neosit / active-directory-integration2 Goto Github PK

It's more of a feature request than an issue:

Adding a sync option for the attribute "thumbnailPhoto" would be a great feature.
Upload and store your user's pictures to AD and sync them back as profile pictures in WordPress.

Have you thought about such a feature?

What have been changed from the "old" version to this "Next" version?
I can't have the Verify Credentials to work in this "Next" version, but are working in the "old" version.
Yes I know the username and the password are correct.
And no, I can't activate the log (as the error message tell me), because I can't save the settings without this verifying credentials.

Hi,

I have been getting the following error

Attributes for '$username': could not be loaded. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid?

I have read the documentation about this error and made sure the Base DN is set correctly. Unfortunately this didn't make any difference.

I dived into the code and i found that the Adi_Authentication_SingleSignOn_Service uses the user's sAMaccount name to retrieve the user's attributes. This succeeds. Then it tries to authenticate using the parents class authenticate method (Adi_Authenticaton_LoginService). However, this fails because this time it uses the userPrincipalName which in my case often differs from the sAMaccount name.

When i change the attribute it uses for the createUpnCredentials to samaccountname it works.

Is this a faulty AD configuration?

Just wanted to say I am really liking this plugin. It's multisite support is just what I needed.

Hello,

I'm running an intranet website with wordpress via Apache (xampp on an Windows Server) and want to login with SSO.
I allready installed Next Active Directory Integration and connected it with the LDAP Server and I can login with our domain users.
But I don't know how to configure SSO.
Can you help me with that?

Kind regards

I had Wordpress installed on IIS where SharePoint was also enabled, and SharePoint enabled claimsbased authentication, so my REMOTE_USER Looks like this claims|domain\username which of course broke the NLMT SSO.

I have rewritten the setNetbiosName function of Credentials.php to look something like this:

	public function setNetbiosName($login) {
		$parts = explode("\\", $login);
		if (sizeof($parts) >= 2) {
			
			// check if the username has claims prefixed, then the REMOTE_USER looks like this 0#.w|domain\username
			$parts_claims = explode ("|",$parts[0]);
			if (sizeof($parts_claims)>=2)
				$this->netbiosName = strtoupper($parts_claims[1]);
			else
				$this->netbiosName = strtoupper($parts[0]);

		}
			
	}

not sure if it is worth including in the official build - it is a strange configuration, but it is something that could possible be seen in the wild with IIS and SharePoint installed.
(also see https://msdn.microsoft.com/en-us/library/office/jj163913.aspx for some Background on the 0#.w part of the username)

Hi. I will never make my plugins folder be owned by the web server, nginx or apache. I own all WordPress core files, plugins and themes. The only folder I give ownership to the server is wp-content/uploads.

This error came up immediately when I activated the plugin.

Warning: fopen(/var/www/html/site.com/wp-content/plugins/next-active-directory-integration/logs/debug.log): failed to open stream: Permission denied in /var/www/html/site.com/wp-content/plugins/next-active-directory-integration/vendor/apache/log4php/src/main/php/appenders/LoggerAppenderFile.php on line 99 Warning: log4php: [LoggerAppenderFile:file]: Failed opening target file. Closing appender. in /var/www/html/site.com/wp-content/plugins/next-active-directory-integration/vendor/apache/log4php/src/main/php/LoggerAppender.php on line 283

You count from 35 down to 0 in your block message ('timeLeft' => $timeLeft + 5), but the time in the message is initially set to 30 (<span id='secondsLeft'>$timeLeft</span>). So its a bit confusing if it counts like this: 30, 34, 33, ....

Maybe you should change the $timeLeft in the beginning of the function to $timeLeft + 5

File: classes/Adi/Authentication/Ui/ShowBlockedMessage.php
Function: showBlockMessage

Hello guys,
I really need your help. Ive been trying to get this work for many hours.
I got a multisite installation and activated it for all but in profile options page I cant selct any profile. When I click on "Create new profile" nothing happens. In a site with the plugin the settings page is deactivated, so I cant write in any field.
I recently tried another browser and pc. Im logged in with administrator account, but tried it with another and nothing changed. I thought its maybe a fail with the rights but everything should be ok.
Maybe you know something about this.

