Active Directory Authentication Integration v0.6

The latest version of the Active Directory Authentication Integration plugin is a somewhat major revision. New features have been added, new options are available and much of the code has been completely rewritten.

Following is a quick rundown on the changes that were made to this version of the plugin:

  • Updated adLDAP class to latest version
  • Added ability to authenticate against multiple servers in succession, rather than just load-balancing against mirrors
  • Updated a lot of the labels and language strings to be more explanatory
  • Added new options to Display Name selector
  • Added option to randomize user’s WordPress password each time they log in through AD
  • Rewrote entire authentication system
  • Added ability to auto-add users to other sites in multisite/multinetwork (assuming they are already signed into another site in the install)
  • Fixed potential bug/issue in user role equivalency
  • Added options page to individual sites in multisite environment for mapping groups to roles and authorizing by AD group
  • Moved failed logins from separate database table to native WordPress transients
  • Added custom error messages for login failures
  • Added option to display custom message when user attempts to reset/retrieve lost password

29 thoughts on “Active Directory Authentication Integration v0.6”

    1. Curtiss Grymala Post author

      Unfortunately, that’s not available in the plugin. Since the Super Admin role isn’t a traditional WordPress role, the plugin can’t assign it through traditional means.

      It’s an interesting idea, though. I will look into that for a future version. Thanks for the idea.

  1. Michael York

    Hi Curtiss,

    I just want to be sure. Assuming a user has *never* accessed the WP site, but is on the AD server, all they have to do is *log-in*, without registering, and a WP account will be automatically generated for them?

    Thanks,
    –Michael

    1. Curtiss Grymala Post author

      Michael,
      That’s correct. As long as you have the automatic user creation enabled, new WordPress users will be created for any person that exists inside Active Directory as soon as they try to login to WordPress. You can fine-tune which user accounts are created by telling the plugin only to approve users that belong to specific security or distribution groups in AD (if the user tries to login and they don’t belong to one of those groups, no user account will be created for them).

      Finally, you can also map specific security and distribution groups to WordPress roles; so, if you want members of one security group to become Administrators automatically, you can do that. Everyone else that exists in Active Directory will automatically become subscribers.

  2. Gianfranco

    Hi,
    I have used this plugin since the old version, and with WordPress 3.1 (multisite configuration) it worked fine until the update to 3.2.
    I have also installed your plugin’s updates and, with the same configurations, now I can’t log in with AD accounts.
    What can I do to fix the problem?
    Thanks for your support.

    1. Gianfranco

      UPDATE:
      A message is displayed when I try to log in with my AD account:
      “ERRORE: La password inserita per l’utente account@domain.it non è corretta.”
      (wrong password for the AD account)
      Seems like the check is on the local password and not the AD password.

      1. Curtiss Grymala Post author

        This sounds like one of the following issues has occurred:

        • The plugin somehow was deactivated during the update
        • The plugin settings somehow got corrupted during the update

        Can you try deleting the plugin from your server temporarily, resetting the password for your account, and then re-installing and configuring the plugin to see if that makes any difference?

  3. adplugtest

    Hey Curtiss,

    Thanks for the plugin. It is authenticating with my AD but is not able to get any user information other than the displayname. The rest of it shows up as empty. Also, after the login, the user is redirected to the user profile page. Is there a way to change the redirect?

    I am coming from Simple LDAP Plugin and the reason was it did not allow local users to login. I like your plugin better because it works well for WP and AD users alike except that the user details are blank and the after-login redirect.

    Your help is really appreciated.

  4. Marc

    LDAP Not Supported
    Hi,

    I’m getting the error (below) and cannot locate the PHP.ini file to enable it. (W2K8, IIS, WP 3.2.1).

    Cheers in advance!
    Marc

    Your PHP configuration does not appear to support LDAP connections; therefore, the Active Directory Authentication Integration plug-in will not work at all. It is recommended that you deactivate the plug-in until you are able to update your PHP configuration to support LDAP.

    1. Rik Danner

      If you download PHP Manager and access it from IIS Manager, at the bottom you can ENABLE or DISABLE extensions. Just enable the PHP_LDAP.dll and you’re all set to configure the settings in the plugin.

  5. Bryan White

    Curtiss,

    Thanks so much for making this plugin. It does 99% of what we need. I have a question about the other 1%.

    If I add a new field in the WordPress database called “specialID”, how hard would it be to edit the plugin code so that it pulls another attribute from Active Directory and puts it in that new “specialID” field?

    Thanks again,

    Bryan

    1. Curtiss Grymala Post author

      There isn’t an option like that in the plugin right now; but I am adding 2 filters to the development version that should assist in this.

      Once the new development version is available (should be in about an hour), you should be able to use the following filters:

      • adai-ad-user-info – use this filter to adjust the fields that are retrieved from AD
        A numerically-indexed array of ‘displayname’, ‘givenname’, ‘sn’, ‘samaccountname’, ‘cn’, ‘mail’, ‘description’ is sent by default.
      • adai-user-meta-fields – use this to create an associative array of additional fields that should be added to the user’s meta information. An empty array is sent through the filter, but you can add as many fields as you want. Those fields should be added to the user meta (which can be retrieved using the get_user_meta function).

      If it doesn’t work, let me know and I’ll try a different approach. Thanks.

      1. Jonas

        Great, this was exactly what I was looking for. However, in order for this to work shouldn’t $userinfo be passed to the adai-user-meta-fields filter as well in order for me to be able to add any additional fields specified in adai-ad-user-info? Or am I missing something?

        Thanks for a great plugin!

        Reply
        1. Curtiss Grymala Post author

          I think that’s a good suggestion. I’ll take a look at the code when I have a chance and see if I need to add that or if that’s already in place in a different way. I’ll let you know either way. Thanks.

  6. Patrick

    I love this plugin, thanks so much for writing it (first off!). I have a quick question though; is there a way to turn off local passwords, so that users do not have two passwords? I am getting an issue where existing users who originally logged in with their AD passwords and then changed to a new password are still able to use this old password (I’m guessing it was stored as their local password on WP itself). Is there any way to fix this?

  7. Andrea

    We are using the plugin with WordPress 3.3.1, but with a few users we have a problem with the AD password. They all seem the same; we tried to delete the user from WP but no chance. Do you have any suggestions?

  8. Justin

    We are running into an issue with certain password characters. If a user has a ; or ‘ in their password, they can’t log in to the blog. If they do not have these characters, they are able to log in.

  9. lneely

    Curtiss:

    I was experiencing the same problem as one of your users, cf., http://wordpress.org/support/topic/plugin-active-directory-authentication-integration-does-this-have-to-be-configured-uniquely-for-each-site

    My university runs a Windows 2008 server with IIS7. The problem was that the ADAUTHINT_PLUGIN_BASENAME constant was returning the wrong value; it failed to remove the “inc/constants-” substring. I propose the following change. In the file inc/constants-active-directory-authentication-integration.php, change line 13 from

    define('ADAUTHINT_PLUGIN_BASENAME', plugin_basename(str_replace('inc/constants-', '', plugin_basename(__FILE__))));

    to:

    define('ADAUTHINT_PLUGIN_BASENAME', str_replace('inc/constants-', '', plugin_basename(__FILE__)));

    Doing this appears to fix the problem that bhill was describing. I have not confirmed yet if any other fixes need to be applied. I figure that’s a simple enough change, but let me know if you want me to submit a code patch somewhere.

    Thanks for your plugin, it’s REALLY useful. Cheers, -ln

  10. Mike

    Hi,

    We attempted to install this on a multisite. As the superadmin I was able to set it up but it would not connect to the AD. I decided to turn it over to our AD admin to verify that the info he gave me was correct. I logged out as super admin. I went to log back in and it gives me the AD connection error even though I’m trying to use the super admin account which is not in AD. I have two questions.

    1. If we use this, can we still have local accounts to wordpress like the superadmin?

    2. How can I gain access to my multisite network now that no local accounts or AD accounts seem to work?

    Thanks,

    Mike

    1. Curtiss Grymala Post author

      Yes, you can still have local accounts, but the WordPress usernames cannot be usernames that exist within your Active Directory. So, for instance, if there is already an Active Directory username or distribution list called “webmaster”, you wouldn’t want to create a WordPress account using that username. Instead, you would want to call it something that’s not in AD already. Any username that exists in AD will be authenticated against the AD system; any username that does not exist in AD will pass through AD and attempt to authenticate against WordPress itself.

      I am hoping that, by now, you’ve figured out how to gain access to your site. If this happens in the future (or if someone else needs that information), you would FTP into your site and delete the wp-content/plugins/active-directory-authentication-integration directory. That would cause WordPress to deactivate the plugin, and allow you to authenticate against WordPress again.

  11. Carlos

    Hello

    We have a multisite installation of WordPress and are using your plugin. When we installed it I had one of our IT people configure the settings and it has been working great until the last month or so when about 50% of the time logging in will draw a connection error and force the user to try again and again.

    I have a feeling that the problem is on our side but I wanted to ask if you have heard of this before from others and what they may have discovered.

    Thanks!

    1. Curtiss Grymala Post author

      Carlos,
      I haven’t seen any reports of this nature. We do occasionally have problems logging in because our AD server goes down.

      Do you have the plugin configured with more than one domain controller? It’s possible that it’s working with one of them, but failing on another, which would explain the intermittent nature of the problem. If you do, can you try limiting it to one domain controller at a time and see if any of them fail consistently?

        1. Carlos

          That was it!

          When I isolated each DC the first failed repeatedly and the other succeeded repeatedly

          I am going to have our server admins verify but at least the problem has gone away for users now

          Thanks again

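
The isolation test from the exchange above (probe each domain controller on its own and see which one fails consistently), as an added example that is not code from the plugin or its author. The host names and the random-selection failure model are assumptions, and a TCP connect to port 389 shows reachability only, not a successful LDAP bind.

```python
import socket
from typing import Callable, Dict, Iterable


def tcp_probe(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to the LDAP port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False


def isolate_controllers(controllers: Iterable[str], attempts: int = 5,
                        probe: Callable[[str], bool] = tcp_probe) -> Dict[str, dict]:
    """Probe every controller separately and classify its behaviour."""
    report = {}
    for dc in controllers:
        ok = sum(1 for _ in range(attempts) if probe(dc))
        if ok == attempts:
            status = "healthy"
        elif ok == 0:
            status = "failing"        # fails every time when tested alone
        else:
            status = "intermittent"   # look at the network path or load
        report[dc] = {"ok": ok, "attempts": attempts, "status": status}
    return report


def expected_failure_rate(report: Dict[str, dict]) -> float:
    """Share of logins expected to fail IF one controller is picked at
    random per login with no failover (an assumed model, not taken from
    the plugin's code)."""
    rates = [1 - r["ok"] / r["attempts"] for r in report.values()]
    return sum(rates) / len(rates) if rates else 0.0


if __name__ == "__main__":
    # Constructed sample: hypothetical host names and a fake probe, so the
    # demo runs offline. Use the default tcp_probe against real controllers.
    down = {"dc1.example.test"}
    rep = isolate_controllers(["dc1.example.test", "dc2.example.test"],
                              probe=lambda host: host not in down)
    for dc, r in rep.items():
        print(f"{dc}: {r['ok']}/{r['attempts']} -> {r['status']}")
    print(f"expected login failure rate: {expected_failure_rate(rep):.0%}")
```
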
