AD Integration Roadmap [Updated] 22 June 2010

Here is the plan for the further development of the Active Directory Integration WordPress plugin:

  • WordPress MU compatibility (planned for 1.0). Rudimentarily implemented since 0.9.9.8, but WordPress 3.0 MultiSite is supported.
  • WordPress 3.0 compatibility
  • tool for testing DONE 0.9.9-dev
  • object-orientation redesign DONE 0.9.1
  • code clean up DONE 0.9.1
  • email notification of user and/or admin when a user account is blocked DONE 0.9.1
  • drop table on uninstall or deactivation DONE 0.9.2
  • adding more languages
  • better user interface for role <> group assignment
  • set different ldap ports per server
  • help page DONE 0.9.2.
  • determine WP display name from AD attributes DONE 0.9.3
  • authenticate against multiple domains (perhaps, have to think about)
  • enable/disable password changes for local (non AD) WP users DONE 0.9.8
  • multiple authorization groups (as requested by Lori Dabbs) DONE 0.9.8

To be continued …

101 comments
Christian Schild 16 July 2009

Hi, is there any chance that ADI will also become usable for WordPress MU? In general it seems to work (one could already more or less hack ADA onto it), but there are problems when configuring it (supposedly no options page).

cst 17 July 2009

Yes, that sounds good. MU compatibility is definitely something for 1.0. I'll put it on the roadmap.

Robert Nelson 1 August 2009

Hi,

I don’t know where to report a bug. If I enter my username while capslock is on, it creates a second account in wordpress and resets the permissions on my lowercase (existing) account in wordpress to whatever I have it set for new users (author in this case).

Seems like a fix would be to lower case the username input before doing the AD compare?

GREAT plugin.

Cheers,
Robert

cst 4 August 2009

OK, I'll have a look at this in the next few days.

cst 17 August 2009

Hi Robert,
I agree with you: this is a bug. WordPress usernames are case sensitive and Active Directory samaccountnames are not. The simplest (and imho best) solution is to convert the entered usernames to lower case. I fixed this in the development version. Version 0.9.7 will be released soon.

Craig 17 August 2009

Is there a demo?

cst 18 August 2009

Hi Craig,
unfortunately there's no demo. I would have to set up a Windows Server only for the demo, which is not possible at present. If you have problems setting it up for a test you can ask me for help.

jc513 21 August 2009

Is there any documentation on the TLS option? I have openssl installed along with php-imap. I have the option selected for TLS using 389 as the plugin states and define('FORCE_SSL_ADMIN', true); in wp-config.php. However, doing a network sniff the password is in clear text in the packet.

cst 24 August 2009

Hi Jim,
thanks a lot for this report. I have checked it and you are right. A small typo prevented the use of tls. I have fixed it and released ADI 0.9.7.

Omar Solis 26 August 2009

I just installed 0.97 and activated the plugin with WP 2.8.x, but I think I missed something or didn't activate another plugin; now I can't log in as an admin. I'm getting "Fatal error: Call to undefined function ldap_connect()". If this is not the place to ask please let me know, thanks. Omar.

jc513 26 August 2009

ADI 0.9.7 works as advertised. The connection is now over TLS and the packets are encrypted.

For those not familiar with AD and SSL/TLS check out:

http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl

jc513 26 August 2009

Feature request: Ability to edit local accounts password.

This may come into play with the MU product functionality needs but right now in single user WordPress I have a couple of “resource” accounts that are not in AD (and won’t be). I can edit most of the local users info but I have to deactivate the AD plugin to change the password. Even creating new local accounts there is no password option when the plugin is active. Deactivating is workable but a little annoying doing the extra steps.

cst 27 August 2009

@OMAR: Looks like you have no LDAP support installed on your host. Look here for installation instructions: http://www.php.net/manual/en/ldap.installation.php

cst 27 August 2009

@Jim: I added a new option “Enable local password changes”. Use the development version for testing.

jc513 30 August 2009

Did some very basic testing. Good news first. I now have the ability to edit passwords of current local users. I can create a local user with a password. I can change the local password of an AD-generated account and still log in with the AD password and not the newly changed one (which to me is good). Now the bad news. Newly created local accounts created with the plug-in active can NOT log in. Local accounts can NOT log in with the plug-in deactivated if they were created when the plug-in was active. Local accounts can have their password changed with the plug-in deactivated and then they can log in. Local accounts created with the plug-in deactivated work when the plug-in is active — just don't change the password or it breaks as mentioned above.

Secret Key/SALT mismatch or something?

jc513 8 September 2009

Different problem… somewhere around 0.9.6 (using 0.9.7) I no longer have the adintegration table. I am getting the following in my error logs.

WordPress database error Table 'testdb.wp_qa_adintegration' doesn't exist for query INSERT INTO wp_qa_adintegration (user_login, failed_login_time) VALUES ('test1',1251728352) made by wp_signon, wp_authenticate, apply_filters, call_user_func_array, ADIntegrationPlugin->authenticate, ADIntegrationPlugin->ad_authenticate, ADIntegrationPlugin->_store_failed_login, referer: http://…..

Also receiving errors around activation and deactivation of plugin. I believe this is where the table is created and deleted.

ajay 10 September 2009

Hi People,

What does this error mean? I don't get anything in the logs, nor can I log in with the Active Directory username and password.
The only thing in the httpd error log is "[Thu Sep 10 17:50:54 2009] [error] [client 10.3.50.12] File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css"

Your help would be greatly appreciated.
Aj

Lori Dabbs 11 September 2009

I enabled your plugin yesterday and it works great.
I'd like to find out if I can list multiple Active Directory groups to authorize against. Can I list two with a comma separation?
Under: Authorization / Authorize by group membership
Thanks for your time

Mo 14 September 2009

Hey there… Great plugin! I would love to get this working on my site. The problem is, even after I insert all of the information necessary to make it work, when I attempt to login at the wp-login screen, all I get is an Invalid username. I’m not sure how to check if it is hitting my AD, but I have the following areas populated:
Domain Controllers
Base DN
Account Suffix
Authorize by group membership

Any thoughts as to why it isn’t working for me?

I was able to install the original plugin by Jonathan Marc Bearak and that one worked, however I want to use the additional functionality you have in yours, such as specifying the display name.

Thanks in advance!

Maurice-

cst 18 September 2009

Hi Lori,
right now only one group is possible for authorization. But you can replace the method _check_authorization_by_group() near line 902 in ad-integration.php with the code below. Then you can use multiple groups separated by a semicolon (e.g. “group1;group2;group3”). This change will be part of the next version.

    // Returns true if the user may log in: either the group check is disabled,
    // or the user is a member of at least one of the semicolon-separated groups
    // configured in $this->_authorization_group.
    protected function _check_authorization_by_group($username) {
        if ($this->_authorize_by_group) {
            $authorization_groups = explode(';', $this->_authorization_group);
            foreach ($authorization_groups as $authorization_group) {
                // third parameter: also check nested (recursive) group membership
                if ($this->_adldap->user_ingroup($username, $authorization_group, true)) {
                    return true;
                }
            }
            return false;
        } else {
            return true;
        }
    }

cst 18 September 2009

Hi ajay,
which version of the plugin do you use?

cst 19 September 2009

Hi Mo,
you need to fill in the following information:
* Domain Controller
* Port (only if you use a non-standard port)
* Bind User
* Bind User Password
* BASE DN
* Account Suffix (don't forget a leading @)

Authorization group is not needed. Don't use it at first. If you can log on without it, then try to enable it and see if it works.

Stefan 22 September 2009

Hi,
brilliant plugin … just one question … is there a way to create a user with additional fields from the AD?
regards, Stefan

bheil 24 September 2009

I’ve been using Jonathan Marc Bearak’s version of ADI until I found your version – great to see this plug-in being updated! Since I upgraded to WP 2.8.4 it seems that I’ve got problems logging in with and changing passwords of local IDs, I think this is the same problem as jc513 reported back in August.
Seems slightly different however. If I create a new local user in the Users control panel (Add New) I get an entirely different password sent to me via email than what I entered while creating the user. I can log in with the password that was sent to me, but not with the one I entered. If I deactivate the ADI plugin then the passwords seem to work correctly.
With the ADI plugin active I can’t log in with the original Admin account (and I can’t change the password to one that works!). AD authentication works great however!

BagNin 30 September 2009

Hi cst,

I have the same problem as Ajay.
"File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css" in Apache's error log

Running on Windows 2k3, PHP 5.2.9, Apache 2.2.11, MySQL 5.0.51
Latest plugin

Please advise.

Thanks,
Bag

cst 30 September 2009

Hi Stefan,
which fields do you mean? Can you specify that in more detail?

cst 30 September 2009

Hi BagNin,
Hi ajay,
I updated the development version: http://downloads.wordpress.org/plugin/active-directory-integration.zip.

Let me know, if this solves the problem.

BagNin 30 September 2009

Still no luck for me :-(

192.168.1.147 - - [30/Sep/2009:17:50:56 +0700] "GET /blog/wp-login.php HTTP/1.1" 500 -
192.168.1.147 - - [30/Sep/2009:17:51:01 +0700] "GET /blog/wp-login.php HTTP/1.1" 500 -

Bag

BagNin 30 September 2009

Ahhh …. I am deeply sorry …
It works fine after I put a 'magnifying glass' on the settings ….

Excellent scripts, appreciate !
BagNin

Johan Carlsson 12 October 2009

Hi!

Just wanted to say you're doing great work with this plugin. I'm using WordPressMU and can't wait for your plugin to support it. I have been trying out v0.97 but unfortunately it's been far too unstable. The thing is though: I'm able to get it to work properly but it loses all its settings several times a day, why I don't know.

Looking to the WordPressMU compatible v1.0! Cheers! :-D

Thomas Berglund 13 October 2009

Hello,

Thank you so much for making this plugin!

Do you have any guidelines or more examples for the options “Authorize by group membership” and “Users are authorized for login only when they are members of a specific AD group.”?

I have tried many different groups, but I can not get it to work.

Thanks again for your effort with this plugin. Great work!

Thomas

Paul Sterley 14 October 2009

I have the same issue Mo posted. I have followed every instruction as carefully as I could but it simply will not work.

Is it necessary for the entire blog to be SSL for this to work? I did go that route, and it still did not work.

I’d like to be able to enable AD authentication without using SSL. I am not concerned with packet sniffing on the LAN.

The “Active Directory Authentication” plug-in by Jonathan Marc Bearak does work for me, but I would like the extra capabilities of the new one.

I am running WP 2.8.4, freshly installed today with PHP 5.3.0. The LDAP option is enabled in PHP.

Can you help?

cst 14 October 2009

Hi Paul,
SSL is not necessary but recommended. If you don't need it, don't use it. Simply use port 389 and deactivate the "Use TLS" option. If you still have problems, send me an email.

cst 14 October 2009

Hi Thomas,
it should be simple. Create a new security group in AD (with the "Active Directory Users and Computers" snap-in), name it "wordpress-users" or something similar and add one or more users. The new group and the users must be placed in the tree below the base dn (e.g. ou=unit,dc=domain,dc=tld). On the plug-in options page activate "Authorize by group membership" and enter the name of the created group ("wordpress-users" or whatever you have chosen). Now, only users who are members of this group should be able to log on. If you have multiple groups, separate them by a semicolon (e.g. "domain-users;wordpress-users;test-users").

To test the option "Role Equivalent Groups" add a completely new user to the security group "wordpress-users". Enter "wordpress-users=author" in the respective options field. If you try to log on with the new user now, he is created automatically in your WordPress DB with the role "author". Separate multiple group combinations by semicolon (";"), e.g. "wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber". A user will be created based on the first match, from left to right, so you should obviously put the more powerful groups first.

If you can not get it to work, send me an email.
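
An added example (not part of cst's reply and not the plugin's code) that implements the two settings described in the reply above as plain PHP functions: the semicolon-separated authorization group list, and the "group=role" list resolved with first-match-wins semantics. It assumes the user's group names arrive as a simple array, compares group names case-insensitively (an assumption of this example), and skips a malformed "group=role" entry instead of granting a role for it.

```php
<?php
// Added example, not the plugin's own code.

// "group1;group2" -> true if the user is in any listed group. An empty
// setting means the option is not used and everybody is authorized.
function is_authorized_by_group(array $userGroups, $setting) {
    $setting = trim($setting);
    if ($setting === '') {
        return true;
    }
    $userGroups = array_map('strtolower', $userGroups);
    foreach (explode(';', $setting) as $group) {
        $group = strtolower(trim($group));
        if ($group !== '' && in_array($group, $userGroups, true)) {
            return true;
        }
    }
    return false;
}

// "group=role;group=role" -> ordered list of (group, role) pairs. Entries
// without '=' or with an empty side are skipped rather than guessed.
function parse_role_equivalent_groups($setting) {
    $pairs = array();
    foreach (explode(';', $setting) as $entry) {
        if (strpos($entry, '=') === false) {
            continue;
        }
        list($group, $role) = explode('=', $entry, 2);
        $group = strtolower(trim($group));
        $role  = trim($role);
        if ($group !== '' && $role !== '') {
            $pairs[] = array($group, $role);
        }
    }
    return $pairs;
}

// First match from left to right wins, so the more powerful groups must be
// listed first. $default applies when no configured group matches.
function resolve_role(array $userGroups, array $pairs, $default = 'subscriber') {
    $userGroups = array_map('strtolower', $userGroups);
    foreach ($pairs as $pair) {
        list($group, $role) = $pair;
        if (in_array($group, $userGroups, true)) {
            return $role;
        }
    }
    return $default;
}

// Constructed sample data: the group list of one test user.
$userGroups = array('Domain Users', 'wordpress-users', 'wordpress-admins');

$pairs = parse_role_equivalent_groups(
    'wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber'
);
printf("authorized: %s\n", is_authorized_by_group($userGroups, 'domain-users;wordpress-users') ? 'yes' : 'no');
printf("role: %s\n", resolve_role($userGroups, $pairs));

// Same user, but the list is given in the opposite order.
$reversed = parse_role_equivalent_groups('wordpress-users=author;wordpress-admins=administrator');
printf("role (reversed list): %s\n", resolve_role($userGroups, $reversed));
```

With the sample data the user is authorized (wordpress-users is in the list) and gets the administrator role, although he is also in wordpress-users, because wordpress-admins is listed first; with the reversed list the same user only gets author. That is the reason for the advice to put the more powerful groups first.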

Paul Sterley 15 October 2009

Well, I converted the entire site to SSL and tried again. The first error I got was that TLS did not work. As I understand it, TLS requires some extra setup on the AD server, which was not covered in the installation documentation for this plug-in. I don't know how to do it. So I unchecked it. I am OK with the back-end traffic on the LAN transmitting plain-text passwords, as long as SSL covers them when the users type them in over the internet.

However, with TLS unchecked, it simply fails to work at all, with no error message. It simply tells me that the username or password is not valid.

It’s quite frustrating to read the installation instructions which say it’s quite easy, and include just a few easy steps, and then fail so utterly as I have after hours of working on this, and I am not an idiot user.

Has anyone tested this plug-in on WordPress 2.8.4 with a Windows 2008 Active Directory?

It seems that this SHOULD be simple, but it is not working. I don’t think I am missing any steps, especially if TLS is not required. Any ideas?

Also, I thought I would e-mail as your earlier reply asked me to, but I could not find an e-mail address on your blog or in the readme file.

Paul Sterley 17 October 2009

Well, since I couldn’t get it to authenticate, I went with the “Active Directory Authentication” plug-in by Jonathan Marc Bearak. Not as many whiz-bangs, but at least it works.

cst 2 November 2009

Hi Thomas,
do you use a “bind user”?

Flo 24 November 2009

Hi,

I’ve done some modification to your plugins
* allow to use CAS (code from wpCAS), but use other Active Directory functions (like user creation, …)
* use SSL and not only TLS ( or use URI like ldaps://)

I’ve also done some (bad…) modification to ad_ldap classes because I use openLDAP and not Active Directory.

If you’re interested, send me an email, and I ‘ll send diff.

Your plugin is great.

Best

cst 24 November 2009

Hi Florian,
sounds great. Send me your diff.

Flo 24 November 2009

Is info@ecw.de the right email?

for your planned «support different port for different server», you can just try to use a check if hostname/domain controller are URI or not.

if hostname begin with ldap:// or ldaps://, it’s an URI => don’t set port.

I use URI with your plugins before adding the SSL option.

Best

cst 24 November 2009

Please send the diff to cst@ecw.de.

Thanks

eric 2 December 2009

I use the plugin with Windows 2008 AD, iis7+php. The problem is that if I enable TLS, I got

[ERROR] adLDAP exception: Bind to Active Directory failed. TLS didn´t work. AD said: Connect error

The plugin works if TlS is disabled. I have

[PHP_OPENSSL]
extension=php_openssl.dll

in php.ini. Is there any special settings on the AD and/or somewhere else? Thanks.

cst 3 December 2009

Hi Eric,
do you use self-signed certificates? Then you have to configure OpenLDAP. Put the following line into the file ldap.conf on your webserver.
TLS_REQCERT never
If the webserver runs on a Windows machine the configuration file ldap.conf has to reside in the directory C:\openldap\sysconf\. If it doesn't already exist, create the directories and the file with the line above.

If this doesn’t help, let me know.

George 4 December 2009

Hi,

I’m having a similar problem as Paul Sterly where I can successfully use the AD authentication plugin (with HTTPS) but not this plugin. The Base DN is the same, I’ve tried turning on and off the Automatic User Creation. Is the Bind User required? I’ve tried leaving it blank and tried using the AD admin credentials without success. Who is the Bind User?

I noticed the test tool does not properly use input credentials, i.e. the username field is passed as the password while the password field is not passed at all. See below where I’ve left the Bind User blank.

AD Integration Logon Test

openLDAP installed

[INFO] method authenticate() called
[INFO] WP version: abc
[NOTICE] username:
[DEBUG] password: username
[INFO] loading options…
[INFO] Options for adLDAP connection:
– account_suffix: @
– base_dn: ou=,dc=,dc=,dc=,dc=
– domain_controllers:
– ad_username:
– ad_password:
– ad_port: 389
– use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “”

Logon failed

If I test with a Bind User (the AD admin in this case) I get this error:

[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials

Any ideas where I'm going wrong here? I'm pretty sure it's just a matter of correct configuration, so maybe a working example would solve it? This is on a Debian Linux host and up-to-date Windows 2003 Server R2 SP2. Thanks and great work on what would be a fantastic plugin.

G

Olly 7 December 2009

Hi Eric,

thanks for the great plugin.

I am using the latest version 0.9.9.3 against MS AD 2003 and everything works like a charm. When logging in for the first time the user is created and the fields 'Username', 'Nickname', 'Display name publicly as' and 'E-mail' in the Profile are filled in correctly.

The fields ‘First name’ and ‘Last name’ however stay empty.

As it’s been requested to sign every blog entry with the full username, I’m missing this option from the drop down field ‘Display name publicly as’.
Selecting ‘CN (Common name, the whole name)’ from the plugin settings menu doesn’t help either.

Any idea, what I’m missing here?

Thanks

cst 8 December 2009

Hi Olly,
Don’t know why First name and Last name are staying empty. I’ll have a look at this.

Greetings
Christoph

cst 8 December 2009

Hi George,
let's see if I can help. The bind user is a user that is used to log on to the Active Directory. This user should have the privileges to read everything and (for security reasons) no write privilege. A bind user is not strictly needed. Here is a little German how-to on setting up a special user with full read but no write privilege: http://wap.ecw.de/archives/993. For testing purposes you can use a domain administrator's account. Don't forget to include the domain (e.g. "administrator@mydomain.local").

The behavior of the test tool in your installation is weird. Which version of WordPress do you use?

If you have some information that should not show up on this site, send me an email.

Greetz
Christoph

Robbie Greenwell 11 December 2009

Great plugin but I have one question. I set up SSL over LDAP on Windows 2003. Unfortunately it looks like it only listens on port 636. Is there a way for the plug-in to use TLS and port 389? If not, have you heard of a way to force Microsoft to look at that port?

cst 14 December 2009

Olly informed me that everything is working now. He had a typo in the options.

cst 14 December 2009

Hi Robbie,
I don’t know exactly what your problem is. If you use LDAP over SSL then Windows uses port 636. If you use (START_) TLS then the port is 389 because the encryption is started after the first connection on port 389 is established. If you use a firewall with DNAT (port forwarding etc.) or non standard ports on your Windows server and you need a different port you can enter this on the options page.
Please be more specific, so I can help you.

Robbie Greenwell 14 December 2009

Okay, sorry for the confusion; but I think I am confused as well.

No firewall is in place between the LDAP server and the Web Server. Microsoft uses port 636 but the AD Integration is using port 389. I thought if the Integration tool initiates a secure connection it is going to use port 389, whereas our Domain controllers are listening on port 636; so then it won't be able to connect. I was hoping there was a way to tell the AD tool to use port 636 for its Secure LDAP so it will get an answer from our Domain controllers. Right now as soon as we turn that feature on we can't log on to our page; with it off it works fine.

Am I looking at this wrong?

Thanks for your help.

Vincent 15 December 2009

I'm still struggling with the following. I can log in using AD user name and password but local passwords for the same account didn't work. Any solutions? Or do I need to deactivate the plugin for it to work?

cst 15 December 2009

Hi Vincent,
you are right, there was an error with local passwords. The password stored in the WordPress database was always set to a randomly generated one, every time you changed the local password. I fixed it in 0.9.9.4. You can download the updated version in a few minutes from wordpress.org.

Brian 29 December 2009

Hi,

Congratulations on making a terrific AD authentication solution. Everything else returned cryptic errors, but yours was a joy to use.

Only one small issue. On logout, I get the error “The page cannot be displayed because an internal server error has occurred.” I am located on the page wp-login.php?action=logout when this happens. Any idea why this might be happening?

Thanks

cst 29 December 2009

Hi Brian,
don't know what's going wrong at this point. I'll have a look at this in January and give you feedback as soon as possible.

Greetings from Germany

John Butera 5 February 2010

Hi, love the plug-in. Any word on when the MU support will be there?

cst 8 February 2010

Hi John,
I don’t know exactly when I will find the time to complete the MU support. I hope an improved version with MU support will be out in the first quarter 2010.

John Butera 17 February 2010

Hi

I left you a message last week about MU support. My company would be interested in paying you if you could get MU working in a reasonable amount of time. You can contact me by the email that I provided in this post.

Thanks
John

dave 22 February 2010

Hello
The plugin looks very interesting; we will test it for our school and, if it works out, will gladly send you a link.
A general question about the plugin: Can I lock down WP completely, so that no access to content is possible without logging in? And: Can I use the plugin to define which users/groups may see which content?
Thanks, Dave

cst 22 February 2010

Hello Dave.

  1. Locking everything down so that no access is possible without logging in is best done with the Registered Only plugin.
  2. For specific user and group permissions you need further complementary plugins, such as Role Scoper.

Timo 5 March 2010

@George:
The problem is based on the fact that AD-Integration does not use the dn to authenticate, but the password. In your case it will help to add the following lines to your ad-integration.php:

Line 384 (should be there already):
$this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
Add the following lines below the line above:
$userinfo=$this->_adldap->user_info($username);
$dn=$userinfo[0]["dn"];

then find the line where it says
if ( $this->_adldap->authenticate($username, $password) )
(should be line 419 by then) and change it to:
if ( $this->_adldap->authenticate($dn, $password) )

this should solve all problems since it sends the dn instead of the username.
I had the problem myself and these few lines solve the problem of a server not accepting your credentials, although you're 100% sure they're right.

Jimsearbim 17 March 2010

I have installed the AD Integration plugin (v.996) into WP (v2.9.1) and can get it to authenticate to our AD by specifying port 389 both with and without TLS.

Our AD server also has an ssl encrypted port 636. When I specify the plugin to use port 636 (no TLS) and run the Test Tool I get:

[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can’t contact LDAP server.

The only thing I’m changing on the server configuration page for the plugin is the port number (389 to 636) and disabling TLS, so the credentials should be fine. After much reading and fiddling with ldap.conf and other parameters I’m concluding that the plugin cannot handle a SSL connection. Is that correct? Should I assume this plugin can only connect to a non-encrypted port (e.g., 389) and can use TLS as a way to secure that connection, and SSL is not something the plugin can handle?

If so that is fine, but if it can handle making an SSL connection via port 636 that would be best.

Thanks for this plugin. It will make our wordpress installation much easier to accept by our users, who groan when they hear they need to remember a new account and password (don’t we all).

cst 18 March 2010

Hi Jimsearbim,
if TLS works for you, SSL isn’t needed. LDAPS communication to Active Directory on port 636 is deprecated.

But you can try the following: add “ldaps://” to domain controller, specify port 636 and uncheck “use TLS”. Hope this works. If not, write back.

Jimsearbim 18 March 2010

I added the ldaps:// to each of the domain controllers I have in a semicolon separated list (e.g., ldaps://dc.example.com;…) with 636 as the port and TLS unchecked AND IT WORKED! Thanks for the quick and helpful reply!
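
An added example (not the plugin's code and not from any commenter) that combines two points from this thread: Flo's suggestion to check whether a domain controller entry is an ldap:// or ldaps:// URI and, if so, not to apply the configured port, and the semicolon-separated ldaps:// list that worked for Jimsearbim. It assumes the "Domain Controllers" setting is a semicolon-separated string and treats the "Use TLS" option as StartTLS, which only makes sense on a plain ldap connection; the function name and the returned array keys are this example's own.

```php
<?php
// Added example, not the plugin's own code.

// Splits the "Domain Controllers" setting into one entry per server and
// decides how each one is to be connected. A URI keeps its own scheme and
// port; a plain hostname gets the configured port and the TLS option.
function parse_domain_controllers($setting, $port, $useTls) {
    $servers = array();
    foreach (explode(';', $setting) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if (preg_match('#^(ldaps?)://#i', $entry, $m)) {
            $scheme = strtolower($m[1]);
            $parts  = parse_url($entry);
            if ($parts === false || empty($parts['host'])) {
                continue; // malformed URI: skip it rather than guess a host
            }
            $ldaps = ($scheme === 'ldaps');
            $servers[] = array(
                'uri'      => $entry,
                'host'     => $parts['host'],
                'port'     => isset($parts['port']) ? (int) $parts['port'] : ($ldaps ? 636 : 389),
                'ldaps'    => $ldaps,
                // StartTLS on top of an ldaps:// session would fail, so it is
                // switched off for ldaps:// entries.
                'starttls' => $useTls && !$ldaps,
                'warning'  => ($useTls && $ldaps) ? 'Use TLS is ignored for an ldaps:// URI' : '',
            );
        } else {
            $servers[] = array(
                'uri'      => 'ldap://' . $entry . ':' . (int) $port,
                'host'     => $entry,
                'port'     => (int) $port,
                'ldaps'    => false,
                'starttls' => (bool) $useTls,
                // Plain LDAP against the SSL port is the "Can't contact LDAP
                // server" failure seen earlier in this thread.
                'warning'  => ((int) $port === 636) ? 'port 636 expects SSL, use an ldaps:// URI' : '',
            );
        }
    }
    return $servers;
}

// Constructed sample setting mixing the three forms, with port 636 and
// "Use TLS" unchecked, as in the failing configuration above.
$servers = parse_domain_controllers(
    'ldaps://dc1.example.com; dc2.example.com; ldap://dc3.example.com:3268; dc4.example.com',
    636,
    false
);
foreach ($servers as $s) {
    printf("%-32s host=%-16s port=%-5d ldaps=%-5s starttls=%-5s %s\n",
        $s['uri'], $s['host'], $s['port'],
        $s['ldaps'] ? 'true' : 'false',
        $s['starttls'] ? 'true' : 'false',
        $s['warning']);
}
```

The reason the ldaps:// prefix works at all is that PHP's ldap_connect() accepts a full LDAP URI in its host argument and then ignores the separate port argument, which is exactly the "is it a URI or a hostname" distinction the function above makes before anything is passed to the LDAP library.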

Jimsearbim 25 March 2010

The documentation says I can control access to a wordpress blog using this plugin and specifying AD groups. That is great but what if I also want to add individuals? For example, could I specify an AD group like “Faculty” and one student like “joe@domain.com” to allow access to all faculty and the student Joe? If not then each blog installation, and I plan many, would need its own AD group for access control. I’m trying to avoid that if possible and only use existing AD groups and supplement with individuals.

Danny G Smith 15. April 2010

Are there any tricks to getting this to work with 3.0 beta 1? I have excluded some of the details, as we are not using tls at this point, may in the future. Any help would be appreciated, as my company really wants ad to be used.

openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0-beta1
[INFO] loading options…
ad_port: 389 – use_tls:
[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials
Logon failed

cst 16 April 2010

Hi Danny,
ADI wasn't tested with 3.0 beta so far. I'll do it in the next days. But I think your problems have nothing to do with WP 3.0. Does it work with WP 2.9?

Tim 16 April 2010

I’ve made some modifications to make it work a little better in WordPress MU. Seems to be working well, now, or at least the way I’m using it.

I’m happy to send a diff if you’d like. Notably:

1) saving settings on one setup tab doesn’t blank the values on the others
2) the WP_PLUGIN_URL stuff is correctly using WPMU_PLUGIN_URL where necessary when IS_WPMU is set.

Thanks for the plugin!

cst 19 April 2010

Hi Tim!
Sounds good. It’ll be nice if you send the diff, so I can add it to the source.

Ragnar 12 May 2010

Hi!

The plugin works great! Except our environment has multiple OU's. So the Base DN looks like this:
ou=nordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – and all users in "nordnorge" work great. But we also have users in for example:
ou=sornorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no that don't work. And that's why I tried this:
ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – which doesn't work at all. I also tried:

ou=nordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no;ou=sordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – but no dice :-/

Anyone know how I can add more than one OU? Or make this plugin look deeper into our main OU ?

Jimsearbim 16 June 2010

I see in the roadmap:

"authenticate against multiple domains (perhaps, have to think about)"

I could really use this feature. It looks like this was done (hacked) a while ago for the AD Authentication plugin:

http://blog.ktdreyer.com/2009/03/authenticating-wordpress-with-multiple.html

It would be a good option for those, like me, with multiple domains, even if the username had to include the domain. I'm already doing this using the Plexcel mediawiki plugin that allows AD authentication from multiple domains, and our users do not mind entering their domain as part of their username (e.g., domain\username or username@domain.tld)

matt 16 June 2010

Hello, I'm not sure where to submit bug reports / patches and am wondering if there is a bug in adLDAP.php — specifically in the user_groups function. I believe this:

$info=@$this->user_info($username,array("memberof","primarygroupid"));

should actually be this:

$info=@$this->user_info($username,array("memberof","primarygroupid","objectsid"));

Without setting objectsid, the user_info will never find the real_primary group…

A variation of this bug may also appear in the contact_groups / contact_info functions which have similar syntax, and the following in contact_info is almost certainly wrong since it checks for “primarygroupid” twice and then uses objectsid a few lines later:

if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){

Thanks,

–M
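
An added example, not adLDAP's code and not part of matt's comment, showing why objectsid has to be fetched together with primarygroupid: a user's primary group does not appear in memberOf, and its SID is the user's own SID with the last sub-authority (the RID) replaced by primarygroupid, so without objectsid there is nothing to derive it from. The binary SID layout decoded here is the standard one (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities); the function names and the sample SID are this example's own.

```php
<?php
// Added example, not adLDAP's own code.

// Decodes a binary objectSid (as returned by LDAP) into "S-1-5-21-..." form.
// Returns false on a truncated value instead of producing a partial SID.
function sid_bin_to_string($bin) {
    if (strlen($bin) < 8) {
        return false;
    }
    $revision = ord($bin[0]);
    $count    = ord($bin[1]);
    if (strlen($bin) < 8 + 4 * $count) {
        return false;
    }
    // 6-byte big-endian identifier authority (bytes 2..7)
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $sid = 'S-' . $revision . '-' . $authority;
    // $count sub-authorities, each a 32-bit little-endian integer
    for ($i = 0; $i < $count; $i++) {
        $sub = unpack('V', substr($bin, 8 + 4 * $i, 4));
        $sid .= '-' . $sub[1];
    }
    return $sid;
}

// The primary group SID is the user's SID with the RID (last sub-authority)
// replaced by the primarygroupid attribute. The group object can then be
// looked up by searching for that objectSid.
function primary_group_sid($userSidBin, $primaryGroupId) {
    $userSid = sid_bin_to_string($userSidBin);
    if ($userSid === false) {
        return false;
    }
    return preg_replace('/-\d+$/', '-' . (int) $primaryGroupId, $userSid);
}

// Constructed sample: a user with SID S-1-5-21-1-2-3-1105 whose
// primarygroupid is 513 (the well-known RID of "Domain Users").
$userSidBin = pack('C2', 1, 5)                 // revision 1, five sub-authorities
            . "\x00\x00\x00\x00\x00\x05"       // identifier authority 5 (NT)
            . pack('V5', 21, 1, 2, 3, 1105);   // 21-<domain>-<RID>

printf("user SID:          %s\n", sid_bin_to_string($userSidBin));
printf("primary group SID: %s\n", primary_group_sid($userSidBin, 513));
```

With the sample data the user SID decodes to S-1-5-21-1-2-3-1105 and the primary group SID is S-1-5-21-1-2-3-513; a group-membership check that only reads memberOf and primarygroupid, without the objectsid needed for this step, never sees that group.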

Ken 21 June 2010

Hi there,

Just wondering will the plugin automatically log user in?
I have the plugin installed in WordPress 3, it creates and maps groups fine, but user still have to sign in manually

Thanks,
Ken

cst 22 June 2010

There is a bug in automatic user creation with WP 3.0. This is fixed quick and dirty in the development version. I will release 0.9.9.9 very soon.

Jimsearbim 25 June 2010

Does this plugin do any logging of its activities, or is my only source of information on what this plugin is doing located in the web server's logs? For example, how could I find the number of users who successfully used this plugin to log in, who tried to log in but failed, what the responses were from the AD server, etc?

Jimsearbim 25 June 2010

I just updated to WordPress 3.0 and AD Integration 0.9.9.9 (from WP 2.9.1 and AD Integration 0.9.9.7) and I can no longer login using an AD account as I could before. The test tool says “Authentication successful” but then says “Authentication by group failed”. The specified group has not changed and is Domain Users (all users). Any help appreciated. I am using port 389 w/TLS.

Jimsearbim 25 June 2010

Update: When I replace the 0.9.9.9 plugin with 0.9.8 it works again.

cst 28 June 2010

For me it works. But could you please replace the file ad_ldap/adLDAP.php with the old one which comes with version 0.9.8 and tell me if it works like it should.

Jimsearbim 1 July 2010

Yes, that worked. Thanks!

James Delaney 2 July 2010

Hi

I'm pretty new to WordPress and am currently running 3.0 on a development WAMP install.

I've successfully installed your plugin and it looks like it will work really well. Unfortunately though I cannot now log in using my admin account – it is forcing me to use Active Directory yet I have not specified an Active Directory user to be an admin.

Help! :-)

cst 2. Juli 2010

Just disable the plugin. There are several ways to do that:

http://www.stephanmiller.com/deactivate-wordpress-plugins-through-phpmyadmin/
Use ftp to remove the folder ../wp-content/plugins/ad-integration

Let me know if you need further help. By the way: you should always have an administrative account that is not authorized by active directory, which means the username should not exist in active directory.

James Delaney 2. Juli 2010

Thanks, I’ll give that a try to get me back in, but do you have any idea why it won’t authorise with my default WP admin account when the plugin is enabled?

Robert 2. Juli 2010

Hi
I’ve installed your plugin in wordpressmu.

The user authentication test works. I’ve set the authorization by group membership. However I have this message:

[WARN] Authorization by group failed. User is not authorized.

any idea where to look ? Thanks in advance.

Vincent Martineau 6. Juli 2010

Nice plugin but I have one question.
When the user name contains a space (like “john smith”), the test tool reports this error:
[NOTICE] Authentication successfull
[NOTICE] cleaning up failed logins for user “john smith”
[WARN] Authorization by group failed. User is not authorized.

But if I remove the space in the name (like “john”), the test tool reports no error and the user is created in the WP database.

What is wrong?

Ryan 16. Juli 2010

I’m working with a clean install of wordpress 3.0 and have activated your plugin. I set everything up for using an ldaps server on port 636. When I test the connections everything returns as:

[ERROR] Authentication failed
[WARN] storing failed login for user “username”

username/passwords are correct. Any means of seeing what is actually causing the auth failure?

admin 19. Juli 2010

Hi Ryan,
there are so many possible reasons. Have you set the correct BASE DN? Anyway: send me the report from the test tool (after changing confidential data). I’ll see what I can do for you.

Ryan 20. Juli 2010

The base dn should be ok. I’m using it successfully in other web apps that do AD integration. Also worth noting, it binds to AD just fine. If I enter a bad bind user it actually gives me an error when trying. So it’s at least connecting to the domain controller.

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0
[NOTICE] username: username
[DEBUG] password: password
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: DC=our,DC=domain,DC=edu
- domain_controllers: ldaps://our.domain.controller.edu
- ad_username: binduser@our.domain.edu
- ad_password: bind_password
- ad_port: 636
- use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 5
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “rsanders”
Logon failed

Denise 20. Juli 2010

Thanks for this great plugin! Is it possible to have a user directed only to one site upon login within a multi-site blog, and, if so, how would one do that? Thanks again.

Ryan 20. Juli 2010

I got this working. Simple mistake on my end. Nothing a few debug statements couldn’t help solve.

Peter B 22. Juli 2010

Ryan -

We are having that same error… Would you mind sharing your solution?

Thanks

cst 23. Juli 2010

On multi-site blogs (since WordPress 3.0) every single blog has its own ADI configuration. No redirection is needed. But maybe I didn’t get what you mean.

Ken 26. Juli 2010

Hi,
I need to put this after line 482 in adLDAP.php file to avoid ldap_search filter warning

if (stristr($group_name, '+')) {
    $group_name = stripslashes($group_name);
}

the patch is from adLDAP.php 3.3.1

Can you please append this in the next update so I don’t need to manually edit the class every time?

Cheers
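
Both Ken's group name containing “+” and Vincent's user name containing a space are values that end up inside an LDAP query, and the robust way to handle such characters is to escape them for the context they are used in rather than to strip or add backslashes. The block below is an added example in PHP, not adLDAP's or the plugin's code: `ldap_escape_filter` implements RFC 4515 search-filter escaping, `ldap_escape_dn` implements RFC 4514 DN escaping, and `build_group_filter`/`build_group_dn` show the two contexts side by side. The filter shape, the function names, the sample group names and the base DN are assumptions; PHP 5.6 and later ship `ldap_escape()` with `LDAP_ESCAPE_FILTER` and `LDAP_ESCAPE_DN` for the same purpose. The `stripslashes` step is the most plausible reading of Ken's fix (undoing the backslashes that `magic_quotes_gpc` adds to form input in PHP versions before 5.4) and has not been verified against adLDAP.

```php
<?php
// Escape a value for use inside an LDAP search filter (RFC 4515).
// Only backslash, '*', '(', ')' and NUL are special there; each becomes
// a backslash followed by two hex digits. Space and '+' are NOT special.
function ldap_escape_filter($value) {
    $map = array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    );
    return strtr((string) $value, $map);
}

// Escape a value for use as an attribute value inside a DN (RFC 4514).
// Here the special set is different: '"', '+', ',', ';', '<', '>', backslash,
// NUL, a leading '#' or space, and a trailing space. strtr() replaces each
// character once, so the inserted backslashes are not escaped again.
function ldap_escape_dn($value) {
    $map = array(
        '\\'   => '\\\\',
        '"'    => '\"',
        '+'    => '\+',
        ','    => '\,',
        ';'    => '\;',
        '<'    => '\<',
        '>'    => '\>',
        "\x00" => '\00',
    );
    $out = strtr((string) $value, $map);
    if ($out !== '' && ($out[0] === '#' || $out[0] === ' ')) {
        $out = '\\' . $out;
    }
    if ($out !== '' && substr($out, -1) === ' ') {
        $out = substr($out, 0, -1) . '\ ';
    }
    return $out;
}

// Undo magic_quotes_gpc, which (before PHP 5.4) adds backslashes to form
// input. A raw backslash left in a filter, e.g. "Research\+Dev", is not a
// valid RFC 4515 escape and makes ldap_search() reject the filter.
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Hypothetical group lookup filter; adLDAP's own query may differ.
function build_group_filter($group_name) {
    $group_name = undo_magic_quotes($group_name);
    return '(&(objectCategory=group)(cn=' . ldap_escape_filter($group_name) . '))';
}

// Hypothetical group DN; here '+' must be escaped, in the filter it must not.
function build_group_dn($group_name, $base_dn) {
    $group_name = undo_magic_quotes($group_name);
    return 'CN=' . ldap_escape_dn($group_name) . ',' . $base_dn;
}

// Constructed sample values (not taken from the logs in this thread):
// a name with a space, a name with '+', and a name with filter metacharacters.
$samples = array('Domain Users', 'Research+Dev', 'bad*name)');
foreach ($samples as $name) {
    printf("%-14s filter: %-46s dn: %s\n",
        $name,
        build_group_filter($name),
        build_group_dn($name, 'OU=Groups,DC=example,DC=com'));
}
```

The point of keeping two escapers is that the same string is safe in one context and dangerous in the other: a space needs no escaping anywhere, “+” is harmless in a filter but must become `\+` in a DN, and `*` or `)` are harmless in a DN but would change the meaning of a filter if passed through unescaped.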

AX64 26. Juli 2010

Running Plugin Version 0.9.9.9
I’m running wordpress internally so it’s not a public site.

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 2.9.1
[NOTICE] username: admin
[DEBUG] password: adminpassword
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: OU=CA,DC=americas,DC=company,DC=com
- domain_controllers: servername
- ad_username: aduser@americas.company.com
- ad_password: password
- ad_port: 389
- use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “admin”
Logon failed

Any suggestions would be appreciated.

cst 26. Juli 2010

Hi Ken,
thanks a lot for your fix. I’ll add it to 1.0, which comes very soon.

cst 26. Juli 2010

Hi AX64,
try to login with full username like user@domain.com or enter an account suffix. Let me know if this works.

Peter B 27. Juli 2010

I’m using AD 2008 here and some users (domain admins) can authenticate, but no other users can. Any ideas what could that be?

Error messages same as many others above…

[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “llewis”
Logon failed

Thanks!

AX64 27. Juli 2010

Hi CST,

I used the full username like you mentioned and got a bit further.

[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[NOTICE] Authentication successfull
[NOTICE] cleaning up failed logins for user “admin@americas.company.com”
[WARN] Authorization by group failed. User is not authorized.

Do I need to do anything about the group authorization fail warning?

AX64 27. Juli 2010

It would be a nice feature especially when using on an INTRANET to have users simply put their user id to login rather than username@domain.company.com

Greg 27. Juli 2010

Is there something special I need to configure to allow post authors to receive an email when a comment is made on one of their posts? Currently the admin email address of the site is getting the notifications and not the post author. Does something need to be configured in AD?

cst 27. Juli 2010

Hi Greg,
ADI only takes care of authentication and authorization. Everything else is standard, default WordPress.

cst 27. Juli 2010

Hi AX64,
this feature is already implemented. Just enter “@domain.company.com” in the “Account Suffix” option.
