[Plugin: Active Directory Authentication Integration] Can BIND to AD, but no log in?

  • Resolved tunamaxx

    (@tunamaxx)


    12 years, 10 months ago

    Brand new install of WordPress 3.3.1, with default Twenty Eleven theme. No plugins except for version 0.6 of Active Directory Authentication Integration.

    Native WordPress users can log in fine, but and Active Directory users can not login at all. I am pretty certain that I have the plugin setup right. I’ve done run the plugin with…

    $ADAuthIntObj->setLogLevel(ADAI_LOG_DEBUG);

    …enabled, as well as used the test.php file in the devel version.

    If I use the correct credentials etc, it appears everything succeeds except the user creation / authentication. If I purposely screw up the BIND user credentials, DC, or any of the basic setup options, debug and test.php show a failure to bind to Active Directory.

    I have successfully tested AdLdap connection and authorizing users via PHP from this server to the DC’s independently of the Active Directory Authentication Integration plugin.

    Here is the output from test.php, with sensitive detail sanitized:

    AD Integration Logon Test
openLDAP installed
[INFO] method authenticate() called
[INFO] WP version: 3.3.1
[NOTICE] username: USERNAME
[DEBUG] password: PASSWORDHASHEDALLTOSIMITHEREENS
[DEBUG] The domain_controllers key exists in our options array.
[DEBUG] The randomize_dc key exists in our options array.
[DEBUG] The port key exists in our options array.
[DEBUG] The use_ssl key exists in our options array.
[DEBUG] The secure_connection key exists in our options array.
[DEBUG] The bind_user key exists in our options array.
[DEBUG] The bind_user_password key exists in our options array.
[DEBUG] The base_dn key exists in our options array.
[DEBUG] The auto_user_create key exists in our options array.
[DEBUG] The auto_user_update key exists in our options array.
[DEBUG] The default_email_domain key exists in our options array.
[DEBUG] The dup_account_handling key exists in our options array.
[DEBUG] The append_user_suffix key exists in our options array.
[DEBUG] The user_account_suffix key exists in our options array.
[DEBUG] The append_ad_user_suffix key exists in our options array.
[DEBUG] The prepend_ad_user_prefix key exists in our options array.
[DEBUG] The ad_account_suffix key exists in our options array.
[DEBUG] The display_name key exists in our options array.
[DEBUG] The allow_local_password key exists in our options array.
[DEBUG] The _lost_password_message key exists in our options array.
[DEBUG] The randomize_password key exists in our options array.
[DEBUG] The auth_from_ad_grp key exists in our options array.
[DEBUG] The auth_groups key exists in our options array.
[DEBUG] The use_role_equiv key exists in our options array.
[DEBUG] The role_equiv_groups key exists in our options array.
[DEBUG] The auto_update_user_group key exists in our options array.
[DEBUG] The max_login_attempts key exists in our options array.
[DEBUG] The blocking_time key exists in our options array.
[DEBUG] The notify_user key exists in our options array.
[DEBUG] The notify_admin key exists in our options array.
[DEBUG] The admin_email key exists in our options array.
[NOTICE] adLDAP object created.
[INFO] array(1) {
	[0]=>
	object(adLDAPE)#175 (14) {
		["_last_query"]=>
		NULL
		["_ad_port"]=>
		int(389)
		["_account_prefix":protected]=>
		string(0) ""
		["_account_suffix":protected]=>
		string(0) ""
		["_base_dn":protected]=>
		string(18) "DC=domain,DC=local"
		["_domain_controllers":protected]=>
		array(1) {
			[0]=>
			string(20) "dc1.domain.local"
		}
		["_ad_username":protected]=>
		string(24) "[email protected]"
		["_ad_password":protected]=>
		string(8) "BINDPASSWORD"
		["_real_primarygroup":protected]=>
		bool(true)
		["_use_ssl":protected]=>
		bool(false)
		["_use_tls":protected]=>
		bool(false)
		["_recursive_groups":protected]=>
		bool(true)
		["_conn":protected]=>
		resource(100) of type (ldap link)
		["_bind":protected]=>
		bool(true)
	}
}

[INFO] max_login_attempts: 0
[ERROR] Authentication failed
[WARN] Storing failed login for "USERNAME"
[ADAI][0] Log Level set to 6
Logon failed

    The only thing I can think of is that Active Directory Authentication Integration is trying to authenticate against AD using a hashed version of the password instead of plaintext.

    What am I missing? Any help, please?

    https://www.ads-software.com/extend/plugins/active-directory-authentication-integration/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Curtiss Grymala

    (@cgrymala)

    Have you tried using “@domain.local” as the account suffix instead of including it in the bind username?

    Thread Starter tunamaxx

    (@tunamaxx)

    No! That’s probably I e of the only thi gs I haven’t tried. I will take another crack at when I am back at work.

    Thanks for the hint. I will let you know what results I get.

    Thread Starter tunamaxx

    (@tunamaxx)

    You nailed it. Removing the “@domain.local” from the bind username and appending it via the account suffix setting made all the difference.

    Thank you for the plugin!

    Thread Starter tunamaxx

    (@tunamaxx)

    Also, sorry about whatever was happening in my initial response to your post. I sent it from my phone and it looks as though it got fat-fingered a bit. ??

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘[Plugin: Active Directory Authentication Integration] Can BIND to AD, but no log in?’ is closed to new replies.