• JT Moree

    (@jtmoreekahalamgmtcom)


    I was successful in logging in with one of the Active Directory accounts but no one else can log in. We have tried logging into the main wordpress site and sub sites (multisite).

    It seems as though Domain Admin accounts can log in although only 1 has arrived at the dashboard. The other gets ‘error creating user’. All non admin accounts just fail when trying to login.

    Is there some debugging I can turn on to help figure out what’s going on?

    https://www.ads-software.com/extend/plugins/active-directory-authentication-integration/

Viewing 15 replies - 1 through 15 (of 23 total)
  • Plugin Author Curtiss Grymala

    (@cgrymala)

    Very strange. Let me look into this tomorrow and I’ll see if I can reproduce the issue.

    If you open class-active-directory-authentication-integration.php, you can change the protected $_loglevel = ADAI_LOG_NONE; line to protected $_loglevel = ADAI_LOG_DEBUG;, which will cause the plugin to spit out all kinds of information during use, but might cause some “Cannot modify headers” errors. I haven’t tested the debug properties thoroughly yet, and mostly relied on what was built into the plugin I based this on.

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    I changed that line and when I successfully log in I see lots of nice messages. But for the logins that fail there is nothing useful shown on the screen.

    Plugin Author Curtiss Grymala

    (@cgrymala)

    I think I’ve found the issue. It seems that, if a user existed before using this plugin, there will be an error similar to what you experienced when they try to login using their AD credentials if you have the account suffix feature turned on in the plugin. The issue centers around the fact that the original user account didn’t have the account suffix appended to its username, but the plugin searches the database for username . $user_account_suffix (and, if the account existed without the suffix, it won’t find it, obviously).

    I am working on a fix for the issue right now, and should have it available in the dev version of the plugin later today. I will let you know once it’s there.

    Thanks for the report.

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    Sounds good. I’ll test when you get it ready. FYI, this is a fresh install with no users existing beforehand.

    Plugin Author Curtiss Grymala

    (@cgrymala)

    The new development version should be available, now. Please download it from https://www.ads-software.com/extend/plugins/active-directory-authentication-integration/download/ and give it a try.

    I also changed the way you can enable the debug information. Instructions for enabling the debug information can be found in the FAQ section of the readme.txt file that’s included in the development version.

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    I am trying the new plugin but it’s still not working. I’ll paste the debug code below for each class of user. For domain admin accounts it says login successful but then “Error creating user!”; for other users, just login failed.

    DOMAIN ADMIN

    [6] The port key exists in our options array.
    [6] The secure_connection key exists in our options array.
    [6] The bind_user key exists in our options array.
    [6] The bind_user_password key exists in our options array.
    [6] Preparing to decode the field from NXAxZGVybUBu
    [6] The base_dn key exists in our options array.
    [6] The auto_user_create key exists in our options array.
    [6] The auto_user_update key exists in our options array.
    [6] The default_email_domain key exists in our options array.
    [6] The dup_account_handling key exists in our options array.
    [6] The user_account_suffix key exists in our options array.
    [6] The append_user_suffix key exists in our options array.
    [6] The display_name key exists in our options array.
    [6] The allow_local_password key exists in our options array.
    [6] The auth_from_ad_grp key exists in our options array.
    [6] The role_equiv_groups key exists in our options array.
    [6] The max_login_attempts key exists in our options array.
    [6] The blocking_time key exists in our options array.
    [6] The notify_user key exists in our options array.
    [6] The notify_admin key exists in our options array.
    [6] The admin_email key exists in our options array.
    [5] Options for adLDAP connection: - account_suffix: - base_dn: DC=coldstonecreamery,DC=com - domain_controllers: 192.168.0.19 - ad_username: CN=Administrator,CN=Users,DC=coldstonecreamery,DC=com - ad_password: XXXXXXXXX - ad_port: 389 - use_tls:
    [4] adLDAP object created.
    [5] object(adLDAP)#108 (12) {
    ["_account_suffix:protected"]=> string(0) ""
    ["_base_dn:protected"]=> string(27) "DC=coldstonecreamery,DC=com"
    ["_domain_controllers:protected"]=> array(1) {
    [0]=> string(12) "XXXXXXX" }
    ["_ad_username:protected"]=> string(53) "CN=Administrator,CN=Users,DC=coldstonecreamery,DC=com"
    ["_ad_password:protected"]=> string(9) "XXXXXX"
    ["_real_primarygroup:protected"]=> bool(true)
    ["_use_ssl:protected"]=> bool(false)
    ["_recursive_groups:protected"]=> bool(true)
    ["_ad_port:protected"]=> int(389)
    ["_use_tls:protected"]=> bool(false)
    ["_conn:protected"]=> resource(103) of type (ldap link)
    ["_bind:protected"]=> bool(true) }
    [5] max_login_attempts: 3
    [5] users failed logins: 0
    [4] Authentication successfull
    [4] cleaning up failed logins for user "addc"
    [5] user role:
    [4] Creating user 'addc' with following data: - email: - first name: - last name: addc - display name: addc - role:
    [2] This email address is already registered.
    [4] - user_id:
    [1] Error creating user.

    REGULAR USER

    [5] method authenticate() called
    [5] WP version: 3.1
    [4] username: bwmyers
    [6] password: XXXXXXXXX
    [6] The domain_controllers key exists in our options array.
    [6] The port key exists in our options array.
    [6] The secure_connection key exists in our options array.
    [6] The bind_user key exists in our options array.
    [6] The bind_user_password key exists in our options array.
    [6] Preparing to decode the field from XXXXXXXXX
    [6] The base_dn key exists in our options array.
    [6] The auto_user_create key exists in our options array.
    [6] The auto_user_update key exists in our options array.
    [6] The default_email_domain key exists in our options array.
    [6] The dup_account_handling key exists in our options array.
    [6] The user_account_suffix key exists in our options array.
    [6] The append_user_suffix key exists in our options array.
    [6] The display_name key exists in our options array.
    [6] The allow_local_password key exists in our options array.
    [6] The auth_from_ad_grp key exists in our options array.
    [6] The role_equiv_groups key exists in our options array.
    [6] The max_login_attempts key exists in our options array.
    [6] The blocking_time key exists in our options array.
    [6] The notify_user key exists in our options array.
    [6] The notify_admin key exists in our options array.
    [6] The admin_email key exists in our options array.
    [5] Options for adLDAP connection: - account_suffix: - base_dn: DC=coldstonecreamery,DC=com - domain_controllers: 192.168.0.19 - ad_username: CN=Administrator,CN=Users,DC=coldstonecreamery,DC=com - ad_password: XXXXXXXXX - ad_port: 389 - use_tls:
    [4] adLDAP object created.
    [5] object(adLDAP)#108 (12) {
    ["_account_suffix:protected"]=> string(0) ""
    ["_base_dn:protected"]=> string(27) "DC=coldstonecreamery,DC=com"
    ["_domain_controllers:protected"]=> array(1) {
    [0]=> string(12) "192.168.0.19" }
    ["_ad_username:protected"]=> string(53) "CN=Administrator,CN=Users,DC=coldstonecreamery,DC=com"
    ["_ad_password:protected"]=> string(9) "XXXXXXXXX"
    ["_real_primarygroup:protected"]=> bool(true)
    ["_use_ssl:protected"]=> bool(false)
    ["_recursive_groups:protected"]=> bool(true)
    ["_ad_port:protected"]=> int(389)
    ["_use_tls:protected"]=> bool(false)
    ["_conn:protected"]=> resource(103) of type (ldap link)
    ["_bind:protected"]=> bool(true) }
    [5] max_login_attempts: 3
    [5] users failed logins: 0
    [2] Authentication failed
    [3] storing failed login for user "bwmyers"

    Plugin Author Curtiss Grymala

    (@cgrymala)

    Based on the debug information, it looks like there are two issues:
    1) It looks like the active directory server doesn’t contain any information about the users. There is no first name, no e-mail address, etc. returned by the AD server. I did find a minor issue in the original plugin code and have modified the development version to hopefully fix it. It should be ready for download and testing in a few minutes (it takes a little bit for the WordPress repo to zip up the new package).

    2) The second user looks like it isn’t validating through the AD server at all. Are you certain you’re typing the username and password correctly for that user?

    There is a file included in the development version that will help you test the connection/validation. If you go to https://example.com/wp-content/plugins/active-directory-authentication-integration/test.php in your browser (replacing https://example.com/ with the location of your WordPress installation – you can also use https instead of http as long as your server supports it), you should get a simple form looking for a username and password. If you type the user’s AD username and password into the form and hit submit, you should get a little more information about what’s happening between WordPress and the AD server. That form just tests the authentication, but doesn’t attempt to login to WordPress or create users.

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    I updated the dev version of the plugin again just in case you made any changes. When I try the url you listed I get an empty white page. I’m not seeing any errors in apache error logs.

    This may be because of the following lines in the test file. It seems like it’s not going to help in my case.

    // If the user is not logged in, die silently.
    if(!$user_ID) {
            die();
    }
    
    // If the user is not an admin, die silently.
    if (!current_user_can('level_10')) {
            die();
    }

    Plugin Author Curtiss Grymala

    (@cgrymala)

    You’re correct. I forgot to mention that you need to be logged in as an administrator to use that tester (for security reasons). You can remove those lines while you’re testing the connection, but I’d recommend either adding them back in or deleting the test.php file from your Web server when you’ve finished testing (otherwise anyone will be able to visit your site and see your AD settings).

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    I commented out the die lines and will paste the output below for a working user vs a non working user. The output looks pretty much the same as from debug in the other pages.

    WORKING LOGIN

    AD Integration Logon Test
    openLDAP installed
    [INFO] method authenticate() called
    [INFO] WP version: 3.1
    [NOTICE] username: adjt
    [DEBUG] password: xxxxxxxxxx
    [DEBUG] The domain_controllers key exists in our options array.
    [DEBUG] The port key exists in our options array.
    [DEBUG] The secure_connection key exists in our options array.
    [DEBUG] The bind_user key exists in our options array.
    [DEBUG] The bind_user_password key exists in our options array.
    [DEBUG] Preparing to decode the field from VG9kYXkwMzEx
    [DEBUG] The base_dn key exists in our options array.
    [DEBUG] The auto_user_create key exists in our options array.
    [DEBUG] The auto_user_update key exists in our options array.
    [DEBUG] The default_email_domain key exists in our options array.
    [DEBUG] The dup_account_handling key exists in our options array.
    [DEBUG] The user_account_suffix key exists in our options array.
    [DEBUG] The append_user_suffix key exists in our options array.
    [DEBUG] The display_name key exists in our options array.
    [DEBUG] The allow_local_password key exists in our options array.
    [DEBUG] The auth_from_ad_grp key exists in our options array.
    [DEBUG] The role_equiv_groups key exists in our options array.
    [DEBUG] The max_login_attempts key exists in our options array.
    [DEBUG] The blocking_time key exists in our options array.
    [DEBUG] The notify_user key exists in our options array.
    [DEBUG] The notify_admin key exists in our options array.
    [DEBUG] The admin_email key exists in our options array.
    [INFO] Options for adLDAP connection:
    - account_suffix:
    - base_dn: DC=creamery,DC=com
    - domain_controllers: 192.168.0.x
    - ad_username: CN=adminuser,CN=Users,DC=creamery,DC=com
    - ad_password: xxxxxxxxxxxxx
    - ad_port: 389
    - use_tls:
    [NOTICE] adLDAP object created.
    [INFO] max_login_attempts: 3
    [INFO] users failed logins: 0
    [NOTICE] Authentication successfull
    [NOTICE] cleaning up failed logins for user "adjt"
    [NOTICE] user_id: 4
    [NOTICE] FINISHED
    User logged on.

    FAILED LOGIN

    AD Integration Logon Test
    openLDAP installed
    [INFO] method authenticate() called
    [INFO] WP version: 3.1
    [NOTICE] username: jtmoree
    [DEBUG] password: XXXXXXXXX
    [DEBUG] The domain_controllers key exists in our options array.
    [DEBUG] The port key exists in our options array.
    [DEBUG] The secure_connection key exists in our options array.
    [DEBUG] The bind_user key exists in our options array.
    [DEBUG] The bind_user_password key exists in our options array.
    [DEBUG] Preparing to decode the field from VG9kYXkwMzEx
    [DEBUG] The base_dn key exists in our options array.
    [DEBUG] The auto_user_create key exists in our options array.
    [DEBUG] The auto_user_update key exists in our options array.
    [DEBUG] The default_email_domain key exists in our options array.
    [DEBUG] The dup_account_handling key exists in our options array.
    [DEBUG] The user_account_suffix key exists in our options array.
    [DEBUG] The append_user_suffix key exists in our options array.
    [DEBUG] The display_name key exists in our options array.
    [DEBUG] The allow_local_password key exists in our options array.
    [DEBUG] The auth_from_ad_grp key exists in our options array.
    [DEBUG] The role_equiv_groups key exists in our options array.
    [DEBUG] The max_login_attempts key exists in our options array.
    [DEBUG] The blocking_time key exists in our options array.
    [DEBUG] The notify_user key exists in our options array.
    [DEBUG] The notify_admin key exists in our options array.
    [DEBUG] The admin_email key exists in our options array.
    [INFO] Options for adLDAP connection:
    - account_suffix:
    - base_dn: DC=creamery,DC=com
    - domain_controllers: 192.168.0.X
    - ad_username: CN=adminuser,CN=Users,DC=creamery,DC=com
    - ad_password: XXXXXXXXXXXX
    - ad_port: 389
    - use_tls:
    [NOTICE] adLDAP object created.
    [INFO] max_login_attempts: 3
    [INFO] users failed logins: 0
    [ERROR] Authentication failed
    [WARN] storing failed login for user "jtmoree"
    Logon failed

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    Can you edit these posts? I’d like to remove the domain name and IP address for our domain controller in some of the debug output above. I missed it when sanitizing the data for posting. I can edit today’s posts but not earlier ones.

    Plugin Author Curtiss Grymala

    (@cgrymala)

    I can’t edit the posts, but you should be able to edit at least your most recent one. You should have an “Edit” link underneath your avatar.

    I’m looking into the authentication error you’re experiencing. It still seems as though either the username or password is not correct; but I’m checking to see if there’s any more debug info I can have the script output for you.

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    There are 3 results for various types of users. The two posted above are fully working and fully failed. Here is the output from the case where the user logs in but fails to get a created account in WP. It says the account is already registered but this account has never successfully logged in. I’ll get another domain admin who has never logged in to try it and see what it looks like.

    PS. I can’t edit the posts from the other day.

    [NOTICE] adLDAP object created.
    [INFO] max_login_attempts: 3
    [INFO] users failed logins: 0
    [NOTICE] Authentication successfull
    [NOTICE] cleaning up failed logins for user "addc"
    [INFO] user role:
    [NOTICE] Creating user 'addc' with following data:
    - email:
    - first name:
    - last name: addc
    - display name: addc
    - role:
    [ERROR] This email address is already registered.
    [NOTICE] - user_id:
    [FATAL] Error creating user.
    
    Error creating user!

    Plugin Author Curtiss Grymala

    (@cgrymala)

    As a test, can you please try setting the “Default email domain” field under the “User” options in the plugin settings?

    Since the e-mail address is not being returned by the Active Directory server, this plugin tries to generate one based on the user’s username and the default email domain; but if the default e-mail domain is empty and the user’s e-mail address is empty, it simply tries to create a new WordPress user with no e-mail address.

    Looking at the WordPress code, it looks as though WordPress might only allow one user to have a blank e-mail address. That might be why your second admin user is throwing an “Error creating user” message.
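
    An added illustration of the two provisioning problems discussed in this thread (the account-suffix lookup from the earlier post and the blank e-mail collision described here). This is not the plugin’s code: it stands in for the WordPress user table with an in-memory array, and the logins, suffix and domain are constructed samples.

```php
<?php
// Added illustration, not the plugin's code: an in-memory stand-in for the
// WordPress user table (constructed sample rows) so both failure modes can be run.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_email' => ''],                   // first admin, blank e-mail
    ['ID' => 2, 'user_login' => 'jsmith', 'user_email' => 'jsmith@example.com'], // pre-existing local account
];

// Lookup with the suffix problem handled: try "login . suffix" first (what the
// plugin searched for), then the bare login so accounts that existed before the
// plugin was installed are still found.
function find_existing_user(array $users, string $login, string $suffix): ?array {
    $candidates = $suffix !== '' ? [$login . $suffix, $login] : [$login];
    foreach ($candidates as $candidate) {
        foreach ($users as $u) {
            if ($u['user_login'] === $candidate) {
                return $u;
            }
        }
    }
    return null;
}

// E-mail fallback as the author describes it: the AD value if present, otherwise
// login@default_domain, otherwise an empty string (the case that later collides).
function derive_email(string $ad_mail, string $login, string $default_domain): string {
    if ($ad_mail !== '') {
        return $ad_mail;
    }
    if ($default_domain === '') {
        return '';
    }
    return $login . '@' . ltrim($default_domain, '@');
}

// Assumed model of the uniqueness check applied on insert: any existing row with
// the same user_email, an empty one included, blocks creation with the message
// seen in the debug output above.
function create_user(array &$users, string $login, string $email): array {
    foreach ($users as $u) {
        if ($u['user_email'] === $email) {
            return ['ok' => false, 'error' => 'This email address is already registered.'];
        }
    }
    $id = count($users) + 1;
    $users[] = ['ID' => $id, 'user_login' => $login, 'user_email' => $email];
    return ['ok' => true, 'ID' => $id];
}

// Constructed scenario: suffix feature on; a second domain admin 'addc' for whom
// AD returns no e-mail, first with an empty default domain, then with one set.
$suffix = '@example.com';
var_dump(find_existing_user($users, 'jsmith', $suffix));            // found via the bare-login fallback
print_r(create_user($users, 'addc', derive_email('', 'addc', '')));  // blank e-mail collides with the first admin
print_r(create_user($users, 'addc', derive_email('', 'addc', 'example.com'))); // succeeds with a default domain
```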

    Thread Starter JT Moree

    (@jtmoreekahalamgmtcom)

    When I got into WordPress I noticed the plugin was not active. When I tried to activate it, it failed, but it may have been because I was moving around files.

  • The topic ‘[Plugin: Active Directory Authentication Integration] Active Directory Login works for one user’ is closed to new replies.