
On the Environment configuration page you have to enter the required information about your Active Directory environment.

Environment options of Next ADI

Active Directory Environment

Domain controllers

The domain controllers are the Active Directory servers used to authenticate and authorize your users. On a domain-joined Windows client you can list the domain controllers of your domain by querying the DC locator SRV records, for example

nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.tld

(replace domain.tld with your DNS domain). Running nslookup without arguments only shows the DNS server the client uses, which is not necessarily a domain controller.



Lookup Active Directory by using command line

Multiple domain controllers can be defined by putting one IP address or DNS name into each input field.

  • Each domain controller must serve the same Active Directory domain.
  • Please note that the first domain controller is used by default. The other DCs are only used if ADI could not connect to, or could not authenticate the user against, the previous one.
  • There is no real round robin: all additional domain controllers are used as fallback only.
  • If you enable encryption, prefer DNS names over IP addresses: the TLS certificate of a domain controller is issued for its host name, and a connection to a bare IP address can not be validated against that name.

Port

This option defines the port used to connect to Active Directory. By default the port is set to 389. The same port is used for every defined domain controller.

Please note that Active Directory offers LDAP on TCP port 389 (UDP 389 only carries the connectionless CLDAP pings used for DC discovery) and LDAPS on TCP port 636. The Global Catalog listens on ports 3268 (LDAP) and 3269 (LDAPS).

Use encryption

Choose between:

  • STARTTLS - Active Directory provides STARTTLS over port 389
  • Lightweight Directory Access Protocol over SSL (LDAPS) - Active Directory provides LDAPS over port 636
  • None

If you want to use LDAPS the Port option has to be manually set to 636 or any other port your domain controller uses.

Hints

  • With STARTTLS the connection to port 389 starts unencrypted and is upgraded to TLS by the STARTTLS extended operation before ADI sends any credentials.
  • LDAPS listens on port 636 and is encrypted from the first byte; it can not be combined with STARTTLS.
  • All of your domain controllers must provide the same encryption method. There can not be a primary DC which requires LDAPS and a second one without LDAPS.
  • With None, the bind passwords (including the ones entered under Verify credentials) cross the network in clear text, and domain controllers that enforce LDAP signing reject such simple binds. Use it only for troubleshooting on a trusted network.

LDAP network timeout

The LDAP network timeout sets the time in seconds after which a connection attempt to a domain controller is given up. If the timeout is reached, ADI tries the next domain controller and, after the last one, falls back to the local WordPress authentication methods.

The default value for this option is 5 (seconds), which should be more than enough in most cases. Keep in mind that the fallback DCs are tried one after another, so when none of them is reachable a login attempt can block for up to (number of domain controllers × timeout) seconds before WordPress authentication takes over.
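The following Python script (an added example, not code from the Next ADI project) checks a list of domain controllers in exactly the order the plugin uses them: the first entry first, the others only as sequential fallbacks, each attempt bounded by the configured timeout. It speaks the LDAPv3 wire format of RFC 4511 directly with the standard library, so "ldaps" wraps the socket in TLS at once and "starttls" sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) and checks the resultCode before upgrading. The function names, the encryption labels and the host names dc01.domain.tld/dc02.domain.tld are assumptions for the illustration.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))                # 0x60 | 23, context tag 0
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)  # message ids below 128 only


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_result_code(response: bytes) -> int:
    """resultCode of an extendedResponse [APPLICATION 24]; -1 for anything else."""
    try:
        tag, msg, _ = _read_tlv(response, 0)
        if tag != 0x30:
            return -1
        _, _msg_id, pos = _read_tlv(msg, 0)               # messageID
        tag, body, _ = _read_tlv(msg, pos)
        if tag != 0x78:                                    # 0x60 | 24
            return -1
        tag, code, _ = _read_tlv(body, 0)                  # resultCode ENUMERATED
        return int.from_bytes(code, "big") if tag == 0x0A else -1
    except IndexError:                                     # truncated or empty reply
        return -1


def probe_dc(host: str, port: int, encryption: str, timeout: float) -> bool:
    """Connect the way the Port/Use encryption settings describe it.

    "ldaps": TLS from the first byte; "starttls": plain connect, StartTLS request,
    resultCode must be 0 (success) before the TLS upgrade; "none": the port only has
    to accept the TCP connection. Certificates are validated against the system CA
    store, so the DC name must match its certificate (load your internal CA into
    the context if the DC certificate is not publicly trusted)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if encryption == "ldaps":
                with ctx.wrap_socket(sock, server_hostname=host):
                    return True
            if encryption == "starttls":
                sock.sendall(starttls_request())
                if parse_result_code(sock.recv(4096)) != 0:
                    return False                           # DC refused StartTLS
                with ctx.wrap_socket(sock, server_hostname=host):
                    return True
            return True
    except OSError:                                        # timeouts and TLS errors
        return False


def connect_with_fallback(dcs, port, encryption, timeout, probe=probe_dc):
    """Return the first DC that answers, in list order, or None.

    This mirrors the plugin's behaviour: no round robin, the second DC is only
    contacted after the first one failed. `probe` is injectable so the order can
    be exercised offline."""
    for host in dcs:
        if probe(host, port, encryption, timeout):
            return host
    return None


if __name__ == "__main__":
    # Hypothetical host names: replace them with your own domain controllers.
    print(connect_with_fallback(["dc01.domain.tld", "dc02.domain.tld"], 636, "ldaps", 5.0))
```

Run it once per encryption mode you intend to configure; a DC that answers "none" but not "starttls" tells you the DC does not offer StartTLS, and a TLS error with "ldaps" on port 636 usually means the certificate name or issuer does not match, which is exactly what ADI would run into.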

Base DN

The Base DN is the search root when looking up users and role mappings. Its value depends on your Active Directory layout and looks like OU=users,OU=my organization,DC=domain,DC=tld. If you use a wrong base DN, users can still be authenticated (the bind succeeds) but their data can not be fetched from Active Directory. The debug.log then contains a warning like:

Attributes for '$user@$upnSuffix': could not be loaded. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? 

To fix this error you should try each hierarchical path of the DN:

  • OU=users,OU=my organization,DC=domain,DC=tld
  • OU=my organization,DC=domain,DC=tld
  • DC=domain,DC=tld

As noted in the Security considerations section, this setting should restrict the search as far as possible: ideally use only the organizational unit (OU) that contains your users and groups.

You can only specify one base DN, not several. If you need more than one base DN for historical reasons, you can query the Global Catalog instead of the domain controller's normal LDAP port: set the LDAP port to 3268 (3269 for LDAPS) and use the top-level DN of the domain (for example DC=domain,DC=tld) as base DN. Note that the Global Catalog only holds a partial attribute set for objects of other domains in the forest, so attributes that are not replicated to the GC can not be synchronized this way.
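A small Python helper, added here as an example and not code from Next ADI, that walks the DN hierarchy described above and derives the top-level DN needed for the Global Catalog. It splits DNs according to RFC 4514, so an escaped comma inside a value such as CN=Smith\, John does not break the split. All DN values in it are constructed for the illustration.

```python
def split_dn(dn: str) -> list:
    """Split a DN into its RDNs, honouring backslash escapes such as 'Smith\\, John'."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def base_dn_candidates(dn: str) -> list:
    """Suffixes of the DN from the most specific OU down to the domain root:
    the hierarchy to try when debug.log reports that attributes could not be
    loaded for a user who authenticated fine."""
    rdns = split_dn(dn)
    out = []
    for i, rdn in enumerate(rdns):
        out.append(",".join(rdns[i:]))
        if rdn.upper().startswith("DC="):    # the domain root is the last useful candidate
            break
    return out


def domain_root(dn: str) -> str:
    """Only the DC= components: the top-level DN to combine with the Global
    Catalog port (3268/3269) when users are spread over several base DNs."""
    return ",".join(r for r in split_dn(dn) if r.upper().startswith("DC="))


def base_dn_for_domain(fqdn: str) -> str:
    """domain.tld -> DC=domain,DC=tld, the root of that domain's naming context."""
    return ",".join("DC=%s" % label for label in fqdn.strip(".").split("."))


def narrowest_common_base(dns: list) -> str:
    """Deepest base DN that still contains every given OU. If this is an OU
    rather than the domain root, it is a tighter search root than the GC."""
    root_first = [split_dn(d)[::-1] for d in dns]
    common = []
    for rdns in zip(*root_first):
        if len({r.lower() for r in rdns}) != 1:
            break
        common.append(rdns[0])
    return ",".join(reversed(common))


if __name__ == "__main__":
    ou = "OU=users,OU=my organization,DC=domain,DC=tld"   # constructed sample DN
    for candidate in base_dn_candidates(ou):
        print(candidate)
    print(domain_root(ou), base_dn_for_domain("domain.tld"))
```

narrowest_common_base is worth running before switching to the Global Catalog: when the OUs you need all sit below one parent OU in the same domain, that parent is a valid base DN and keeps the search scope smaller than the domain root.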

You can find your Active Directory Base DN with the following steps:

  1. Connect to your Active Directory server with help of Remote Desktop.
  2. Open Start -> Administrative Tools -> Active Directory Users and Computers
  3. Enable View -> Advanced Features
  4. Expand your domain -> right-click the Users container -> Properties
  5. Attribute Editor -> select distinguishedName in the list -> press View

    Active Directory attribute editor

  6. Copy your Base DN.

    Distinguished name of entry in attribute editor

Verify credentials

The username and password are used to authenticate as a member of the target domain in order to connect the WordPress site / ADI profile to that domain. This is required to ensure that you can synchronize users from multiple Active Directory domains without mixing them up. Connecting your WordPress site or profile to a domain is required before you can save any configuration.

Domain SID

This option indicates that your WordPress site or ADI profile is currently connected to an Active Directory domain. It displays the domain SID, so you can check which Active Directory domain the WordPress site or profile is connected to.
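The displayed domain SID can be checked against what the directory actually returns: the objectSid attribute comes over LDAP as a binary blob. The following Python, an added example that is not part of Next ADI, decodes that blob into the S-1-5-21-... form, encodes it back, and tells whether a given user SID belongs to the connected domain by stripping the relative identifier (RID). The sample SID values are constructed and belong to no real domain.

```python
import struct


def sid_to_string(blob: bytes) -> str:
    """Binary objectSid (as returned over LDAP) -> S-1-5-21-... text form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count sub-authorities of 4 bytes little-endian each."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("truncated or padded SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, useful for building LDAP filters on objectSid."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid_of(account_sid: str) -> str:
    """A domain account's SID is the domain SID followed by one RID; drop the RID."""
    return account_sid.rsplit("-", 1)[0]


def belongs_to_domain(account_sid: str, domain_sid: str) -> bool:
    """True if the user object came from the domain the site is connected to.
    The comparison is on the SID, not on a DNS name, so a mistaken fallback DC
    that serves a different domain is caught."""
    return domain_sid_of(account_sid) == domain_sid


if __name__ == "__main__":
    # Constructed sample: the domain SID as shown on the configuration page,
    # and the objectSid blob of one user as an LDAP client would receive it.
    shown_domain_sid = "S-1-5-21-3623811015-3361044348-30300820"
    user_blob = string_to_sid(shown_domain_sid + "-1105")
    print(sid_to_string(user_blob), belongs_to_domain(sid_to_string(user_blob), shown_domain_sid))
```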

NetBIOS name

(since 2.0.11) The NetBIOS name is retrieved from the Active Directory configuration and is used during SSO with NTLM. You can not configure this option.