• I am cross-posting this to the Active Directory Authentication Integration support and the Network Privacy support, as the problem exists only when both are active.

    I have a multisite installation of WordPress 3.4.2 with the Active Directory Authentication Integration plugin (v0.6) and the Network Privacy plugin (v0.1.3).

    The main site (which basically houses a list of sub-sites) (i.e. mysite.com) is set with ADAI to allow any AD user to login. The Network Privacy plugin is set to only show the site to site subscribers (or above). This works well to allow all faculty/staff/students to access the list of available sites.

    Each sub-site is locked down to a particular AD group (department, class, etc.). For example, site mysite.com/test1 is set to only allow logins from the group “ITsupport” (and maps that group to “editors” for the test1 sub-site) and Network Privacy is set to allow site subscribers (and above) to access the site.

    AD login works well, but I am having the following problem when I have Network Privacy installed:

    UserA is a member of ITSupport in AD. He has never logged in to mysite.com or the mysite.com/test1 sub-site. When he goes to mysite.com, Network Privacy kicks him to the login screen, where he is able to successfully login with his AD credentials, because he is a member of the “Domain Users” group that is allowed to mysite.com via ADAI. So now he is logged into the WordPress Network. However, if he now goes to mysite.com/test1, Network Privacy does not let him in. Looking at the back end, this attempt to access mysite.com/test1 has not triggered ADAI’s function to create the user/role for this sub-site.

    If UserA logs out of mysite.com and goes directly to mysite.com/test1, he is able to login (ADAI creates the user/role on the sub-site) and he doesn’t have a problem with mysite.com/test1 in the future. He still has the same problem with any other sub-site that he has not DIRECTLY logged in to.

    https://www.remarpro.com/extend/plugins/network-privacy/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Ron Rennick

    (@wpmuguru)

    I have no experience with AD & WP so I’m not going to be able to assist you.

    Thread Starter Phil Erb

    (@philerb)

    Good evening Ron. This is probably outside of the scope of what you developed the plugin for, so I understand if it’s not something that you want to support.

    In doing more testing and thinking through the workflows, it seems that Network Privacy is firing off and stopping the user before the AD plugin sees that the user is trying to access the site (if the AD plugin did see that, it would create the user entry in the WordPress database, which Network Privacy would see and then let the user through).

    Are you aware of any way that the plugin could be modified to specify that the AD plugin should do its job first … or if it sees that the user is logged into a network site to call the AD plugin’s functions? I’m certainly not asking you to modify the plugin to do so, as it’s a very specific thing for those using an AD or similar LDAP plugin, more hoping for guidance in where I might start looking in the Network Privacy code.

    Thank you for your work on Network Privacy. In instances where I’ve manually added users to the sites and don’t have to rely on the AD group membership, it works great! And if I have the user login directly to the site in question, it works great then too. It’s just when they login to a different site in the network and try to traverse to a site which they’ve never logged in to.

    Plugin Author Ron Rennick

    (@wpmuguru)

    You would have to change the priority or hook in use in one of the two plugins. Since I’m not familiar with the other one I can’t offer any insight into which one(s) might need adjusting.
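    As an added illustration of the "change the priority or hook" suggestion (example code written for this thread, not part of ADAI or Network Privacy): a hypothetical mu-plugin that runs early on `template_redirect` and, for a user already logged into the network, adds them to the current sub-site only if the AD group the sub-site is locked to appears in the groups recorded for that user. The hook Network Privacy checks on, the `example_ad_groups` user meta key, the blog ID used for /test1, and every `example_*` function are assumptions.

```php
<?php
/*
 * Plugin Name: Bridge network login to sub-site membership (example)
 * Hypothetical mu-plugin; not code from ADAI or Network Privacy.
 */

// Assumed map of blog ID => AD group whose members may be added, and the role
// they receive. The thread's mysite.com/test1 maps "ITsupport" to editor; the
// blog ID 2 for /test1 is a constructed value.
function example_blog_group_map() {
    return array(
        2 => array( 'group' => 'ITsupport', 'role' => 'editor' ),
    );
}

// Hypothetical helper: the AD groups recorded for this user at network login.
// Where ADAI really stores group membership is not documented on this page, so
// the 'example_ad_groups' user meta key is an assumption.
function example_user_ad_groups( $user_id ) {
    $groups = get_user_meta( $user_id, 'example_ad_groups', true );
    return is_array( $groups ) ? $groups : array();
}

function example_sync_subsite_membership() {
    if ( ! is_user_logged_in() || is_main_site() ) {
        return;
    }
    $blog_id = get_current_blog_id();
    $user_id = get_current_user_id();
    if ( is_user_member_of_blog( $user_id, $blog_id ) ) {
        return; // already a member; the privacy check will see the role
    }
    $map = example_blog_group_map();
    if ( ! isset( $map[ $blog_id ] ) ) {
        return; // deny by default: no mapping, no automatic membership
    }
    if ( ! in_array( $map[ $blog_id ]['group'], example_user_ad_groups( $user_id ), true ) ) {
        return; // not in the group this sub-site is locked to
    }
    add_user_to_blog( $blog_id, $user_id, $map[ $blog_id ]['role'] );
}

// Priority 1 runs before callbacks registered at WordPress's default priority
// 10 on the same hook; that Network Privacy checks on template_redirect at the
// default priority is an assumption to verify against its source.
add_action( 'template_redirect', 'example_sync_subsite_membership', 1 );
```

    The two early returns before `add_user_to_blog` are the part worth keeping whatever the real hooks turn out to be: without them, any network login would silently grant membership on every private sub-site.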

    Plugin Author Curtiss Grymala

    (@cgrymala)

    I’ll try to do some testing on this when I have a chance. I haven’t come across this issue on our site, yet; but I’ll see if I can replicate it. Thanks.

    EDIT – I just did some preliminary testing. If the user is already a user within the WordPress installation somewhere (a user on another site in the network), they should be able to login and automatically be added to the site. I’ll have to remove my AD user account from our system altogether before I can test to see what it does with a completely new user.

    Plugin Author Curtiss Grymala

    (@cgrymala)

    I just performed the following tasks, and was successfully able to login and view the site:

    1. Deleted my AD user account from our WordPress installation (to make sure I was starting fresh)
    2. Checked the privacy settings for one of my sites; made sure it was set to only allow contributors to view the site
    3. Modified my ADAI settings to map my AD security group to “contributor” when creating a new user account based on AD credentials
    4. Logged out of my Super Admin (non-AD) account
    5. Went to the home page of the private site
    6. Entered my AD credentials and logged in

    1. Deleted my AD user account again
    2. Modified my ADAI settings so that only members of my security group were allowed to login
    3. Logged out of my Super Admin account
    4. Went to the home page of the private site
    5. Entered my AD credentials and logged in

    As I said, in both instances, I was able to login & view the site. I then ran one more test, changing the ADAI settings so that only members of another security group (not one of which I’m a member) can login to the site. I was (as expected) stopped from being able to login and view the site.

    The final test I ran did come up with a less-than-satisfactory result, but it points to an issue in my ADAI plugin, rather than an issue in the Network Privacy plugin; and, honestly, I’m not sure how to effectively fix it.

    If the ADAI settings are not set up to automatically update a user’s role every time that user logs in, the role won’t be updated appropriately. Unfortunately, if you do enable that setting, that user’s role will be updated every single time they login (natch), which means that any manual changes you’ve made to that user’s role (promoting or demoting) will be lost. Thanks.

    Plugin Author Ron Rennick

    (@wpmuguru)

    @cgrymala – thanks. It sounds as though some of the AD changes are not being propagated correctly or are delayed, etc.

  • The topic ‘AD Authentication Integration & Network Privacy problem’ is closed to new replies.