication if you’re using anything but unsecured localhost access. The mailbox location is passed directly to php’s imap_open function, so you can use pop/imap/nntp in secure or non-secure mode, your choice.

The user suffix is only required if your server requires the @domain.com part of the email address when logging in, and you don’t want to add that as part of the user’s wordpress login name.

Side-note: I also secured wp-login and wp-admin/ to force access via https, thereby further increasing the security of the passwords used on the site.

Update: I’ve added the plugin to the WordPress plugin repository.

Update #2: It seems that wordpress doesn’t like redirects in wp-admin, so I’ve had to disable the forced https for that folder. However I continue to use it for wp-login.

Update #3: Version 0.6

11 comments on “imap authentication plugin”

  1. Pingback: Photo Matt » IMAP Auth for WP

  2. Pingback: Mo-ing » 2 Authentication plugins

  3. It keeps saying I have an incorrect password.

    I can telnet like this just fine:
    telnet your.imap.host.com 143
    * OK [CAPABILITY IMAP4REV1...]
    1 LOGIN “your_username” “your_password”
    1 OK [CAPABILITY...] … User your_username authenticated

    I have {my.imap.host.com:143}INBOX as my mailbox and no user suffix, yet it doesn’t work.

    Any ideas?

  4. If you’ve got a tool like netcat, or tcpdump, try and see what data is being sent to the mail server. I’m guessing that it’s probably trying to enable TLS and the server doesn’t support it.

  5. I’m trying to set this up with WordPress 1.5.2, fresh install, nothing out of the ordinary and as soon as I enable the plugin, I get lines like this everywhere:

    Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 10

    Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 11

    Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 12

    Warning: Cannot modify header information – headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 13

    Any idea? I have the same problem with the http authentication module.

  6. You probably find that the file has a blank line at the bottom, make sure that the closing ‘?>’ is the final two bytes in the file, and that there isn’t a newline afterwards.

  7. Thanks for the reply, that was it, I had a space after the ‘?>’ on the last line. I had no idea PHP was so picky, I’m a perl guy myself. Anyway, great plugin, thanks a lot.

  8. I like the plugin, but I think it has some serious security issues (that come from the http-authentication plugin). Because the check passwords function simply sets both passwords to the username, the security can be bypassed with some trivially forged cookies. The value set as the password needs to be something that the user doesn’t already know.

  9. Indeed. It could be ‘secured’ a bit more by adding a secret keyword in login and check_password functions that is only known to the server admin. Unfortunately this ‘fix’ is still open to offline brute force attacks.
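As an added illustration (not the plugin’s own code) of the two points above, the mailbox/suffix handling from the post and the cookie-forgery concern raised in the last two comments: the credentials are checked by handing the configured mailbox straight to imap_open, and the value later used as the user’s local WordPress password is derived from a server-side secret instead of the username. The mailbox, suffix, secret and function names are assumptions for this example.

```php
<?php
// Added example, not code from the imap authentication plugin.
// Settings as described in the post: the mailbox spec is passed directly to
// imap_open(), so pop/imap/nntp and secure/non-secure are chosen here. The
// suffix is appended only when the server insists on user@domain logins.
$imap_auth_mailbox = '{mail.example.com:993/imap/ssl}INBOX'; // assumed value
$imap_auth_suffix  = '@example.com';                         // assumed value
$imap_auth_secret  = 'REPLACE-WITH-LONG-RANDOM-SECRET';     // placeholder; generate once, keep outside the web root

// Returns true only if the mail server accepts the username/password pair.
// Nothing may be echoed from here: any output before WordPress sends its
// cookies produces the "headers already sent" warnings quoted in comment 5.
function imap_auth_verify($user, $pass, $mailbox, $suffix) {
    if ($user === '' || $pass === '') {
        return false; // never let an empty password reach the server
    }
    $stream = @imap_open($mailbox, $user . $suffix, $pass);
    if ($stream === false) {
        imap_errors(); // drain the error stack so it is not printed later
        return false;
    }
    imap_close($stream);
    return true;
}

// Value handed to WordPress as the user's local password. With the plain
// username here (as in comment 8), anyone who knows the username can build a
// valid login cookie; an HMAC over the username with a secret only the server
// holds cannot be reproduced without that secret. Its strength is bounded by
// the secret, so use a long random one rather than a memorable keyword.
function imap_auth_local_password($user, $secret) {
    return hash_hmac('sha256', strtolower($user), $secret);
}

// Login flow: verify against the mail server, then derive the local value
// that the cookie check compares against (constructed usage for the example).
function imap_auth_login($user, $pass) {
    global $imap_auth_mailbox, $imap_auth_suffix, $imap_auth_secret;
    if (!imap_auth_verify($user, $pass, $imap_auth_mailbox, $imap_auth_suffix)) {
        return false;
    }
    return imap_auth_local_password($user, $imap_auth_secret);
}
```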
