FAQ
June 29, 2024 at 4:56 AM
General
Why NADI and not ADI 2.0?
Because of the complete rewrite of ADI we originally wanted to name the new version of Active Directory Integration “ADI 2”. The rewrite was to be a standalone plug-in and not hosted in the old WordPress repository because of problems with automatic upgrades. Our plan was to register active-directory-integration-2 as the plug-in name, but a) WordPress no longer allows brand names (Active Directory) at the beginning of a plug-in name and b) the trailing 2 is not allowed either. So we ended up with NADI = ADI 2.0 = the successor of ADI.
Requirements
What PHP version is required to make NADI work?
NADI requires at least PHP 8.1 as older PHP versions are EOL.
Which versions of PHP do work with NADI?
Our build pipeline executes unit tests against
- 8.1.$LATEST-STABLE
- 8.2.$LATEST-STABLE
- 8.3.$LATEST-STABLE
You can assume that NADI is compatible with all of these versions.
What additional modules are required?
NADI requires at least the php_ldap, php_mbstring and php_mcrypt extensions. Note that mcrypt was removed from PHP core in PHP 7.2, so on the PHP 8.x versions listed above it is only available as a PECL extension; check your installation with php -m before enabling NADI.
What WordPress version is required?
NADI requires WordPress 5.4 or newer.
What webserver is required?
NADI does not have any special requirements for the underlying webserver. Apache 2.2, Apache 2.4, nginx and IIS should all work fine.
Does NADI run on web hosters like WP Engine?
It depends upon your web hoster’s configuration. For WP Engine, please take a look at the page Running NADI on WP Engine.
Features
Does NADI support OpenLDAP, Active Directory Federation Services (AD FS) or Microsoft Azure?
No. NADI only works with Active Directory-compatible LDAP schemas. We support only Active Directory instances on Windows Server 2003, 2008, 2012 (R2), 2016 and 2019 in their respective editions.
Does NADI work with Samba and derivatives like Synology Directory Server?
There is no official support, but we have tested NADI successfully against Samba 4.12.14 in a single-domain environment. Derivatives like Synology Directory Server should also work.
Does NADI work with Synology LDAP Server?
No. Synology LDAP server is based upon OpenLDAP. OpenLDAP is not supported.
Does NADI work with any theme?
In general NADI works with any theme. However, we have customers who experience problems when using the wOffice theme. wOffice changes the login form in a way that causes NADI (and other plug-ins) to no longer work as intended.
Active Directory
Is Azure Active Directory supported?
No. Azure Active Directory (AAD) does not expose LDAP so there is no way to query or authenticate your AAD users.
Is Azure Active Directory Domain Services supported?
We do not support Azure Active Directory Domain Services (AAD DS) but from a technical point of view it works. AAD DS exposes LDAP, so you can use all features of NADI.
Is AWS Directory Service for Microsoft Active Directory supported?
AWS Directory Service for Microsoft Active Directory, or AWS Managed Microsoft AD, is a Windows Server virtual machine. You can connect NADI to it.
Which Active Directory versions are supported?
We support the domain functional level Windows Server 2003 and newer.
How many Active Directory domains can NADI handle?
NADI can handle as many AD domains as you like, but each WordPress site can have exactly one AD domain assigned; one AD domain can be assigned to multiple WordPress sites. Furthermore, every userPrincipalName across all of your Active Directory domains must be unique, so the same UPN suffix must not be used in different AD domains. To use multiple Active Directory domains you need to run WordPress as a multisite network instance:
- Each Active Directory domain must have its own, unique UPN suffix.
- Create a new profile for each Active Directory domain.
- Enable User > Append suffix to new users. This option must not be changed afterwards.
- Fill the UPN suffix of the domain into User > Account suffix.
- Assign the profile to the corresponding sites.
We have a test and production instance in our environment. Can we make NADI to work with both?
Yes and no. During the process of copying the users from your production to the test instance you must change the userPrincipalName from “username@prod.ad” to “username@test.ad”. Please take a look at the previous answer to this topic.
Does NADI support domain forests?
Since 2.2.0 NADI has rudimentary support for Active Directory domain forests. You have to use one of your Global Catalogs for authentication.
Can NADI create users in Active Directory?
No. NADI can create Active Directory users in WordPress but not vice versa. There are too many corner cases and security related problems which can not be easily implemented. Maybe we will add this feature someday if it gets sponsored - the effort for this is extremely high.
User accounts
A user account is shown as disabled inside WordPress. Why does this happen?
Possible reasons are:
- The user is marked as disabled in your Active Directory. NADI just propagates this status.
- The user has been deleted and recreated with the same sAMAccountName or userPrincipalName but a different GUID. This case should be very rare.
- The given user account has one of the following flags set in its userAccountControl attribute:
  - UF_INTERDOMAIN_TRUST_ACCOUNT
  - UF_WORKSTATION_TRUST_ACCOUNT
  - UF_SERVER_TRUST_ACCOUNT
  - UF_MNS_LOGON_ACCOUNT
  - UF_PARTIAL_SECRETS_ACCOUNT
  For security reasons these flags must not be set on a normal user account (they mark trust, computer, domain controller, cluster and read-only domain controller accounts), and NADI automatically disables the user.
- The user’s userAccountControl attribute is missing the flag UF_NORMAL_ACCOUNT.
You can use ADSI Edit to identify the flags of the user’s userAccountControl attribute. Fix the userAccountControl flags or create a dedicated account which is only used for the given purpose.
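A small decoder for the rules above, added here as an example rather than NADI’s own code: it takes the raw userAccountControl value as ADSI Edit or PowerShell displays it and reports why NADI would show the account as disabled. The bit values are Microsoft’s documented userAccountControl constants; the sample values in the block are constructed.

```python
# Decode userAccountControl and apply the disable rules from the FAQ above.
# Added example, not part of NADI. Bit values are the documented
# userAccountControl constants (ADS_USER_FLAG_ENUM); sample inputs are constructed.

UAC_FLAGS = {
    0x00000001: "UF_SCRIPT",
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000008: "UF_HOMEDIR_REQUIRED",
    0x00000010: "UF_LOCKOUT",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000040: "UF_PASSWD_CANT_CHANGE",
    0x00000080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00020000: "UF_MNS_LOGON_ACCOUNT",
    0x00040000: "UF_SMARTCARD_REQUIRED",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "UF_PASSWORD_EXPIRED",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x04000000: "UF_PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags the FAQ lists as never allowed on an account used for WordPress login:
# they mark trust, computer, domain controller, cluster and RODC accounts.
FORBIDDEN_FLAGS = (
    "UF_INTERDOMAIN_TRUST_ACCOUNT", "UF_WORKSTATION_TRUST_ACCOUNT",
    "UF_SERVER_TRUST_ACCOUNT", "UF_MNS_LOGON_ACCOUNT", "UF_PARTIAL_SECRETS_ACCOUNT",
)


def parse_uac(value):
    """Accept the value as ADSI Edit shows it ('66048'), as PowerShell may show
    it ('0x10200'), or as an int."""
    if isinstance(value, int):
        return value
    return int(str(value).strip(), 0)  # base 0 handles both '0x...' and decimal


def decode(value):
    """Names of all set bits, lowest bit first."""
    uac = parse_uac(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def disable_reasons(value):
    """Why NADI would show this account as disabled; an empty list means usable."""
    uac = parse_uac(value)
    reasons = []
    if uac & NAME_TO_BIT["UF_ACCOUNTDISABLE"]:
        reasons.append("UF_ACCOUNTDISABLE is set (disabled in Active Directory)")
    bad = [f for f in FORBIDDEN_FLAGS if uac & NAME_TO_BIT[f]]
    if bad:
        reasons.append("forbidden flag(s) set: " + ", ".join(bad))
    if not uac & NAME_TO_BIT["UF_NORMAL_ACCOUNT"]:
        reasons.append("UF_NORMAL_ACCOUNT is missing")
    return reasons


def is_usable(value):
    return not disable_reasons(value)


if __name__ == "__main__":
    # Constructed samples: a normal user with a non-expiring password,
    # a disabled normal user, and a computer account.
    for sample in ("0x10200", "514", "4096"):
        print(sample, decode(sample), disable_reasons(sample) or "OK")
```

Feed it the value from ADSI Edit (or from Get-ADUser -Properties userAccountControl) and fix whichever reason it prints; the computer-account case (4096) shows two problems at once, a forbidden flag and the missing UF_NORMAL_ACCOUNT.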
Sometimes user accounts get locked in the Active Directory
If your users experience a locked user account, this is usually due to a configured Account Lockout Policy being triggered by repeated failed logins against the WordPress login form. Please consider using a WordPress plug-in that limits login attempts to mitigate brute-force attacks, or configure the Account Lockout Policy accordingly.
Connecting to Active Directory
I receive the error ‘Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can’t contact LDAP server’
There can be a few reasons why this error appears. It is highly unlikely to be a bug in NADI; almost always it is a problem with the network path between the webserver and the domain controller. Please check the following:
- Are you using TCP port 389 where the domain controller expects 636 (LDAPS), or vice versa?
- Check the configured hostnames of the domain controllers:
  - If you are using DNS names, can the webserver running WordPress resolve them to IP addresses? You can test this by issuing a
ping ${DNS_ENTRY}
on the webserver’s console.
  - If you are using DNS names with the .local TLD, there can be serious problems resolving the correct IP addresses; it depends on the operating system and which services (for example mDNS) are enabled. You can add the full DNS-name-to-IP mapping to the
/etc/hosts
file of the webserver, or use IP addresses instead of DNS names.
- Does the firewall of the webserver’s operating system allow outgoing TCP connections to your domain controller? Does any firewall between the webserver and the domain controller block the traffic? You can check this by issuing a
telnet $DOMAIN_CONTROLLER 389
(or 636 for LDAPS) on the webserver’s console.
- If you are running WordPress on a Linux host with SELinux enabled, you have to make sure that SELinux allows the web server to open outgoing network connections. You can test this by issuing a
setsebool httpd_can_network_connect 1
on the webserver’s console; without -P the setting is lost on reboot, so add -P once you have confirmed it fixes the problem.
- Please check the username and password of the LDAP connection. Are they valid?
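The checks above in the order a practitioner would run them, as an added example that is not NADI’s own code: resolve the domain controller’s name first, then attempt a plain TCP connect on the port implied by the configured encryption mode (389 for plain/STARTTLS, 636 for LDAPS, as stated in this FAQ). The resolve and connect functions are injectable so the logic can be exercised without a real domain controller; the hostnames in the block are made up.

```python
# Walk through the connectivity checks from the list above: name resolution,
# then a plain TCP connect on the port matching the encryption mode. Added
# example, not NADI's code. `resolve` and `connect` default to the socket
# module but can be replaced with fakes for offline testing.
import socket

PORT_FOR_MODE = {"none": 389, "starttls": 389, "ldaps": 636}


def expected_port(mode):
    """Port implied by the Environment > Use encryption setting."""
    try:
        return PORT_FOR_MODE[mode.lower()]
    except KeyError:
        raise ValueError("unknown mode %r; expected none, starttls or ldaps" % mode)


def diagnose(host, mode="starttls", port=None, timeout=3.0,
             resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return {'stage': 'dns'|'tcp'|'ok', 'detail': ..., 'hint': ...}."""
    port = port or expected_port(mode)

    # Stage 1: can this web server resolve the DC's name at all?
    try:
        infos = resolve(host, port, 0, socket.SOCK_STREAM)
    except OSError as exc:
        hint = "name does not resolve here; add it to /etc/hosts or use the IP address"
        if host.lower().endswith(".local"):
            hint += " (.local names are often routed to mDNS rather than DNS)"
        return {"stage": "dns", "detail": "%s: %s" % (host, exc), "hint": hint}
    addrs = sorted({info[4][0] for info in infos})

    # Stage 2: plain TCP connect, the same thing `telnet $DOMAIN_CONTROLLER 389` does.
    try:
        connect((host, port), timeout=timeout).close()
    except OSError as exc:
        other = 636 if port == 389 else 389
        return {
            "stage": "tcp",
            "detail": "%s:%d (%s): %s" % (host, port, ", ".join(addrs), exc),
            "hint": ("no TCP path: check the host firewall, SELinux "
                     "(httpd_can_network_connect) and intermediate firewalls; if the "
                     "DC only listens on %d, fix the encryption/port setting" % other),
        }
    return {"stage": "ok",
            "detail": "%s:%d reachable via %s" % (host, port, ", ".join(addrs)),
            "hint": ""}


if __name__ == "__main__":
    import sys
    # Usage: python diagnose.py dc1.example.test ldaps   (hostname is made up)
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.test"
    mode = sys.argv[2] if len(sys.argv) > 2 else "starttls"
    print(diagnose(host, mode))
```

Run it on the webserver itself, not from your workstation: the point of the procedure above is that it is the web server’s resolver, firewall and SELinux policy that must allow the connection. A TCP connect succeeding only proves the port is open; a bind failure after that is down to credentials or the TLS configuration.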
Security and Encryption
Is it possible to use TLS with a self-signed certificate on the AD server?
Please read Encryption with TLS.
Can I use LDAPS instead of STARTTLS?
Yes, you can. Just select “LDAPS” in the option Environment > Use encryption and enter 636 as port.
Are Active Directory passwords stored in the WordPress database?
By default: no. For security and administration reasons all passwords should only be stored in the Active Directory and nowhere else.
SSO
Which SSO techniques are supported?
NADI does support
- sAMAccountNames and userPrincipalNames provided by the webserver’s SSO layer
- since 2.0.11 NTLM
- since 2.2.0 Kerberos principals
NADI itself does not implement any SSO functionality.
Is X.509 certificate SSO authentication supported?
We have no official support for that but if your certificate is issued for the userPrincipalName the Kerberos SSO process is automatically used if SSO is enabled.
Can my SSO authenticated user log out?
Yes. If you want to log in as a different user you can simply use the log out feature of WordPress. On the “Login” page you can enter any of your WordPress/Active Directory accounts or use the link Login with SSO to use your current user principal.
Why is another service account for SSO required?
The user principal provided by the webserver does not include the password. A bind credential is required to synchronize your user’s data from Active Directory to WordPress, for example to check security group membership. As most Active Directory installations do not allow anonymous LDAP binds, the service account is used to retrieve that information.
Can I remove the “Log in using SSO” link?
Please take a look in our Lifecycle documentation how to remove the link.
Debugging
Where are the AD attributes stored in WordPress?
If you activate Automatic user synchronization, every synchronized AD attribute is stored in the wp_usermeta table.
You can set the meta key as you like or use the default behaviour, where the meta key is set to next_ad_int_<attribute> (e.g. next_ad_int_physicaldeliveryofficename for the office attribute).
Authentication
With WordPress 4.5 I could login with my e-mail address. Is this supported by Next Active Directory Integration?
No. After NADI has been enabled it uses only the userPrincipalName or sAMAccountName of the user for authentication. If you exclude a given username, WordPress’ default login method is used for it, which supports login by e-mail.
Authentication is successful but the user is not authorized by group membership. What is wrong?
There can be several reasons for this behaviour:
- A common mistake is that the Base DN is set to a wrong value. If the user resides in an Organizational Unit (OU) that is not “below” the Base DN, the groups the user belongs to cannot be determined. A quick solution is to set the Base DN to something like dc=mydomain,dc=local without any OU.
- Another common mistake is to use ou=users,dc=mydomain,dc=local instead of cn=users,dc=mydomain,dc=local as Base DN: the default Users object in Active Directory is a container (CN), not an organizational unit (OU).
- Depending upon your NADI and Active Directory configuration you may run into the following situation: the sAMAccountName of the user is “testA” and the userPrincipalName prefix is “testB”. Authentication succeeds with either name because Active Directory internally checks both attributes. The group membership for authorization, however, is looked up by adLDAP. If no “@” character is present in the username, adLDAP uses the sAMAccountName attribute to look up the user, so a user logging in as “testB” is never authorized because the lookup of his groups always returns an empty set. The easiest way to fix this problem is to use the same sAMAccountName and userPrincipalName prefix.
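A model of the two lookups the list above describes (Base DN scope and the “@” rule), added here as an example rather than NADI’s or adLDAP’s own code. The directory entries are constructed; the lookup rule (no “@” means search by sAMAccountName, otherwise by userPrincipalName) is taken from the FAQ text. The example also escapes the login name per RFC 4515 before it is placed in the filter, which any code that builds LDAP filters from user input must do.

```python
# Model of the group lookup discussed above: attribute choice by "@", case-
# insensitive matching as AD does it, and Base DN scoping. Added example, not
# NADI's or adLDAP's code; DIRECTORY is constructed test data.

def escape_filter_value(value):
    """RFC 4515 escaping: without it a login name such as 'x)(objectClass=*'
    would change the meaning of the search filter (LDAP injection)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def lookup_attribute(username):
    """The rule from the FAQ: '@' present => UPN lookup, otherwise sAMAccountName."""
    return "userPrincipalName" if "@" in username else "sAMAccountName"


def lookup_filter(username):
    """The search filter adLDAP-style code would send for this login name."""
    return "(&(objectClass=user)(%s=%s))" % (
        lookup_attribute(username), escape_filter_value(username))


def _split_dn(dn):
    # Sufficient for the DNs in this FAQ; values containing escaped commas
    # need a real DN parser.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under_base_dn(entry_dn, base_dn):
    """True if entry_dn lies at or below base_dn (case-insensitive RDN match)."""
    entry, base = _split_dn(entry_dn), _split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


# Constructed directory: one user whose sAMAccountName and UPN prefix differ.
DIRECTORY = [
    {
        "dn": "CN=Test A,OU=Sales,DC=test,DC=ad",
        "sAMAccountName": "testA",
        "userPrincipalName": "testB@test.ad",
        "memberOf": ["CN=WP Editors,CN=Users,DC=test,DC=ad"],
    },
]


def find_groups(username, base_dn="DC=test,DC=ad", directory=DIRECTORY):
    """Groups available for authorization: the entry must match on the chosen
    attribute (AD compares case-insensitively) and sit below the Base DN."""
    attr = lookup_attribute(username)
    for entry in directory:
        if (entry[attr].lower() == username.lower()
                and is_under_base_dn(entry["dn"], base_dn)):
            return list(entry["memberOf"])
    return []


if __name__ == "__main__":
    for name in ("testA", "testB", "testB@test.ad"):
        print(name, "->", lookup_filter(name), find_groups(name))
    print("wrong Base DN:", find_groups("testA", base_dn="OU=Marketing,DC=test,DC=ad"))
    print("escaped:", lookup_filter("*)(objectClass=*"))
```

Logging in as “testB” yields an empty group list even though the bind succeeded, exactly the symptom described above; “testA” or the full “testB@test.ad” both find the entry, and the same user disappears again as soon as the Base DN is an OU the account does not live under.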
Is NADI case-sensitive?
No, it is not. You can log in with “administrator@test.ad” or “Administrator@TEST.AD”. All variations map to the same user principal in Active Directory. It is not possible to define the same user principal with different cases.
My Active Directory username (sAMAccountName or userPrincipalName) contains German Umlauts but the Umlauts are not shown in WordPress.
ADI-317: This is a restriction of WordPress and not a bug. WordPress does not allow umlauts as part of the user login name (user_login) or nicename (user_nicename). When NADI adds users with umlauts via Test authentication, Sync To WordPress or login, WordPress automatically converts these fields to characters without diacritics. Active Directory itself maps usernames with diacritics to their non-diacritic counterparts during authentication. You can log in with “Müller” or “Muller”; both are mapped by Active Directory to the same user account.
Project organization
Is there an official bug tracker for NADI?
Yes, we use GitHub. Any issue provided from the community will go there.
How do you handle support requests?
Please purchase a support plan and open a ticket.