Thank you.

Is it possible to sync the AD attribute "thumbnailPhoto"?

This attribute doesn't sync because the length and the encoding (I think).

More info: http://stackoverflow.com/questions/16937863/display-thumbnailphoto-from-active-directory-in-php?noredirect=1&lq=1

Hello!

I get the error below for each of the users im importing for my AD to Wordpress. The users are created alright and everything seems to work accordingly, Is there any setting i could try to change to get rid of the message, it kinda clutters down the import screen.

Thanks in Advance

I have been using Active Directory Integration 1.1.8 successfully but I recently changed to a MultiSite Installation and needed support for MultiSite.

I deactivated Active Directory Integration 1.1.8 and then installed Next Active Directory Integration 2.0.7. When I attempted to Network activate Next Active Directory I received the following error:

Plugin could not be activated because it triggered a fatal error.

Parse error: syntax error, unexpected ‘.’, expecting ‘,’ or ‘;’ in /var/www/html/forms/wp-content/plugins/next-active-directory-integration/classes/Core/Logger.php on line 22

I checked the file in question and line 22 is referencing the log file:

const LOG_PATH = NEXT_AD_INT_PATH . ‘/’ .’logs/debug.log’;
const FILE_CONVERSION_PATTERN_FILTER = ‘next_ad_int_file_conversion_pattern_filter’;
const ECHO_CONVERSION_PATTERN_FILTER = ‘next_ad_int_echo_conversion_pattern_filter’;

Any ideas?

Next ADI should support custom user roles again.
https://wordpress.org/support/topic/do-not-support-custom-roles/

Hi,

I saw in my last project some unusual behavior. Its seems that

require_once("functions.php"); //line 29 of index.php

in index.php of Next Active Directory Integration plugin in fact call some other functions.php than this from plugin (next messages in trace were connected with functions in custom theme ). I'm not good in php and spent long time to fiugure what's the problem. Soo.. after change of file name both in directory and in require_once - problem dissapear.. But i noticed that more elegant and maybe universal solution will be like this:

require_once(dirname(__FILE__)."/functions.php");

maybe it will be helpfull for someone

New installation on WP. IIS 7, Windows 2008, WordPress 4.6.1 (not officially supported but should work?), PHP 5.3.26

On activating the plugin I get the white screen.

PHP Errors log shows the following:

[27-Sep-2016 10:48:17] PHP Fatal error: Call to undefined method stdClass::findAll() in D:...\wp-content\plugins\next-active-directory-integration\classes\Core\Migration\Configuration\Abstract.php on line 69

I was finally able to get Next AD Integration installed and migrated settings from AD Integration v1 however when users login their WordPress User Roles are lost?

I have some defined ad -> wp user roles defined but not all users have an ad equivalent in wordpress

Any thoughts?

• rename plugin to Next Active Directory Integration (Active Directory Integration 2 or Active Directory Integration NX was not accepted by wordpress.org)
• change function and option prefix to next_ad_int_ required for releasing on wordpress.org
• change class prefix to NextADInt_ required for releasing on wordpress.org
• fix broken profile assignment in Wordpress 4.6
• fix bug in adLDAP.php causing an endless loop
• fix broken uninstaller
• fix profile option/configuration save button which does not stay deactivated
• remove hardcoded plugin name
• add check for mcrypt
• use get_sites instead of wp_get_sites for Wordpress 4.6

Having some issues connecting our install to the AD on the client's system.
Would love to pay for a support ticket, but can't find any info on how to do that.
Please let me know!!

When I make an ldap profile where one AD group maps to the wordpress super admins role it doesn't seem to do anything. The user logs in and they aren't assigned that role.

All the other AD group to Wordpress Roles work.

Wordpress Version: 4.6.1

I'm aware that Next ADI has not been tested with Wordpress 4.6.1, but I would like to bring this bug to the attention of the developers. When a user has been locked out after the maximum number of login attempts, Next ADI sends an email to the administrator. However, the 'From' email address is invalid; it shows as wordpress@https://sub.domain.com (which I think could be coming from Wordpress's General settings for the site URL).

