AD Integration for WordPress


There is a successor to ADI: Next ADI. You can download it from wordpress.org. Professional support for Next ADI is available at https://www.active-directory-wp.com/. ADI 1.x is no longer supported.
These pages describe the WordPress plugin Active Directory Integration.

Why?

I needed a WordPress installation with Active Directory integration. Nothing easier than that, I thought. Surely there would be a plugin that lets me authenticate users against an Active Directory and, ideally, authorize them as well. After all, I do the same with Drupal. And I did actually find a suitable plugin: Active Directory Authentication by Jonathan Marc Bearak. It is a great plugin, and after a little experimentation it worked. But I had one huge problem with it: security! So I had to do it myself.

Security

Jonathan's plugin made no provision for encrypted communication between WordPress and the AD server. The adLDAP library it uses does support LDAPS, but that is fiddly, and LDAPS is deprecated anyway. START-TLS should be used instead. However, the library does not support that. Annoying! So I also had to modify adLDAP. If we authenticate a public WordPress blog against AD, the door is wide open to brute-force attacks. I therefore implemented functionality that puts a stop to that. If you also use HTTPS for the whole blog, or at least for the login, we can be fairly confident that nothing goes wrong.

Functionality

Active Directory Integration allows WordPress users to be authenticated and authorized against an Active Directory, and users to be created and updated in WordPress automatically. The plugin is very easy to install and configure: just activate the plugin, enter the domain controller and you are done! But you can do more with it:

  • authenticate users against one or more AD servers,
  • authorize users by group membership,
  • create and update users in WordPress who can authenticate against AD,
  • assign WordPress roles based on AD groups,
  • secure communication with the AD server via TLS (recommended),
  • use non-standard ports for communication with AD servers,
  • protection against brute-force attacks,
  • send e-mails to users and/or administrators when a user account has been locked by the brute-force protection,
  • multilingual backend (English and German already included),
  • "residue-free" uninstallation of the plugin,
  • set the display name from AD attributes (sAMAccountName, displayName, description, SN, CN, givenName or mail).

Requirements

  • WordPress 2.7.1 or later (only tested with 2.7.1 and 2.8.x, but it probably works from 2.5.x on)
  • PHP 5 (because the current adLDAP library is used)
  • LDAP support (LDAP support must be enabled on the server)
  • OpenSSL support (for TLS to work, OpenSSL support must be enabled on the server)

Download

The plugin can be downloaded from wordpress.org.

Installation

  1. Log in to WP with administrator rights, e.g. as the user "admin".
  2. Upload the folder active-directory-integration to the plugins folder, which is usually "wp-content/plugins".
  3. Activate the plugin on the Plugins page.
  4. Configure the plugin under "Settings > Active Directory Integration", enabling TLS if at all possible.
  5. Enable admin SSL mode by adding the line
    define('FORCE_SSL_ADMIN', true);

    to wp-config.php so that passwords do not travel over the network in plain text.

174 thoughts on "AD Integration for WordPress"

  1. I am using your plugin in a project and would like to make a small donation for your plugin, do you have a Paypal address?

    NOTE to OTHERS: I see that quite a few people are using this awesome plugin, for what is most likely commercial projects, join me in a show of generosity and make a little contribution for time and effort!!

  2. Hello Christoph,

    I sent you the email and I figured out how to activate the Debug Mode. Please respond via email asap as we have a deadline of Friday to have this setup and in working order.

    Thanks!

  3. Hi Crystal,
    you can send me the output of the test tool to christoph@steindorff.de and I'll have a look at your settings. Please activate the debug mode of WordPress before you start the test tool (define('WP_DEBUG', true); in wp-config.php). But don't forget to deactivate it in production.

  4. We are trying to install and activate this plugin but we are getting the error "Authentication Failed: storing failed login for user """. Can you please help us with the settings of the plugin so we can get this to work? We have no idea which setting is not connecting properly.

  5. Hello Christoph, and many thanks for your great contribution.

    I am using your plugin for a task I have been assigned, since I'm too lazy to write a plugin myself.
    I have found something interesting that I thought I should share with you as food for thought for future releases.

    I’ll start by saying that authentications work fine, but not user info retrieval. To explain myself:

    A large organisation with an AD forest having multiple child domains wants to authenticate AD users for their intranet WP instance.
    The IT department wants to have control over the user creation without involving the Infrastructure department,
    No groups or imports from the actual AD, but manually adding the user's sam account name along with a dummy email.
    To achieve that, my configurations and customizations into your plugin are as follows:

    Configurations:

    [Server]
    Controller: "organisation.net"
    base DN: "dc=organisation,dc=net"
    Note: The Controller is the root/parent of the forest.

    [User]
    Account suffix: all possible/allowed suffixes (organisation units, separate location, separate user base)
    Auto user creation: off
    Auto user update: on
    Auto user description: off
    Prevent Email change: off
    Password related: all off

    Customizations:

    Since LDAP servers can authenticate users without having the actual information stored,
    to get the user information I had to connect to the domain for which the user had been authenticated,
    based on the account suffix.

    In the 'authenticate' function, after line 835 I added this snippet (it can be a function if you like;
    I actually made a filter on $userinfo to centralize all of the customizations elsewhere, but here is the inline version):

    ```php
    // Are there any details?
    if ( ! is_array($userinfo) ) {
        // Extract the account's domain for which the user got authenticated
        // (the suffix has the form "@child.organisation.net", so drop the "@")
        $user_domain = substr($account_suffix, 1);
        $tree = explode('.', $user_domain);
        $base_dn = 'DC=' . implode(',DC=', $tree);
        $user_controller = array($user_domain);

        // Rebind to the domain where the user resides.
        $adLDAP = @new adLDAP(array(
            'account_suffix'     => $account_suffix,
            'base_dn'            => $base_dn,
            'domain_controllers' => $user_controller,
            'ad_port'            => $this->_port,
            'use_tls'            => $this->_use_tls,
            'network_timeout'    => $this->_network_timeout
        ));
        // Don't authenticate with a suffix. The library adds it.
        if (@$adLDAP->authenticate($ad_username, $password) === true) {
            $res = @$adLDAP->user_info($ad_username, $this->_all_user_attributes);
            // Change the userinfo variable only if we had a successful response
            if (isset($res) && is_array($res) && $res['count'] >= 1 && is_array($res[0])) {
                $userinfo = $res[0];
            }
        }
        // Clean up our mess.
        unset($user_domain, $tree, $base_dn, $user_controller, $adLDAP);
    }
    ```

    For updating user details based on AD, in line 855 I removed "$this->_auto_create_user AND" from inside the if clause,
    although I do understand the reasoning behind the "_auto_create_user" option.

    So far this works like a charm for my use case and hopefully could be of some interest for somebody else.

  6. Hi Johnathon,
    thanks a lot for your bug report. I fixed this not in _get_failed_logins_within_block_time but at the beginning of the method authenticate(). We don't need to go so far into the code when we get an empty username.

    You’ll get mentioned in the changelog of version 1.1.6.

  7. I ran into an issue today: anyone trying to log into the site was getting the message:
    Account blocked for X seconds. (where X is a countdown timer).

    I found that a blank username was being presented to the function _get_failed_logins_within_block_time causing every unauthenticated user to fail.

    I fixed the issue by adding:

    ```php
    if (empty($username)) {
        return 0;
    }
    ```

    to the top of that function. Could you incorporate this fix into future releases?
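Both the brute-force protection described in the Security section above and the empty-username fix proposed in this comment can be illustrated with a small sliding-window failed-login counter. This is an added example, not ADI's own code; the in-memory array standing in for the plugin's persistent storage, the function names and the 120-second block time are assumptions.

```php
<?php
// Added example (not the plugin's code): count failed logins per username
// inside a time window and derive the "Account blocked for X seconds" value.
// $store is a constructed stand-in for the plugin's storage (an assumption):
// username => list of failure timestamps (unix time).

function adi_sample_failed_logins(): array {
    return [
        'alice' => [1000, 1020, 1050],   // three recent failures
        'bob'   => [100, 200],           // old failures, outside the window
        ''      => [1000, 1001, 1002],   // stray entries recorded for an empty username
    ];
}

/**
 * Count failed logins for $username within the last $block_time seconds.
 * An empty username never counts: without this guard, failures recorded
 * under "" would lock every unauthenticated visitor out of the login form.
 */
function adi_failed_logins_within_block_time(array $store, string $username, int $block_time, int $now): int {
    if ($username === '' || !isset($store[$username])) {
        return 0;
    }
    $threshold = $now - $block_time;
    $count = 0;
    foreach ($store[$username] as $ts) {
        if ($ts >= $threshold) {
            $count++;
        }
    }
    return $count;
}

/**
 * Seconds the account stays blocked (0 = not blocked). The block is counted
 * from the most recent failure, so the countdown shrinks on every page load.
 */
function adi_block_seconds_remaining(array $store, string $username, int $max_attempts, int $block_time, int $now): int {
    if (adi_failed_logins_within_block_time($store, $username, $block_time, $now) < $max_attempts) {
        return 0;
    }
    $last = max($store[$username]);
    return max(0, ($last + $block_time) - $now);
}

// Demonstration: max_login_attempts = 3 (as in the debug log above), block time 120 s.
$store = adi_sample_failed_logins();
$now   = 1100;
foreach (['alice', 'bob', ''] as $user) {
    printf("%-8s failures: %d, blocked for %d s\n",
        $user === '' ? '(empty)' : $user,
        adi_failed_logins_within_block_time($store, $user, 120, $now),
        adi_block_seconds_remaining($store, $user, 3, 120, $now));
}
```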

  8. Hi Waheed,
    your BaseDN looks wrong. Please try "dc=avascent,dc=local" without CN. And you have to set an empty (no whitespaces) account suffix or set a proper one. Let me know if it works.

    Best regards
    Christoph

  9. Hi Christoph, the plugin is not working on our site.
    I have tried all possible ways; here is the logon result.
    openLDAP is installed.

    [INFO] method authenticate() called
    [INFO] ——————————————
    PHP version: 5.4.14
    WP version: 4.0
    ADI version: 1.1.5dev
    OS Info : Windows NT TAZ 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
    Web Server : cgi-fcgi
    adLDAP ver.: 3.3.2 EXTENDED (201302271401)
    ——————————————
    [INFO] LDAP paging: enabled
    [NOTICE] username:
    [NOTICE] password: **not shown**
    [INFO] Options for adLDAP connection:
    – account_suffix:
    – base_dn: cn=users,dc=,dc=local
    – domain_controllers: 172.16.66.1
    – ad_port: 389
    – use_tls: 1
    – network timeout: 5
    [NOTICE] adLDAP object created.
    [INFO] max_login_attempts: 3
    [INFO] users failed logins: 0
    [NOTICE] trying account suffix “ “
    [ERROR] Authentication failed
    [WARN] storing failed login for user „“

    Logon failed

  10. Hi Christoph,
    Thanks for this great plugin. Works out of the box and is easy to install and to configure.
    Here's my question: when a user logs into our WordPress page with his AD logon/password, authentication against AD works great. But as soon as he changes his password in AD on his PC, he is still able to log in with his former password for approx. 5 minutes (along with his new password, so old and new password work). After 5 minutes, only the new password works.
    My settings (sorry, it's in German):
    – Lokales Kennwort änderbar: unchecked
    – Rückfall auf lokales Kennwort: unchecked
    – Setze lokales Kennwort bei erster erfolgreicher Anmeldung: unchecked
    – Automatisches Update des Kennworts: unchecked.

    Thanks in advance for your help!

  11. Thank you for a great plugin. I am yet to get it working, hence my leaving this message. Is your plugin tested to work well with AD running on Windows Server 2012 R2?

    I ask because when I try to test the connection, it’s failing each time. I’ve checked the firewall along the traffic path and I’m seeing the ACL hit count increased whenever I do the test – signifying that the traffic is making it to my firewall.

    I’ve then setup port forwarding to send that traffic to the AD server. So I’d like to know if you’ve tested this with Windows Server 2012 R2 running on a LAN behind a firewall.

    Please advise, thanks.

  12. Hi Waheed,
    the password in AD is never changed by ADI for security reasons. This behavior is described on ADI's User Tab:

    Enable local password changes
    Allow users to change their local (non AD) WordPress password
    If activated, a password change will update the local WordPress database only. No changes in Active Directory will be made.

  13. Hi Christoph,
    I've got a problem. We have created a user:
    I created a user waheed on AD.
    I logged into a Terminal Server as waheed.
    I logged out.
    I logged into WordPress using the same password.
    I selected my profile, changed the password and hit update.
    The new password for WP works fine,
    but the Terminal Server that runs off AD will not take the new password,
    only the original password.
    Need urgent help.

    Thanks

  14. Hi Chris,
    I don't know what's wrong. Send me the output of the BulkImport and, if possible, screenshots of the configuration pages to christoph@steindorff.de. Don't forget to blank out confidential data. I'll have a look.

  15. Hello-

    I'm scratching my head on this. Using WordPress 4.0 and ADI v1.1.5, everything is working fine except for the Bulk Import. I keep getting this error: ** [ERROR] adLDAP exception: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Server is unavailable **. I've checked the credentials and server info, even the Security Group, but I keep getting this message. Any ideas?

    Thanks – Chris

  16. Thanks Christoph –

    I think that did the trick. It’s pulling in my data just fine now. Sorry to bother with something so trivial.
    Regards,
    Jim

  17. Hi Jim,
    the reason for most problems is a wrong BaseDN. Try to set it only to your domain like "dc=domain,dc=tld" and do not use Organizational Units or things like that. If it works you can then try to be more specific and add some additional information to your BaseDN.

  18. Hello –

    I am very new to WordPress (1 week only) so I apologize if I’ve missed something obvious.

    I have installed WordPress 4.0 and was able to get your plugin working. However a lot of the meta data isn’t coming from my AD servers (Server 2008 R2). I am getting the display name only. No first, last, email, etc.

    I know this hasn't been tested on 4.0 and I am wondering if you were working on an update or if there may be something simple I can do to work this out.

    Thanks again for your time.
    Jim

  19. This is a possible feature. BUT… this will slow down your website. Perhaps we can use a timer. The update_user function is called on new page load but only if the last update is – let’s say – 10 minutes ago. Would that be ok?

  20. Hi,

    Thank you very much for this wonderful plugin. Is it possible to update user roles according to real-time Active Directory group membership changes? For example: is it possible to call the _update_user function in functions.php so that the user roles are updated every time a new page loads? My users stay logged in for a long time and I want to be able to change their system-wide roles on the fly.

    If so, how do I call the function? If not, how can we accomplish that?

    Currently, in order for my Active Directory changes to take effect I have to delete the user and ask them to re-login every time I change a user's roles; otherwise the changes do not append. I am running WordPress version 4.0.

    Any hint would be highly appreciated…

  21. Hi

    I have the plug-in working, but it seems like I can’t turn on SSL. I have a pretty vanilla DC, running Server 2012R2.

    I added the line as specified to wp-config, and restarted IIS. I can get it to work if I turn off SSL. The server is 'inside' the firewall, so it's not as risky as a public webserver, but I would still prefer to leave it on.

    Do I have to install something on the DC?

    Any thoughts?

    == John ==

  22. I don’t exactly understand your problem. Nevertheless I try to answer 😉

    Create security groups in AD like "WordPress-Admins", "WordPress-Editors", "WordPress-Contributors" and assign your users to these groups. Then set the "Role Equivalent Groups" in ADI like this: "WordPress-Admins=administrator;WordPress-Editors=editor;WordPress-Contributors=contributor;WordPress-Users=subscriber". The order is important because the first matching group/role is assigned to the WordPress user on login. The first match, from left to right, is used, so you should obviously put the more powerful groups first.

    If you want to change the role of a user in WP you only have to update his membership to the equivalent groups in AD.
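The first-match-from-left-to-right rule described in this reply is worth seeing in code, because a wrong ordering silently hands out a weaker role. The following is an added example, not ADI's own implementation; the function names, the tolerance for whitespace around entries and the case-insensitive group comparison are assumptions.

```php
<?php
// Added example (not ADI's code): parse a "Role Equivalent Groups" string and
// resolve a WordPress role with first-match-from-left-to-right precedence.

/**
 * Parse "Group1=role1;Group2=role2" into an ordered list of [group, role] pairs.
 * Order is preserved because it decides precedence; malformed entries are skipped.
 */
function adi_parse_role_equivalent_groups(string $spec): array {
    $pairs = [];
    foreach (explode(';', $spec) as $entry) {
        $entry = trim($entry);
        if ($entry === '' || strpos($entry, '=') === false) {
            continue;
        }
        list($group, $role) = explode('=', $entry, 2);
        $group = trim($group);
        $role  = strtolower(trim($role));
        if ($group === '' || $role === '') {
            continue;
        }
        $pairs[] = [$group, $role];
    }
    return $pairs;
}

/**
 * Return the role of the first mapping (left to right) whose group the user is a
 * member of, or null when none matches. AD group names are not case-sensitive,
 * so membership is compared case-insensitively (an assumption of this example).
 */
function adi_resolve_role(array $user_groups, string $spec): ?string {
    $member = [];
    foreach ($user_groups as $g) {
        $member[strtolower($g)] = true;
    }
    foreach (adi_parse_role_equivalent_groups($spec) as list($group, $role)) {
        if (isset($member[strtolower($group)])) {
            return $role;
        }
    }
    return null;
}

// Constructed demonstration using the mapping from the reply above.
$spec = 'WordPress-Admins=administrator;WordPress-Editors=editor;'
      . 'WordPress-Contributors=contributor;WordPress-Users=subscriber';

// A user in both the Editors and Users groups gets "editor": Editors is listed first.
$groups = ['Domain Users', 'WordPress-Users', 'WordPress-Editors'];
var_dump(adi_resolve_role($groups, $spec));

// With the order reversed the same user is downgraded to "subscriber",
// which is why the more powerful groups must come first.
$reversed = 'WordPress-Users=subscriber;WordPress-Editors=editor';
var_dump(adi_resolve_role($groups, $reversed));

// No matching group: null, so the caller can fall back to a default role or deny login.
var_dump(adi_resolve_role(['Domain Users'], $spec));
```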

  23. 1. I’m still working on ADI.
    2. No, there are only some preparations.
    3. Don't know exactly what you mean. ADI is built to work with AD Servers (usually Windows Servers) but should also work with Samba. But I haven't tested that so far.

  24. This looks like a problem with the base dn. Only for testing try to set it to something like "dc=mydomain,dc=mytld" and let me know if it works.

  25. Hi John,
    to change the password in AD from WordPress/ADI is not implemented. I’ll think about that.

    The other frustrating problem can be solved by Single Sign On, which will come with one of the next ADI releases. But if the users are not logged on to the domain it won’t help.

  26. It is possible to use SSO with ADI but not yet fully supported. It’s on my agenda for one of the next versions.

  27. Multisite will be supported in the future. I need the time to do that. Hopefully within the next months.

  28. What do you mean by "trusts"? For me ADI works with WordPress 3.8 and 3.9.

  29. Under WordPress 3.8, the plugin no longer seems to work with trusts.

  30. Hi … I installed your plugin and really like it – seems to do everything that’s needed.

    HOWEVER I ran into one frustration. If people are logged into WP, and I pass them to a link in the same AD scheme, the web browser asks them to log in … again.

    I realize this may be a fundamental limitation of WordPress, but users are really frustrated. "I already logged in … why do I have to log in again?"

    Any ideas on how we could solve that?

    Mind you, MOST users probably won't log in unless they want to leave a comment and few do, but I was hoping I could use WP to do a 'change your password' dialog as 300 of our users are never in the office and have no decent way to reset their password.

    Danke,

    == John ==
    P.S. I speak almost no German – a few semesters in High School only and it’s all gone now 🙂 … your English is much better 🙂

  31. Thanks for a useful plugin!
    How far away (approximately) is support for multisite?

  32. Multisite Support is not finished yet. I’m still working on this feature.

  33. Having difficulty using this plugin with a WP Multisite installation, and trying to sort out what is happening. It was working, and then has stopped.

  34. I got to this website through the WordPress forum. Over there you mentioned that you would enable auto-login from Windows authentication in a future version.

    I have some questions:

    1. What is the development status of this plugin? Are you still working on it? (The latest update was already a while ago.)
    2. Has the feature for Windows login already been built into this plugin?
    3. I see that for automated login a Windows server would be required. Would I be able somehow to do this on an Apache (Linux) server?

    Thanks for your replies. Would be great to have them also by mail!

    Best regards,
    Guido Peters

  35. Hi,

    We are using the plugin. We have a specific requirement and are not sure if it is an available option. We have our intranet WordPress that is integrated with AD through this plugin.
    We configured it to have the group contributor for all the user IDs that are getting created. Sometimes we might be required to change a user's group. Our requirement is that such a manual override of groups should not be modified by the plugin on the user's next login.
    That functionality would really help us a lot.

    Thanks,
    Kannan.

  36. I seem to be having an issue with user metadata that I can't figure out. It's not pulling in any of the information from Active Directory (displayName, sn, etc.). When running the test tool, it returns that those fields are "empty", even though they are not.

  37. I am trying to run a bulk import of the users and it seems as if it is not updating. I have supplied the correct credentials, and when I run the bulk-import URL it does not update.

  38. When new users try to log in, this error occurs:

    Warning: ldap_search() [function.ldap-search]: Search: No such object in /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php on line 1154

    Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php on line 1155

    but using the test tool also displays this along with the debug logs, and authentication is successful, but the new user can't log in.

  39. Please can somebody help me with my problem with mismatched passwords when importing users from AD???
    Thanks…

  40. I am having an error logging in to my site using a test user.

    Warning: ldap_search() [function.ldap-search]: Search: No such object in /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php on line 1154

    Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php on line 1155

    Warning: Cannot modify header information – headers already sent by (output started at /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php:1154) in /home/intranet/public_html/wp-includes/pluggable.php on line 680

    Warning: Cannot modify header information – headers already sent by (output started at /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php:1154) in /home/intranet/public_html/wp-includes/pluggable.php on line 681

    Warning: Cannot modify header information – headers already sent by (output started at /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php:1154) in /home/intranet/public_html/wp-includes/pluggable.php on line 682

    Warning: Cannot modify header information – headers already sent by (output started at /home/intranet/public_html/wp-content/plugins/active-directory-integration/ad_ldap/adLDAP.php:1154) in /home/intranet/public_html/wp-includes/pluggable.php on line 876

  41. Hi Anthony,
    I'm not sure if this is a default behavior of WordPress. I'll test this.

  42. Sounds weird. Please send me (christoph@steindorff.de) the output of the test tool. I'll have a look.

Comments are closed.