The User tab contains all user-specific configuration options. This includes settings like how users should be displayed, created, updated etc.

User options of Next ADI

User Settings

Exclude usernames from authentication

Every username listed here is not authenticated against the Active Directory during login; the local WordPress password is used instead. This option ensures that you can set up Next Active Directory Integration and still log in with your WordPress administrator account. You have to explicitly declare every username you want to exclude. For example, to exclude “administrator@test.ad” from authentication you have to add “administrator@test.ad” to the list, not just “administrator”. If you are using the account suffix “@test.ad” and exclude only “administrator”, the user can still log in with “administrator@test.ad”.

Usernames added to the list are case-insensitive.

Please note:

  • The first administrator of a network installation (super admin) and the first administrator of a site are implicitly never authenticated against the Active Directory. This ensures that the administrator can log in at any time.
  • The user who activates NADI is automatically added to the list of excluded usernames during the activation of the plug-in. This does not necessarily have to be the first administrator. You can remove this user after you have successfully tested your settings.

Since 2.3.0: The configuration setting explicitly applies to form-based and SSO logins. If you need to check for additional conditions, you can programmatically use the filters next_ad_int_auth_sso_login_requires_ad_authentication and next_ad_int_auth_form_login_requires_ad_authentication; see also the authentication API.

Account suffix

The Account Suffix is added to all usernames during the Active Directory authentication process. Example: An Account Suffix @company.local is used. When the user my_username logs in, the full username is set to my_username@company.local.

Do not forget to start the suffix with “@”.

If you have multiple account suffixes like @emea.company.local and @africa.company.local, put every account suffix in its own field. The primary domain name (@company.local) must reside in the last text field.
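
The exact-match rule from "Exclude usernames from authentication", combined with the account suffixes described above, makes it easy to leave one form of a break-glass account unlisted. The following check is an added example, not NADI's own code: it models the documented rule (whole-string, case-insensitive comparison) and lists the login forms of excluded accounts that are still sent to the Active Directory. The function names and the sample configuration are assumptions made for illustration, as is the assumption that the comparison is made against the login name as typed.

```python
# Added example: a model of the documented exclusion rule, not NADI's code.

def is_excluded(login, excluded):
    """Documented rule: the whole login must match an entry, ignoring case.
    A bare name never covers the name+suffix form, and vice versa."""
    return login.lower() in {entry.lower() for entry in excluded}


def uncovered_logins(excluded, suffixes):
    """Return login forms of excluded accounts that are NOT on the list and
    would therefore still be authenticated against the Active Directory."""
    gaps, seen = [], set()
    for entry in excluded:
        base = entry.split("@", 1)[0]
        # Forms the same account can be typed in: bare name and name+suffix.
        for form in [base] + [base + suffix for suffix in suffixes]:
            key = form.lower()
            if key not in seen and not is_excluded(form, excluded):
                seen.add(key)
                gaps.append(form)
    return gaps


# Constructed sample configuration, using the page's "@test.ad" suffix.
EXCLUDED = ["administrator", "WebMaster@test.ad"]
SUFFIXES = ["@test.ad"]

if __name__ == "__main__":
    for login in uncovered_logins(EXCLUDED, SUFFIXES):
        print("not excluded, add explicitly if intended:", login)
```
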

Allow users to login with one of their ProxyAddresses

This option allows your users to authenticate against the Active Directory using one of their proxy email addresses. The proxy address will be used to fetch their sAMAccountName from the Active Directory.

Use sAMAccountName for newly created users

By default, NADI uses the userPrincipalName as username for newly created users. In a single Active Directory domain environment this can be changed so that the sAMAccountName is used as username.

Enabling or disabling this option will not change any of the existing WordPress usernames. It will only affect newly created users! In case you are enabling this option, you have to
  • either manually update WordPress' wp_user.user_login column with the correct userPrincipalName,
  • or delete the existing users and re-import them.
As soon as you are using multiple Active Directory domains, e.g. with the help of the Global Catalog, we highly recommend leaving this option disabled. The probability of having the same sAMAccountName in different Active Directory domains is high. NADI is not able to assign the proper Active Directory domain user.

If you are switching from one domain to multiple domains, you have to manually update the user_login column as described above.
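
Before enabling the sAMAccountName option in a multi-domain environment, the collision risk described above can be checked against a directory export. The following audit is an added example, not part of NADI: the function name and the sample rows are constructed, and it assumes that the part of the userPrincipalName after "@" identifies the domain and that sAMAccountName values are compared case-insensitively.

```python
# Added example: audit a directory export for sAMAccountName collisions.
from collections import defaultdict

# Constructed sample rows (sAMAccountName, userPrincipalName), as they might
# appear in an export covering several domains.
SAMPLE_EXPORT = [
    ("jsmith", "jsmith@emea.company.local"),
    ("JSmith", "john.smith@africa.company.local"),
    ("mlee", "mlee@emea.company.local"),
    ("akhan", "akhan@company.local"),
]


def sam_collisions(rows):
    """Map each sAMAccountName used in more than one domain to the
    userPrincipalNames that would compete for the same WordPress login."""
    by_sam = defaultdict(dict)  # lowercased sAMAccountName -> {domain: UPN}
    for sam, upn in rows:
        if "@" not in upn:
            raise ValueError("userPrincipalName without domain part: " + upn)
        # Assumption: the UPN suffix identifies the Active Directory domain.
        domain = upn.rsplit("@", 1)[1].lower()
        by_sam[sam.lower()][domain] = upn
    return {
        sam: sorted(domains.values())
        for sam, domains in by_sam.items()
        if len(domains) > 1
    }


if __name__ == "__main__":
    for sam, upns in sam_collisions(SAMPLE_EXPORT).items():
        print(sam, "is ambiguous across domains:", ", ".join(upns))
```
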

Automatic user synchronization

After a successful login the WordPress profile of the user will be automatically synchronized with his Active Directory account. Requires “Automatic user creation” to be enabled.

Automatic update user description

This option will only work if you have already enabled Automatic user creation and Automatic user synchronization. As the title says, it will automatically update the user’s description for newly created users and users who log in.

Default email domain

Whenever a user’s Active Directory attribute mail is empty, the user’s email address is built by concatenating the username and the value of this option.

Email address conflict handling

This option handles email address conflicts caused by creating multiple users with the same email address. WordPress only allows unique email addresses in an installation. You can choose between the following options:

  • Prevent: User is not created, if his email address is already in use by another user (recommended)
  • Allow: Allow users to share one email address. (UNSAFE)
  • Create: In case of a conflict the new user is created with a unique and randomly generated email address.

Prevent email change

Prevent email change will stop users already authenticated by or synchronized with the Active Directory from changing their email address in WordPress. Users who have been added manually in WordPress and have not been authenticated yet by NADI are still able to change their email address.

Display name

This option allows you to configure how users should be displayed in posts and comments. By default the sAMAccountName is used. You can choose between the following options:

  • sAMAccountName (the username)
  • displayName
  • description
  • givenName (firstname)
  • SN (lastname)
  • givenName SN (firstname and lastname)
  • CN (Common Name, the whole name)
  • mail (email address)

Show user status

Show additional columns (ADI User, disabled) in WordPress’ users list.

Additional columns in WordPress user list