Redacted error message below:

[05-Oct-2016 16:21:35 UTC] PHP Fatal error:  Uncaught phpmailerException: Invalid address: wordpress@https://sub.domain.com; in C:\rc-wordpress\wp-includes\class-phpmailer.php:946
Stack trace:
#0 C:\rc-wordpress\wp-includes\pluggable.php(352): PHPMailer->setFrom('wordpress@https...', 'WordPress', false)
#1 C:\rc-wordpress\wp-content\plugins\next-active-directory-integration\classes\Adi\Mail\Notification.php(215): wp_mail('kyle.flan@n...', '[Site Name...', 'Someone tried t...', Array)
#2 C:\rc-wordpress\wp-content\plugins\next-active-directory-integration\classes\Adi\Mail\Notification.php(195): NextADInt_Adi_Mail_Notification->sendMail('kyle.flan@n...', Object(NextADInt_Adi_Mail_Message))
#3 C:\rc-wordpress\wp-content\plugins\next-active-directory-integration\classes\Adi\Mail\Notification.php(99): NextADInt_Adi_Mail_Notification->sendMails(Object(NextADInt_Adi_Mail_Message))
#4 C:\rc-wordpress\wp-content\plugins\next-active-directory-integration\classes\Adi\Mail\Notification.php(64): NextADInt_Adi_Mail_Notification->sendNotification(Object(Ne in C:\rc-wordpress\wp-includes\class-phpmailer.php on line 946

Ist it possible to use more than kne Base-DN?

Does you team need any additional testing on the SSO side of things, I'd be happy to test out where I can (I can see that the script has parts of it in place)

After updating on the latest version I got this error message :
Fatal error: Uncaught Twig_Error_Loader: Unable to find template "option/element/domainsid.twig" (looked into: /var/www/html/wp-content/plugins/active-directory-integration2/views) in "blog-options-page.twig" at line 14. in /var/www/html/wp-content/plugins/active-directory-integration2/vendor/twig/twig/lib/Twig/Loader/Filesystem.php:194 Stack trace: #0 /var/www/html/wp-content/plugins/active-directory-integration2/vendor/twig/twig/lib/Twig/Loader/Filesystem.php(138): Twig_Loader_Filesystem->findTemplate('option/element/...') #1 /var/www/html/wp-content/plugins/active-directory-integration2/vendor/twig/twig/lib/Twig/Environment.php(266): Twig_Loader_Filesystem->getCacheKey('option/element/...') #2 /var/www/html/wp-content/plugins/active-directory-integration2/vendor/twig/twig/lib/Twig/Environment.php(324): Twig_Environment->getTemplateClass('option/element/...', NULL) #3 /var/www/html/wp-content/plugins/active-directory-integration2/twig/cache/c1/f2/419ea130d7db9c36bf68a8dc457b1006bf305ed0dc0a1b8bf5e89c8df9d9.php(170): Twi in /var/www/html/wp-content/plugins/active-directory-integration2/vendor/twig/twig/lib/Twig/Loader/Filesystem.php on line 194

When setting the Brute-Force Protection setting to '0' to disable, the screen saves - howevere navigating away from the NADI screens back back to the Security Page, the setting resets to the default value of '3'

When attempting to leave the field blank (it states you can leave it as blank or '0' the error displays

Maximum login attempts has to be numeric and cannot be negative

The plugin randomly deactivates causing users to not be able to log in. Nothing is showing in Apache, Wordpress, or plugin log files.

Hi When SSO will be implemented ?

Hi,

My AD administrator account password contains a single quote ( ' ) . The verifications fails, but not if I place this code in wp-content/plugins/active-directory-integration2/vendor/adLDAP/adLDAP.php (line 443)

$this->_ad_password = "mypassword";

Is this a bug?

