The User tab contains all user-specific configuration options. This includes settings such as how users are displayed, created and updated.
Exclude usernames from authentication
Usernames entered here are not authenticated against the Active Directory during login. Instead, the local WordPress password is used. This option ensures that you can set up Next Active Directory Integration and still log in with your WordPress administrator account. You have to explicitly declare every username you want to exclude. This means that if you want to exclude “administrator@test.ad” from authentication, you have to add “administrator@test.ad” to the list and not only “administrator”. If you are using the account suffix “@test.ad” and you are excluding “administrator”, the user can still log in with “administrator@test.ad”. You have to explicitly exclude “administrator@test.ad”.
Usernames added to the list are case-insensitive.
- The first administrator of a network installation (super admin) and the first administrator of a site are implicitly never authenticated against the Active Directory. This ensures that the administrator can log in at any time.
- The user who activates NADI is automatically added to the list of excluded usernames during the activation of the plug-in. This does not necessarily have to be the first administrator. You can remove this user after you have successfully tested your settings.
Since 2.3.0: The configuration setting explicitly applies to form-based and SSO logins. If you need to check for additional conditions, you can programmatically use the filters
next_ad_int_auth_form_login_requires_ad_authentication, see also authentication API.
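The exclusion rule described above, modelled as an added example (not NADI's own code) that audits an exclusion list for bare names whose suffixed form is still sent to the Active Directory; it also covers several account suffixes. The function names and the sample list are constructed, and exact, case-insensitive matching on the login name as typed is an assumption drawn from the text.

```python
# Added example: a model of the documented exclusion rule, not NADI's own code.
# Assumption: an entry matches only the exact login name typed, ignoring case.

def normalize(name):
    """Trim and case-fold a username so comparisons ignore case."""
    return name.strip().casefold()

def is_excluded(login, excluded):
    """True if the login is on the exclusion list (local WordPress password is used)."""
    return normalize(login) in {normalize(e) for e in excluded}

def uncovered_variants(excluded, suffixes):
    """Suffixed login names that stay AD-authenticated although the bare name is excluded."""
    listed = {normalize(e) for e in excluded}
    gaps = []
    for entry in sorted(listed):
        if "@" in entry:
            continue  # already a full username, nothing to expand
        for suffix in suffixes:
            full = entry + normalize(suffix)
            if full not in listed:
                gaps.append(full)
    return gaps

# Constructed sample configuration, using the names from the text above.
EXCLUDED = ["Administrator", "backup@test.ad"]
SUFFIXES = ["@test.ad"]

if __name__ == "__main__":
    for login in ["administrator", "ADMINISTRATOR",
                  "administrator@test.ad", "Backup@Test.AD"]:
        route = "local WordPress password" if is_excluded(login, EXCLUDED) else "Active Directory"
        print(f"{login:24} -> {route}")
    for name in uncovered_variants(EXCLUDED, SUFFIXES):
        print(f"not excluded, add explicitly: {name}")
```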
The Account Suffix is added to all usernames during the Active Directory authentication process. Example: An Account Suffix @company.local is used. When the user my_username logs in, the full username is set to my_username@company.local.
Do not forget to start the suffix with “@”.
If you have multiple account suffixes, like @emea.company.local and @africa.company.local, put every account suffix in its own field. The primary domain name (@company.local) must reside in the last text field.
Allow users to login with one of their ProxyAddresses
This option allows your users to authenticate against the Active Directory using one of their proxy email addresses. The proxy address will be used to fetch their sAMAccountName from the Active Directory.
Use sAMAccountName for newly created users
By default, NADI uses the userPrincipalName as username for newly created users. In a single Active Directory domain environment this can be changed so that the sAMAccountName is used as username.
- either manually update WordPress' wp_users.user_login column with the correct userPrincipalName,
- or delete the existing users and re-import them.
If you are switching from one domain to multiple domains, you have to manually update the user_login column as described above.
Automatic user synchronization
After a successful login the WordPress profile of the user will be automatically synchronized with his Active Directory account. Requires “Automatic user creation” to be enabled.
Automatic update user description
This option only works if you have already enabled Automatic user creation and Automatic user synchronization. As the title says, it automatically updates the user’s description for newly created users and for users who log in.
Default email domain
Whenever a user’s Active Directory attribute mail is empty, the user’s email address is built by concatenating his username and the value of this option.
Email address conflict handling
This option handles email address conflicts caused by creating multiple users with the same email address. WordPress only allows unique email addresses in an installation. You can choose between the following options:
- Prevent: User is not created, if his email address is already in use by another user (recommended)
- Allow: Allow users to share one email address. (UNSAFE)
- Create: In case of a conflict the new user is created with a unique and randomly generated email address.
Prevent email change
Prevent email change stops users who have already been authenticated by or synchronized with the Active Directory from changing their email address in WordPress. Users who have been added manually in WordPress and have not yet been authenticated by NADI are still able to change their email address.
This option allows you to configure how users should be displayed in posts and comments. By default the sAMAccountName is used. You can choose between the following options:
- sAMAccountName (the username)
- givenName (firstname)
- SN (lastname)
- givenName SN (firstname and lastname)
- CN (Common Name, the whole name)
- mail (email address)
Show user status
Show additional columns (ADI User, disabled) in WordPress’ users list.