Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • Just want to confirm that you are adding the mandatory fields as semi-colon separated fields and as group (the count for each element must match for this added functionality to work):
    Domain Controller: ldaps://server1.com;ldaps://server2.com
    Base DN: dc=server1,dc=com;dc=server2,dc=com
    Account Suffix: @server1.com;@server2.com

    The error you indicate above isn’t a domain authentication error, rather an authorization error (you’ve successfully authenticated at that point, but don’t appear to be a member of whatever group your configuration requires you to be in to proceed).

    Assuming you have two DCs, two DNs and two account suffixes, then I would check to see what default group membership requirements you have (ADI Authorization tab in settings) and ensure that A) it exists on both DCs and B) your test user is a member of it.

    ixodides,
    It’s a basic Linux patch file I sent above…this won’t work on Windows installations, so I can’t be much help there, but for Linux:

    Copy/paste the patch file into a new file called “ADPatch.diff”

    cd to the directory that ad-integration.php lives in and run the command:

    patch ad-integration.php < /path/to/ADPatch.diff

    That should be it…PHP will pick up the changes on the fly; then you just need to configure the Domain Controller, Base DN and Account Suffix as matched pairs, as indicated above.

    Not sure why I didn’t get the email from johnmac77, but the short answer is YES, you can natively use the WordPress login box but need to require the users to enter their username+UPN suffix, i.e. [email protected]. You basically don’t need the first section of the diff in your code to make that part work.

    Ok, took a while longer than I had hoped, but I was able to buckle down and merge into v 1.1.7 and am happy to report it’s working as I had hoped, with one caveat that I had to customize specifically for our env, which I’ll explain at the end of this post. Here’s the patch file:

    — Downloads/active-directory-integration 2/ad-integration.php 2015-04-29 14:18:18.000000000 -0500
    +++ Documents/workspace/ADPlugin/ad-integration.php 2015-07-21 16:15:01.000000000 -0500
    @@ -675,7 +675,12 @@
    $this->_log(ADI_LOG_NOTICE,’User with ID 1 will never be authenticated by Active Directory Integration.’);
    return false;
    }

    +
    + # only needed because we added a dropdown to wp-login.php to make selecting domain easier
    + if (isset($_REQUEST[‘login_suffix’]) && !is_null($_REQUEST[‘login_suffix’])){
    + $username = $username . $_REQUEST[‘login_suffix’];
    + }
    +
    // extract account suffix from username if not set
    // (after loading of options)
    // Extended for issue #0043
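    Review bot: the login_suffix value appended to $username is taken straight from $_REQUEST with no check against the configured account suffixes, so any string the client submits becomes part of the name passed on to authentication; validate it against the configured suffix list (the same $account_suffixes array the later hunk searches) and reject anything not in it before concatenating, and read it from $_POST rather than $_REQUEST since the login form is a POST. The !is_null() test is redundant, because isset() already returns false for a null value.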
    @@ -718,9 +723,26 @@
    $this->_log(ADI_LOG_NOTICE,’username: ‘.$username);
    $this->_log(ADI_LOG_NOTICE,’password: **not shown**’);

    + //Override Domain Controller if “AD_Integration_domain_controllers”, “AD_Integration_base_dn” and “AD_Integration_account_suffix” are all arrays AND
    + //a domain was specified on login, find array index of account_suffix and use corresponding indexes for
    + if (isset($_account_suffix)) { $pdomain = $_account_suffix;}
    +
    + if (!is_null($pdomain) || trim($pdomain)!=”) {
    + $domain_array = explode(“;”,$this->_domain_controllers);
    + $base_dn_array = explode(“;”,$this->_base_dn);
    + //already created array above with $account_suffixes
    + if ((count($domain_array) === count($base_dn_array)) && (count($base_dn_array) === count($account_suffixes))){
    + $domain_index = array_search($pdomain, $account_suffixes);
    + $this->_account_suffix = $account_suffixes[$domain_index];
    + $this->_domain_controllers = $domain_array[$domain_index];
    + $this->_base_dn = $base_dn_array[$domain_index];
    + $this->_append_suffix_to_new_users = true;
    + $logTeaser = “with override”;
    + }
    + }

    // Log informations
    – $this->_log(ADI_LOG_INFO,”Options for adLDAP connection:\n”.
    + $this->_log(ADI_LOG_INFO,”Options for adLDAP connection $logTeaser:\n”.
    “- account_suffix: $this->_account_suffix\n”.
    “- base_dn: $this->_base_dn\n”.
    “- domain_controllers: $this->_domain_controllers\n”.
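    Review bot: array_search() returns false when $pdomain is not one of the configured suffixes, and false used as an array index reads element 0, so a login with an unknown suffix is silently routed to the first domain controller and base DN; test the result with === false and skip the override (or fail the login) in that case. Two smaller problems in the same block: the condition !is_null($pdomain) || trim($pdomain)!='' uses || where && is meant (an empty string passes the first test and enters the block), and neither $pdomain nor $logTeaser is initialised, so when $_account_suffix is unset both are undefined when read, including $logTeaser in the log line below. Initialise $pdomain to null and $logTeaser to '' before the block. The comment ending “use corresponding indexes for” is also cut off.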
    @@ -850,7 +872,7 @@

    // userinfo from AD
    $this->_log(ADI_LOG_DEBUG, ‘ATTRIBUTES TO LOAD: ‘.print_r($this->_all_user_attributes, true));
    – $userinfo = $this->_adldap->user_info($username, $this->_all_user_attributes); // Issue #0081 $username instead of $ad_username
    + $userinfo = $this->_adldap->user_info($ad_username, $this->_all_user_attributes); // Issue #0081 $username instead of $ad_username
    $userinfo = $userinfo[0];
    $this->_log(ADI_LOG_DEBUG,”USERINFO[0]: \n”.print_r($userinfo,true));
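    Review bot: the trailing comment still reads “Issue #0081 $username instead of $ad_username” while the changed line does the opposite and passes $ad_username again, so the comment now contradicts the code; replace it with a note that this is a deliberate, environment-specific workaround for users whose UPN suffixes do not match (as described in the post), so that a later maintainer does not “fix” it back or carry it into an environment where the upstream behaviour is correct.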

    That last part may not be needed for your env. We added yet another company to our fold that has completely screwed up UPN suffixes, so [email protected] fails for about 1/3rd of that domain’s users, and I don’t have domain admin privs to fix them all on a large scale, so I just overrode it to auth as user. You probably can drop the last stanza of the diff if you have a more sane env than I seem to have inherited.

    It’s on my list of things to do, but I haven’t had a chance to try and merge it in yet. I will hopefully tinker a bit this weekend and see how dramatic the changes are to the files, but from reading the changelog it looked like it may be pretty straightforward…

    Steve

    My company is actually one of about 5 different child companies, and our WP intranet is hosted by the parent. We were asked to make it so that each person could use the credentials from their child company to log in, and we accomplished this with some minor tweaks to the plugin. The only thing, though, is I’m not sure how to submit the changes to the author…all my work is based on the 1.1.5 plugin, so it would have to be ported to 1.1.7, but I’d like the author to take a look and see if it’s worth merging into the upstream.

    The idea is that the three main values (Domain Controller, Base DN, Account Suffix) are all semicolon-separated values, where the order (array key) matters and keeps the values together. So with the patch applied, the values would look like:

    Domain Controller: ldaps://server1.com;ldaps://server2.com
    Base DN: dc=server1,dc=com;dc=server2,dc=com
    Account Suffix: @server1.com;@server2.com

    We also check the box to append the suffix to the username so that we eliminate the issue of duplicate usernames between the unrelated domains. There’s a bit of custom code to allow a user to select their company from a dropdown on the login page, but you can also use the username format “[email protected]” and it works just fine.

    Here is the patch for the ad-integration.php file (again for v 1.1.5):

    — ad-integration.php (revision 70)
    +++ ad-integration.php (working copy)
    @@ -676,7 +676,12 @@
    $this->_log(ADI_LOG_NOTICE,’User with ID 1 will never be authenticated by Active Directory Integration.’);
    return false;
    }

    +
    + # only needed because we added a dropdown to wp-login.php to make selecting domain easier
    + if (isset($_REQUEST[‘login_suffix’]) && !is_null($_REQUEST[‘login_suffix’])){
    + $username = $username . $_REQUEST[‘login_suffix’];
    + }
    +
    // extract account suffix from username if not set
    // (after loading of options)
    // Extended for issue #0043
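    Review bot: login_suffix is appended to $username directly from $_REQUEST without being checked against the configured account suffixes, so the client controls part of the name that goes on to authentication; check it with in_array() against the configured suffix list (the $account_suffixes array the next hunk searches) and reject anything else before concatenating, and take it from $_POST rather than $_REQUEST. The !is_null() clause is redundant, as isset() is already false for null.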
    @@ -719,9 +724,26 @@
    $this->_log(ADI_LOG_NOTICE,’username: ‘.$username);
    $this->_log(ADI_LOG_NOTICE,’password: **not shown**’);

    + //Override Domain Controller if “AD_Integration_domain_controllers”, “AD_Integration_base_dn” and “AD_Integration_account_suffix” are all arrays AND
    + //a domain was specified on login, find array index of account_suffix and use corresponding indexes for
    + if (isset($_account_suffix)) { $pdomain = $_account_suffix;}
    +
    + if (!is_null($pdomain) || trim($pdomain)!=”) {
    + $domain_array = explode(“;”,$this->_domain_controllers);
    + $base_dn_array = explode(“;”,$this->_base_dn);
    + //already created array above with $account_suffixes
    + if ((count($domain_array) === count($base_dn_array)) && (count($base_dn_array) === count($account_suffixes))){
    + $domain_index = array_search($pdomain, $account_suffixes);
    + $this->_account_suffix = $account_suffixes[$domain_index];
    + $this->_domain_controllers = $domain_array[$domain_index];
    + $this->_base_dn = $base_dn_array[$domain_index];
    + $this->_append_suffix_to_new_users = true;
    + $logTeaser = “with override”;
    + }
    + }

    // Log informations
    – $this->_log(ADI_LOG_INFO,”Options for adLDAP connection:\n”.
    + $this->_log(ADI_LOG_INFO,”Options for adLDAP connection $logTeaser:\n”.
    “- account_suffix: $this->_account_suffix\n”.
    “- base_dn: $this->_base_dn\n”.
    “- domain_controllers: $this->_domain_controllers\n”.
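    Review bot: an unknown suffix makes array_search() return false, and $account_suffixes[false] (and the two lookups after it) read index 0, so the login is silently sent to the first domain controller and base DN; guard with $domain_index === false and skip the override or fail the login. Also, !is_null($pdomain) || trim($pdomain)!='' should use &&, since an empty string satisfies the first test, and $pdomain and $logTeaser need initialising (null and '' respectively) before the block so they are defined when $_account_suffix is not set and the log line below is reached. The comment ending “use corresponding indexes for” is truncated.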
    @@ -3298,4 +3320,4 @@
    // Load the plugin hooks, etc.
    $AD_Integration_plugin = new ADIntegrationPlugin();

    -?>
    \ No newline at end of file
    +?>
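    Review bot: this hunk only adds a newline after the closing ?> and is unrelated to the multi-domain feature; either leave it out of the patch or, better, remove the closing ?> at end of file altogether, since any whitespace beyond a single newline after it is emitted as output and can cause “headers already sent” failures on the login redirect. WordPress plugin code generally omits the closing tag for that reason.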

    Thanks,
    Steve
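
    As an added example, not Steve’s patch or the plugin’s own code, here is a stand-alone PHP helper that resolves the matched semicolon-separated Domain Controller / Base DN / Account Suffix settings described in this thread for one login, returning null for mismatched list lengths or an unknown suffix instead of falling back to the first entry. The function name, return shape and sample values are assumptions.

```php
<?php
// Added example (not the plugin's or the poster's code): resolve the matched
// semicolon-separated Domain Controller / Base DN / Account Suffix settings
// from this thread for one login. The function name and return shape are assumptions.
function adi_resolve_domain(string $controllers, string $baseDns, string $suffixes, string $login): ?array
{
    // Split each setting on ';' as the patch does, but trim entries and drop empty ones.
    $split = fn(string $s): array => array_values(array_filter(array_map('trim', explode(';', $s)), 'strlen'));
    $dcs = $split($controllers);
    $dns = $split($baseDns);
    $sfx = $split($suffixes);

    // Positions must line up one-to-one; a mismatch would map a suffix to the wrong DC.
    if ($sfx === [] || count($dcs) !== count($dns) || count($dns) !== count($sfx)) {
        return null;
    }

    // Take the suffix from the login name itself (user@child-domain) rather than
    // from a separate request parameter that has not been checked against the list.
    $at = strrpos($login, '@');
    if ($at === false || $at === 0) {
        return null;
    }
    $user   = substr($login, 0, $at);
    $wanted = strtolower(substr($login, $at));   // keeps the leading '@' like the setting

    // array_search() returns false for an unknown suffix, and false as an array key
    // reads element 0, which would silently pick the first domain. Compare strictly.
    $idx = array_search($wanted, array_map('strtolower', $sfx), true);
    if ($idx === false) {
        return null;
    }
    return [
        'username'           => $user,
        'account_suffix'     => $sfx[$idx],
        'domain_controllers' => $dcs[$idx],
        'base_dn'            => $dns[$idx],
    ];
}

// Constructed sample settings in the exact format the post describes.
$dc  = 'ldaps://server1.com;ldaps://server2.com';
$dn  = 'dc=server1,dc=com;dc=server2,dc=com';
$sfx = '@server1.com;@server2.com';

var_dump(adi_resolve_domain($dc, $dn, $sfx, 'jdoe@server2.com'));               // matched login
var_dump(adi_resolve_domain($dc, $dn, $sfx, 'jdoe@unknown.example'));            // suffix not configured
var_dump(adi_resolve_domain($dc, $dn . ';dc=extra', $sfx, 'jdoe@server1.com'));  // list lengths differ
```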