Running IIS under Windows Server 2012r2

When enabling SSO, attempting to connect via SSO results in an HTTP 500 Error

PHP Logs:
[09-Sep-2016 04:25:50 UTC] PHP Fatal error:
Uncaught TypeError: Argument 1 passed to NextADInt_Adi_Authentication_Ui_ShowBlockedMessage::__construct() must be an instance of NextADInt_Multisite_Configuration_Service,
none given, called in wp-content\plugins\next-active-directory-integration\classes\Adi\Dependencies.php on line 1102 and defined in

\wp-content\plugins\next-active-directory-integration\classes\Adi\Authentication\Ui\ShowBlockedMessage.php:33

The user should be ablet o configure the log pattern for e.g. adding timestamps to the log messages

Our setup at our school:
It's multisite wordpress. We've imported all the users (+/- 10 000) through the sync button. Via curl or wget it fails (that's issue 1). The sync works via the sync button so all my users are imported in the root site.
Next I create a new site and add one our students as an admin. When I look at that site I still can see the ADI user so no problems yet. But when the users logs in for the first time. He loses his permissions and becomes unvisible in the userlist of that site. In my permission tab I've added a wordpress mapping for the staff of the school but no group mapping at all for our students.
I cannot add a mapping for our students because they may not read the blog of their fellow students. So if there's no mapping, I presume the ADI2 plugin stays off the existing permissions of a ADI user? But that's not the case...

Only the owner (student) and the staff may read their blog. Other plugins I use to accomplish this is "private by default". It basically makes every page and post you create private. You need editor or admin rights to see the posts...

I would really like to bring this over to our production systems. Is it in a state where I can do so? Minor bugs don't bother me too much. As long as the AD auth/Role mapping for Administrator/Contributor/Editor/Subscriber work then I am happy. This seems to be the case with my testing.

Hi there! Again, thanks for the awesome plugin. We have an issue with roles not being set from AD groups except in the first sub-site visited in a network-enabled WP install.

Setup

1. WordPress Network
2. Single Sign-On (auto login): on
3. Automatic User Creation: on
4. A profile where role-equivalent groups can be modified for each subsite
5. Your AD user being member of group EXAMPLE_GROUP
6. Subsite 1, where EXAMPLE_GROUP is mapped to the Editor role
7. Subsite 2, where EXAMPLE_GROUP is mapped to the Admin role

Steps to reproduce

1. While in a Windows session with your user, visit Subsite 1
2. Auto-login happens
3. Visit Subsite 1 /wp-admin to confirm you have Editor role
4. Visit Subsite 2
5. Admin bar still present: you are logged in
6. Visit Subsite 2 /wp-admin: you have no role, therefore access to nothing

You can "fix" this by logging out and visiting Subsite 2 first on your next visit/authentication, but this is not something that we can reasonably ask our users.

After the last commit, I am unable to log in as a new user into the WordPress site. Existing users are working without issues.

Notice: Undefined property: WP_Error::$ID in C:\inetpub\wwwroot\Portal-Test\wp-content\plugins\active-directory-integration2-master\classes\Adi\Authentication\LoginService.php on line 446

The following appears in the debug log:

[WARN ] Adi_User_Manager::findByActiveDirectoryUsername [line 122] WordPress user with wp_user_meta.samaccountname='wptest', user_login='[email protected]' or user_login='wptest' could not be found
[DEBUG] Adi_User_Manager::createAdiUser [line 176] Created new instance of User <no_wp_user_account>={id='', credentials='Credentials={login='wptest',sAMAccountName='wptest',userPrincipalName='[email protected]'}'}
[DEBUG] Adi_Authentication_LoginService::createUser [line 504] Checking preconditions for creating new user User <no_wp_user_account>={id='', credentials='Credentials={login='wptest',sAMAccountName='wptest',userPrincipalName='[email protected]'}'}
[DEBUG] Adi_User_Helper::getRandomPassword [line 162] Setting local password to the used for this login.
[ERROR] Core_Util_LoggerUtil::error [line 36]
[ERROR] Adi_Authentication_LoginService::createOrUpdateUser [line 482] Unable to update or create 'User wptest={id='', credentials='Credentials={login='wptest',sAMAccountName='wptest',userPrincipalName='[email protected]'}'}':

In the english localization of wordpress this plugin has a couple german words in the Permissions tab.

under Role equivalent groups it says Sicherheitsgruppe WordPress-Rolle.

