Configuration Attributes
June 29, 2024 at 4:56 AMNext Active Directory Integration allows you to map Active Directory attributes to WordPress attributes and vice versa. On this configuration page you define your required mappings.
How it works
Every option is shown as a single row and has the following options
| Column | Property |
|---|---|
| AD attribute | Name of the attribute inside the Active Directory. You can select one of the attributes from the list |
| Data Type | Type of the Active Directory attribute. This influences how the attribute is displayed inside WordPress |
| WordPress attribute | Unique name of the attribute inside WordPress’ usermeta table. All attribute values are stored in there. |
| Description | This description is shown on the user’s profile page if View in User Profile is enabled |
| View in User Profile | If enabled, the attribute is shown on the user’s profile page |
| Sync to AD | If enabled, the attribute will be synchronized back to the Active Directory account if the administrator has enabled the Sync to AD feature. |
| Overwrite with empty value | If enabled, the WordPress attribute will be overwritten even if the AD attribute is empty. |
Attributes
The following AD attributes will be always mapped, even if they are not explicitly mapped by your configuration because they are required to make NADI work properly:
- cn
- givenname
- sn
- displayname
- description
- samaccountname
- userprincipalname
- useraccountcontrol
You can overwrite the mapping to make them viewable but you should not synchronize them back to AD.
What to do if LDAP attributes are empty during synchronization?
It might occur that you have mapped some of the attributes, but during synchronization the following log entry appears:
[DEBUG] NextADInt_Adi_User_Manager<some line> AD attribute "yourmappedattribute" is empty. Local value for attribute next_ad_int_depnr={type='list', syncable='', viewable='1', overwriteWithEmpty=''} left unchanged.
If this happens to you, check the following:
- In the mapping configuration, use the lower-case LDAP attribute name (e.g.
departmentnumberand notdepartmentNumber). - If you are using the Global Catalog (NADI is connected to port 3268 or 3269), make sure, that the attribute is available in the Global Catalog. For testing purposes, you can switch back to the normal LDAP port 389 or 636 and see if the attribute value is now available.
Data Types
Not all of the attributes can be synchronized back to the Active Directory:
| Data Type | Syncable to AD | Hint |
|---|---|---|
| string | Yes | Unicode Strings like homePhone |
| list | Yes | A list of Unicode Strings like otherHomePhone |
| integer | Yes | Integers or Large Integer attributes like logonCount |
| bool | No | Booleans use it from boolean attributes like fromEntry |
| octet | No | Octet Strings like jpegPhoto |
| time | No | UTC Coded Time like whenCreated |
| timestamp | No | Integers which store timestamps (not the unix ones) like lastLogon |
| cn | No | Common Name extracts the CN part and drops everything else - use it with manager |