With the Permission page you can restrict which of your Active Directory users are allowed to log in.
Authorize by group membership
This option authorizes only members of the given Active Directory security groups to gain access to WordPress. The authorization occurs after the authentication. If you disable this option, every Active Directory user below the Base DN can log in. The roles of the user are still defined by the Role equivalent groups.
If you have enabled Authorize by group membership, you must provide the names of the Active Directory security groups which should have access to the WordPress instance. Only users who are members of one of the configured Active Directory security groups can log into the WordPress instance.
Role equivalent groups
Enter the names of the Active Directory security groups which correspond to WordPress' roles. Every mapping has to be defined in its own row. A complete list of WordPress' Roles and Capabilities can be found at: http://codex.wordpress.org/Roles_and_Capabilities (3.8 Capability vs. Role Table).
Please note that group memberships cannot be checked across multiple domains: Let's suppose you have two domains A and B. A has a security group named A-1 and B has a security group named B-1. The user who wants to log in is a member of both domains. During the login only the first authenticated domain is used. Because of this he is a member of A-1 but not B-1. Any Role equivalent group for B-1 will not be assigned.
Examples for this option
ad-group = wp-role
wordpressadmins = administrator
wordpressmoderator = editor
wordpressuser = contributor
If an Active Directory user is a member of multiple security groups and all of them are mapped to WordPress roles, the roles are accumulated. If the user belongs to the security groups Sales_SEC and Financial_SEC and the "Role equivalent group" contains the following configuration
Sales_SEC = editor
Financial_SEC = author
Developer_SEC = administrator
then he belongs to the WordPress roles editor and author.
If you imported users from primary groups, for example "Domain Users" via "id:513", you still have to enter the group name here.
Domain Users = editor
Clean existing Roles
If this option is enabled, all previously assigned WordPress roles are removed when the user is updated, and the roles configured in "Role equivalent groups" are assigned.
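The following model of the rules described above is an added example, not the plugin's own code. It can be used to check which WordPress roles a given set of group memberships would produce. The function names are hypothetical, and two behaviours are assumptions: group names are compared case-insensitively, and earlier roles are kept when "Clean existing Roles" is disabled.

```python
# Added illustration: models the Permission page rules described above.
# Not the plugin's code; all function names are hypothetical.

def parse_role_groups(text):
    """Parse 'AD group = WordPress role' rows, one mapping per row."""
    mapping = {}
    for row in text.splitlines():
        if "=" not in row:
            continue  # skip blank or malformed rows
        group, role = (part.strip() for part in row.rsplit("=", 1))
        if group and role:
            # Assumption: group names are compared case-insensitively.
            mapping.setdefault(group.lower(), set()).add(role.lower())
    return mapping


def resolve_login(user_groups, role_groups, authorized_groups=None,
                  existing_roles=(), clean_existing=False):
    """Return (allowed, roles) for a user who has already authenticated.

    authorized_groups=None models 'Authorize by group membership' disabled.
    """
    member_of = {g.strip().lower() for g in user_groups}
    if authorized_groups is not None:
        allowed_groups = {g.strip().lower() for g in authorized_groups}
        if not member_of & allowed_groups:
            return False, set()  # authenticated, but not authorized
    # Roles of every matching group accumulate.
    mapped = set()
    for group in member_of:
        mapped |= role_groups.get(group, set())
    # Assumption: with 'Clean existing Roles' off, earlier roles are kept.
    roles = mapped if clean_existing else set(existing_roles) | mapped
    return True, roles


# Constructed sample configuration, taken from the examples on this page.
ROLE_GROUPS = parse_role_groups("""
Sales_SEC = editor
Financial_SEC = author
Developer_SEC= administrator
""")
```

In this model, a user who previously held administrator and is now only a member of Sales_SEC ends up with editor alone when `clean_existing=True`, and with both roles when it is `False`.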
Defining Multisite "super admins"
WordPress has a special role called "super admin" which is only available in a Multisite environment. A Super Admin has access to the Multisite network administration and can do everything. Please note the following:
- As mentioned, the role super admin can only be assigned inside a Multisite environment.
- For security reasons the role super admin can only be assigned in a profile configuration and not in a site configuration. You will see an error message if you try to assign the role inside a site configuration.
- After a user with role "super admin" has been synchronized for the first time, he is added to the admin user list in WordPress Multisite.