Those should say Security Group and WordPress-Role

I can't seem to get ldap binds over 636(LDAPS) working on this new version in my dev environment. It works as long as I use 389.

After I have enabled the plugin on the network, on the front page occurs following errors.

Warning: require_once(library/Mobile_Detect.php): failed to open stream: No such file or directory in /srv/www/htdocs/phoenix-mu/functions.php on line 18 Fatal error: require_once(): Failed opening required 'library/Mobile_Detect.php' (include_path='.:/usr/share/php5:/usr/share/php5/PEAR') in /srv/www/htdocs/phoenix-mu/functions.php on line 18

The line require_once(library/Mobile_Detect.php) comes from my themes function. A interesting fact is, that these line should come from /srv/www/htdocs/phoenix-mu/functions.php (/srv/www/htdocs/phoenix-mu is my WP root) Here ist the path from root to my theme missing . Why?

Without the plugin the theme works again.

When using the 'Sync to Wordpress' or 'Sync to AD' feature, a user has no indication on the current status.

Possible solution:

• user clicks on 'Sync to ...'
• button changes state (disabled) and text ('Loading...')
• display a notification or hint ('Syncing users might take a while, depending on the amount of users')

Hey!

For some reason my sync returns zero users in the specified group and then fails with the information below even though there are six users in the group.

Is there any special permissions needed to sync?

[INFO ] Start of Sync to WordPress 
[INFO ] LDAP connection is *not* encrypted 

<b>Warning</b>: ldap_control_paged_result_response(): Result is: Referral (10) in <b>D:\Sites\Intranet\wp-content\plugins\next-active-directory-integration\vendor\adLDAP\adLDAP.php</b> on line <b>966</b>
[INFO ] In group 'intra-read-employee' are 0 members. 
[ERROR] No possible users for Sync to Wordpress were found. 

I enabled the log and tried to sync again and got the following in the log.

2016-11-02 09:21:12 [INFO ] NextADInt_Adi_Synchronization_WordPress::prepareForSync [line 159] Start of Sync to WordPress 
2016-11-02 09:21:12 [INFO ] NextADInt_Ldap_Connection::createConfiguration [line 101] LDAP connection is *not* encrypted 
2016-11-02 09:21:12 [INFO ] NextADInt_Ldap_Connection::findAllMembersOfGroups [line 529] In group 'intra-read-employee' are 0 members. 
2016-11-02 09:21:12 [ERROR] NextADInt_Adi_Synchronization_WordPress::synchronize [line 131] No possible users for Sync to Wordpress were found. 

Hello,

We use your plugin and are very satisfied, thank you for that.

However, we would like to know if you plan to add this feature in future updates:

Automatically add into Wordpress the existing users from Active Directory but not yet in Wordpress via the CRON task "Sync to WordPress"

Thank you for your answer.

Have a good day.

I am able to sync to wordpress sucessfully and I can then see the ad users created in wordpress after a sync. The problem is that the synced AD user cannot login? It says the password is incorrect? It does this for all the synced users.

If I then allow password change in wordpress for the ad user and then change the password to the AD password in wordpress, then the user can login?

I dont want to allow password changes in wordpress.... please help me to resolve the issue of why it is not syncing the users AD password on creation?

Not so much an issue but it'd be a really nice feature if a site was created for the user on initial login, perhaps with the blog titled the name of the account to begin with.

Thoughts?

Also, do you accept PRs from outsiders? :)

You missed a "%" in line 31 of classes\Adi\Mail\Message.php so the email address of the blocked user is always "s":
This account is associated with "%s %s" and the email address "s" -> This account is associated with "%s %s" and the email address "%s".

Many users want to use the pre-Windows 2000 user logon name like TEST\klammer.
The problem is that this user logon name is not unique and can cause problems.

The support for this user logon name should not be enabled by default. The user should be able to enable it.

Today I updated from 2.0.11 to 2.0.13. Now I cannot save my settings anymore, because the Base DN is empty. In my case the Base DN must be empty, because we use the global catalog in my company with four different domains in it. If i specifiy a Base DN, only one of the domains can be accessed and many of my coworkers cannot login.

