imap authentication plugin
We’ve set up a new blog for people to start playing with at work. As part of the setup I wanted to link back into the central authentication used for workstation login, etc. So the options were really Kerberos or RADIUS. As the authority is an AD controller, LDAP is not really worth considering, and getting PHP to work with Kerberos or RADIUS is a real hassle, requiring extra modules to be compiled and loaded.
So I had a quick look at Daniel’s HTTP authentication plugin, and coded up an IMAP authentication plugin.
Don’t forget to apply the patch if you’re not using WordPress 1.5.1 yet. You will need to configure the mailbox URL under options > imap authentication if you’re using anything but unsecured localhost access. The mailbox location is passed directly to PHP’s imap_open function, so you can use POP/IMAP/NNTP in secure or non-secure mode, your choice.
The user suffix is only required if your server requires the @domain.com part of the email address when logging in, and you don’t want to add that as part of the user’s WordPress login name.
Side-note: I also secured wp-login and wp-admin/ to force access via https, thereby further increasing the security of passwords used on the site.
Update: I’ve added the plugin to the WordPress plugin repository.
Update #2: It seems that WordPress doesn’t like redirects in wp-admin, so I’ve had to disable the forced https for that folder. However I continue to use it for wp-login.
April 23rd, 2005 at 6:42 pm
FYI for readers, it’s in the Plugin Repository here:
http://svn.wp-plugins.org/imap-authentication/trunk/
June 2nd, 2005 at 11:00 pm
It keeps saying I have an incorrect password.
I can telnet like this just fine:
telnet your.imap.host.com 143
* OK [CAPABILITY IMAP4REV1...]
1 LOGIN "your_username" "your_password"
1 OK [CAPABILITY...] … User your_username authenticated
I have {my.imap.host.com:143}INBOX as my mailbox and no user suffix, yet it doesn’t work.
Any ideas?
June 3rd, 2005 at 11:17 am
If you’ve got a tool like netcat, or tcpdump, try and see what data is being sent to the mail server. I’m guessing that it’s probably trying to enable TLS and the server doesn’t support it.
August 19th, 2005 at 11:47 pm
I’m trying to set this up with WordPress 1.5.2, fresh install, nothing out of the ordinary and as soon as I enable the plugin, I get lines like this everywhere:
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 10
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 11
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 12
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/var/www/internal/news/wp-content/plugins/imap-authentication.php:153) in /usr/local/var/www/internal/news/wp-admin/admin.php on line 13
Any idea? I have the same problem with the http authentication module.
August 20th, 2005 at 10:05 pm
You’ll probably find that the file has a blank line at the bottom. Make sure that the closing ‘?>’ is the final two bytes in the file, and that there isn’t a newline afterwards.
August 21st, 2005 at 4:18 am
Thanks for the reply, that was it, I had a space after the ‘?>’ on the last line. I had no idea PHP was so picky, I’m a Perl guy myself. Anyway, great plugin, thanks a lot.
August 22nd, 2005 at 6:05 am
I like the plugin, but I think it has some serious security issues (that come from the http-authentication plugin). Because the check passwords function simply sets both passwords to the username, the security can be bypassed with some trivially forged cookies. The value set as the password needs to be something that the user doesn’t already know.
August 22nd, 2005 at 3:49 pm
Indeed. It could be ‘secured’ a bit more by adding a secret keyword in login and check_password functions that is only known to the server admin. Unfortunately this ‘fix’ is still open to offline brute force attacks.
December 4th, 2005 at 11:17 pm
I have updated the plugin to deal with this security issue.
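The cookie weakness raised in the August 22nd comments, next to a keyed alternative, as an added example that is not the plugin's or WordPress's code. The function names, the md5-of-username cookie model and the sample login are assumptions made for illustration; the 32-byte random key goes one step beyond the "secret keyword" idea, since a short keyword can be guessed offline from a single valid cookie.

```php
<?php
// Hypothetical model of the issue: the value stored as the user's "password"
// is derived from the username alone, so the matching cookie value can be
// computed by anyone who knows the login name.
function weak_placeholder(string $username): string {
    return md5($username);
}

function weak_cookie_is_valid(string $username, string $presented): bool {
    return $presented === weak_placeholder($username);
}

// Hardened form: key the derivation with a server-side secret, so the value
// is something the user does not already know.
function keyed_placeholder(string $username, string $serverKey): string {
    return hash_hmac('sha256', $username, $serverKey);
}

// hash_equals() compares in constant time, avoiding a timing side channel.
function keyed_cookie_is_valid(string $username, string $presented, string $serverKey): bool {
    return hash_equals(keyed_placeholder($username, $serverKey), $presented);
}

// Assumption: the key is generated once and stored outside the web root.
// It is generated inline here only so the example runs stand-alone.
$serverKey = random_bytes(32);
$user = 'alice'; // constructed sample login

// A client that knows only the username can derive this value itself.
$clientDerived = weak_placeholder($user);

printf("weak check accepts client-derived value:  %s\n",
    var_export(weak_cookie_is_valid($user, $clientDerived), true));
printf("keyed check accepts client-derived value: %s\n",
    var_export(keyed_cookie_is_valid($user, $clientDerived, $serverKey), true));
printf("keyed check accepts server-issued value:  %s\n",
    var_export(keyed_cookie_is_valid($user, keyed_placeholder($user, $serverKey), $serverKey), true));
```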