
To keep your installation secure, read this page attentively. Please also read the Security considerations section carefully.

Security options of Next ADI

Single Sign On

Enable SSO

This option lets users sign in to WordPress via Single Sign On. The user must already have been authenticated by the webserver or frontend proxy. When the user opens the WordPress site, NADI checks for the existence of the Username variable. If it is available, the user is automatically authenticated and his account data is retrieved from the Active Directory.

Service account username

The service account is required to authenticate/re-authenticate/authorize a previously SSO authenticated user. You have to add a service account with read permission in the Active Directory. Please enter the full user information including the domain suffix. The option User Append suffix has no influence on this option.

Service account password

This option defines a new password for the SSO service account.

Username variable

This option defines the server variable which will be used to retrieve the current user. In most cases (Apache, IIS) this should be set to REMOTE_USER. Please consult your webserver's documentation for more information.
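
Because SSO trusts whatever the Username variable contains, the variable must be one that only the webserver or frontend proxy can set. The following added example (not NADI's own code) sketches such a check: an HTTP_* variable is accepted only when the request's direct peer is a known frontend proxy. The function name, header name, addresses and usernames are assumptions constructed for illustration.

```php
<?php
// Added example, not part of NADI. resolve_sso_username(), the header name
// and all sample values below are hypothetical and constructed.

/**
 * Return the SSO username from $server, or null if it cannot be trusted.
 *
 * @param array    $server         Copy of $_SERVER
 * @param string   $variable       Configured "Username variable", e.g. REMOTE_USER
 * @param string[] $trustedProxies Addresses of frontend proxies allowed to assert identity
 */
function resolve_sso_username(array $server, string $variable, array $trustedProxies): ?string
{
    // PHP exposes client request headers in $_SERVER as HTTP_* keys, so any
    // client can supply them. Accept such a variable only when the direct
    // peer is a known proxy (which must itself strip that header from
    // incoming requests before setting its own value).
    if (strncmp($variable, 'HTTP_', 5) === 0) {
        $peer = $server['REMOTE_ADDR'] ?? '';
        if (!in_array($peer, $trustedProxies, true)) {
            return null;
        }
    }

    $value = $server[$variable] ?? '';
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    // Reject empty values and control characters before any directory lookup.
    if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Constructed sample requests.
$proxies       = ['10.0.0.5'];
$fromWebserver = ['REMOTE_ADDR' => '198.51.100.7', 'REMOTE_USER' => 'jdoe@EXAMPLE.TEST'];
$fromProxy     = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_REMOTE_USER' => 'jdoe@EXAMPLE.TEST'];
$directClient  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_REMOTE_USER' => 'jdoe@EXAMPLE.TEST'];

var_dump(resolve_sso_username($fromWebserver, 'REMOTE_USER', $proxies));
var_dump(resolve_sso_username($fromProxy, 'HTTP_X_REMOTE_USER', $proxies));
var_dump(resolve_sso_username($directClient, 'HTTP_X_REMOTE_USER', $proxies));
```

The first two calls return the username; the third returns null because the header arrived from an address that is not a listed proxy.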

Disable SSO for XML-RPC

since 2.1.9

If you want tools like Live Writer to work in an SSO environment, SSO must be deactivated for XML-RPC, as Live Writer does not work with Kerberos or NTLM.


Enable login for smart card Users

This option allows users who usually require a smart card to authenticate against the Active Directory to log in to the WordPress environment. Users who were deactivated by NADI because they require a smart card will be activated at the next "Sync to WordPress".

Enables login using a custom login page

If checked, NADI also registers its hook when the URL /login is called. You have to make sure that this URL is mapped by WordPress.

Brute Force Protection

After discussing the Brute Force Protection in our team, we came to the conclusion that we will flag it as deprecated.
The reason is that we can't make it as secure as other existing security plugins.
That is why we started testing some Brute Force Protection plugins to see if they work in combination with NADI.
We highly recommend using iThemes Security to secure your WordPress environment.
NADI Brute Force Protection will not receive updates anymore after the NADI v2.0.13 release, and we are planning on removing it completely later this year.

Maximum number of allowed login attempts

Enter the number of attempts a user has to log in with a wrong username and/or password combination before he is blocked for a specific time period. To disable the brute-force protection, set this number to 0.

Blocking time

This option sets how long a user is blocked after the number of failed login attempts has been reached.

Notify users of blocked account

If enabled, ADI notifies the user by email that his account has been blocked.

Notify admins of blocked account

Enabling this option will notify the admin(s) about blocked user accounts as well.

E-mail addresses for notifications

This option must be configured if you have enabled Notify admins of blocked account. It configures the email addresses of WordPress administrators. Separate multiple email addresses with a semicolon.

If the admin notification event is triggered and no admin email has been set, the email is forwarded to the blog administrator's email address.

Example setting:;

Allow login via XML-RPC

If enabled, users imported by NADI can authenticate against the Active Directory through the XML-RPC interface. This means you can use a WordPress client like "Open Live Writer" to create posts on your WordPress site using NADI users. We also implemented this feature to ensure that no one is able to use the WordPress XML-RPC interface to brute-force your Active Directory users. After the number of failed login attempts has been reached, NADI will deny XML-RPC authentication requests for the set amount of time. If you do not activate this option, NADI will deny all XML-RPC authentication requests for NADI users.