AD Integration Roadmap [Updated] 17 July 2009
Here is the plan for the further development of the Active Directory Integration WordPress plugin:
- WordPress MU compatibility (planned for 1.0)
- tool for testing DONE 0.9.9-dev
- object-orientation redesign DONE 0.9.1
- code clean up DONE 0.9.1
- email notification of user and/or admin when a user account is blocked DONE 0.9.1
- drop table on uninstall or deactivation DONE 0.9.2
- adding more languages
- better user interface for role <> group assignment
- set different ldap ports per server
- help page DONE 0.9.2
- determine WP display name from AD attributes DONE 0.9.3
- authenticate against multiple domains (perhaps; needs more thought)
- enable/disable password changes for local (non AD) WP users DONE 0.9.8
- multiple authorization groups (as requested by Lori Dabbs) DONE 0.9.8
To be continued …
Hi, is there a chance that ADI will also become usable with Wordpress-MU? In general it seems to work (you could already more or less hack ADA onto it), but there are problems with configuration (supposedly no options page).
Yes, that sounds good. MU compatibility is definitely something for 1.0. I'll put it on the roadmap.
Hi,
I don’t know where to report a bug. If I enter my username while capslock is on, it creates a second account in wordpress and resets the permissions on my lowercase (existing) account in wordpress to whatever I have it set for new users (author in this case).
Seems like a fix would be to lower case the username input before doing the AD compare?
GREAT plugin.
Cheers,
Robert
Ok, I'll have a look at this in the next days.
Hi Robert,
I agree with you: this is a bug. WordPress usernames are case sensitive and Active Directory samaccountnames are not. The simplest (and imho best) solution is to convert the entered usernames to lower case. I fixed this in the development version. Version 0.9.7 will be released soon.
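An added example (not code from the plugin) that simulates the lookup the plugin performs after a successful AD bind; the small user table is constructed sample data. It shows how the same AD account entered with Caps Lock on ends up as a second WordPress account unless the login is normalized first.

```php
<?php
// Added example, not code from the plugin: shows why a Caps-Lock login splits
// one AD user into two WordPress accounts and how lower-casing prevents it.

// Constructed sample of existing WordPress users: user_login => role.
// WordPress treats user_login as case-sensitive, while the AD sAMAccountName
// that was just authenticated is case-insensitive.
$wp_users = [
    'robert' => 'editor',
    'admin'  => 'administrator',
];

// Canonical form of a login name as the plugin should use it everywhere
// (lookup of the WP user and the AD bind alike).
function normalize_login(string $entered): string
{
    return strtolower(trim($entered));
}

// Simulates the lookup performed after a successful AD bind.
// Returns [wp_login, role, created]; 'created' is true when the plugin would
// provision a new WordPress account with the default role for new users.
function resolve_wp_account(string $entered, array $wp_users, bool $normalize,
                            string $default_role = 'author'): array
{
    $login = $normalize ? normalize_login($entered) : $entered;
    if (array_key_exists($login, $wp_users)) {
        return [$login, $wp_users[$login], false];
    }
    return [$login, $default_role, true];
}

// Without normalization "ROBERT" is an unknown login and a second account
// is created; with normalization the existing "robert" account is reused.
foreach ([false, true] as $normalize) {
    [$login, $role, $created] = resolve_wp_account('ROBERT', $wp_users, $normalize);
    printf("normalize=%s login=%s role=%s created=%s\n",
        var_export($normalize, true), $login, $role, var_export($created, true));
}
```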
Is there a demo?
Hi Craig,
unfortunately there's no demo. I would have to set up a Windows Server only for the demo, which is not possible at present. If you have problems setting it up for a test you can ask me for help.
Is there any documentation on the TLS option? I have openssl installed along with php-imap. I have the option selected for TLS using 389 as the plugin states and define('FORCE_SSL_ADMIN', true); in wp-config.php. However, doing a network sniff the password is in clear text in the packet.
Hi Jim,
thanks a lot for this report. I have checked it and you are right. A small typo prevented the use of tls. I have fixed it and released ADI 0.9.7.
I just installed 0.97 and activated the plugin with wp 2.8.x, but I think I missed something or didn't activate another plugin; now I can't login as an admin. I'm getting "Fatal error: Call to undefined function ldap_connect()". If this is not the place to ask please let me know, thanks. Omar.
ADI 0.9.7 works as advertised. The connection is now in TLS and the packet is encrypted.
For those not familiar with AD and SSL/TLS check out:
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
Feature request: Ability to edit local accounts password.
This may come into play with the MU product functionality needs but right now in single user Wordpress I have a couple of “resource” accounts that are not in AD (and won’t be). I can edit most of the local users info but I have to deactivate the AD plugin to change the password. Even creating new local accounts there is no password option when the plugin is active. Deactivating is workable but a little annoying doing the extra steps.
@OMAR: Looks like you have no LDAP support installed on your host. Look here for installation instructions: http://www.php.net/manual/en/ldap.installation.php
@Jim: I added a new option “Enable local password changes”. Use the development version for testing.
Did some very basic testing. Good news first. I now have the ability to edit passwords of current local users. I can create a local user with a password. I can change the local account of an AD generated password and still login with the AD password and not the newly changed one (which to me is good). Now the bad news. Newly created local accounts created with the plug-in active can NOT login. Local accounts can NOT login with the plug-in deactivated if created when the plug-in was active. Local accounts can have their password changed with the plug-in deactivated and then they can login. Local accounts created with the plug-in deactivated work with the plug-in active — just don't change the password or it breaks as mentioned above.
Secret Key/SALT mismatch or something?
Different problem…somewhere around 0.9.6 (using 0.9.7) I no longer have the adintegration table. I am getting the following in my error logs.
WordPress database error Table ‘testdb.wp_qa_adintegration’ doesn’t exist for query INSERT INTO wp_qa_adintegration (user_login, failed_login_time) VALUES (‘test1′,1251728352) made by wp_signon, wp_authenticate, apply_filters, call_user_func_array, ADIntegrationPlugin->authenticate, ADIntegrationPlugin->ad_authenticate, ADIntegrationPlugin->_store_failed_login, referer: http://…..
Also receiving errors around activation and deactivation of plugin. I believe this is where the table is created and deleted.
HI People,
What does this error mean? I don't get anything in the logs and I can't login with the Active Directory username and password.
The only thing in httpd error log is “[Thu Sep 10 17:50:54 2009] [error] [client 10.3.50.12] File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css”
Your help would be greatly appreciated.
Aj
I enabled your plugin yesterday and it works great.
I'd like to find out if I can list multiple Active Directory groups to authorize against? Can I list two with comma separation?
Under: Authorization / Authorize by group membership
Thanks for your time
Hey there… Great plugin! I would love to get this working on my site. The problem is, even after I insert all of the information necessary to make it work, when I attempt to login at the wp-login screen, all I get is an Invalid username. I’m not sure how to check if it is hitting my AD, but I have the following areas populated:
Domain Controllers
Base DN
Account Suffix
Authorize by group membership
Any thoughts as to why it isn’t working for me?
I was able to install the original plugin by Jonathan Marc Bearak and that one worked, however I want to use the additional functionality you have in yours, such as specifying the display name.
Thanks in advance!
Maurice-
Hi Lori,
right now only one group is possible for authorization. But you can replace the method _check_authorization_by_group() near line 902 in ad-integration.php with the code below. Then you can use multiple groups separated by a semicolon (e.g. "group1;group2;group3"). This change will be part of the next version.
protected function _check_authorization_by_group($username) {
    if ($this->_authorize_by_group) {
        // option value holds one or more group names separated by ";"
        $authorization_groups = explode(';', $this->_authorization_group);
        foreach ($authorization_groups as $authorization_group) {
            // third argument: also accept membership via nested groups
            if ($this->_adldap->user_ingroup($username, $authorization_group, true)) {
                return true;
            }
        }
        // member of none of the listed groups
        return false;
    } else {
        // "Authorize by group membership" is off: every authenticated AD user may log on
        return true;
    }
}
Hi ajay,
which version of the plugin do you use?
Hi Mo,
you need to fill in the following information:
* Domain Controller
* Port (only, if you use a non standard port)
* Bind User
* Bind User Password
* BASE DN
* Account Suffix (don't forget a leading @)
Authorization group is not needed. Don't use it at first. If you can logon without, then try to enable it and see if it works.
Hi,
brilliant plugin … just one question … is there a way to create a user with additional fields from the AD?
Regards, Stefan
I’ve been using Jonathan Marc Bearak’s version of ADI until I found your version – great to see this plug-in being updated! Since I upgraded to WP 2.8.4 it seems that I’ve got problems logging in with and changing passwords of local IDs, I think this is the same problem as jc513 reported back in August.
Seems slightly different however. If I create a new local user in the Users control panel (Add New) I get an entirely different password sent to me via email than what I entered while creating the user. I can log in with the password that was sent to me, but not with the one I entered. If I deactivate the ADI plugin then the passwords seem to work correctly.
With the ADI plugin active I can’t log in with the original Admin account (and I can’t change the password to one that works!). AD authentication works great however!
Hi cst,
I have same problem with Ajay.
“File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css” error log on apache’s
Run on Windows 2k3 PHP 5.2.9, Apache 2.2.11 MySql 5.0.51
Latest plugin
Please advise.
Thanks,
Bag
Hi Stefan,
which fields do you mean? Can you specify that in more detail?
Hi BagNin,
Hi ajay,
I updated the development version: http://downloads.wordpress.org/plugin/active-directory-integration.zip.
Let me know, if this solves the problem.
Still no luck with me
192.168.1.147 - - [30/Sep/2009:17:50:56 +0700] "GET /blog/wp-login.php HTTP/1.1" 500 -
192.168.1.147 - - [30/Sep/2009:17:51:01 +0700] "GET /blog/wp-login.php HTTP/1.1" 500 -
Bag
Ahhh …. I am deeply sorry …
It works fine after I put a 'magnifying glass' on the settings ….
Excellent scripts, appreciate !
BagNin
Hi!
Just wanted to say you're doing great work with this plugin. I'm using WordpressMU and can't wait for your plugin to support it. Have been trying out v0.97 but unfortunately it's been far too unstable. The thing is though: I'm able to get it to work properly but it loses all its settings several times a day, why I don't know.
Looking forward to the WordpressMU compatible v1.0! Cheers!
Hello,
Thank you so much for making this plugin!
Do you have any guidelines or more examples for the options “Authorize by group membership” and “Users are authorized for login only when they are members of a specific AD group.”?
I have tried many different groups, but I can not get it to work.
Thanks again for your effort with this plugin. Great work!
Thomas
I have the same issue Mo posted. I have followed every instruction as carefully as I could but it simply will not work.
Is it necessary for the entire blog to be SSL for this to work? I did go that route, and it still did not work.
I’d like to be able to enable AD authentication without using SSL. I am not concerned with packet sniffing on the LAN.
The “Active Directory Authentication” plug-in by Jonathan Marc Bearak does work for me, but I would like the extra capabilities of the new one.
I am running WP 2.8.4, freshly installed today with PHP 5.3.0. The LDAP option is enabled in PHP.
Can you help?
Hi Paul,
SSL is not necessary but recommended. If you don't need it, don't use it. Simply use port 389 and deactivate the "Use TLS" option. If you still have problems, send me an email.
Hi Thomas,
it should be simple. Create a new security group in AD (with the "Active Directory Users and Computers" snap-in), name it "wordpress-users" or something similar and add one or more users. The new group and the users must be placed in the tree below the base dn (e.g. ou=unit,dc=domain,dc=tld). On the plug-in options page activate "Authorize by group membership" and enter the name of the created group ("wordpress-users" or whatever you have chosen). Now, only users who are members of this group should be able to logon. If you have multiple groups, separate them by a semicolon (e.g. "domain-users;wordpress-users;test-users").
To test the option "Role Equivalent Groups" add a completely new user to the security group "wordpress-users". Enter "wordpress-users=author" in the respective options field. If you try to logon with the new user now, he is created automatically in your WordPress-DB with the role "author". Separate multiple group combinations by semicolon (";"), e.g. "wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber". A user will be created based on the first match, from left to right, so you should obviously put the more powerful groups first.
If you can not get it to work, send me an email.
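The evaluation of the two option strings described above, as an added example (not the plugin's code); the group list of the sample user is constructed, in the plugin it comes from adLDAP. It demonstrates why the order of the "Role Equivalent Groups" entries matters for a user who is in several mapped groups.

```php
<?php
// Added example, not code from the plugin: evaluates the two semicolon-separated
// option strings for one user. The group list is constructed sample data;
// in the plugin it comes from adLDAP.

// Parse "group=role;group=role" into an ordered list of [group, role] pairs.
// Order matters: the first matching pair (left to right) decides the role.
function parse_role_equivalent_groups(string $option): array
{
    $pairs = [];
    foreach (explode(';', $option) as $entry) {
        if (strpos($entry, '=') === false) {
            continue;                               // skip malformed entries
        }
        [$group, $role] = array_map('trim', explode('=', $entry, 2));
        if ($group !== '' && $role !== '') {
            $pairs[] = [strtolower($group), $role]; // AD group names are case-insensitive
        }
    }
    return $pairs;
}

// "Authorize by group membership": the user must be in at least one listed group.
function is_authorized(array $user_groups, string $option): bool
{
    $user_groups = array_map('strtolower', $user_groups);
    foreach (explode(';', $option) as $group) {
        $group = strtolower(trim($group));
        if ($group !== '' && in_array($group, $user_groups, true)) {
            return true;
        }
    }
    return false;
}

// "Role Equivalent Groups": role given to an auto-created WordPress user.
function role_for_user(array $user_groups, string $option, string $default_role = 'subscriber'): string
{
    $user_groups = array_map('strtolower', $user_groups);
    foreach (parse_role_equivalent_groups($option) as [$group, $role]) {
        if (in_array($group, $user_groups, true)) {
            return $role;                           // first match wins
        }
    }
    return $default_role;
}

// Constructed sample: a user who is in the viewer group and the admin group.
$groups = ['domain-users', 'WordPress-Viewer', 'wordpress-admins'];

// Stronger groups listed first, as recommended above.
$roles_recommended = 'wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber';
// Same mapping with the weakest group first: the viewer pair now matches first.
$roles_reversed    = 'wordpress-viewer=subscriber;wordpress-users=author;wordpress-admins=administrator';

var_dump(is_authorized($groups, 'domain-users;wordpress-users;test-users'));
var_dump(role_for_user($groups, $roles_recommended));
var_dump(role_for_user($groups, $roles_reversed));
```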
Well, I converted the entire site to SSL and tried again. The first error I got was that TLS did not work. As I understand it, TLS requires some extra setup on the AD server, which was not covered in the installation documentation for this plug-in. I don't know how to do it. So I unchecked it. I am OK with the back-end traffic on the LAN transmitting plain-text passwords, as long as SSL covers them when the users type them in over the internet.
However, with TLS unchecked, it simply fails to work at all, with no error message. It simply tells me that the username or password is not valid.
It’s quite frustrating to read the installation instructions which say it’s quite easy, and include just a few easy steps, and then fail so utterly as I have after hours of working on this, and I am not an idiot user.
Has anyone tested this plug-in on Wordpress 2.8.4 with a Windows 2008 Active Directory?
It seems that this SHOULD be simple, but it is not working. I don’t think I am missing any steps, especially if TLS is not required. Any ideas?
Also, I thought I would e-mail as your earlier reply asked me to, but I could not find an e-mail address on your blog or in the readme file.
Well, since I couldn’t get it to authenticate, I went with the “Active Directory Authentication” plug-in by Jonathan Marc Bearak. Not as many whiz-bangs, but at least it works.
Hi Thomas,
do you use a “bind user”?
Hi,
I’ve done some modification to your plugins
* allow to use CAS (code from wpCAS), but use other Active Directory functions (like user creation, …)
* use SSL and not only TLS ( or use URI like ldaps://)
I’ve also done some (bad…) modification to ad_ldap classes because I use openLDAP and not Active Directory.
If you’re interested, send me an email, and I ‘ll send diff.
Your plugin is great.
Best
Hi Florian,
sounds great. Send me your diff.
info@ecw.de is the right email?
For your planned «support different port for different server», you can just try to check whether the hostname/domain controller is a URI or not.
If the hostname begins with ldap:// or ldaps://, it's a URI => don't set the port.
I use URI with your plugins before adding the SSL option.
Best
Please send the diff to cst@ecw.de.
Thanks
I use the plugin with Windows 2008 AD, iis7+php. The problem is that if I enable TLS, I got
[ERROR] adLDAP exception: Bind to Active Directory failed. TLS didn´t work. AD said: Connect error
The plugin works if TLS is disabled. I have
[PHP_OPENSSL]
extension=php_openssl.dll
in php.ini. Is there any special settings on the AD and/or somewhere else? Thanks.
Hi Eric,
do you use self-signed certificates? Then you have to configure openLDAP. Put the following line into the file ldap.conf on your webserver.
TLS_REQCERT never
If the webserver runs on a Windows machine the configuration file ldap.conf has to reside in the directory C:\openldap\sysconf\. If it doesn't already exist, create the directories and the file with the line above.
If this doesn’t help, let me know.
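As an added note on the ldap.conf line above (not part of the original reply): TLS_REQCERT never makes the bind succeed by switching off certificate verification entirely, so the client no longer checks which server it is talking to. The fragment below shows that setting beside the alternative of trusting the domain CA explicitly; the certificate path is a placeholder.

```conf
# Option A (the line from the reply above): accept any certificate.
# The StartTLS handshake succeeds with a self-signed DC certificate, but the
# client never verifies the server identity, so a forged certificate is
# accepted just the same.
TLS_REQCERT never

# Option B (preferred, use instead of option A): trust the DC's own CA and
# insist on a valid chain. Export the domain CA certificate (or the DC's
# self-signed certificate) in PEM form and point TLS_CACERT at it.
# Placeholder path; on Windows the file lives under C:\openldap\sysconf\.
TLS_CACERT /etc/ssl/certs/ad-domain-ca.pem
TLS_REQCERT demand
```

Only one TLS_REQCERT line may be active in a given ldap.conf; keep option B and remove option A once the CA file is in place.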
Hi,
I’m having a similar problem as Paul Sterly where I can successfully use the AD authentication plugin (with HTTPS) but not this plugin. The Base DN is the same, I’ve tried turning on and off the Automatic User Creation. Is the Bind User required? I’ve tried leaving it blank and tried using the AD admin credentials without success. Who is the Bind User?
I noticed the test tool does not properly use input credentials, i.e. the username field is passed as the password while the password field is not passed at all. See below where I’ve left the Bind User blank.
AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: abc
[NOTICE] username:
[DEBUG] password: username
[INFO] loading options…
[INFO] Options for adLDAP connection:
– account_suffix: @
– base_dn: ou=,dc=,dc=,dc=,dc=
– domain_controllers:
– ad_username:
– ad_password:
– ad_port: 389
– use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “”
Logon failed
If I test with a Bind User (the AD admin in this case) I get this error:
[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials
Any ideas where I'm going wrong here? I'm pretty sure it's just a matter of correct configuration so maybe a working example would solve it? This is on a Debian Linux host and up-to-date Windows 2003 Server R2 SP2. Thanks and great work on what would be a fantastic plugin.
G
Hi Eric,
thanks for the great plugin.
I am using the latest version 0.9.9.3 against MS AD 2003 and everything works like a charm. When logging in for the first time the user is created and the fields 'Username', 'Nickname', 'Display name publicly as' and 'E-mail' in the Profile are filled in correctly.
The fields ‘First name’ and ‘Last name’ however stay empty.
As it’s been requested to sign every blog entry with the full username, I’m missing this option from the drop down field ‘Display name publicly as’.
Selecting ‘CN (Common name, the whole name)’ from the plugin settings menu doesn’t help either.
Any idea, what I’m missing here?
Thanks
Hi Olly,
Don’t know why First name and Last name are staying empty. I’ll have a look at this.
Greetings
Christoph
Hi George,
let's see if I can help. The bind user is a user that is used to log on to the Active Directory. This user should have the privileges to read everything and (for security reasons) no write privilege. A bind user is not strictly needed. Here is a little German How-To on setting up a special user with full read but no write privilege: http://wap.ecw.de/archives/993. For testing purposes you can use a domain administrator's account. Don't forget to include the domain (e.g. "administrator@mydomain.local").
The behavior of the test tool in your installation is weird. Which version of WordPress do you use?
If you have some information that should not show up on this site, send me an email.
Greetz
Christoph
Great Plugin but I have one question. I set up SSL over LDAP on Windows 2003. Unfortunately it looks like it only listens on port 636. Is there a way for the plug-in to use TLS and port 389? If not, have you heard of a way to force Microsoft to look at that port?
Olly informed me that everything is working now. He had a typo in the options.
Hi Robbie,
I don’t know exactly what your problem is. If you use LDAP over SSL then Windows uses port 636. If you use (START_) TLS then the port is 389 because the encryption is started after the first connection on port 389 is established. If you use a firewall with DNAT (port forwarding etc.) or non standard ports on your Windows server and you need a different port you can enter this on the options page.
Please be more specific, so I can help you.
Okay sorry for the confusion; but I think I am confused as well.
No firewall is in place between the LDAP server and the Web Server. Microsoft uses port 636 but the AD Integration is using port 389. I thought if the Integration tool initiates a secure connection it is going to use port 389, on which our Domain controllers are not listening (they listen on port 636), which means it won't be able to connect. I was hoping there was a way to tell the AD tool to use port 636 for its Secure LDAP so it will get an answer from our Domain controllers. Right now as soon as we turn that feature on we can't log on to our page; with it off it works fine.
Am I looking at this wrong?
Thanks for your help.
I'm still struggling with the following. I can login using AD user name and password but local passwords for the same account didn't work. Any solutions? Or do I need to deactivate the plugin for it to work?
Hi Vincent,
you are right, there was an error with local passwords. The password stored in the WordPress database was always set to a randomly generated one, every time you changed the local password. I fixed it in 0.9.9.4. You can download the updated version in a few minutes from wordpress.org.
Hi,
Congratulations on making a terrific AD authentication solution. Everything else returned cryptic errors, but yours was a joy to use.
Only one small issue. On logout, I get the error “The page cannot be displayed because an internal server error has occurred.” I am located on the page wp-login.php?action=logout when this happens. Any idea why this might be happening?
Thanks
Hi Brian,
don't know what's going wrong at this point. I'll have a look at this in January and give you feedback as soon as possible.
Greetings from Germany
Hi, love the plug-in. Any word on when the MU support will be there?
Hi John,
I don’t know exactly when I will find the time to complete the MU support. I hope an improved version with MU support will be out in the first quarter 2010.
Hi
I left you a message last week about MU support. My company would be interested in paying you if you could get MU working in a reasonable amount of time. You can contact me by the email that I provided in this post.
Thanks
John
Hello
The plugin looks very interesting; we will test it for our school and, if it works out, will gladly send you a link.
A general question about the plugin: Can I lock down WP completely, so that no access to content is possible without logging in? And: can I use the plugin to define which users/groups may see which content?
Thanks, Dave
Hello Dave.
@George:
The problem is based on the fact that AD-Integration does not use the dn to authenticate, but the password. In your case it will help to add the following lines to your ad-integration.php:
Line 384 (should be there already):
$this->_log(ADI_LOG_NOTICE, 'adLDAP object created.');
Add the following lines below the line above:
$userinfo=$this->_adldap->user_info($username);
$dn=$userinfo[0]["dn"];
then find the line where it says
if ( $this->_adldap->authenticate($username, $password) )
(should be line 419 by then) and change it to:
if ( $this->_adldap->authenticate($dn, $password) )
this should solve all problems since it sends the dn instead of the username.
I had the problem myself and these few lines solve the problem of a server not accepting your credentials, although you’re a 100% sure, they’re right.
I have installed the AD Integration plugin (v.996) into WP (v2.9.1) and can get it to authenticate to our AD by specifying port 389 both with and without TLS.
Our AD server also has an ssl encrypted port 636. When I specify the plugin to use port 636 (no TLS) and run the Test Tool I get:
[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can’t contact LDAP server.
The only thing I’m changing on the server configuration page for the plugin is the port number (389 to 636) and disabling TLS, so the credentials should be fine. After much reading and fiddling with ldap.conf and other parameters I’m concluding that the plugin cannot handle a SSL connection. Is that correct? Should I assume this plugin can only connect to a non-encrypted port (e.g., 389) and can use TLS as a way to secure that connection, and SSL is not something the plugin can handle?
If so that is fine, but if it can handle making an SSL connection via port 636 that would be best.
Thanks for this plugin. It will make our wordpress installation much easier to accept by our users, who groan when they hear they need to remember a new account and password (don’t we all).
Hi Jimsearbim,
if TLS works for you, SSL isn’t needed. LDAPS communication to Active Directory on port 636 is deprecated.
But you can try the following: add “ldaps://” to domain controller, specify port 636 and uncheck “use TLS”. Hope this works. If not, write back.
I added the ldaps:// to each of the domain controllers I have in a semicolon separated list (e.g., ldaps://dc.example.com;…) with 636 as the port and TLS unchecked AND IT WORKED! Thanks for the quick and helpful reply!