WordPress.org

Ready to get started?Download WordPress

Forums

Network Privacy
AD Authentication Integration & Network Privacy problem (7 posts)

  1. Phil Erb
    Member
    Posted 1 year ago #

    I am cross-posting this to the Active Directory Authentication Integration support and the Network Privacy support, as the problem exists only when both are active.

    I have a multisite installation of WordPress 3.4.2 with the Active Directory Authentication Integration plugin (v0.6) and the Network Privacy plugin (v0.1.3).

    The main site (which basically houses a list of sub-sites) (i.e. mysite.com) is set with ADAI to allow any AD user to login. The Network Privacy plugin is set to only show the site to site subscribers (or above). This works well to allow all faculty/staff/students to access the list of available sites.

    Each sub-site is locked down to a particular AD group (department, class, etc.). For example, site mysite.com/test1 is set to only allow logins from the group "ITsupport" (and maps that group to "editors" for the test1 sub-site) and Network Privacy is set to allow site subscribers (and above) to access the site.

    AD login works well, but I am having the following problem when I have Network Privacy installed:

    UserA is a member of ITSupport in AD. He has never logged in to mysite.com or the mysite.com/test1 sub-site. When he goes to mysite.com, Network Privacy kicks him to the login screen, where he is able to successfully login with his AD credentials, because he is a member of the "Domain Users" group that is allowed to mysite.com via ADAI. So now he is logged into the WordPress Network. However, if he now goes to mysite.com/test1, Network Privacy does not let him in. Looking at the back end, this attempt to access mysite.com/test1 has not triggered ADAI's function to create the user/role for this sub-site.

    If UserA logs out of mysite.com and goes directly to mysite.com/test, he is able to login (ADAI creates the user/role on the sub-site) and he doesn't have a problem with mysite.com/test1 in the future. He still has the same problem with any other sub-site that he has not DIRECTLY logged in to.

    http://wordpress.org/extend/plugins/network-privacy/

  2. Ron Rennick
    MultiSite Guru
    Plugin Author

    Posted 1 year ago #

    I have no experience with AD & WP so I'm not going to be able to assist you.

  3. Phil Erb
    Member
    Posted 1 year ago #

    Good evening Ron. This is probably outside of the scope of what you developed the plugin for, so I understand if it's not something that you want to support.

    In doing more testing and thinking through the workflows, it seems that Network Privacy is firing off and stopping the user before the AD plugin sees that the user is trying to access the site (if the AD plugin did see that, it would create the user entry in the WordPress database, which Network Privacy would see and then let the user through).

    Are you aware of any way that the plugin could be modified to specify that the AD plugin should do its job first ... or if it sees that the user is logged into a network site to call the AD plugin's functions? I'm certainly not asking you to modify the plugin to do so, as it's a very specific thing for those using an AD or similar LDAP plugin, more hoping for guidance in where I might start looking in the Network Privacy code.

    Thank you for your work on Network Privacy. In instances where I've manually added users to the sites and don't have to rely on the AD group membership, it works great! And if I have the user login directly to the site in question, it works great then too. It's just when they login to a different site in the network and try to traverse to a site which they've never logged in to.

  4. Ron Rennick
    MultiSite Guru
    Plugin Author

    Posted 1 year ago #

    You would have to change the priority or hook in use in one of the two plugins. Since I'm not familiar with the other one I can't offer any insight into which one(s) might need adjusting.

  5. Curtiss Grymala
    Member
    Plugin Author

    Posted 1 year ago #

    I'll try to do some testing on this when I have a chance. I haven't come across this issue on our site, yet; but I'll see if I can replicate it. Thanks.

    EDIT - I just did some preliminary testing. If the user is already a user within the WordPress installation somewhere (a user on another site in the network), they should be able to login and automatically be added to the site. I'll have to remove my AD user account from our system altogether before I can test to see what it does with a completely new user.

  6. Curtiss Grymala
    Member
    Plugin Author

    Posted 1 year ago #

    I just performed the following tasks, and was successfully able to login and view the site:

    1. Deleted my AD user account from our WordPress installation (to make sure I was starting fresh)
    2. Checked the privacy settings for one of my sites; made sure it was set to only allow contributors to view the site
    3. Modified my ADAI settings to map my AD security group to "contributor" when creating a new user account based on AD credentials
    4. Logged out of my Super Admin (non-AD) account
    5. Went to the home page of the private site
    6. Entered my AD credentials and logged in
    1. Deleted my AD user account again
    2. Modified my ADAI settings so that only members of my security group were allowed to login
    3. Logged out of my Super Admin account
    4. Went to the home page of the private site
    5. Entered my AD credentials and logged in

    As I said, in both instances, I was able to login & view the site. I then ran one more test, changing the ADAI settings so that only members of another security group (not one of which I'm a member) can login to the site. I was (as expected) stopped from being able to login and view the site.

    The final test I ran did come up with a less-than-satisfactory result, but it points to an issue in my ADAI plugin, rather than an issue in the Network Privacy plugin; and, honestly, I'm not sure how to effectively fix it.

    If the ADAI settings are not set up to automatically update a user's role every time that user logs in, the role won't be updated appropriately. Unfortunately, if you do enable that setting, that user's role will be updated every single time they login (natch), which means that any manual changes you've made to that user's role (promoting or demoting) will be lost. Thanks.

  7. Ron Rennick
    MultiSite Guru
    Plugin Author

    Posted 1 year ago #

    @cgrymala - thanks :) It sounds as though some of the AD changes are not being propagated correctly or are delayed, etc.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.