To keep everything updated with the current user’s data you can enable a synchronization from WordPress back to your Active Directory.

Sync to Active Directory in Next ADI

NADI supports two options for how the attributes are synchronized back to the Active Directory:

  1. Each time a WordPress user changes their profile, the user has to enter their AD credentials. This method has the advantage that no credentials are stored. The trade-off is that it can be annoying for the user to enter their credentials every time they change their profile.
  2. Each time a WordPress profile gets updated, a dedicated service account (SA) is used. The SA’s credentials are stored encrypted inside WordPress’ database, which can lead to serious problems if you suffer a security breach. From a user’s perspective this is the more elegant way, as they don’t need to enter their credentials.

Active Directory permissions

In any case, you have to set the correct Active Directory permissions so that LDAP attributes can be written after the user’s profile has changed. If you have not done so, you will see the following error in your logs/debug.log file:

adLDAP last error: Insufficient access

Setting the permissions without a service account

  1. Use ADSI Edit to connect to your Active Directory.
  2. Navigate to the Organizational Unit where your users reside and select Properties from the context menu.
  3. On the tab Security choose the name SELF (SELBST) and enable the permission Write.
  4. Click on the button Advanced, navigate to the access permission Write for the principal SELF and click on Edit.
  5. Select This object and all descendant objects from the Applies to select list.
  6. Save the settings.

Setting the permission with a service account

Follow the steps above, but instead of using SELF, assign the permissions to your proper service account.
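The ADSI Edit steps above (for SELF) and the service-account variant can also be applied and verified from PowerShell. The following script is an added example, not part of the NADI documentation or plugin; it assumes the ActiveDirectory PowerShell module (which provides the AD: drive) is installed, that the caller may modify the OU's security descriptor, and that the OU and account names are placeholders. GenericWrite is the right behind the "Write" checkbox in ADSI Edit, and inheritance type All corresponds to "This object and all descendant objects".

```powershell
# Added example (not NADI code): grant the "Write" permission on an OU, inherited by
# all descendant objects, to SELF or to a dedicated service account, then verify it.
# Assumes the ActiveDirectory module; OU and account names below are placeholders.
Import-Module ActiveDirectory

function Grant-OuWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        # 'SELF' for the no-service-account setup, otherwise the service account's sAMAccountName
        [Parameter(Mandatory)] [string] $Principal
    )

    $identity = if ($Principal -eq 'SELF') {
        # Well-known SID S-1-5-10 is SELF (displayed as SELBST on German systems)
        New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
    } else {
        # Resolve the service account to its SID so the ACE does not rely on name lookups
        (Get-ADUser -Identity $Principal).SID
    }

    # GenericWrite = the "Write" checkbox; inheritance All = "This object and all descendant objects"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )

    $path = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-OuWriteAccess {
    # Returns the matching Allow/GenericWrite/All entries for the given SID (empty if none)
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $genericWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access | Where-Object {
        # Translate name-based entries to SIDs so both forms compare correctly
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $genericWrite) -eq $genericWrite -and
        $_.InheritanceType -eq 'All'
    }
}

# Usage with placeholder names: grant SELF, then verify the entry was written
$ou   = 'OU=users,DC=domain,DC=tld'
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
Grant-OuWriteAccess -OuDistinguishedName $ou -Principal 'SELF'
if (-not (Test-OuWriteAccess -OuDistinguishedName $ou -Sid $self)) {
    Write-Warning "No inheritable Write entry for SELF found on $ou"
}
# For the service-account setup, pass its sAMAccountName instead of 'SELF' and
# verify with -Sid (Get-ADUser -Identity '<service account>').SID
```

The ACE this grants is exactly as broad as the ADSI Edit steps describe (Write on every attribute of every descendant object), so running Test-OuWriteAccess afterwards, and reviewing which principal holds the entry, is worthwhile before enabling the synchronization.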

Error “Insufficient access” still occurs

NADIS-127: Thanks for this section go out to Martin Minne, who let us know about this issue.

If, after you have applied the correct Active Directory permissions above, you still receive the error Insufficient access, it might be due to the way the user has been created. If the user was created in a previous OU where the permission had not been set, and you then moved it to your OU with the applied permissions, the user keeps the permissions from the old OU. The best solution is to force a reload of the user’s permissions with this command:

DSACLS "CN=user,OU=my_ou,DC=domain,DC=tld" /P:N

You can use the following PowerShell script to apply the changes to all users of an OU:

# SCRIPT TO FORCE USER OBJECTS TO GET INHERITED PERMISSIONS FROM THEIR PARENT OU
Import-Module ActiveDirectory
$ou = "OU=users,DC=domain,DC=tld"

# Get-ADUser already returns DistinguishedName and Name, so no second lookup per user is needed
$userlist = Get-ADUser -SearchBase $ou -Filter *
ForEach ($user in $userlist)
{
	$dn = $user.DistinguishedName
	$cn = $user.Name
	Write-Output "Setting default inherited permissions from parent OU on user $cn"
	Write-Output "SETTING PERMISSIONS FOR USER $cn" >> dsaclslogs.txt
	# /P:N clears the "protect from inheritance" flag so the OU's permissions apply to the user again
	DSACLS "$dn" /P:N >> dsaclslogs.txt
}
Write-Output "Done. Please consult dsaclslogs.txt if necessary."
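Before resetting every user in the OU, it helps to see which user objects actually have inheritance blocked, which is the flag DSACLS /P:N clears. The following audit is an added example, not part of the NADI documentation; it assumes the ActiveDirectory module and uses a placeholder OU. It reports adminCount as well, because accounts with adminCount=1 are protected accounts whose inheritance the AdminSDHolder process re-blocks periodically, so a one-off reset does not stay in effect for them.

```powershell
# Added example (not NADI code): list users under an OU whose security descriptor
# is protected from inheritance, i.e. the objects DSACLS /P:N would change.
# Assumes the ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-UsersWithBlockedInheritance {
    param([Parameter(Mandatory)] [string] $SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        # AreAccessRulesProtected is true when the DACL does not inherit from the parent OU
        if ($acl.AreAccessRulesProtected) {
            [PSCustomObject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                # adminCount=1 marks AdminSDHolder-protected accounts; SDProp re-blocks inheritance for them
                AdminCount        = $_.adminCount
            }
        }
    }
}

# Usage with a placeholder OU: review the list, then run DSACLS "<dn>" /P:N only for these objects
$blocked = Get-UsersWithBlockedInheritance -SearchBase 'OU=users,DC=domain,DC=tld'
$blocked | Format-Table Name, AdminCount, DistinguishedName -AutoSize
```

Running the audit again after the DSACLS reset should return an empty list, apart from accounts with adminCount=1, which need a different approach than a plain inheritance reset.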

Sync to Active Directory

Enable sync to AD

With this option enabled, NADI automatically synchronizes the user’s profile back to the Active Directory whenever it changes.

The synchronization is automatically triggered whenever a user profile gets updated through the user’s profile page.

Use Sync To AD service account

With this option enabled, users are not asked for their Active Directory password when updating their WordPress user profile. Instead, a dedicated Active Directory service account is used. Please see the notes above.

Service account username

If Use Sync To AD service account is enabled, the username of the service account must be defined. Please note that you have to add the domain information explicitly by appending the domain suffix.

The option User > Account suffix or any other configuration will not be applied for the service account.

Service account password

This option defines a NEW password for the Sync to AD service account. Leave this field blank if you don’t want to change the password.

Auth code

The authentication code must be used if you want to trigger the synchronization with the help of a cron job. The menu option Sync to AD shows you the code snippets for wget and curl.