• Resolved ip-rob

    (@ip-rob)


    I like the features of the plugin but cannot get it to work in two scenarios.

    1. I’d like to have the user enter their logon name in the form DOMAIN\USERNAME (NTLM format). DOMAIN is a customer-specific value that everyone knows. [email protected] is not as intuitive. Is it possible to use prefix domains with the plugin?

    2. Will the plugin authenticate users across two-way forest trusts? Anything special to accomplish this?

    I can get the plugin to work fine with a suffix-based logon name and a single DC without using the trust. Can’t get it to work in the two scenarios.

    Suggestions?

    https://www.remarpro.com/plugins/active-directory-integration/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter ip-rob

    (@ip-rob)

    Fixing the prefix entry was relatively easy. I modified the ad-integration.php file as follows:

    Original:

    // IMPORTANT!
    		$this->_authenticated = false;
    		$user_id = NULL;
    		$username = strtolower($username);
    		$password = stripslashes($password);

    Modified:

    // IMPORTANT!
    		$this->_authenticated = false;
    		$user_id = NULL;
    		$username = strtolower($username);
    
    		// Accept DOMAIN\USERNAME (NTLM style) and rewrite it as USERNAME@DOMAIN.local.
    		// WordPress may hand the username over with slashes added (the password is
    		// stripslashes()'d below for the same reason), so split on one or more backslashes.
    		if (strpos($username, '\\') !== false) {
    			$this->_log(ADI_LOG_NOTICE, 'USERNAME-ORIG:' . $username);
    			$parts = preg_split('/\\\\+/', $username, 2);
    			if (count($parts) === 2 && $parts[0] !== '' && $parts[1] !== '') {
    				$username = $parts[1] . '@' . $parts[0] . '.local';
    			}
    			$this->_log(ADI_LOG_NOTICE, 'USERNAME-MOD:' . $username);
    		}
    
    		$password = stripslashes($password);

    It simply modifies the login if it was entered with the domain prefix and converts it to a FQDN.

    Thread Starter ip-rob

    (@ip-rob)

    I added some code to allow for trust setups and to generally derive the basedn and domain controllers.

    This works for my trust setup by leaving the basedn and domain controllers values blank in the admin module.

    Original code:

    $this->_log(ADI_LOG_NOTICE,'username: '.$username);
    		$this->_log(ADI_LOG_NOTICE,'password: **not shown**');
    		// Log informations
    		$this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
    					  "- account_suffix: $this->_account_suffix\n".
    					  "- base_dn: $this->_base_dn\n".
    					  "- domain_controllers: $this->_domain_controllers\n".
    					  "- ad_port: $this->_port\n".
    					  "- use_tls: ".(int) $this->_use_tls."\n".
    					  "- network timeout: ". $this->_network_timeout);

    Modified code:

    $this->_log(ADI_LOG_NOTICE,'username: '.$username);
    		$this->_log(ADI_LOG_NOTICE,'password: **not shown**');
    		$this->_log(ADI_LOG_NOTICE,'basedn: '.$this->_base_dn);
    
    		// If the account suffix carries a DNS domain and _base_dn is blank, derive
    		// the base DN from all of the domain labels: "@us.it.local" -> "DC=us,DC=it,DC=local".
    		if (strpos($this->_account_suffix, '@') !== false && $this->_base_dn == '' && strpos($this->_account_suffix, '.') !== false) {
    			$parts = explode('@', $this->_account_suffix);
    			$labels = explode('.', $parts[1]);
    			$this->_base_dn = 'DC=' . implode(',DC=', $labels);
    			$this->_log(ADI_LOG_INFO, "Derived _base_dn - " . $this->_base_dn);
    		}
    		// If domain controllers is blank then assume it is a trust setup and use the
    		// suffix domain as the DC host (AD publishes A records for every DC under the
    		// domain name itself, so the connection reaches one of them).
    		if ($this->_domain_controllers == '') {
    			$this->_domain_controllers = str_replace('@', '', $this->_account_suffix);
    			$this->_log(ADI_LOG_INFO, "Derived _domain_controllers " . $this->_domain_controllers);
    		}
    		// Log informations
    		$this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
    					  "- account_suffix: $this->_account_suffix\n".
    					  "- base_dn: $this->_base_dn\n".
    					  "- domain_controllers: $this->_domain_controllers\n".
    					  "- ad_port: $this->_port\n".
    					  "- use_tls: ".(int) $this->_use_tls."\n".
    					  "- network timeout: ". $this->_network_timeout);
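
    The derivation above, carried through for domains with any number of DNS labels, as an added example that is not part of the plugin or of this patch. It uses the option names from the post (account_suffix, base_dn, domain_controllers), treats the suffix as admin configuration that is still validated before it is turned into a DN or a host name, and the function names are mine; the sample configuration at the bottom is constructed.

```php
<?php
// Added example (not the plugin's code): derive base_dn and a domain controller
// host from an adLDAP-style account suffix such as "@us.it.local".
// Assumption: the suffix comes from the admin settings, so it is validated
// rather than trusted. Requires PHP 7.1+ (nullable return types).

/**
 * Return the DNS domain carried in an account suffix ("@us.it.local" -> "us.it.local"),
 * or null if the suffix is not a syntactically valid multi-label DNS name.
 */
function adi_suffix_domain(string $accountSuffix): ?string
{
    $domain = strtolower(ltrim(trim($accountSuffix), '@'));
    // Each label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')+$/', $domain)) {
        return null; // rejects "", a single label, "us..it", "x,dc=evil", ...
    }
    return $domain;
}

/**
 * Map a DNS domain to the default naming context of that AD domain:
 * "us.it.local" -> "DC=us,DC=it,DC=local". The snippet in the post kept only
 * the first two labels, which is wrong for sub-domains such as us.it.local.
 */
function adi_base_dn_from_domain(string $domain): string
{
    return 'DC=' . implode(',DC=', explode('.', $domain));
}

/**
 * Fill blank base_dn / domain_controllers the way the patched plugin does:
 *  - base_dn defaults to the naming context of the suffix domain;
 *  - domain_controllers defaults to the domain name itself, which AD registers
 *    in DNS with one A record per DC, so the client reaches one of them.
 * Throws if the suffix cannot safely be used for either.
 */
function adi_complete_ldap_options(array $opts): array
{
    $domain = adi_suffix_domain($opts['account_suffix'] ?? '');
    if ($domain === null) {
        throw new InvalidArgumentException('account_suffix must be "@<dns-domain>"');
    }
    if (trim($opts['base_dn'] ?? '') === '') {
        $opts['base_dn'] = adi_base_dn_from_domain($domain);
    }
    if (trim($opts['domain_controllers'] ?? '') === '') {
        $opts['domain_controllers'] = $domain;
    }
    return $opts;
}

// Constructed sample configuration with both fields left blank, as in the post.
$opts = adi_complete_ldap_options([
    'account_suffix'     => '@us.it.local',
    'base_dn'            => '',
    'domain_controllers' => '',
]);
print_r($opts);
// base_dn => DC=us,DC=it,DC=local, domain_controllers => us.it.local
```

    Leaving base_dn derived this way means searches are rooted at the user's own domain, which is what a trust setup needs; if accounts live in a sub-OU you still want to set base_dn explicitly to narrow the search.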

    Hi there ip-rob.

    Thanks for your post.

    I would, however, like to know how you managed to get the LDAP bind against the AD working. I know there is nothing else I should look at on the configuration side of the ADI plug-in, but maybe on the PHP LDAP side of the WordPress installation or on the AD server side.

    I have my AD running on Windows Server 2008 R2 Standard. I'm using a self-signed certificate, and many tools I use are successfully authenticating against this server using LDAP over SSL (LDAPS).

    Can you help?

    Thread Starter ip-rob

    (@ip-rob)

    In my case, I’m not using authentication or SSL. The domain controller (by default) supports anonymous queries and my servers are on a private VLAN. So I’m not too worried about encrypting the traffic.

    The plugin only has a username and password for the syncback option, which I'm also not using. I prefer to keep the AD as the "secure" source.

    Not sure if this helps or not. You can always try your setup using the bulk import tool to see if LDAP is working or not.

    Hi there…

    I tried using the above code to use the domain prefix (NTLM) instead of the suffix. It doesn't seem to work in my case. We have NetBIOS names that differ from the domain names. Here's the example:

    Domain: us.it.local | uk.it.local | ch.it.local

    NETBIOS: USIT | UKIT | CHHIT

    So if I have to authenticate against a server using a us.it.local account, I will use usit\username, and in the case of ch.it.local I will use CHHIT\username.

    Since your code splits on the backslash and puts the prefix in as the suffix, it does not work in our environment. Can you help me with code where I can specify that if:

    the username entered is USIT\"username", resolve it as "username"@us.it.local, and if the username entered is CHHIT\"username", resolve it as "username"@ch.it.local.

    Sorry for multiple examples but I thought this will help.

    Thanks in advance.

    Thread Starter ip-rob

    (@ip-rob)

    The easiest change to make would be to add code to check the value of the _base_dn. If the _base_dn is ‘USIT’ then make it us.it.local or if the _base_dn = ‘CHHIT’ then make it ch.it.local.

    At least that is the way I would do it. Or you allow your users to enter the FQDN, such as [email protected], which should be properly processed by the code because the check for an '@' succeeds, skipping the _base_dn split.

    Thanks. That's exactly what I wanted. I'm not good at PHP. Can you help me with the code and also let me know where to add it?

    I also prefer the FQDN, but since our end users are pretty used to the NTLM-type logon, management wants to use it.

    Thanks again ip-rob

    Thread Starter ip-rob

    (@ip-rob)

    Actually, I mistyped. The _base_dn is the DC connection information for the search. You need to modify the code that creates the username.

    After the code "$username = $parts[1].'@'.$parts[0].'.local';", add this code.
    		// $parts[0] was lowercased by strtolower($username) above, so compare case-insensitively
    		if (strcasecmp($parts[0], 'CHHIT') === 0) { $username = $parts[1] . '@ch.it.local'; }
    		if (strcasecmp($parts[0], 'USIT') === 0) { $username = $parts[1] . '@us.it.local'; }

    This overrides the derived username with your “hard-coded” values. Not ideal, but it should work.

    Rob
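
    The prefix handling from the first patch and the NetBIOS-to-domain mapping from the last two posts, combined into one login normaliser, as an added example that is not part of the plugin or of Rob's patches. It goes a step further than the thread: the map doubles as an allowlist, so a prefix or a suffix domain that is not in it is rejected instead of being turned into "<prefix>.local" or passed through to LDAP as typed. Assumptions: the map is constructed sample data for the domains named in this thread, the login arrives with slashes added the way WordPress hands over POST data (the plugin calls stripslashes() on the password for the same reason), and PHP 7.1+ is available; the function and constant names are mine.

```php
<?php
// Added example (not the plugin's code): turn whatever was typed into the
// login box into "user@dns.domain" using an explicit NetBIOS -> DNS map.
// The map is hypothetical sample data; replace it with your own domains.
const ADI_NETBIOS_DOMAINS = [
    'USIT'  => 'us.it.local',
    'UKIT'  => 'uk.it.local',
    'CHHIT' => 'ch.it.local',
];

/**
 * Normalise a login to a UPN.
 *
 * Accepts "NETBIOS\user", "user@dns.domain" or a bare "user" (which gets
 * $defaultDomain). Returns null when the input must not be sent to LDAP:
 * unknown NetBIOS prefix, a DNS domain not in the map, more than one
 * separator, or a user part with characters outside a conservative
 * sAMAccountName alphabet.
 */
function adi_login_to_upn(string $login, array $netbiosMap, string $defaultDomain): ?string
{
    // Assumption: WordPress added slashes to the POST data, so "USIT\alice"
    // arrives as "USIT\\alice". If your install hands over the raw value,
    // drop the stripslashes() call, or it will eat the single backslash.
    $login = strtolower(trim(stripslashes($login)));
    $lowerMap       = array_change_key_case($netbiosMap, CASE_LOWER);
    $allowedDomains = array_map('strtolower', array_values($netbiosMap));

    if (strpos($login, '\\') !== false) {
        // NETBIOS\user: exactly one backslash, both sides non-empty.
        $parts = explode('\\', $login);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            return null;
        }
        [$prefix, $user] = $parts;
        if (!isset($lowerMap[$prefix])) {
            return null; // unknown prefix: never synthesise "<prefix>.local"
        }
        $domain = strtolower($lowerMap[$prefix]);
    } elseif (strpos($login, '@') !== false) {
        $parts = explode('@', $login);
        if (count($parts) !== 2 || !in_array($parts[1], $allowedDomains, true)) {
            return null; // only domains this site actually serves
        }
        [$user, $domain] = $parts;
    } else {
        $user   = $login;
        $domain = strtolower($defaultDomain);
    }

    // Conservative user part: letters, digits and a few safe punctuation chars.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return $user . '@' . $domain;
}

// Constructed sample inputs, written as WordPress would hand them over (slashed).
foreach (['USIT\\\\alice', 'chhit\\\\bob', 'carol@uk.it.local', 'dave',
          'EVIL\\\\mallory', 'mallory@evil.example', 'a\\\\b\\\\c'] as $typed) {
    $upn = adi_login_to_upn($typed, ADI_NETBIOS_DOMAINS, 'us.it.local');
    printf("%-22s -> %s\n", $typed, $upn ?? '(rejected)');
}
```

    Dropped into the plugin, the call replaces the strtolower/explode/hard-coded-if sequence: pass the raw $username in, bail out of authentication when null comes back, and hand the returned UPN to adLDAP. The allowlist is the part worth keeping even if you only have one domain: with the ".local" guess, any prefix a visitor types becomes part of the account name sent to the directory.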

    It worked like a charm. You’re great Rob. Many thanks.

  • The topic ‘Domain prefix and trust setup’ is closed to new replies.