If multiple suffixes are set, the counter for failed logins is incremented for each suffix. So if 3 suffixes are set, the counter is set to 3 at one login attempt. It follows that the BruteForce protection is already triggered on the first login, if this is left with the default value of 3.

Hello there. First of all, thank you for the extremely useful plugin. We do have an issue with it, though.

Our multisite installation has existed for a year and half before we decided to implement SSO with your plugin. Therefore, a number of users already have local WordPress accounts. At this time, the approach you recommend is to prevent the creation of new AD users with the same email addresses as local users, which seems reasonable enough, but it locks these users into the old user/password paradigm.

The ideal solution would be for these users to be converted to AD users on first SSO auto-login attempt. This way they could connect transparently and still have access to the content they have already created. I understand this poses additional questions (what about roles, for example?) but I was wondering if this is something you've ever thought about.

Thanks!

I'm attempting on running the application via IIS (not sure if this issue exists on other web platforms)

When Activating:

The plugin generated 3 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.

When browsing to any of the Setting pages for the plugin, then are blank

I am running WordPress on Windows Server 2012 R2 (IIS) with Next ADI 2.0.9. I have configured the server for Kerberos Authentication and tested this to ensure that I am indeed authenticating via Kerberos. I have also configured NextADI for SSO. I can log in by supplying my AD user credentials in Username/Password fields. However, SSO does not work. in the debug og, I am seeing the following error:

2016-10-07 10:58:19 [ERROR] NextADInt_Adi_Authentication_SingleSignOn_Service::authenticate [line 102] User could not be authenticated using SSO. exception 'NextADInt_Adi_Authentication_Exception' with message 'No profile found for authentication.' in C:\inetpub\wwwroot\isblog\wp-content\plugins\next-active-directory-integration\classes\Adi\Authentication\SingleSignOn\Validator.php:117
Stack trace:
#0 C:\inetpub\wwwroot\isblog\wp-content\plugins\next-active-directory-integration\classes\Adi\Authentication\SingleSignOn\Validator.php(62): NextADInt_Adi_Authentication_SingleSignOn_Validator->throwAuthenticationException('No profile foun...')
#1 C:\inetpub\wwwroot\isblog\wp-content\plugins\next-active-directory-integration\classes\Adi\Authentication\SingleSignOn\Service.php(84): NextADInt_Adi_Authentication_SingleSignOn_Validator->validateProfile(NULL)
#2 [internal function]: NextADInt_Adi_Authentication_SingleSignOn_Service->authenticate('')
#3 C:\inetpub\wwwroot\isblog\wp-includes\plugin.php(525): call_user_func_array(Array, Array)
#4 C:\inetpub\wwwroot\isblog\wp-settings.php(393): do_action('init')
#5 C:\inetpub\wwwroot\isblog\wp-config.php(89): require_once('C:\inetpub\wwwr...')
#6 C:\inetpub\wwwroot\isblog\wp-load.php(37): require_once('C:\inetpub\wwwr...')
#7 C:\inetpub\wwwroot\isblog\wp-login.php(12): require('C:\inetpub\wwwr...')
#8 {main}

Has anyone else encountered this?

Hi,

First of all, thanks for you tremendous work.

The plugin provides a lot of interesting and useful features, however, unless I misunderstood, It does not allow users to change their password (within the AD) through Wordpress. I think it could be a great feature, but It may be sensitive from a security point of view.

In my personal case, for instance, It could be useful. I developed a custom plugin to do that, but I thought it would be better if all was integrated in your plugin.

Thanks again for the nice work.

Sommy

Hey there, devs!

I'm trying to get your awesome plugin to work, but I'm having some problems. Not sure it's a bug but it feels like it. I've set up a test user in AD. When I try the "Test authentication" feature, it literally says "User logged on", but when I actually try to actually log on with that account on our site, I get a "Invalid account" or something similar. Not sure what it says in English as I'm using a Swedish install of Wordpress.

When I try with my personal account, it works though so I'm just confused as to what I'm doing wrong.

Logs with both login attempts below.

Thanks in advance!

log.txt
log_success.txt