Viewing 12 replies - 1 through 12 (of 12 total)
  • I do not have any suggestion for you.

    I just want to say that this is how I would like it to work, if the Imported user is disabled in the AD:
    1. If the AD User already exists in WP, disable the WP account
    2. If the AD User does not exist in WP, do not create a WP account

    That would make my life easier

    I have a similar issue. The user search still finds persons that were disabled in the AD. How can this be solved?

    First I thought it would be good if the WordPress account of disabled persons will be automatically deleted. But that could lead to problems if the person has created content for the page that shouldn’t get lost.

    Deleting a User is NOT an option for us for all kinds of reasons.

    So what I have done today is that I import the LDAP field ‘useraccountcontrol’ as a string. It will be set to 512 for an Active AD user and 514 for a Disabled AD user. Don’t ask me why, ask Microsoft or Google.

    Based on that I have then created a simple Bash script that for a Disabled AD user:
    – Set meta_key = ‘adi_user_disabled’ to meta_value = 1
    – Set meta_key = ‘adi_user_disabled_reason’ to meta_value = [a suitable text]
    – Set meta_key = ‘exclude’ to meta_value = ‘Yes’, and this is used by our WP Plugin “Simple Intranet”
    – Automatically change the Role for the Disabled user to a new role called “Disabled”

    With all this done the WP User account is Disabled, we describe that it has been done automatically, we do not see it in “Simple Intranet” listing and we can also exclude the role “Disabled” for other reasons and listings.

    However, we still have some strange issues when an AD User is enabled again but I’m pretty sure I can figure this out tomorrow.

    Hi

    thank you for sharing your solution with us. I’m not a coder so I don’t know how to write and use scripts. I wish the plugin author would provide a solution with next update.

    I use BP Profile search and asked the author about his opinion. He answered:

    I suggest you ask the author of Active Directory Integration for a way to hide disabled users in the Members directory, then we can use the same way to hide them in BP Profile Search results.

    (See here the original support thread.)

    Well, if you want to use our script, below is basically what we do. I think all you’d need to change is the DBUSR, DBPWD and localip. I will not provide support on this script, but I am willing to answer questions.

    #!/bin/bash
    
    SCRIPTTAG=$(basename "${0##*/}")
    SCRIPTTAG="${SCRIPTTAG%.*}"
    RUNTIME_LONG=$(date +%Y-%m-%d_%H%M%S)
    
    # Setting DB parameters to be used in the script below
    DBNAME=wordpress
    DBUSR=XXX
    DBPWD=XXX
    
    FOLDERSCRIPTS=/root/scripts
    FOLDERRESULTS=$FOLDERSCRIPTS/$SCRIPTTAG
    
    # Create "Results" folder if it does not exist and clean the folder of old logfiles
    if [ -e "/$FOLDERRESULTS" ]; then touch $FOLDERRESULTS; else mkdir $FOLDERRESULTS; chmod 754 $FOLDERRESULTS; fi
    if [ -e "$FOLDERRESULTS/." ]; then /usr/bin/find $FOLDERRESULTS/. -mtime +10 -delete; fi
    
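    # Set a reference time to avoid updating the image for users that were not updated
    if [ $# -eq 0 ]
    then
    	timesinceupdate="30 minutes ago"
    else
    	# Quote and space the comparison; [ $1="update" ] is a one-word test that is always true
    	if [ "$1" = "update" ]
    	then
    		timesinceupdate="20 years ago"
    	else
    		timesinceupdate="$1 minutes ago"
    	fi
    fi
    # timesinceupdate already ends in "... ago", so pass it to date unchanged
    lastupdate=$(date -u -d "$timesinceupdate" "+%Y%m%d%H%M%S")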
    
    # Get local ip address on eth0 to set correct address to photos
    # localip=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
    localip=host.domain.org
    
    while read line
    do
    #	first check if there is a adi_samaccountname, i.e user comes from adi
    #	echo $line
    	accntname=$(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME -e "select meta_value from wp_usermeta where user_id = $line and meta_key = 'adi_samaccountname';")
    #       echo $accntname
    
    #	Create unique identifier for file, userid should be unique for each user and we should not be more than 10 000 employed... at least not while using this intranet
    #	id=$(printf "%05d" $line)
    	id=$(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME -e "select meta_value from wp_usermeta where user_id = $line and meta_key = 'wp_user-settings-time'")
    	echo "id:"$id
    #	if [ -z $id ]; then id=$(printf "%05d" $line); fi
    	if [ -z $id ]; then id=$(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME -e "select unix_timestamp(user_registered) from wp_users where id = $line"); fi
    	echo "id:"$id
    
    #	extract the thumbnail from the database and decode it
            accntthmb=$(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME  -e "select meta_value from wp_usermeta where user_id = $line and meta_key = 'thumbnailphoto';")
    
            if [ -n "$accntthmb" ]; then
                    echo $accntthmb | base64 --decode > /var/www/html/wp-content/uploads/avatars/${accntname}_avatar_$id.jpg
                   	chown apache:apache /var/www/html/wp-content/uploads/avatars/${accntname}_avatar_$id.jpg
    
    		#create a database entry so wp can find the avatar
                    insertentry="https://$localip/wp-content/uploads/avatars/${accntname}_avatar_$id.jpg"
                   	entrysize=${#insertentry}
                   	echo $insertentry $entrysize
                   	insertstring="a:1:{s:4:\"full\";s:$entrysize:\"$insertentry\";} "
                   	echo $insertstring;
    
    		#check whether an existing avatar exists or not and:
    		#either upgrade all existing and insert new
    		#or
    		#keep existing and only insert new
    
                    exists=$(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME  -e "select meta_value from wp_usermeta where user_id = $line and meta_key = 'simple_local_avatar';")
    
                   	if [ -n "$exists" ]; then
                   		mysql -u$DBUSR -p$DBPWD -s -N $DBNAME  -e "update wp_usermeta set meta_value = '$insertstring' where user_id = $line and meta_key = 'simple_local_avatar'"
                   	else
                    	mysql -u$DBUSR -p$DBPWD -s -N $DBNAME  -e "insert into wp_usermeta (user_id,meta_key,meta_value ) values ($line,'simple_local_avatar','$insertstring')"
    
                   	fi
           		echo $RUNTIME_LONG "- inserted" $accntname "as avatar" >> /$FOLDERRESULTS/fetchphoto.$RUNTIME_LONG.log
    
           	fi
    
    done < <(mysql -u$DBUSR -p$DBPWD -s -N $DBNAME -e "select user_id from wp_usermeta where meta_key='adi_whenchanged' and meta_value > '$lastupdate';")

    Thank you so much for your effort. I’m not sure if I dare to implement big changes like these by myself. I fear that I could break something in the WordPress installation or in the database.

    But your script could help the plugin author to implement a solution.

    @plugin author: Are you going to integrate this feature in near future? That would be awesome!

    Silly me … I see now that I gave you the wrong script.

    So there …

    if [ $SHOW == 1 ]; then echo; echo $(date +"%Y-%m-%d %H:%M:%S") "- Updating the DISABLED users to be excluded from the SID searches"; fi
    while read theUserId theUsername
    do
    	if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI Disable fields for" $theUsername "("$theUserId")" ; fi
    	HaveDisable=$(mysql -u$DBUSR -p$DBPWD $DBNAME -s -N -e "select distinct user_id from wp_usermeta where meta_key = 'adi_user_disabled' and user_id = $theUserId")
    	if [ -n "$HaveDisable" ]
    	then
    		if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI DISABLE fields for" $theUsername "("$theUserId"). Existing, updating the fields."; fi
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "update wp_usermeta set meta_value = 1 where meta_key = 'adi_user_disabled' and user_id = $theUserId"
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "update wp_usermeta set meta_value = 'User Automatically disabled by BulkImport' where meta_key = 'adi_user_disabled_reason' and user_id = $theUserId"
    	else
    		if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI DISABLE fields for" $theUsername "("$theUserId"). Missing, inserting fields."; fi
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "insert ignore into wp_usermeta (user_id, meta_key, meta_value) values ($theUserId, 'adi_user_disabled', 1)"
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "insert ignore into wp_usermeta (user_id, meta_key, meta_value) values ($theUserId, 'adi_user_disabled_reason', 'User Automatically disabled by BulkImport')"
    	fi
    
    	if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI Exclude fields for" $theUsername "("$theUserId")" ; fi
    	HaveExclude=$(mysql -u$DBUSR -p$DBPWD $DBNAME -s -N -e "select distinct user_id from wp_usermeta where meta_key = 'exclude' and user_id = $theUserId")
    	if [ -n "$HaveExclude" ]
    	then
    		if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI Exclude fields for" $theUsername "("$theUserId"). Existing, updating the field." ; fi
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "update wp_usermeta set meta_value = 'Yes' where meta_key = 'exclude' and user_id = $theUserId"
    	else
    		if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Checking ADI Exclude fields for" $theUsername "("$theUserId"). Missing, inserting the field." ; fi
    		mysql -u$DBUSR -p$DBPWD $DBNAME -e "insert ignore into wp_usermeta (user_id, meta_key, meta_value) values ($theUserId, 'exclude', 'Yes')"
    	fi
    
    	if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Adding Disabled user to the Disabled WP Roles for" $theUsername "("$theUserId")"; fi
    	mysql -u$DBUSR -p$DBPWD $DBNAME -e "update wp_usermeta set meta_value = 'a:1:{s:8:\"disabled\";b:1;}' where meta_key = 'wp_capabilities' and user_id = $theUserId"
    
    done < <(mysql -u$DBUSR -p$DBPWD $DBNAME -s -N -e "select distinct id, display_name from wp_users join wp_usermeta as usercontrol on wp_users.id = usercontrol.user_id and usercontrol.meta_key = 'adi_useraccountcontrol' and usercontrol.meta_value = 514 join wp_usermeta as userdisable on wp_users.id = userdisable.user_id and userdisable.meta_key = 'adi_user_disabled' and userdisable.meta_value != 1 join wp_usermeta as capabilities on wp_users.id = capabilities.user_id and capabilities.meta_key = 'wp_capabilities' and capabilities.meta_value not like '%disable%'")

    which requires you to first create a new Role/Group called “disabled”

    and then we go back again …

    if [ $SHOW == 1 ]; then echo; echo $(date +"%Y-%m-%d %H:%M:%S") "- Updating the ENABLED users to be included again in the SID searches"; fi
    while read theUserId theUsername
    do
    	if [ $SHOW == 1 ]; then echo $(date +"%Y-%m-%d %H:%M:%S") "- Updating the ENABLED users to be included again in the SID searches for" $theUsername "("$theUserId")" ; fi
    	mysql -u$DBUSR -p$DBPWD $DBNAME -e "update wp_usermeta set meta_value = 'No' where meta_key = 'exclude' and user_id = $theUserId"
    done < <(mysql -u$DBUSR -p$DBPWD $DBNAME -s -N -e "SELECT DISTINCT id, display_name FROM wp_users JOIN wp_usermeta AS userdisable ON wp_users.id = userdisable.user_id AND userdisable.meta_key = 'adi_user_disabled' AND userdisable.meta_value != 1 JOIN wp_usermeta AS capabilities ON wp_users.id = capabilities.user_id AND capabilities.meta_key = 'wp_capabilities' AND capabilities.meta_value NOT LIKE '%admin%' JOIN wp_usermeta AS excluded ON wp_users.id = excluded.user_id AND excluded.meta_key = 'exclude' AND excluded.meta_value = 'Yes' JOIN wp_usermeta AS usercontrol ON wp_users.id = usercontrol.user_id AND usercontrol.meta_key = 'adi_useraccountcontrol' AND usercontrol.meta_value = 512")

    The key is the meta_values 512 vs 514 and some of the above is done to fit our SID plugin.

    Same as before, I can explain the script but I will not support it.

    Thank you again for your effort. As I said before, I don’t know coding well enough to implement this solution by myself.

    So it would be awesome if the plugin author would include this feature with next update.

    Hi again,

    I did some research and found this thread:
    https://buddypress.org/support/topic/hide-deactivated-users-from-members-loop/

    But this code doesn’t work (added directly after bp_the_member() in members-loop.php):

    <?php while ( bp_members() ) : bp_the_member();
    $user = new WP_User( bp_get_member_user_id() );
    if ( ($user->roles[0] == 'blocked') ) continue;
    ?>

    My assumption is that the Active Directory integration plugin does not set the (BuddyPress?) role to “blocked” but that it deactivates users in some other way (the checkbox “User deactivated” is checked in the user’s profile in the back end). How can I refer to that to filter deactivated users in the members loop?

    After more research and trying I found a solution that works for my case.

    I added the following code in the members-loop.php directly after bp_the_member():

    $user_id = bp_get_member_user_id();
    if (get_user_meta($user_id,'adi_user_disabled', true)) continue;

    Plugin Author schakko (@schakko)

    Hey guys,
    a lot is going on in this thread

    1. With ADI 2 the current behavior is still used. Every AD user is synchronized to WordPress. After the initial synchronization his account gets disabled in WordPress – if disabled in Active Directory. I filed an issue in our backlog but will not promise that we eventually change this behavior.

    2. As mrasker already said, we will never delete anything. Deletion is evil.

    3. @cityfox this seems to be an issue of BuddyPress. “blocked” is not an official WordPress role. I filed an issue in our backlog. The much cleaner solution would be that we – as the ADI team – provide a hook which is called after disabling a WordPress user. You can listen to this hook and update the WordPress role.

    4. @mrasker thank you for the Kerberos hint in https://www.ads-software.com/support/topic/disabled-users-not-showing-up-in-disabled-column?replies=9#post-8293125. I added this to our backlog.
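
The scripts earlier in this thread pick out disabled users by comparing the imported useraccountcontrol value to the literals 512 and 514. The following is an added example, not code from any poster or from the plugin: userAccountControl is a bit field in which 2 (ACCOUNTDISABLE) marks a disabled account, so testing that bit also catches disabled accounts that carry other flags, such as 66050. The helper names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect disabled AD accounts by the
# ACCOUNTDISABLE bit rather than by the literal value 514.
# 512 = NORMAL_ACCOUNT (0x0200); 514 = 512 + 2.
UF_ACCOUNTDISABLE=2   # 0x0002

# uac_is_disabled VALUE (hypothetical helper name)
#   returns 0 if the disable bit is set, 1 if it is clear,
#   2 if VALUE is not a decimal number, so callers never read junk as "enabled"
uac_is_disabled() {
    _v=$1
    case $_v in
        ''|*[!0-9]*) return 2 ;;
    esac
    # Strip leading zeros so shell arithmetic does not parse the value as octal.
    _v=${_v#"${_v%%[!0]*}"}
    [ "$(( ${_v:-0} & $UF_ACCOUNTDISABLE ))" -ne 0 ]
}

# disabled_ids (hypothetical helper name): read "user_id useraccountcontrol"
# pairs on stdin, the shape mysql -s -N prints, and print the ids to disable.
# Unparseable values go to stderr instead of being skipped silently.
disabled_ids() {
    while read -r _id _uac; do
        _rc=0
        uac_is_disabled "$_uac" || _rc=$?
        case $_rc in
            0) printf '%s\n' "$_id" ;;
            2) printf 'user %s: unparseable value "%s"\n' "$_id" "$_uac" >&2 ;;
        esac
    done
}

# Constructed sample rows (not real data): id, imported useraccountcontrol.
# 66048 = 512 + 65536 (DONT_EXPIRE_PASSWORD), 66050 = 514 + 65536,
# 546 = 514 + 32 (PASSWD_NOTREQD).
SAMPLE_ROWS='101 512
102 514
103 66048
104 66050
105 546
106 N/A'

# An exact "= 514" match would return only 102; the bit test returns 102, 104, 105.
printf '%s\n' "$SAMPLE_ROWS" | disabled_ids
```

In the thread's SQL the same test is (CAST(usercontrol.meta_value AS UNSIGNED) & 2) = 2 in place of = 514, and = 0 in place of = 512.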

  • The topic ‘do not add DISABLED user’ is closed to new replies.