
General

Why Next ADI and not ADI 2.0?

Because Next ADI is a complete rewrite of ADI, we originally wanted to name the new version of Active Directory Integration "ADI 2". The rewrite was to be a standalone plug-in and not hosted in the old WordPress repository, because of problems with automatic upgrades. Our plan was to register active-directory-integration-2 as the plug-in name, but a) WordPress no longer allows brand names (Active Directory) at the beginning of a plug-in name and b) the 2 is not allowed either. So we ended up with Next ADI = ADI 2.0 = successor of ADI.

Requirements

What PHP version is required to make Next ADI work?

Next ADI requires at least PHP 5.3.29. Starting with the first Next ADI version in 2017 we require PHP 5.6, since PHP 5.5 reaches its EOL on 31.12.2016.

Which versions of PHP do work with Next ADI?

Our build pipeline executes unit tests against

  • 5.6.$LATEST-STABLE
  • 7.0.$LATEST-STABLE

You can assume that Next ADI is compatible with all of these versions.

What additional modules are required?

Next ADI requires at least php_ldap, php_mbstring and php_mcrypt.

What WordPress version is required?

WordPress 4.0 or newer.

What webserver is required?

Next ADI does not have any special requirements for the underlying webserver. Apache 2.2, Apache 2.4, nginx and IIS should all work fine.

Does Next ADI run on web hosters like WP Engine?

It depends upon your web hoster's configuration. For WP Engine, please take a look at the page Running NADI on WP Engine.

Features

Does Next ADI support OpenLDAP, Active Directory Federation Services (AD FS) or Microsoft Azure?

No. Next ADI only supports on-premises installations of Active Directory and is tested against Windows Server 2003, 2008 and 2012 (R2) in their different versions.

Active Directory

Is Azure Active Directory supported?

No. Azure Active Directory (AAD) does not expose LDAP so there is no way to access your AAD users.

Is Azure Active Directory Domain Services supported?

We do not officially support Azure Active Directory Domain Services (AAD DS), but from a technical point of view it works: AAD DS exposes LDAP, so you can use all features of Next ADI.

Which Active Directory versions are supported?

We support the domain functional level Windows Server 2003 and newer.

How many Active Directory domains can Next ADI handle?

Next ADI can handle as many AD domains as you like, but each WordPress site can have exactly one AD domain assigned. One AD domain can be assigned to multiple WordPress sites. Furthermore, each userPrincipalName across all of your Active Directory domains must be unique, so the same UPN suffix must not be used in different AD domains. To use multiple Active Directory domains you need to run WordPress as a multisite network instance:

  • Each Active Directory domain must have a unique userPrincipalName suffix.
  • Create a new profile for each Active Directory domain.
  • Enable User > Append suffix to new users. This option must not be changed afterwards.
  • Fill the UPN suffixes of the domain into User > Account suffix.
  • Assign the profile to the corresponding sites.

It is necessary that each user of every Active Directory domain has a unique userPrincipalName.

We have a test and production instance in our environment. Can we make Next ADI to work with both?

Yes and no. When copying the production users to the test instance, you must change the userPrincipalName from "username@prod.ad" to "username@test.ad". Please take a look at the previous answer on this topic.

Does Next ADI support domain forests?

No, not fully. You can configure Next ADI to use one of your Global Catalogs for authentication. Users can log in, but Sync to WordPress/Sync to Active Directory will not work. If you really need this feature, please contact us.

Can Next ADI create users in Active Directory?

No. Next ADI can create Active Directory users in WordPress but not vice versa. There are too many corner cases and security-related problems which cannot be implemented easily. Maybe we will add this feature someday if it gets sponsored; the effort for this is extremely high.

Connecting to Active Directory

I receive the error 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can't contact LDAP server'

There can be several reasons why this error appears. It is highly unlikely to be a bug in NADI; it is almost always a problem with your network connectivity. Please check the following:

  • Check the configured hostnames of the domain controllers:
    • If you are using DNS names, can the webserver running WordPress resolve the DNS names to IP addresses? You can test this by issuing ping $DNS_ENTRY on the webserver's console.
    • If you are using DNS names with the .local TLD, there can be serious problems with resolving the correct IP addresses. It highly depends on the operating system and the enabled services. You should enter the full DNS name to IP mapping into the hosts file of the webserver or use IP addresses instead of DNS names.
  • Does the firewall of the webserver's operating system allow outgoing TCP connections to your domain controller? Does any firewall between the webserver and the domain controller block the traffic? You can easily check this by issuing telnet $DOMAIN_CONTROLLER 389 (the standard LDAP port; 636 for LDAPS) on the webserver's console.
  • If you are running WordPress on a Linux host with SELinux enabled, you have to make sure that SELinux allows outgoing network connections for the webserver. You can temporarily test this by issuing setsebool -P httpd_can_network_connect 1 on the webserver's console.
  • Please check the username and password of the configured LDAP connection. Are they valid?
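To make these checks repeatable, here is a small stand-alone diagnostic script. It is an added example and not part of Next ADI; it uses only the Python standard library and performs, from the webserver host, the same checks as the list above: name resolution, a TCP connect to the LDAP/LDAPS port, a hint for .local names, and (on Linux hosts with SELinux) a read of the httpd_can_network_connect boolean. The hostname dc01.example.test is a constructed placeholder; the path under /sys/fs/selinux is assumed to exist only on SELinux-enabled hosts, and the script treats its absence as "no SELinux".

```python
#!/usr/bin/env python3
"""Added example (not part of Next ADI): connectivity diagnostic for the
"Can't contact LDAP server" bind error, run on the webserver host."""
import socket

LDAP_PORT = 389    # plain LDAP / STARTTLS
LDAPS_PORT = 636   # LDAPS
# Assumption: this boolean file exists only on SELinux-enabled Linux hosts.
SELINUX_BOOL = "/sys/fs/selinux/booleans/httpd_can_network_connect"


def resolve_host(host):
    """IP addresses the webserver resolves `host` to; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def uses_local_tld(host):
    """Names under .local are the ones the FAQ warns about: the operating
    system may resolve them differently from the AD DNS."""
    return host.rstrip(".").lower().endswith(".local")


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port succeeds (route/firewall check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def selinux_httpd_can_network_connect():
    """None if SELinux is not present, else the boolean's current value."""
    try:
        with open(SELINUX_BOOL) as fh:
            return fh.read().split()[0] == "1"
    except OSError:
        return None


def hints_for(report):
    """Turn the raw check results into the next action an admin should take."""
    hints = []
    if not report["resolvable"]:
        hints.append("name does not resolve: fix DNS, use the hosts file or an IP address")
    else:
        if report["local_tld"]:
            hints.append(".local name: verify the resolved addresses really are your domain controllers")
        if not report["tcp_reachable"]:
            hints.append("TCP port %d closed or filtered: check host and network firewalls" % report["port"])
    if not hints:
        hints.append("network path looks fine: check the bind username and password next")
    if report["selinux_network_allowed"] is False:
        hints.append("SELinux blocks outgoing connections from the webserver (httpd_can_network_connect=0)")
    return hints


def check_domain_controller(host, port=LDAP_PORT, timeout=3.0):
    """Run all checks against one domain controller and return a report dict."""
    addresses = resolve_host(host)
    report = {
        "host": host,
        "port": port,
        "addresses": addresses,
        "resolvable": bool(addresses),
        "local_tld": uses_local_tld(host),
        "tcp_reachable": bool(addresses) and tcp_port_open(host, port, timeout),
        "selinux_network_allowed": selinux_httpd_can_network_connect(),
    }
    report["hints"] = hints_for(report)
    return report


def open_local_listener():
    """Throwaway listener on 127.0.0.1 (ephemeral port) so the checks can be
    exercised without a real domain controller; constructed for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder
    for port in (LDAP_PORT, LDAPS_PORT):
        result = check_domain_controller(target, port)
        print("%s:%d -> %s" % (target, port, "; ".join(result["hints"])))
```

Run it as the webserver's user (for example via sudo -u www-data) so that it sees the same DNS, firewall and SELinux context as PHP does; a result that differs from your own shell session is itself a useful finding.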

Security

Is it possible to use TLS with a self-signed certificate on the AD server?

Please read Encryption with TLS.

Can I use LDAPS instead of STARTTLS?

Yes, you can. Just select "LDAPS" in the option Environment > Use encryption and enter 636 as the port.

Are Active Directory passwords stored in the WordPress database?

By default, no. For security and administration reasons all passwords should only be stored in Active Directory and nowhere else.

SSO

Which SSO techniques are supported?

Next ADI supports

  • Kerberos
  • NTLM (since 2.0.11)

Next ADI itself does not implement any SSO functionality; it relies on the user principal that the webserver provides.

Is X.509 certificate SSO authentication supported?

We have no official support for that, but if your certificate is issued for the userPrincipalName, the Kerberos SSO process is used automatically when SSO is enabled.

Can my SSO authenticated user log out?

Yes. If you want to log in as another user, you can simply use the log out feature of WordPress. On the "Login" page you can enter any of your WordPress/Active Directory accounts or use the link Login with SSO to use your current user principal.

Why is another service account for SSO required?

The user principal provided by the webserver does not include the password. The password is required to synchronize the user's data from Active Directory to WordPress, for example to check the security group membership. As most Active Directory installations do not allow anonymous LDAP binds, the service account is used to retrieve that information.

Debugging

Where are the AD attributes stored in WordPress?

If you activate Automatic user creation and Automatic user synchronization, every AD attribute is stored in the table wp_usermeta. You can set the meta key as you like or use the default behaviour, where the meta key is prefixed with next_ad_int_ (e.g. next_ad_int_physicaldeliveryofficename for the office attribute).

Authentication

With WordPress 4.5 I can login with my e-mail address. Is this supported by Next Active Directory Integration?

No. Once Next ADI is enabled it uses only the userPrincipalName or sAMAccountName of the user for authentication. If you exclude a given username, WordPress' default login method is used, which supports login by e-mail.

Authentication is successful but the user is not authorized by group membership. What is wrong?

There can be several reasons for this behaviour:

  • A common mistake is that the Base DN is set to a wrong value. If the user resides in an Organizational Unit (OU) that is not "below" the Base DN, the groups the user belongs to cannot be determined. A quick solution is to set the Base DN to something like dc=mydomain,dc=local without any OU.
  • Another common mistake is to use ou=users,dc=mydomain,dc=local instead of cn=users,dc=mydomain,dc=local as the Base DN (the default Users container is cn=Users, not an OU).
  • Depending upon your Next ADI and Active Directory configuration you may run into the following situation: the sAMAccountName of the user is "testA" and the userPrincipalName is "testB". The authentication phase succeeds in both cases because internally Active Directory checks both attributes. The group membership for the authorization is looked up by adLDAP. If no "@" character is present in the username, adLDAP uses the sAMAccountName attribute to look up the user. The username "testB" will not be able to log in because the lookup of its groups always returns an empty set. The easiest way to fix this problem is to use the same name for the sAMAccountName and the userPrincipalName prefix.

Is Next ADI case-sensitive?

No, it is not. You can log in with "administrator@test.ad" or "Administrator@TEST.AD"; all variants map to the same username in Active Directory. It is not possible to define the same username with different cases.

My Active Directory username (sAMAccountName or userPrincipalName) contains German Umlauts but the Umlauts are not shown in WordPress.

ADI-317: This is a restriction of WordPress and not a bug. WordPress does not allow umlauts as part of the user login name (user_login) or nicename (user_nicename). When Next ADI adds users with umlauts via Test authentication, Sync to WordPress or login, WordPress automatically converts these fields to characters without diacritics. Active Directory itself converts usernames with diacritics during authentication into their counterparts without diacritics. You can log in with "Müller" or "Muller"; both are mapped by Active Directory to the same user account.
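The three answers above (group lookup by sAMAccountName versus userPrincipalName, case-insensitive logins, and umlauts being stripped for the WordPress login) describe how a login name is turned into an Active Directory lookup and a WordPress user_login. The following stand-alone Python script is an added example and not Next ADI or adLDAP code: it reproduces that decision logic, builds the LDAP search filter with RFC 4515 escaping so that a login name can never alter the structure of the filter, checks whether a user's DN lies below the configured Base DN (the first two bullets of the group-membership answer), and approximates WordPress' diacritics removal with Unicode NFKD decomposition. All DNs and user names in it are constructed sample values, the DN matching is simplified (case-folded RDN strings), and the ß to ss mapping is an assumption for the demo.

```python
#!/usr/bin/env python3
"""Added example (not Next ADI/adLDAP code): login-name normalisation,
safe LDAP filter construction, Base DN check and WordPress-style
diacritics stripping, mirroring the FAQ answers on authorization."""
import unicodedata

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter so that user
    input cannot add or close filter terms."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalise_login(login):
    """Active Directory matches logins case-insensitively, so fold to lower
    case before comparing or caching a login name."""
    return login.strip().lower()


def lookup_attribute(login):
    """adLDAP-style rule from the FAQ: a login containing '@' is looked up
    by userPrincipalName, anything else by sAMAccountName."""
    return "userPrincipalName" if "@" in login else "sAMAccountName"


def build_user_filter(login):
    """Search filter used to find the user object for the group lookup."""
    attr = lookup_attribute(login)
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(login))


def split_dn(dn):
    """Split a DN into its RDNs on unescaped commas. RDNs are compared
    case-insensitively with surrounding whitespace removed (simplified DN
    matching, sufficient for the Base DN check)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns]


def is_below_base_dn(user_dn, base_dn):
    """True if user_dn is base_dn itself or lies somewhere underneath it.
    The FAQ symptom (authentication ok, no groups) appears when this is False."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base


def wordpress_user_login(login):
    """Approximation of how WordPress sanitises a login with diacritics:
    decompose (NFKD) and drop the combining marks, so "Müller" -> "Muller".
    The ß -> ss mapping is an assumption for this demo."""
    decomposed = unicodedata.normalize("NFKD", login.replace("ß", "ss"))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def authorization_plan(login, user_dn, base_dn):
    """Summarise what the group lookup for `login` will do and why it may fail."""
    folded = normalise_login(login)
    return {
        "login": folded,
        "attribute": lookup_attribute(folded),
        "filter": build_user_filter(folded),
        "user_below_base_dn": is_below_base_dn(user_dn, base_dn),
        "wordpress_user_login": wordpress_user_login(folded),
    }


if __name__ == "__main__":
    # Constructed sample: the user object lives under CN=Users, but the Base DN
    # was set to ou=users (the second common mistake in the FAQ).
    sample_dn = "CN=Test A,CN=Users,DC=mydomain,DC=local"
    for base in ("ou=users,dc=mydomain,dc=local", "dc=mydomain,dc=local"):
        print(base, "->", authorization_plan("TestA@MyDomain.local", sample_dn, base))
    print(build_user_filter("admin*)(|(cn="))   # malformed input rendered harmless
```

The escaping step is the part worth keeping even outside this demo: any code that interpolates a login name into an LDAP filter without it lets a crafted username change what the directory search matches, which is exactly the kind of input an authentication plug-in receives from anonymous visitors.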

Project organization

Is there an official bug tracker for Next ADI?

Yes, we use GitHub. Any issue provided from the community will go there: https://github.com/NeosIT/active-directory-integration2/issues.

How do you handle support requests?

Please purchase a support license and open a ticket.