AD Authentication Integration Server Settings

Active Directory Authentication Integration

Description

This plugin allows WordPress to authenticate and authorize users against an Active Directory domain, and to create and update WordPress user accounts from it. This plugin is based heavily on the Active Directory Integration plugin, but has been modified to work with Multi Site and even Multi Network installations of WordPress.

Some of the features included in this plugin are:

  • authenticate against more than one AD Server (for balanced load or to see if the user exists on any of the queried servers)
  • authorize users by Active Directory group memberships
  • auto create and update users that can authenticate against AD
  • mapping of AD groups to WordPress roles
  • use TLS and/or LDAPS for secure communication to AD Servers (recommended)
  • use non standard port for communication to AD Servers
  • protection against brute force attacks
  • user and/or admin e-mail notification on failed login attempts
  • determine WP display name from AD attributes (sAMAccountName, displayName, description, SN, CN, givenName or mail)
  • enable/disable password changes for local (non AD) WP users
  • WordPress 3.0/3.1 compatibility, including Multi Site and Multi Network

This plugin is based on glatze’s Active Directory Integration plugin, which is based upon Jonathan Marc Bearak’s Active Directory Authentication plugin and Scott Barnett’s adLDAP, a very useful PHP class.

Aside from the changes to make this plugin work more effectively with WordPress Multi Site, this version of the plugin also encrypts the password used to connect to the AD server when it is stored in the database.

Download

You can download the latest version of this plugin at the WordPress plugin repository.

Important Notice

Since I don’t currently have access to multiple AD servers, this plugin has only been tested on a single installation of WordPress with a single AD server. Therefore, it is entirely possible that there are major bugs.

At this time, I am seeking people to test the plugin, so please report any issues you encounter.

Requirements

This plugin requires WordPress. It might work with versions older than 3.0, but it has not been tested with those.

This plugin also requires PHP 5. Some attempt has been made to make it compatible with PHP 4, but it has not been tested in that environment.

This plugin requires LDAP support to be compiled into PHP. If the ldap_connect() function is not available, this plugin will output an error message and will not do anything.

Installation

  1. Download the latest ZIP file of this plugin
  2. Unzip the file and upload the active-directory-authentication-integration directory to the wp-content/plugins/ folder on your Web server
  3. Network Activate the plugin and adjust the settings
  4. If you have John James Jacoby’s WP Multi Network plugin, David Dean’s Networks for WordPress or Ron and Andrea Rennick’s Networks+ installed and activated, you will then have the option to activate this plugin on all networks. Do so.
  5. Adjust the settings

Frequently Asked Questions

Can I use this plugin if I’m not running Multi Site?
You certainly can. This plugin should be fully compatible with a regular WordPress installation, a WordPress Multi Site installation and even a WordPress Multi Network installation.
Why am I able to login using AD on one site, but not another in a multisite installation?
This plugin will only affect sites on which it is activated. If you do not network-activate it in a multisite installation, you won’t be able to log in using AD credentials on any of the sites on which it’s not activated. Likewise, if you are running a multi-network installation, the plugin will need to be network-activated on all of your networks (there is an option in the plugin, once it’s activated on one network, to activate it on all networks) in order for login to check the Active Directory on all networks.
Can I use this plugin for normal LDAP authentication?
I’m honestly not sure. As far as I know, this plugin is only compatible with Active Directory servers, but it’s possible it might work with other implementations of LDAP.
Why am I seeing a message about LDAP not being supported?
This plugin requires that LDAP support be compiled into PHP in order to work properly. If you are seeing that error message, it means that the plugin detected that the PHP ldap_connect() function is not available.
Is it possible to use TLS with a self-signed certificate on the AD server?
Yes, this works. But you have to add the line TLS_REQCERT never to your ldap.conf on your web server. If you don’t already have one, create it. On Windows systems the path should be c:\openldap\sysconf\ldap.conf.
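The ldap.conf change from the answer above, shown next to the alternative of trusting the self-signed certificate explicitly. This is an added configuration example, not text from the plugin or its author; the certificate path is a placeholder. TLS_REQCERT never makes the OpenLDAP client library (and therefore PHP’s ldap extension) accept any certificate the server presents, so anything sitting on the path to the domain controller can present its own; pointing TLS_CACERT at the domain controller’s self-signed certificate keeps verification switched on and still lets the handshake succeed.

```conf
# ldap.conf  (Linux: usually /etc/ldap/ldap.conf or /etc/openldap/ldap.conf;
#             Windows, per the FAQ above: c:\openldap\sysconf\ldap.conf)

# Option A, as described in the FAQ: skip certificate checking altogether.
# Quick to set up, but the client will also accept a certificate presented by
# anyone able to intercept the connection to the domain controller.
#TLS_REQCERT never

# Option B: keep checking on, and trust the domain controller's self-signed
# certificate (or the internal CA that issued it) explicitly.
# /path/to/dc-self-signed.pem is a placeholder for the exported PEM file.
TLS_CACERT /path/to/dc-self-signed.pem
TLS_REQCERT demand
```

Export the certificate from the domain controller in PEM (Base-64) form, place it where the web server’s PHP process can read it, and restart the web server so the ldap extension re-reads ldap.conf.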
Can I use LDAPS instead of TLS?
Yes, you can. In previous versions of this plugin, you needed to put ldaps:// in front of the server in the option labeled “Domain Controller” (e.g. ldaps://dc.domain.tld), enter 636 as the port and deactivate the option “Use secure connection?”. However, in the latest version(s), you simply need to check the appropriate checkbox.
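The two connection styles the answer above contrasts (LDAPS on port 636 versus plain LDAP on port 389 upgraded with STARTTLS), written out as an added PHP example that is not the plugin’s own code. It also performs the ldap_connect() availability check the Requirements section describes. The function name adai_example_connect and its parameters are hypothetical; the host, port and certificate path values are placeholders.

```php
<?php
// Added example, not the plugin's code: open a connection to a domain
// controller either over LDAPS or over plain LDAP upgraded with STARTTLS.
// $host, $port and $use_ldaps mirror the plugin's "Domain Controller",
// port and "Use secure connection?" settings; $ca_file is optional.

function adai_example_connect( $host, $port, $use_ldaps, $ca_file = null ) {
    // Same requirement the plugin checks: the ldap extension must be compiled in.
    if ( ! function_exists( 'ldap_connect' ) ) {
        throw new RuntimeException( 'PHP was built without LDAP support (ldap_connect() missing)' );
    }

    // Programmatic equivalent of TLS_CACERT in ldap.conf (PHP 7.1 or newer):
    // trust this file's certificate(s) instead of turning verification off.
    // TLS options are global, so they are set with a null link before connecting.
    if ( $ca_file !== null ) {
        ldap_set_option( null, LDAP_OPT_X_TLS_CACERTFILE, $ca_file );
    }

    // Both schemes give an encrypted channel; the difference is only where the
    // TLS handshake happens (implicit on 636 vs. STARTTLS on the plain port).
    $uri  = ( $use_ldaps ? 'ldaps://' : 'ldap://' ) . $host . ':' . (int) $port;
    $conn = ldap_connect( $uri );
    if ( $conn === false ) {
        throw new RuntimeException( 'Malformed LDAP URI: ' . $uri );
    }

    // Active Directory requires protocol version 3. Disabling referral chasing
    // stops the client from silently opening follow-up connections to other
    // domain controllers; the 10-second timeout matches the plugin's default.
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_REFERRALS, 0 );
    ldap_set_option( $conn, LDAP_OPT_NETWORK_TIMEOUT, 10 );

    if ( ! $use_ldaps ) {
        // STARTTLS upgrades the plaintext connection *before* the bind, so the
        // user's credentials never cross the wire unencrypted.
        if ( ! ldap_start_tls( $conn ) ) {
            throw new RuntimeException( 'STARTTLS failed: ' . ldap_error( $conn ) );
        }
    }
    return $conn;
}

// Usage (placeholder values):
// $conn = adai_example_connect( 'dc.domain.tld', 636, true );   // LDAPS
// $conn = adai_example_connect( 'dc.domain.tld', 389, false );  // LDAP + STARTTLS
// if ( ! @ldap_bind( $conn, 'user@domain.tld', $password ) ) {
//     error_log( 'bind failed: ' . ldap_error( $conn ) );
// }
```

Either path encrypts the bind, so the password is not sent in clear text. What neither path does on its own is verify who is on the other end; that is governed by the TLS_REQCERT setting discussed in the previous answer, or by the CA file passed here.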
Why do I see “Should this set of options be updated for all of your networks?” at the top of each settings section?

That means that this plugin detected that you have either the Networks+ plugin, the WP Multi Network plugin or the Networks for WordPress plugin installed and activated. If you leave this checkbox ticked, any changes you make to that section of settings will be saved on all of the networks, rather than just being saved on the current network.

If you do not have any of those plugins installed and activated, you should not see this option. If you do, that is a bug and should be reported.

Why do I see the checkbox mentioned above on one network, but not another?
Again, that option will only appear on sites where the Multi Network or Networks for WordPress plugin is active. If you only have that plugin activated on a single site, this AD Authentication Integration plugin will have no way of knowing that you are running multiple networks.
How do I request new features or report a bug with this plugin?
Please either start a new topic in the official WordPress support forums or make a comment on the appropriate post within my plugins blog.
How do I enable debug information?
There are multiple levels of debug information within this plugin, all carried over from glatze’s plugin. To set the debug level, find the following line in the active-directory-authentication-integration.php file:

$ADAuthIntObj->setLogLevel(ADAI_LOG_NONE);

and change it to:

$ADAuthIntObj->setLogLevel(ADAI_LOG_DEBUG);

Other than “none” and “debug”, there are 5 other levels of debug information. ADAI_LOG_DEBUG is the highest level, meaning that all debug information output from this plugin will be displayed on-screen. ADAI_LOG_NONE is the lowest level, meaning that no information will be displayed on the screen. The levels of logging are (from highest to lowest):

  • ADAI_LOG_DEBUG
  • ADAI_LOG_INFO
  • ADAI_LOG_NOTICE
  • ADAI_LOG_WARN
  • ADAI_LOG_ERROR
  • ADAI_LOG_FATAL
  • ADAI_LOG_NONE

To Do

  • Add ability to validate against multiple AD servers (check one, then the other – rather than just load-balancing as the plugin currently does) – Done as of 0.6
  • Update admin interface to utilize native meta box interface rather than custom layout – Done as of 0.4a
  • Separate the profile information from the role equivalent groups in the “auto update user” setting – Done as of 0.3a
  • Anything else? Let me know below.

Screenshots

Changelog

0.6 (August 30, 2011)

  • Updated adLDAP class to latest version
  • Added ability to authenticate against multiple servers in succession, rather than just load-balancing against mirrors
  • Updated a lot of the labels and language strings to be more explanatory
  • Added new options to Display Name selector
  • Added option to randomize user’s WordPress password each time they login through AD
  • Rewrote entire authentication system
  • Added ability to auto-add users to other sites in multisite/multinetwork (assuming they are already signed into another site in the install)
  • Fixed potential bug/issue in user role equivalency
  • Added options page to individual sites in multisite environment for mapping groups to roles and authorizing by AD group
  • Moved failed logins from separate database table to native WordPress transients
  • Added custom error messages for login failures
  • Added option to display custom message when user attempts to reset/retrieve lost password

0.5a (May 9, 2011)

  • Updated some of the labels on the options screen to make them a little more explanatory.
  • Fixed a critical bug that stopped the options from being saved in certain situations.
  • Updated options page to use HTML label elements properly for each field
  • Tested for compatibility with WordPress 3.2

0.4a (April 28, 2011)

  • Updated administrative user interface to use native WordPress metaboxes

0.3a (May 2, 2011)

  • Separated the option to append user suffixes during validation against the AD server from the option to append user suffixes to the WordPress account username (previously, if you appended user suffixes to the WordPress account username, that suffix was also used in the validation process, which caused validation to fail on some AD servers). There are now two separate settings for “WordPress account suffix” and “AD Account Suffix”.
  • Updated the way “automatic user update” is handled. Previously, if you had automatic user update enabled, and you had role-equivalent settings configured, all users that matched those role-equivalent settings would be given those roles when they logged in; even if you had previously promoted a specific user to a higher WordPress role. You now have the option to enable that feature or not; separately from the setting that updates the user’s contact information on login.

0.2a (March 16, 2011)

  • Updated the way scripts and styles are registered within the plugin
  • Added support for Networks for WordPress multi-network plugin and Networks+ multi-network plugin
  • Hopefully fixed bug that caused existing users to not be able to login with AD credentials
  • Updated the way multi-network plugins are detected, allowing the plugin to identify multi-network setups even when the multi-network plugin is only active on one network
  • Included AD Connection Test script (a modified version) from glatze’s plugin for testing/debugging purposes
  • Added more debug information
  • Hopefully fixed a bug in authorization by AD groups
  • Fixed a bug that caused admins not to be able to configure plugin in non-Multisite installations

0.1a

  • This is the first version

33 thoughts on “Active Directory Authentication Integration”

  1. DonChino

    Um, how exactly do you configure this thing? I downloaded it but there are no instructions on how to configure and/or activate. I mean I hit activate but then it is telling me: “You do not have the appropriate permissions to update these options. Please work with an administrator of the site to update the options. Thank you.”

    I am the only user and I just created the WordPress so it is a clean Vanilla installation, but I can’t figure out how to configure this thing and checking comments inside files, so not exactly intuitive. Can you throw up some quick instructions on where to put the DOMAIN name and other such things?

    Reply
    1. Curtiss Grymala Post author

      I can’t believe nobody else noticed the issue you’re experiencing (or, at least, no one has yet reported it to me). I checked the code when I read your comment, and there is a typo in the code that checks your permissions. It works in a MultiSite installation, but will cause the error you experienced in a regular installation of WordPress.

      Until I am able to release an updated version including this fix, you should be able to do the following:

      Open the class-active-directory-authentication-integration.php file
      Go to line 497
      Replace the code on line 497, which currently looks like:
      if( ( ADAI_IS_NETWORK_ACTIVE && !current_user_can( 'delete-users' ) ) || ( !ADAI_IS_NETWORK_ACTIVE && !current_user_can( 'manage-options' ) ) ) {
      with:
      if( ( ADAI_IS_NETWORK_ACTIVE && !current_user_can( 'delete_users' ) ) || ( !ADAI_IS_NETWORK_ACTIVE && !current_user_can( 'manage_options' ) ) ) {

      Finally, to answer your initial question, once you make that correction, you will see some options that can be edited. There are 4 sections of options on that page. Only the first section will be initially visible when you load the page. Clicking on the paragraphs under each section heading will expand/hide the appropriate section. I realize this is completely unintuitive; but it’s only been built to be functional so far. Making the interface more intuitive and user-friendly is a task I plan to complete once I’ve identified and hopefully corrected any major bugs in the plugin. Thank you for your feedback. I will update this comment thread once I’ve got a new version with the bugfix I mentioned above.

      Reply
    2. Curtiss Grymala Post author

      A new version of this plugin was released today; hopefully fixing the bug you noticed. Once you upgrade, you should see the different settings sections I mentioned in my previous comment. Thanks.

      Reply
  2. Pingback: Active Directory Authentication Integration v0.2a | Ten-321 WordPress Plug-Ins

  3. Aldo

    First off, great plugin! I had a question about how you handle redirects. When a user is first being authenticated, after they successfully authenticate they are redirected to the dashboard. But on future logins, they are redirected to the profile page. Also, just so you know, all my users are subscribers by default. Thanks!

    Reply
    1. Curtiss Grymala Post author

      The redirects are handled entirely by WordPress. This plugin only handles authentication, it then hands off the rest of the login process back to WordPress; so if an odd redirect is occurring, that’s something deeper in WordPress that’s causing that.

      Are you using WordPress MultiSite? If so, are you sure that your users are actually being added as subscribers, or are they only being added to the network (with no role on the site(s))?

      Reply
  4. Zac Curran

    Thanks for this plugin, I have just played around with it and found it quite useful but there is one thing that I have noticed and that is that this plugin doesn’t seem to work with AD groups that have a space in the name like “domain users”.

    BTW – Is there any chance you could add SSO functionality for IIS servers like the “RealDolmen – IIS Authentication Plugin”? It is a tiny plugin with only a few lines of code and by commenting out its last line I have the two plugins working together but my users still need to log in manually the first time.

    Reply
    1. Curtiss Grymala Post author

      I didn’t realize AD groups were allowed to have spaces in their names. When you browse the active directory (assuming you have some sort of active directory browser), do you actually see a space in the name? The group name should actually be the “cn” (CN) portion of the group’s DN (distinguished name), I think. With the current versions of my plugin, I’m almost completely using the code that glatze used in version 0.9.9.7 or 0.9.9.8 of his Active Directory Integration plugin for those particular features, so I can’t say for certain; but a quick glance at my current code seems to indicate that that is the case.

      Spaces shouldn’t make a difference (assuming you’re using the CN of the group), as the code simply splits up the list of groups wherever a semi-colon appears (meaning that spaces should stay in place). Then, it sends that array of groups to the appropriate function in the adLDAP class and uses an in_array() function to check the groups. None of those things should be sensitive to spaces.

      However, in the next few weeks, I will be working on a completely rewritten version of this plugin. I learned a lot about Active Directory and the adLDAP class over the last two weeks while I was developing the Active Directory Employee List plugin, so I feel comfortable actually digging into the AD portion of this plugin (previously, I mostly only modified the WordPress parts of it) and getting my hands dirty with that. I’ll see if I can find any more information about the issue (and I might try to include a tool to help you look up the CN of all valid groups, just in case that’s where the issue is coming from) while I’m working on that.

      I’ll definitely take a look at the SSO functionality. I don’t have an IIS server, so there’s not much testing I can do with it; but I’ll see if I can dissect what it does and try to implement it within my plugin.

      Reply
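The matching the reply above describes (split the configured group list on semicolons, then look each of the user’s groups up with in_array()), written out as an added PHP example that is not the plugin’s code, with the normalisation that makes whitespace around the separators and letter case irrelevant. The function names are hypothetical and the group names are constructed sample values.

```php
<?php
// Added example, not the plugin's code. Mirrors the comparison described in
// the reply: the "allowed groups" setting is split on semicolons and each of
// the user's AD groups is looked up with in_array(). Entries are trimmed and
// lower-cased first, since AD group CNs compare case-insensitively and stray
// spaces around the separator are easy to type into a settings field.

function adai_example_parse_group_list( $setting ) {
    $groups = array();
    foreach ( explode( ';', $setting ) as $entry ) {
        $entry = trim( $entry );      // "Web Admins; Domain Users" -> no leading space
        if ( $entry !== '' ) {        // ignore a trailing ";" or doubled separators
            $groups[] = strtolower( $entry );
        }
    }
    return $groups;
}

// True when at least one of the user's groups appears in the setting.
function adai_example_user_is_authorized( $setting, array $user_groups ) {
    $allowed = adai_example_parse_group_list( $setting );
    foreach ( $user_groups as $group ) {
        if ( in_array( strtolower( trim( $group ) ), $allowed, true ) ) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the setting as an administrator might type it, and
// the CNs that a directory lookup returned for the user.
$setting     = 'Web Admins; Domain Users;';
$user_groups = array( 'Domain Users', 'Staff' );

var_dump( adai_example_user_is_authorized( $setting, $user_groups ) );

// The same check without normalisation, for comparison: the leading space
// that survives explode() means 'Domain Users' is not found.
var_dump( in_array( 'Domain Users', explode( ';', $setting ), true ) );
```

The last two lines contrast the normalised check with a bare explode()/in_array(): an entry typed as “Web Admins; Domain Users” keeps its leading space after splitting, so the naive comparison fails for Domain Users even though the name is spelled correctly. Whether that is what happened with “domain users” in the report above cannot be told from the comment alone, but it is the first thing to rule out, by printing the split list and the user’s group CNs side by side.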
  5. AD Wordpress Noob

    I haven’t got it working yet. I am getting the error “plugins\active-directory-authentication-integration\inc\class-adint_original_plugin.php on line 1064″ error when I go to make a new user in WordPress when the plugin is activated. It would be great if you made a walk through on a test domain that it wouldn’t matter if people see how the information. If you can’t do I’d love to help out as I have access to several virtual machines. I am running latest version of WordPress and Plugin.
    Trying to get this to work for a Teacher organization. Web server is Windows running XAMPP. I’ve enabled the ldap module by removing the “;” from the line: “extension=php_ldap.dll”. Hit save. I also made sure that the php_ldap.dll is located in my system path.

    Reply
    1. Curtiss Grymala Post author

      I’m not sure if you got this issue solved or not. I apologize for taking so long to respond. This has been an absolutely crazy month.

      Unfortunately, I don’t really have access to anywhere that I would be able to create a fake AD server, so I can’t really set up a demo server to walk people through this.

      Can you try using the current Development Version of the plugin and see if that makes any difference at all? Thanks.

      Reply
  6. Jason

    I need to bind with something like Domain Name\Username. However if I enter
    Domain\User and save the settings it drops the \.
    Thanks

    Reply
  7. Mark Nipper

    I’ve got a patch for you. It fixes the broken path finding logic for determining where the plugin lives. This was causing a blank page out of the box for us because wp-content is NFS mounted underneath /usr/local/share/wordpress for us. This is probably going to get clobbered in this input field, so feel free to email me if you want a better copy.
    ---
    --- constants-active-directory-authentication-integration.php.orig 2012-02-10 14:58:58.710041000 -0600
    +++ constants-active-directory-authentication-integration.php 2012-02-10 16:27:26.520344000 -0600
    @@ -22,13 +22,13 @@
    /**
    * A constant to hold the absolute path to our main plug-in file
    */
    - define( 'ADAUTHINT_ABS_PATH', ( ( stristr( __FILE__, 'mu-plugins' ) ) ? WPMU_PLUGIN_DIR : WP_PLUGIN_DIR ) . '/' . ADAUTHINT_PLUGIN_BASENAME );
    + define( 'ADAUTHINT_ABS_PATH', plugin_dir_path( str_replace( 'inc/constants-', '', __FILE__ ) ) . basename( ADAUTHINT_PLUGIN_BASENAME ) );

    if( !defined( 'ADAUTHINT_ABS_DIR' ) )
    /**
    * A constant to hold the absolute path to the directory in which our plug-in is stored
    */
    - define( 'ADAUTHINT_ABS_DIR', ( ( stristr( __FILE__, 'mu-plugins' ) ) ? WPMU_PLUGIN_DIR : WP_PLUGIN_DIR ) . '/' . str_replace( '/inc/' . basename( __FILE__ ), '', plugin_basename( __FILE__ ) ) );
    + define( 'ADAUTHINT_ABS_DIR', dirname( plugin_dir_path( str_replace( 'inc/constants-', '', __FILE__ ) ) . 'ignored' ) );

    if( !defined( 'ADAUTHINT_OPTIONS_PAGE' ) )
    /**
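Review bot: in the second `+` line, `dirname( plugin_dir_path( ... ) . 'ignored' )` appends a dummy file name only so that dirname() strips the trailing slash, which works but reads as a trick; `untrailingslashit( plugin_dir_path( str_replace( 'inc/constants-', '', __FILE__ ) ) )` says the same thing directly, and because this file lives in `inc/`, `dirname( dirname( __FILE__ ) )` yields the plug-in directory with no string surgery at all. Both `+` lines also hard-wire the assumption that the main plug-in file has this file’s name minus the `constants-` prefix and sits one directory up; if that is the convention, a one-line comment above the defines should say so, since the str_replace() silently produces a wrong path the moment either file is renamed. Dropping the `stristr( __FILE__, 'mu-plugins' )` branch is fine, as plugin_dir_path() and dirname() operate on the real __FILE__ under both plugins/ and mu-plugins/.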

    Reply
  8. Robert

    Awesome Plugin! I like that when I set it to auto create users it will create them with their email address as their wordpress username, which is exactly what I need; however, is there any way to enable email addresses to be used when creating users from the admin? I tried to look through your plugin code to see if I could identify how you were creating the users with email addresses for usernames programmatically, but I couldn’t pinpoint it. Thanks!

    Reply
    1. Curtiss Grymala Post author

      Thanks for the positive feedback. Unfortunately, I don’t think it’s currently possible, with the way things are set up in the plugin and in WordPress to do what you’re asking. When WordPress sets up new user accounts on its own, it doesn’t allow symbols like @ to be included in usernames.

      I will definitely look into the possibility of having the plugin automatically append that information to new users created directly through WordPress; but I’m not sure how long it might be before I’d be able to figure it out, or how long it might be before I’d get that new feature released.

      For the time being, if the users are in active directory, we’ve been simply asking our users to login once; then we’ve been manually updating them. We’ve also been kind of using the distinction between users that have their full email addresses as their usernames and users that just have standard usernames to differentiate between users that were created automatically and users that were created manually.

      Reply
  9. Amanda Berlin

    Hey Curtiss,

    Thanks so much for the plug-in! I do have a question for you since I’m not sure exactly where to look next. I’m also using xampp on windows and I can’t seem to get tls to work at all. I don’t think it’s the plug-in, and i’m almost positive it isn’t our AD servers. I’ve kind of glossed over the php.ini, httpd.conf, httpd-xampp.conf, and httpd-ssl.conf, but I haven’t really noticed much not configured right. I did notice though that I don’t have a c:\openldap folder, which I read should have a config file located in it. Any ideas? Thanks!

    Reply
  10. Phillip Morley

    Hello, I am having a problem where some users within a specified Active Directory security group can access our blog site, and some get an “invalid username” error, but their user account works and is active and also works on other LDAP integrated applications. Why does this happen, and what is the fix?

    Reply
  11. Larry Voke

    I have installed WordPress but cannot get ActiveDirectory to authenticate with LDAP. A separate install of simple-ldap-login works fine. I get the following when I test: Any help is appreciated. Thank-you

    AD Integration Logon Test
    openLDAP installed
    [INFO] method authenticate() called
    [INFO] ——————————————
    PHP version: 5.3.3
    WP version: 3.4
    ADI version: 1.1.3
    OS Info : Linux reword 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64
    Web Server : apache2handler
    adLDAP ver.: 3.3.2 Extended (201104081456)
    ——————————————
    [NOTICE] username: vokela
    [NOTICE] password: **not shown**
    [INFO] Options for adLDAP connection:
    – account_suffix: @bc.edu
    – base_dn: ou=people,dc=bc,dc=edu
    – domain_controllers: directory.bc.edu
    – ad_port: 389
    – use_tls: 0
    – network timeout: 10
    [NOTICE] adLDAP object created.
    [INFO] max_login_attempts: 3
    [INFO] users failed logins: 1
    [NOTICE] trying account suffix “@bc.edu”
    [ERROR] Authentication failed
    [WARN] storing failed login for user “vokela”
    Logon failed

    Reply
  12. Larry Voke

    We hoped to map LDAP groups to WordPress groups but this capability does not exist? WordPress allows mapping of AD groups to WordPress roles only?

    Thank-you,
    Larry Voke

    Reply
    1. Curtiss Grymala Post author

      Honestly, I don’t know. I don’t have an LDAP server on which to test this plugin, so I have no idea whether this plugin or any of its features work with a standard LDAP server or not. I know that mapping the Active Directory groups (distribution lists and security groups) to WordPress roles works, but couldn’t say whether or not it works with standard LDAP groups or not.

      Reply
  13. Larry Voke

    Thank-you Curtiss. Are there any plans to associate posts/blogs to departmental groups that would restrict access to departmental users?

    Thanks,
    Larry

    Reply
    1. Curtiss Grymala Post author

      Part of that is already available. The ADAI plugin has the ability to restrict logins to people that belong to specific distribution lists or security groups, so only they can login using AD credentials. It also, as mentioned above, has the ability to automatically assign WordPress roles (built-in roles or custom roles) to users automatically based on their AD distribution lists/security groups.

      However, actually modifying the capabilities assigned to each role or creating new custom roles is really a job for another plugin.

      I hope that answers your question. Thanks.

      Reply
  14. Chris

    My goal is to use WordPress as a blog at work and use Active Directory for staff to be able to log in and comment as well as view “staff only” posts.

    Many posts will be public, but I’d love to find a way to mark certain sections as staff only.

    Is that something I could do with this plugin? Or does this plugin handle users in a way that is compatible with other WordPress features/plugins that would enable this?

    Reply
    1. Curtiss Grymala Post author

      Chris,
      This plugin creates user accounts in WordPress by using the Active Directory information. Therefore, it should be fully compatible with any features/plugins that would enable the feature you’re looking for, but it certainly doesn’t do that on its own.

      I would suggest using a function or plugin to create a role called something like “Staff”, use a plugin to make specific posts viewable only by “Staff” and above, then use this plugin to automatically assign the “Staff” role to any users that login using their Active Directory credentials. Thanks.

      Reply
  15. Jimmy

    Hi,

    I can see in the feature mentioned “auto create and update users that can authenticate against AD”

    Is this plug in “Auto create user account in AD” once user register as local (WP User) ?

    Reply
    1. Curtiss Grymala Post author

      This plugin does not write to Active Directory. What that feature means is that this plugin will automatically create a WordPress user account based on information read from Active Directory, not the other way around. Thanks.

      Reply
  16. Jerrad

    Great plugin but I am having an issue where the ADI plugin is distorting the buttons and layout of my Pagelines theme Admin UI. Could I have something set that would be causing this?

    Reply
  17. lneely

    Curtiss:

    Having an apostrophe in the password is problematic with the AD Authentication Integration plugin, i.e., authentication fails with the apostrophe and succeeds without. This isn’t a critical problem and if I get time I will fix it myself, but just an FYI for you and other users of this plugin.

    Reply
    1. Curtiss Grymala Post author

      Thanks for the report. I’ll have to look and see what I can do about this issue. I know I encountered something similar in the way the ADEL plugin handled apostrophes, so I’ll have to see if I can adapt that fix. Thanks.

      Reply
  18. jkinning

    I am using the Active Directory Integration plugin and it logs in the users very well. I have a few Administrators that when they login they are unable to perform any edits. If I check the Grant this user super admin privileges for the Network they can then edit but they also get access to the Network of sites which I don’t want to allow. Is there some other setting somewhere I am missing to allow an Administrator to edit or provide the WordPress Administrator role as if the user was a local user? I have been banging my head for about 2 weeks trying to figure out why this is happening and am at a lost.

    Reply
    1. Curtiss Grymala Post author

      In the “Authorization and Authentication Settings” area, do you happen to have “Automatically update WordPress roles?” checked? It sounds like the plugin is resetting the user permissions when someone logs in for some reason.

      Reply
