AD Integration Roadmap [Updated] June 22nd, 2010

Here are the plans for further improvements of the Active Directory Integration WordPress plugin:

  • WordPress MU compatibility (planned for 1.0): only rudimentarily implemented, but WordPress 3.0 MultiSite is supported.
  • WordPress 3.0 compatibility
  • tool for testing DONE 0.9.9-dev
  • object-orientation redesign DONE 0.9.1
  • code clean up DONE 0.9.1
  • email notification of user and/or admin when a user account is blocked DONE 0.9.1
  • drop table on uninstall or deactivation DONE 0.9.2
  • adding more languages
  • better user interface for role <> group assignment
  • set different ldap ports per server
  • help page DONE 0.9.2.
  • determine WP display name from AD attributes DONE 0.9.3
  • authenticate against multiple domains (perhaps, have to think about)
  • enable/disable password changes for local (non AD) WP users DONE 0.9.8
  • multiple authorization groups (as requested by Lori Dabbs) DONE 0.9.8

to be continued…

142 comments
Christian Schild July 16th, 2009

Hi, is there any chance that ADI will also become usable for WordPress MU? In general it seems to work (ADA could already be half-way hacked onto it), but there are problems with the configuration (supposedly no options page).

cst July 17th, 2009

Yes, that sounds good. MU compatibility is definitely something for 1.0. I'll put it on the roadmap.

Robert Nelson August 1st, 2009


I don’t know where to report a bug. If I enter my username while capslock is on, it creates a second account in wordpress and resets the permissions on my lowercase (existing) account in wordpress to whatever I have it set for new users (author in this case).

Seems like a fix would be to lower case the username input before doing the AD compare?

GREAT plugin.


cst August 4th, 2009

Ok, I'll have a look at this in the next days.

cst August 17th, 2009

Hi Robert,
I agree with you: this is a bug. WordPress usernames are case sensitive and Active Directory samaccountnames are not. The simplest (and imho best) solution is to convert the entered usernames to lower case. I fixed this in the development version. Version 0.9.7 will be released soon.

Craig August 17th, 2009

Is there a demo?

cst August 18th, 2009

Hi Craig,
unfortunately there's no demo. I would have to set up a Windows Server only for the demo, which is not possible at present. If you have problems setting it up for a test you can ask me for help.

jc513 August 21st, 2009

Is there any documentation on the TLS option? I have openssl installed along with php-imap. I have the option selected for TLS using 389 as the plugin states and define (‘FORCE_SSL_ADMIN’,true); in wp-config.php. However, doing a network sniff the password is in clear text in the packet.

cst August 24th, 2009

Hi Jim,
thanks a lot for this report. I have checked it and you are right. A small typo prevented the use of tls. I have fixed it and released ADI 0.9.7.

Omar Solis August 26th, 2009

I just installed 0.97 and activated the plugin with WP 2.8.x, but I think I missed something or didn't activate another plugin; now I can't log in as an admin. I'm getting "Fatal error: Call to undefined function ldap_connect()". If this is not the place to ask please let me know, thanks. Omar.

jc513 August 26th, 2009

ADI 0.9.7 works as advertised. The connection is now in TLS and the packets are encrypted.

For those not familiar with AD and SSL/TLS check out:

jc513 August 26th, 2009

Feature request: Ability to edit local accounts password.

This may come into play with the MU product functionality needs but right now in single user WordPress I have a couple of “resource” accounts that are not in AD (and won’t be). I can edit most of the local users info but I have to deactivate the AD plugin to change the password. Even creating new local accounts there is no password option when the plugin is active. Deactivating is workable but a little annoying doing the extra steps.

cst August 27th, 2009

@OMAR: Looks like you have no LDAP support installed on your host. Look here for installation instructions:

cst August 27th, 2009

@Jim: I added a new option “Enable local password changes”. Use the development version for testing.

jc513 August 30th, 2009

Did some very basic testing. Good news first. I now have the ability to edit passwords of current local users. I can create a local user with a password. I can change the local password of an AD-generated account and still log in with the AD password and not the newly changed one (which to me is good). Now the bad news. Newly created local accounts created with the plug-in active can NOT log in. Local accounts can NOT log in with the plug-in deactivated if they were created when the plug-in was active. Local accounts can have their password changed with the plug-in deactivated and then they can log in. Local accounts created with the plug-in deactivated work with the plug-in active, just don't change the password or it breaks as mentioned above.

Secret Key/SALT mismatch or something?

jc513 September 8th, 2009

Different problem… somewhere around 0.9.6 (using 0.9.7) I no longer have the adintegration table. I am getting the following in my error logs.

WordPress database error Table ‘testdb.wp_qa_adintegration’ doesn’t exist for query INSERT INTO wp_qa_adintegration (user_login, failed_login_time) VALUES (‘test1′,1251728352) made by wp_signon, wp_authenticate, apply_filters, call_user_func_array, ADIntegrationPlugin->authenticate, ADIntegrationPlugin->ad_authenticate, ADIntegrationPlugin->_store_failed_login, referer: http://…..

Also receiving errors around activation and deactivation of plugin. I believe this is where the table is created and deleted.

ajay September 10th, 2009

Hi people,

What does this error mean? I don't get anything in the logs, nor can I log in with the Active Directory username and password.
The only thing in the httpd error log is "[Thu Sep 10 17:50:54 2009] [error] [client] File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css"

Your help would be greatly appreciated.

Lori Dabbs September 11th, 2009

I enabled your plugin yesterday and it works great.
I'd like to find out if I can list multiple Active Directory groups to authorize against. Can I list two with a comma separation?
Under: Authorization / Authorize by group membership
Thanks for your time

Mo September 14th, 2009

Hey there… Great plugin! I would love to get this working on my site. The problem is, even after I insert all of the information necessary to make it work, when I attempt to login at the wp-login screen, all I get is an Invalid username. I’m not sure how to check if it is hitting my AD, but I have the following areas populated:
Domain Controllers
Base DN
Account Suffix
Authorize by group membership

Any thoughts as to why it isn’t working for me?

I was able to install the original plugin by Jonathan Marc Bearak and that one worked, however I want to use the additional functionality you have in yours, such as specifying the display name.

Thanks in advance!


cst September 18th, 2009

Hi Lori,
right now only one group is possible for authorization. But you can replace the method _check_authorization_by_group() near line 902 in ad-integration.php with the code below. Then you can use multiple groups separated by a semicolon (e.g. “group1;group2;group3″). This change will be part of the next version.

protected function _check_authorization_by_group($username) {
    if ($this->_authorize_by_group) {
        // Several groups may be given, separated by semicolons.
        $authorization_groups = explode(';', $this->_authorization_group);
        foreach ($authorization_groups as $authorization_group) {
            // Authorized as soon as the user is a member of any listed group.
            if ($this->_adldap->user_ingroup($username, $authorization_group, true)) {
                return true;
            }
        }
        // Member of none of the listed groups.
        return false;
    } else {
        // Authorization by group is disabled, so every authenticated user passes.
        return true;
    }
}

cst September 18th, 2009

Hi ajay,
which version of the plugin do you use?

cst September 19th, 2009

Hi Mo,
you need to fill in the following information:
* Domain Controller
* Port (only if you use a non-standard port)
* Bind User
* Bind User Password
* Account Suffix (don't forget the leading @)

The authorization group is not needed. Don't use it at first. If you can log on without it, then try to enable it and see if it works.

Stefan September 22nd, 2009

Brilliant plugin … just one question … is there a way to create a user with additional fields from the AD?
Regards, Stefan

bheil September 24th, 2009

I’ve been using Jonathan Marc Bearak’s version of ADI until I found your version – great to see this plug-in being updated! Since I upgraded to WP 2.8.4 it seems that I’ve got problems logging in with and changing passwords of local IDs, I think this is the same problem as jc513 reported back in August.
Seems slightly different however. If I create a new local user in the Users control panel (Add New) I get an entirely different password sent to me via email than what I entered while creating the user. I can log in with the password that was sent to me, but not with the one I entered. If I deactivate the ADI plugin then the passwords seem to work correctly.
With the ADI plugin active I can’t log in with the original Admin account (and I can’t change the password to one that works!). AD authentication works great however!

BagNin September 30th, 2009

Hi cst,

I have the same problem as Ajay.
"File does not exist: /var/www/html/wordpress/wp-content/plugins/active-directory-integration/css" error in Apache's log

Running on Windows 2k3, PHP 5.2.9, Apache 2.2.11, MySQL 5.0.51
Latest plugin

Please advise.


cst September 30th, 2009

Hi Stefan,
which fields do you mean? Can you specify that in more detail?

cst September 30th, 2009

Hi BagNin,
Hi ajay,
I updated the development version:

Let me know, if this solves the problem.

BagNin September 30th, 2009

Still no luck with me :-( – - [30/Sep/2009:17:50:56 +0700] “GET /blog/wp-login.php HTTP/1.1″ 500 - – - [30/Sep/2009:17:51:01 +0700] “GET /blog/wp-login.php HTTP/1.1″ 500 -


BagNin September 30th, 2009

Ahhh …. I am deeply sorry …
It works fine after I put a 'magnifying glass' on the settings ….

Excellent script, appreciated!

Johan Carlsson October 12th, 2009


Just wanted to say you're doing great work with this plugin. I'm using WordPressMU and can't wait for your plugin to support it. Have been trying out v0.97 but unfortunately it's been far too unstable. The thing is though: I'm able to get it to work properly but it loses all its settings several times a day, why I don't know.

Looking forward to the WordPressMU compatible v1.0! Cheers! :-D

Thomas Berglund October 13th, 2009


Thank you so much for making this plugin!

Do you have any guidelines or more examples for the options “Authorize by group membership” and “Users are authorized for login only when they are members of a specific AD group.”?

I have tried many different groups, but I can not get it to work.

Thanks again for your effort with this plugin. Great work!


Paul Sterley October 14th, 2009

I have the same issue Mo posted. I have followed every instruction as carefully as I could but it simply will not work.

Is it necessary for the entire blog to be SSL for this to work? I did go that route, and it still did not work.

I’d like to be able to enable AD authentication without using SSL. I am not concerned with packet sniffing on the LAN.

The “Active Directory Authentication” plug-in by Jonathan Marc Bearak does work for me, but I would like the extra capabilities of the new one.

I am running WP 2.8.4, freshly installed today with PHP 5.3.0. The LDAP option is enabled in PHP.

Can you help?

cst October 14th, 2009

Hi Paul,
SSL is not necessary but recommended. If you don't need it, don't use it. Simply use port 389 and deactivate the "Use TLS" option. If you still have problems, send me an email.

cst October 14th, 2009

Hi Thomas,
it should be simple. Create a new security group in AD (with the "Active Directory Users and Computers" snap-in), name it "wordpress-users" or something similar and add one or more users. The new group and the users must be placed in the tree below the base dn (e.g. ou=unit,dc=domain,dc=tld). On the plug-in options page activate "Authorize by group membership" and enter the name of the created group ("wordpress-users" or whatever you have chosen). Now, only users who are members of this group should be able to log on. If you have multiple groups, separate them by a semicolon (e.g. "domain-users;wordpress-users;test-users").

To test the option "Role Equivalent Groups" add a completely new user to the security group "wordpress-users". Enter "wordpress-users=author" in the respective options field. If you try to log on with the new user now, he is created automatically in your WordPress DB with the role "author". Separate multiple group combinations by semicolon (";"), e.g. "wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber". A user will be created based on the first match, from left to right, so you should obviously put the more powerful groups first.

If you can not get it to work, send me an email.
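As an added illustration (not the plugin's own code) of the semicolon-separated "Authorize by group membership" and "Role Equivalent Groups" options explained above, the following PHP evaluates both rules over constructed group memberships; the `adi_*` function names and the sample directory are assumptions, and the lowercasing reflects the samAccountName case fix discussed earlier in this thread.

```php
<?php
// Added example, not part of the AD Integration plugin: evaluates the
// "Authorize by group membership" and "Role Equivalent Groups" options.
// Group membership is simulated with a constructed array instead of adLDAP.
declare(strict_types=1);

/** Split a semicolon-separated option, trimming blanks and dropping empties. */
function adi_split_option(string $option): array
{
    return array_values(array_filter(array_map('trim', explode(';', $option)), 'strlen'));
}

/**
 * Authorization: the user must be a member of at least one listed group.
 * An empty option means the check is disabled and every AD user is allowed.
 */
function adi_is_authorized(array $userGroups, string $authorizationOption): bool
{
    $required = adi_split_option($authorizationOption);
    if ($required === []) {
        return true;
    }
    foreach ($required as $group) {
        if (in_array($group, $userGroups, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Role mapping: "group=role;group=role;...". The first pair (left to right)
 * whose group the user belongs to decides the role, so the most privileged
 * groups must be listed first. Returns $defaultRole when nothing matches.
 */
function adi_role_for_user(array $userGroups, string $roleOption, string $defaultRole): string
{
    foreach (adi_split_option($roleOption) as $pair) {
        if (strpos($pair, '=') === false) {
            continue; // malformed entry, ignored
        }
        [$group, $role] = array_map('trim', explode('=', $pair, 2));
        if ($group !== '' && $role !== '' && in_array($group, $userGroups, true)) {
            return $role;
        }
    }
    return $defaultRole;
}

// Constructed sample data: sAMAccountName => AD group memberships.
$directory = [
    'alice' => ['domain-users', 'wordpress-admins', 'wordpress-users'],
    'bob'   => ['domain-users', 'wordpress-users'],
    'carol' => ['domain-users'],
];

$authorizationOption = 'domain-users;wordpress-users;test-users';
$roleOption = 'wordpress-admins=administrator;wordpress-users=author;wordpress-viewer=subscriber';

// WordPress user names are case sensitive, sAMAccountNames are not, so the
// entered name is lowercased first (otherwise "ALICE" would become a second account).
foreach (['Alice', 'BOB', 'carol', 'dave'] as $entered) {
    $username = strtolower($entered);
    $groups   = $directory[$username] ?? [];
    if (!isset($directory[$username]) || !adi_is_authorized($groups, $authorizationOption)) {
        printf("%-6s -> not authorized\n", $entered);
        continue;
    }
    printf("%-6s -> authorized, role %s\n", $entered,
        adi_role_for_user($groups, $roleOption, 'subscriber'));
}
```

With the sample data, Alice gets "administrator" (first match), BOB gets "author", carol is authorized via domain-users and falls back to the default role, and dave is rejected.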

Paul Sterley October 15th, 2009

Well, I converted the entire site to SSL and tried again. The first error I got was that TLS did not work. As I understand it, TLS requires some extra setup on the AD server, which was not covered in the installation documentation for this plug-in. I don't know how to do it. So I unchecked it. I am OK with the back-end traffic on the LAN transmitting plain-text passwords, as long as SSL covers them when the users type them in over the internet.

However, with TLS unchecked, it simply fails to work at all, with no error message. It simply tells me that the username or password is not valid.

It’s quite frustrating to read the installation instructions which say it’s quite easy, and include just a few easy steps, and then fail so utterly as I have after hours of working on this, and I am not an idiot user.

Has anyone tested this plug-in on WordPress 2.8.4 with a Windows 2008 Active Directory?

It seems that this SHOULD be simple, but it is not working. I don’t think I am missing any steps, especially if TLS is not required. Any ideas?

Also, I thought I would e-mail as your earlier reply asked me to, but I could not find an e-mail address on your blog or in the readme file.

Paul Sterley October 17th, 2009

Well, since I couldn’t get it to authenticate, I went with the “Active Directory Authentication” plug-in by Jonathan Marc Bearak. Not as many whiz-bangs, but at least it works.

cst November 2nd, 2009

Hi Thomas,
do you use a “bind user”?

Flo November 24th, 2009


I've made some modifications to your plugin:
* allow the use of CAS (code from wpCAS), but use the other Active Directory functions (like user creation, …)
* use SSL and not only TLS (or use a URI like ldaps://)

I've also made some (bad…) modifications to the ad_ldap classes because I use OpenLDAP and not Active Directory.

If you're interested, send me an email, and I'll send the diff.

Your plugin is great.


cst November 24th, 2009

Hi Florian,
sounds great. Send me your diff.

Flo November 24th, 2009

is the right email?

For your planned «support different port for different server», you could simply check whether the hostname/domain controller is a URI or not.

If the hostname begins with ldap:// or ldaps://, it's a URI => don't set the port.

I used URIs with your plugin before adding the SSL option.


cst November 24th, 2009

Please send the diff to


eric December 2nd, 2009

I use the plugin with Windows 2008 AD, IIS7 + PHP. The problem is that if I enable TLS, I get

[ERROR] adLDAP exception: Bind to Active Directory failed. TLS didn´t work. AD said: Connect error

The plugin works if TLS is disabled. I have


in php.ini. Are there any special settings on the AD and/or somewhere else? Thanks.

cst December 3rd, 2009

Hi Eric,
do you use self-signed certificates? Then you have to configure OpenLDAP. Put the following line into the file ldap.conf on your webserver.
If the webserver runs on a Windows machine the configuration file ldap.conf has to reside in the directory C:\openldap\sysconf\. If it doesn't already exist, create the directories and the file with the line above.

If this doesn’t help, let me know.

George December 4th, 2009


I’m having a similar problem as Paul Sterly where I can successfully use the AD authentication plugin (with HTTPS) but not this plugin. The Base DN is the same, I’ve tried turning on and off the Automatic User Creation. Is the Bind User required? I’ve tried leaving it blank and tried using the AD admin credentials without success. Who is the Bind User?

I noticed the test tool does not properly use input credentials, i.e. the username field is passed as the password while the password field is not passed at all. See below where I’ve left the Bind User blank.

AD Integration Logon Test

openLDAP installed

[INFO] method authenticate() called
[INFO] WP version: abc
[NOTICE] username:
[DEBUG] password: username
[INFO] loading options…
[INFO] Options for adLDAP connection:
– account_suffix: @
– base_dn: ou=,dc=,dc=,dc=,dc=
– domain_controllers:
– ad_username:
– ad_password:
– ad_port: 389
– use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “”

Logon failed

If I test with a Bind User (the AD admin in this case) I get this error:

[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials

Any ideas where I'm going wrong here? I'm pretty sure it's just a matter of correct configuration, so maybe a working example would solve it? This is on a Debian Linux host and an up-to-date Windows 2003 Server R2 SP2. Thanks and great work on what would be a fantastic plugin.


Olly December 7th, 2009

Hi Eric,

thanks for the great plugin.

I am using the latest version against MS AD 2003 and everything works like a charm. When logging in for the first time the user is created and the fields 'Username', 'Nickname', 'Display name publicly as' and 'E-mail' in the Profile are filled in correctly.

The fields ‘First name’ and ‘Last name’ however stay empty.

As it’s been requested to sign every blog entry with the full username, I’m missing this option from the drop down field ‘Display name publicly as’.
Selecting ‘CN (Common name, the whole name)’ from the plugin settings menu doesn’t help either.

Any idea, what I’m missing here?


cst December 8th, 2009

Hi Olly,
Don’t know why First name and Last name are staying empty. I’ll have a look at this.


cst December 8th, 2009

Hi George,
let's see if I can help. The bind user is a user that is used to log on to the Active Directory. This user should have the privileges to read everything and (for security reasons) no write privilege. A bind user is not strictly needed. Here is a little German how-to on setting up a special user with full read but no write privilege: For testing purposes you can use a domain administrator's account. Don't forget to include the domain (e.g. "administrator@mydomain.local").

The behavior of the test tool in your installation is weird. Which version of WordPress do you use?

If you have some information that should not show up on this site, send me an email.


Robbie Greenwell December 11th, 2009

Great plugin, but I have one question. I set up SSL over LDAP on Windows 2003. Unfortunately it looks like it only listens on port 636. Is there a way for the plug-in to use TLS and port 389? If not, have you heard of a way to force Microsoft to listen on that port?

cst December 14th, 2009

Olly informed me that everything is working now. He had a typo in the options.

cst December 14th, 2009

Hi Robbie,
I don’t know exactly what your problem is. If you use LDAP over SSL then Windows uses port 636. If you use (START_) TLS then the port is 389 because the encryption is started after the first connection on port 389 is established. If you use a firewall with DNAT (port forwarding etc.) or non standard ports on your Windows server and you need a different port you can enter this on the options page.
Please be more specific, so I can help you.

Robbie Greenwell December 14th, 2009

Okay sorry for the confusion; but I think I am confused as well.

No firewall is in place between the LDAP server and the web server. Microsoft uses port 636 but the AD Integration is using port 389. I thought if the Integration tool initiates a secure connection it is going to use port 389, on which our domain controllers are not listening (they listen on port 636), so it won't be able to connect. I was hoping there was a way to tell the AD tool to use port 636 for its Secure LDAP so it will get an answer from our domain controllers. Right now as soon as we turn that feature on we can't log on to our page; with it off it works fine.

Am I looking at this wrong?

Thanks for your help.

Vincent December 15th, 2009

I'm still struggling with the following. I can log in using the AD user name and password, but local passwords for the same account don't work. Any solutions? Or do I need to deactivate the plugin for it to work?

cst December 15th, 2009

Hi Vincent,
you are right, there was an error with local passwords. The password stored in the WordPress database was always set to a randomly generated one every time you changed the local password. I fixed it in You can download the updated version in a few minutes from

Brian December 29th, 2009


Congratulations on making a terrific AD authentication solution. Everything else returned cryptic errors, but yours was a joy to use.

Only one small issue. On logout, I get the error “The page cannot be displayed because an internal server error has occurred.” I am located on the page wp-login.php?action=logout when this happens. Any idea why this might be happening?


cst December 29th, 2009

Hi Brian,
don't know what's going wrong at this point. I'll have a look at this in January and give you feedback as soon as possible.

Greetings from Germany

John Butera February 5th, 2010

Hi, love the plug-in. Any word on when the MU support will be there?

cst February 8th, 2010

Hi John,
I don’t know exactly when I will find the time to complete the MU support. I hope an improved version with MU support will be out in the first quarter 2010.

John Butera February 17th, 2010


I left you a message last week about MU support. My company would be interested in paying you if you could get MU working in a reasonable amount of time. You can contact me by the email that I provided in this post.


dave February 22nd, 2010

The plugin looks very interesting; we will test it for our school and will gladly send you a link if it works out.
A general question about the plugin: can I lock down WP completely so that no access to content is possible without logging in? And: can I define with the plugin which users/groups may see which content?
Thanks, Dave

cst February 22nd, 2010

Hello Dave.

  1. Locking everything down so that no access is possible without logging in is best done with the plugin Registered Only.
  2. For specific user and group permissions you need additional plugins, e.g. Role Scoper.

Timo March 5th, 2010

The problem is based on the fact that AD-Integration does not use the dn to authenticate, but the password. In your case it will help to add the following lines to your ad-integration.php:

Line 384 (should be there already):
$this->_log(ADI_LOG_NOTICE,'adLDAP object created.');
Add the following lines below the line above:

then find the line where it says
if ( $this->_adldap->authenticate($username, $password) )
(should be line 419 by then) and change it to:
if ( $this->_adldap->authenticate($dn, $password) )

This should solve all problems since it sends the dn instead of the username.
I had the problem myself and these few lines solve the problem of a server not accepting your credentials, although you're 100% sure they're right.

Jimsearbim March 17th, 2010

I have installed the AD Integration plugin (v.996) into WP (v2.9.1) and can get it to authenticate to our AD by specifying port 389 both with and without TLS.

Our AD server also has an ssl encrypted port 636. When I specify the plugin to use port 636 (no TLS) and run the Test Tool I get:

[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can’t contact LDAP server.

The only thing I’m changing on the server configuration page for the plugin is the port number (389 to 636) and disabling TLS, so the credentials should be fine. After much reading and fiddling with ldap.conf and other parameters I’m concluding that the plugin cannot handle a SSL connection. Is that correct? Should I assume this plugin can only connect to a non-encrypted port (e.g., 389) and can use TLS as a way to secure that connection, and SSL is not something the plugin can handle?

If so that is fine, but if it can handle making an SSL connection via port 636 that would be best.

Thanks for this plugin. It will make our wordpress installation much easier to accept by our users, who groan when they hear they need to remember a new account and password (don’t we all).

cst March 18th, 2010

Hi Jimsearbim,
if TLS works for you, SSL isn’t needed. LDAPS communication to Active Directory on port 636 is deprecated.

But you can try the following: add “ldaps://” to domain controller, specify port 636 and uncheck “use TLS”. Hope this works. If not, write back.
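An added example (not the plugin's code) that turns the Domain Controllers, Port and Use TLS options into a connection plan following the rules given in this thread: a controller written as an ldap:// or ldaps:// URI keeps its scheme and ignores the port option (Flo's suggestion above), LDAPS uses 636 with "Use TLS" unchecked, and StartTLS upgrades a plain port 389 connection. The `adi_*` function names and the host names are constructed.

```php
<?php
// Added example, not part of the AD Integration plugin: resolve the plugin's
// connection options into what would be passed to ldap_connect()/ldap_start_tls().
declare(strict_types=1);

/**
 * For one controller entry, return the URI to connect to, whether StartTLS
 * must be negotiated after connecting, and whether the bind password would
 * cross the network unencrypted.
 */
function adi_connection_plan(string $controller, int $port, bool $useTls): array
{
    $controller = trim($controller);
    if (preg_match('~^(ldaps?)://~i', $controller, $m)) {
        // Already a URI: keep it verbatim and do not append the port option.
        $uri   = $controller;
        $ldaps = strtolower($m[1]) === 'ldaps';
    } else {
        // Bare host name: build a plain ldap:// URI from host and port.
        $uri   = sprintf('ldap://%s:%d', $controller, $port);
        $ldaps = false;
    }
    if ($ldaps && $useTls) {
        // StartTLS on a connection that is already TLS-wrapped (LDAPS) fails,
        // so reject the combination instead of surfacing a vague "Connect error".
        throw new InvalidArgumentException("$controller: uncheck 'Use TLS' when using ldaps://");
    }
    return [
        'uri'       => $uri,
        'start_tls' => $useTls,
        'cleartext' => !$ldaps && !$useTls,
    ];
}

/** Apply the plan to every entry of the semicolon-separated controller list. */
function adi_connection_plans(string $controllers, int $port, bool $useTls): array
{
    $plans = [];
    foreach (array_filter(array_map('trim', explode(';', $controllers))) as $dc) {
        $plans[$dc] = adi_connection_plan($dc, $port, $useTls);
    }
    return $plans;
}

// Constructed sample configurations with placeholder host names.
$samples = [
    ['dc1.example.local;dc2.example.local', 389, true],                  // StartTLS on 389
    ['ldaps://dc1.example.local;ldaps://dc2.example.local', 636, false], // LDAPS, "Use TLS" off
    ['dc1.example.local', 389, false],                                   // plain LDAP
];

foreach ($samples as [$controllers, $port, $useTls]) {
    foreach (adi_connection_plans($controllers, $port, $useTls) as $dc => $plan) {
        printf("%-42s -> %s%s%s\n", $dc, $plan['uri'],
            $plan['start_tls'] ? ' + StartTLS' : '',
            $plan['cleartext'] ? '  (WARNING: bind password sent in clear text)' : '');
    }
}
```

The third sample reproduces the situation reported earlier in the thread, where a sniffer showed the password in clear text: neither LDAPS nor StartTLS protects the bind.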

Jimsearbim March 18th, 2010

I added the ldaps:// to each of the domain controllers I have in a semicolon separated list (e.g., ldaps://;…) with 636 as the port and TLS unchecked AND IT WORKED! Thanks for the quick and helpful reply!

Jimsearbim March 25th, 2010

The documentation says I can control access to a wordpress blog using this plugin and specifying AD groups. That is great but what if I also want to add individuals? For example, could I specify an AD group like “Faculty” and one student like “” to allow access to all faculty and the student Joe? If not then each blog installation, and I plan many, would need its own AD group for access control. I’m trying to avoid that if possible and only use existing AD groups and supplement with individuals.

Danny G Smith April 15th, 2010

Are there any tricks to getting this to work with 3.0 beta 1? I have excluded some of the details, as we are not using tls at this point, may in the future. Any help would be appreciated, as my company really wants ad to be used.

openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0-beta1
[INFO] loading options…
ad_port: 389 – use_tls:
[ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials
Logon failed

cst April 16th, 2010

Hi Danny,
ADI wasn't tested with 3.0 beta so far. I'll do it in the next days. But I think your problems have nothing to do with WP 3.0. Does it work with WP 2.9?

Tim April 16th, 2010

I’ve made some modifications to make it work a little better in WordPress MU. Seems to be working well, now, or at least the way I’m using it.

I’m happy to send a diff if you’d like. Notably:

1) saving settings on one setup tab doesn’t blank the values on the others
2) the WP_PLUGIN_URL stuff is correctly using WPMU_PLUGIN_URL where necessary when IS_WPMU is set.

Thanks for the plugin!

cst April 19th, 2010

Hi Tim!
Sounds good. It’ll be nice if you send the diff, so I can add it to the source.

Ragnar May 12th, 2010


The plugin works great! Except our environment has multiple OUs. So the Base DN looks like this:
ou=nordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – and all users in "nordnorge" work great. But we also have users in, for example:
ou=sornorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no that don't work. And that's why I tried this:
ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – which doesn't work at all. I also tried:

ou=nordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no;ou=sordnorge,ou=users and groups,dc=felles,dc=data,dc=krabbe,dc=no – but no dice :-/

Anyone know how I can add more than one OU? Or make this plugin look deeper into our main OU?

Jimsearbim June 16th, 2010

I see in the roadmap:

“authenticate against multiple domains (perhaps, have to think about) ”

I could really use this feature. It looks like this was done (hacked) a while ago for the AD Authentication plugin:

It would be a good option for those, like me, with multiple domains, even if the username had to include the domain. I'm already doing this using the Plexcel MediaWiki plugin that allows AD authentication from multiple domains, and our users do not mind entering their domain as part of their username (e.g., domain\username or username@domain.tld).

matt June 16th, 2010

Hello, I’m not sure where to submit bug reports / patches and am wondering if there is a bug in adLDAP.php — specifically in the user_groups function. I believe this:


should actually be this:


Without setting objectsid, the user_info will never find the real_primary group…

A variation of this bug may also appear in the contact_groups / contact_info functions which have similar syntax, and the following in contact_info is almost certainly wrong since it checks for “primarygroupid” twice and then uses objectsid a few lines later:

if ($this->_real_primarygroup && isset($entries[0]["primarygroupid"][0]) && isset($entries[0]["primarygroupid"][0])){



Ken June 21st, 2010

Hi there,

Just wondering, will the plugin automatically log users in?
I have the plugin installed in WordPress 3; it creates and maps groups fine, but users still have to sign in manually.


cst June 22nd, 2010

There is a bug in automatic user creation with WP 3.0. This is fixed quick and dirty in the development version. I will release very soon.

Jimsearbim June 25th, 2010

Does this plugin do any logging of its activities, or is my only source of information on what this plugin is doing located in the web server's logs? For example, how could I find the number of users who successfully used this plugin to log in, who tried to log in but failed, what the responses were from the AD server, etc.?

Jimsearbim June 25th, 2010

I just updated to WordPress 3.0 and AD Integration (from WP 2.9.1 and AD Integration and I can no longer login using an AD account as I could before. The test tool says “Authentication successful” but then says “Authentication by group failed”. The specified group has not changed and is Domain Users (all users). Any help appreciated. I am using port 389 w/TLS.

Jimsearbim June 25th, 2010

Update: When I replace the plugin with 0.9.8 it works again.

cst June 28th, 2010

For me it works. But could you please replace the file ad_ldap/adLDAP.php with the old one which comes with version 0.9.8 and tell me if it works like it should.

Jimsearbim July 1st, 2010

Yes, that worked. Thanks!

James Delaney July 2nd, 2010


I'm pretty new to WordPress and am currently running 3.0 on a development WAMP install.

I've successfully installed your plugin and it looks like it will work really well. Unfortunately though I cannot now log in using my admin account – it is forcing me to use Active Directory yet I have not specified an Active Directory user to be an admin.

Help! :-)

cst July 2nd, 2010

Just disable the plugin. There are several ways to do that:
Use ftp to remove the folder ../wp-content/plugins/ad-integration

Let me know if you need further help. By the way: you should always have an administrative account that is not authorized by Active Directory, which means the username should not exist in Active Directory.

James Delaney July 2nd, 2010

Thanks, I'll give that a try to get me back in, but do you have any idea why it won't authorize my default WP admin account when the plugin is enabled?

Robert July 2nd, 2010

I’ve installed your plugin in wordpressmu.

The user authentication test works. I’ve set the authorization by group membership. However I have this message:

[WARN] Authorization by group failed. User is not authorized.

any idea where to look ? Thanks in advance.

Vincent Martineau July 6th, 2010

Nice plugin but I have one question.
When the user name contains a space (like “john smith”), the test tool reports this error:
[NOTICE] Authentication successfull
[NOTICE] cleaning up failed logins for user “john smith”
[WARN] Authorization by group failed. User is not authorized.

But if I remove the space in the name (like “john”), the test tool reports no error and the user is created in the WP database.

What is wrong?

Ryan July 16th, 2010

I’m working with a clean install of WordPress 3.0 and have activated your plugin. I set everything up for using an ldaps server on port 636. When I test the connection everything returns as:

[ERROR] Authentication failed
[WARN] storing failed login for user “username”

username/passwords are correct. Any means of seeing what is actually causing the auth failure?

admin July 19th, 2010

Hi Ryan,
there are so many possible reasons. Have you set the correct BASE DN? Anyway: send me the report from the test tool (after changing confidential data). I’ll see what I can do for you.

Ryan July 20th, 2010

The base dn should be ok. I’m using it successfully in other web apps that do AD integration. Also worth noting, it binds to AD just fine. If I enter a bad bind user it actually gives me an error when trying. So it’s at least connecting to the domain controller.

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0
[NOTICE] username: username
[DEBUG] password: password
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: DC=our,DC=domain,DC=edu
- domain_controllers: ldaps://
- ad_username:
- ad_password: bind_password
- ad_port: 636
- use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 5
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “rsanders”
Logon failed

Denise July 20th, 2010

thanks for this great plugin! is it possible to have a user directed only to one site upon login within a multi-site blog, and, if so, how would one do that? thanks again.

Ryan July 20th, 2010

I got this working. Simple mistake on my end. Nothing a few debug statements couldn’t help solve.

Peter B July 22nd, 2010

Ryan -

We are having that same error… Would you mind sharing your solution?


cst July 23rd, 2010

On multi-site blogs (since WordPress 3.0) every single blog has its own ADI configuration. No redirection is needed. But maybe I didn’t get what you mean.

Ken July 26th, 2010

I need to put this after line 482 in adLDAP.php file to avoid ldap_search filter warning

if (stristr($group_name, '+')) {

the patch is from adLDAP.php 3.3.1

Can you please append this in the next update so I don’t need to manually edit the class every time?


AX64 July 26th, 2010

Running Plugin Version
I’m running WordPress internally so it’s not a public site.

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 2.9.1
[NOTICE] username: admin
[DEBUG] password: adminpassword
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: OU=CA,DC=americas,DC=company,DC=com
- domain_controllers: servername
- ad_username:
- ad_password: password
- ad_port: 389
- use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “admin”
Logon failed

Any suggestions would be appreciated.

cst July 26th, 2010

Hi Ken,
thanks a lot for your fix. I’ll add it to 1.0, which comes very soon.

cst July 26th, 2010

Hi AX64,
try to login with full username like or enter an account suffix. Let me know if this works.

Peter B July 27th, 2010

I’m using AD 2008 here and some users (domain admins) can authenticate, but no other users can. Any ideas what that could be?

Error messages same as many others above…

[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[ERROR] Authentication failed
[WARN] storing failed login for user “llewis”
Logon failed


AX64 July 27th, 2010


I used the full username like you mentioned, and I got a bit further.

[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[NOTICE] Authentication successfull
[NOTICE] cleaning up failed logins for user “”
[WARN] Authorization by group failed. User is not authorized.

Do I need to do anything about the group authorization fail warning?

AX64 July 27th, 2010

It would be a nice feature especially when using on an INTRANET to have users simply put their user id to login rather than

Greg July 27th, 2010

Is there something special I need to configure to allow post authors to receive an email when a comment is made on one of their posts? Currently the admin email address of the site is getting the notifications and not the post author. Does something need to be configured in AD?

cst July 27th, 2010

Hi Greg,
ADI only takes care of authentication and authorization. Everything else is standard, default WordPress.

cst July 27th, 2010

Hi AX64,
this feature is already implemented. Just enter “” in the “Account Suffix” option.

Ryan August 5th, 2010

My issue was that I left off the “@” symbol in the Account Suffix text field (ADI settings->user). I had assumed this would be entered automatically and I just needed to enter our domain. As such it was trying to authenticate as instead of Since my bind user was proper it was binding just fine, but wasn’t authenticating users.

Steve August 24th, 2010

This is a great plugin and I want to thank you for your work on it. One small bug that I noticed is that when you do not have the “Enable local password changes” activated, and then make any kind of change to the user’s profile (for example, modifying the email address) of a non-AD account (like admin), the password in the database changes so that I can no longer log on as that user. In order to login, I have to revert the password back in the MySQL. By activating the “Enable local password changes,” I don’t see this behavior.

cst August 28th, 2010

Ok, that really seems to be a bug. I’ll have a look and it will be fixed with 1.0.0. I’ll inform you when a new developer version is ready for download.

Raja September 2nd, 2010

Hi cst,
I am using WordPress 3.0.1 and LDAP integration and Active Directory.
I am able to authenticate without the TLS option.
When I check the Use TLS option, I get the error “ldap server unavailable”.
I noticed my certificate name on the AD server does not match the server name.

so I followed your suggestions of configuring ldap.conf file with
“TLS_REQCERT never ” on the webserver. I still can’t authenticate using TLS (or) ldaps://url and port 636.

See the logs below. The first is successful, the next two failed.

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0.1
[NOTICE] username: username
[DEBUG] password: password
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: OU=Users,DC=xxx,DC=xxx
- domain_controllers:
- ad_username:
- ad_password: xxx
- ad_port: 389
- use_tls:
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[NOTICE] Authentication successfull
[NOTICE] cleaning up failed logins for user “xxx”
[INFO] user role:
[NOTICE] Updating user “xxx” with following data:
- email:
- first name: xxxx
- last name: xxx
- display name: xxx
- role:
[NOTICE] – user_id: 2

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0.1
[NOTICE] username: username
[DEBUG] password: password
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: OU=Users,DC=xxx,DC=xxx
- domain_controllers: ldaps://
- ad_username:
- ad_password: xxx
- ad_port: 636
- use_tls:
[ERROR] adLDAP exception: Bind to Active Directory failed.
Check the login credentials and/or server details.
AD said: Can’t contact LDAP server
Logon failed

AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.0.1
[NOTICE] username: username
[DEBUG] password: password
[INFO] loading options…
[INFO] Options for adLDAP connection:
- account_suffix:
- base_dn: OU=Users,DC=xxx,DC=xxx
- domain_controllers:
- ad_username:
- ad_password: xxx
- ad_port: 389
- use_tls: 1
[ERROR] adLDAP exception: Bind to Active Directory failed.
TLS didn't work. AD said: Server is unavailable
Logon failed

any help is appreciated.

Lisa September 20th, 2010

I have the same issue as AX64. We have users log in with “” because if we try to do an entry in the account suffix, the user won’t authenticate, for some reason. It is probably one of our settings somewhere in the plug-in, but not sure which.

Andrew October 21st, 2010

I love this plugin – it would be perfect for my company and solve so many problems. But our entire infrastructure relies on multiple login domains, joe@division, fred@division2 etc., which this plugin does not support. Any plans to make this available? Even a hint as to how it could be done? Thanks!

cst October 25th, 2010

Hi Andrew,
I have to think about this “multi domain” feature. Sounds good and possible.

And one question: Do you need support for more than one AD Server?

Iver October 26th, 2010

Hello Andrew,

I have a problem with authentication via account_suffix against my AD. Unfortunately I have to authenticate using the user's complete DN, but neither adLDAP nor your plugin offers that.

However, I have extended adLDAP and your plugin so that authentication works for me. The idea is that the root admin searches for the user in the AD under the given base_dn. Once the user has been found, authentication takes place. For that I additionally need a prefix_dn, hence the extension in your plugin as well and not only in adLDAP.

I would be very pleased if my extension could be incorporated into your plugin. If you are interested, just send me a mail. I'll then send you the two modified classes.

Ciao … Iver

Johannes October 27th, 2010

Many thanks for the plugin.
I have the problem that AD data is not copied into the WP user. If I enter all the data manually in WP, it is removed again after the next login. Any idea?! Thanks!

cst October 27th, 2010

Hello Johannes,
have you already tried the development version (? If it doesn't work with that either, please send me a copy of the test tool output (of course you should change any security-relevant information in it) to cst_(at) I'll take a look at it and may be able to help you further that way.


cst October 27th, 2010

Hello Iver,
that sounds great. Please send me your changes (cst_(at), so that I can still incorporate them into 1.0.

Christoph (not Andrew)

Andrew October 28th, 2010

Hi cst,

No – single domain environment. But on Active Directory administrators *can* use Active Directory Domains and Trusts to add Alternative UPN Suffixes (e.g. so when setting up a new user you can create a new username with the standard domain (say user@test.local) but also use the dropdown menu to pick one of the UPN Suffix (so

I’m sure you know all the above – but just wanting to be clear.

I think with the advent of hosted systems (Remote Desktop etc) the use of universal logins for clients are becoming popular – same username for RD, Exchange, Sugar CRM etc. To do this for WordPress properly (which you’re 90% there) would be fantastic (as WP is very nice for other things beyond blogging e.g. simple support KB etc).

Anyway, something to ponder. Thanks for the replies (p.s. I failed German at school, Entschuldigung :) ).


cst October 29th, 2010

Hi Andrew,
my question whether you need support for more than one AD server was a little bit unspecific. To be more specific: Do you need the AD plugin to COMMUNICATE with more than one AD server, or can all domains be queried via one host?
If so, it won’t be very complicated to let the plugin do what you want.

Andrew October 29th, 2010

Hi cst,

Just the one host.

Andrew November 12th, 2010

Did anyone ever get a chance to look at UPN? I’ve tried a few things – including adopting a hack from another WP widget but alas to no avail. Wish I’d paid more attention now in school :(

Elsa November 25th, 2010

We were using the plugin for almost 3 months, working great. However, we have one user that is not able to log in. There is only a browser error when he tries to log in. After several days, I found that the function user_groups (inside adLDAP.php) is the problem.
What I commented out is:
//if ($recursive){
//    foreach ($groups as $id => $group_name){
//        $extra_groups=$this->recursive_groups($group_name);
//        $groups=array_merge($groups,$extra_groups);
//    }
//}
and it works.
What does the function recursive_groups do? I don't know yet why this function works for all the users but not for this one.

Aren Cambre December 10th, 2010

Would love to see an option to prevent logins except by those with Active Directory accounts.

cst December 13th, 2010

This is possible. But what happens if the AD is (temporarily) not available? Someone must always have the chance to login. Only the admin user or all users with the admin role?

Aaron December 17th, 2010


I’m hoping you can help me set up the ADI. I have it so far working great. When I log in it creates an account for me in WP, but now I want it to create a group for that member.

I have in AD a department with the OU=OU Online, and using role manager I created a new role “online”. So I have put OU Online=online, but this fails. Can you explain to me how I set up ADI for groups?

Thank you,


Aaron December 29th, 2010


I have Active Directory Integration installed, and I have been using it so far and it was working great. We have been having some bugs getting the group to authenticate with ADI, so when I have groups checked and list the groups that I want to authenticate against it won’t let me log in as admin or any other group. When I had groups checked, I accidentally logged out as admin. Now I can see my site but I can’t log in. I have tried to delete the plugin, but I still can’t login. Do you know if there is a way to edit your code so that I can log in, or is there a table in the database that I need to delete so that I can log in?

Thank you,


Aren Cambre January 6th, 2011

“This is possible. But what happens if the AD is (temporarily) not available? Someone must always have the chance to login. Only the admin user or all user with the admin role?”

If AD is down (which is very, very rare–we’ve designed it to be super high availability), we want no logins. Our AD is our authoritative account source, and this is a blog that we intend only for corporate users.

By the way, would be nice if you added a “subscribe to comments” feature. I didn’t realize you replied to my comment already.

Aren Cambre January 7th, 2011

Aha, you have the “subscribe to comments” now! Thank you!

Now on another note, an opportunity to improve Active Directory Integration:

Looks like if I want to restrict my accounts only to corporate accounts, I am stuck with a rather convoluted way of adding new people to existing blogs: 1. user logs in to base blog, 2. super admin promotes that user to individual blog, 3. only then can individual blog admin set that account’s privileges.

An ADI bug:

Aren Cambre January 10th, 2011

Just found another bug: line 227 of ad-integration.php has two problems:
1. It forces loading as HTTP even if I am accessing the site using HTTPS. So this will cause a security warning to IE users.
2. It wants to find the plugin in mu-plugins folder when used on a network. Isn’t mu-plugins deprecated?

Aren Cambre January 10th, 2011

Is there a formal bug tracker for this plugin?

Aaron January 11th, 2011


I was wondering if you could let me know how I can make it so that it will import the telephone number from AD into a custom meta field “phone”? I see it referenced in the code but I’m not sure how this can be done.



Aren Cambre January 13th, 2011

Test. (I never got email notification of Aaron’s Jan. 11 comment.)

John February 10th, 2011

Hi, I have been playing around with this plugin and i really like it. Especially the “Authorize by group membership”

However, it doesn’t work 100% and I wanted to share my bug. For certain users in our AD, they get stuck in a recursive loop.

I try to authenticate by “Domain Users”, but somehow it trims the group name and gets stuck in a recursive loop in the code.

These are the groups of a user who would get stuck in a loop.


This is a set of groups a user would be in, but will authenticate and not get stuck.


Your help would be appreciated, thanks!

John February 10th, 2011

I dug a little deeper and found out the following in our AD




I get stuck in a recursive loop with SECUR-DL-INFORMATIQUE and SECUR-DL-INFORMATIQUE-FTP_OPERA

cst February 11th, 2011

Hi John,
it’s the first time that I hear of such a recursive loop. I think this is also new for the developers of the library adLDAP that ADI uses. But it’s a known bug in adLDAP. There is a possible fix and I’ll give it a try. If my tests are successful, I’ll send you the new adLDAP.php.

cst February 11th, 2011

Hi folks,
I have committed a new development version 1.0-RC2, which includes a fix for the recursive_groups bug. When a security group is a member of another security group and vice versa, adLDAP got stuck in an infinite loop. I fixed this bug in adLDAP.php. I have also added some more debug information in the Test Tool. You have to set WP_DEBUG to true in wp-config.php to get this information:
define('WP_DEBUG', true);

Please give it a try and send feedback.
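For readers following Elsa's and John's reports above and the recursive_groups fix described in this comment, here is an added illustration (not adLDAP's or ADI's own code) of why mutually nested groups hang a naive memberOf walk and how a visited set stops it. The directory below is a constructed stand-in for LDAP lookups, mapping each group to the groups it is directly a member of; the group names are invented.

```python
"""Cycle-safe resolution of nested Active Directory group membership.

adLDAP's original recursive_groups() followed memberOf links group by group,
so two security groups that are members of each other sent it into an
infinite loop. Remembering which groups were already expanded fixes that.
"""

# Constructed sample data: group -> groups it is directly a member of.
# "Sales-Admins" and "Sales-Backup" are members of each other, which is the
# situation that hung the unpatched recursion.
SAMPLE_DIRECTORY = {
    "Domain Users": [],
    "Sales": ["Domain Users"],
    "Sales-Admins": ["Sales", "Sales-Backup"],
    "Sales-Backup": ["Sales-Admins"],
    "IT": ["Domain Users"],
}


def recursive_groups(directory, group, seen=None):
    """Return every group `group` belongs to, directly or through nesting.

    `seen` holds the groups already expanded, so a memberOf cycle is skipped
    instead of recursed into forever.
    """
    if seen is None:
        seen = set()
    result = set()
    for parent in directory.get(group, []):
        if parent in seen:
            continue  # already expanded: a shared parent or a cycle
        seen.add(parent)
        result.add(parent)
        result |= recursive_groups(directory, parent, seen)
    return result


def user_groups(directory, direct_groups):
    """All groups a user belongs to, given the user's direct memberships."""
    groups = set(direct_groups)
    seen = set(direct_groups)
    for g in direct_groups:
        groups |= recursive_groups(directory, g, seen)
    return groups


def is_authorized(directory, direct_groups, authorization_groups):
    """ADI-style check: pass if any resolved group is on the allowed list."""
    return not user_groups(directory, direct_groups).isdisjoint(authorization_groups)


def find_membership_cycles(directory):
    """Return the cycles in the memberOf graph, each as a list of group names.

    Lets an admin audit which nested groups would have hung the old code.
    Standard depth-first search with white/grey/black colouring.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in directory}
    cycles = []

    def visit(group, path):
        colour[group] = GREY
        path.append(group)
        for parent in directory.get(group, []):
            state = colour.get(parent, WHITE)
            if state == GREY:  # back edge: the path from `parent` is a cycle
                cycles.append(path[path.index(parent):] + [parent])
            elif state == WHITE:
                visit(parent, path)
        path.pop()
        colour[group] = BLACK

    for group in directory:
        if colour[group] == WHITE:
            visit(group, [])
    return cycles


if __name__ == "__main__":
    print(sorted(user_groups(SAMPLE_DIRECTORY, ["Sales-Backup"])))
    print(find_membership_cycles(SAMPLE_DIRECTORY))
```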

cst February 21st, 2011

Hi folks,
you find a bug tracker for ADI on

Eduardo August 4th, 2011


We are using the 1.1.1 version and we’ve found a little problem when the user account is defined to log on only on specified workstations.
If the user has the logon workstations defined, they can’t log on through Active Directory Integration, but if we deactivate this option the user can log on successfully.
This option is located at: User Properties >> Account >> Logon Workstations.

Is there some way to work in this type of environment?

cst August 5th, 2011

Hi Eduardo,
I can reproduce this behavior but this is what I expected. “It’s not a bug, it’s a feature.”

And I don’t know any workaround. When you log on from a Windows workstation the hostname is passed along with the credentials to AD. But when you use LDAP (like ADI does) there is no LDAP attribute for the hostname to be sent. As a result the AD cannot know from which host you want to log on. It won’t work, even if you enter the hostname of your web server into the list of allowed workstations.


Carsten August 8th, 2011

Hi Christoph

I was not getting my user meta data filled in wordpress.
The reason was I was choosing “displayName” as the “Display name”, thinking it would correlate to WordPress’ “Display name publicly as”.

This had the effect that I could authenticate, but none of my user meta data was transferred from LDAP/AD to WP.

Going back to sAMAccountName did the job, but that now makes my surname (login name) appear in all posts instead of the full name that I desire.

Goal: How can I make the display name within WP automatically be the displayName of Active Directory? I don’t want any manual job to be done here.

many thanks!


Wil October 25th, 2011

I have a new install with WordPress 3.2.1 (not multisite) and ADI 1.1.1 and after trying some versions of ADI and WordPress I couldn’t make it work fine. This is my log in WP 3.2.1 and ADI 1.1.1:
openLDAP installed
[INFO] method authenticate() called
[INFO] ——————————————
PHP version: 5.2.4-2ubuntu5.18
WP version: 3.2.1
ADI version: 1.1.1
OS Info : Linux AJ03WEB 2.6.24-28-virtual #1 SMP Fri Jun 18 13:25:12 UTC 2010 i686
Web Server : apache2handler
adLDAP ver.: 3.3.2 Extended (201104081456)
[NOTICE] username: johnny
[NOTICE] password: **not shown**
[INFO] Options for adLDAP connection:
- account_suffix: @olot.local
- base_dn: dc=www,dc=olot,dc=local
- domain_controllers: X.X.X.X
- ad_port: 389
- use_tls: 0
- network timeout: 0
[NOTICE] adLDAP object created.
[INFO] max_login_attempts: 3
[INFO] users failed logins: 0
[NOTICE] trying account suffix “@olot.local”
[ERROR] Authentication failed
[WARN] storing failed login for user “johnny”

What can I change in ADI?
Thanks CST!!

nickb November 28th, 2011

Hi Christoph,
do you have any plans to implement the “authenticate against multiple domains” TODO point? This option sounds really great and of course our government agency really needs that functionality to authenticate users e.g. from domains like and through our WordPress server. Or do you know any other plugins / solutions for that problem?
Thanks in advance and best wishes,

cst November 28th, 2011

Hi Nick,
if you have an urgent need for this feature, I should implement it soon.

I think you’re from Germany, so let’s talk German. Just send me an e-mail to and describe exactly how you envision the implementation and what requirements you have.

cst November 28th, 2011

Do you think you have set the right base_dn? http://www.olot.local looks very unusual. Have you tried base_dn = dc=olot,dc=local?

Mike December 2nd, 2011

If a person is in two groups in Active Directory and I have content based on groups, will a person see the content from both groups or just the first group in order left to right?



cst December 6th, 2011

Hello Mike,
I don’t know how you organize your posts and groups/roles, but it is as you suspect. In WordPress every user has ONE (1) role and ADI maps the first matching AD group (from left to right) to the corresponding WordPress role. There is no way (as far as I know) to let users have more than one role in WordPress.

Amol C December 13th, 2011


Thanks for the wonderful AD module, it has worked very easily and was the only module which got connected to my AD server without any issue.

Please can you plan a similar module for Drupal.
