Active Directory Integration
[resolved] Multiple Organizational Unit (30 posts)

  1. DonChino
    Member
    Posted 3 years ago #

    I noticed someone asked about Multiple Domains but I am more interested in Multiple Organization Units, although I will admit that I am not an Active Directory expert.

    Basically, under the tab - USER - there is a user-specific setting for "Account Suffix" and it only allows you to enter in one. So for example, I might have americas.company.com but I also have emea.company.com and asiapacific.company.com...

    So is there a way to check the username against other organization units? That way if the user is part of a single domain but instead part of a different organization unit and have this appended in the following option. If we so choose...

    Alternate Conversation:
    Multiple Domains

    http://wordpress.org/extend/plugins/active-directory-integration/

  2. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    Leave "Account Suffix" empty and then login with "username@subdomain.domain.tld".

  3. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    But this can be something for a future version. But what will happen if there is john@emea.company.com and also john@asiapacific.company.com? These are two different users. So it is impossible to log them on with the samaccountname only.

    If you have any idea how this Multi-OU feature should work, make a feature request on http://bt.ecw.de.

  4. DonChino
    Member
    Posted 3 years ago #

    You would think that but every username is UNIQUE so it does not matter what OU they belong to, so your example:

    john@emea.company.com
    and
    john@asiapacific.company.com

    would NEVER exist because our emails are john@aol.com for example, but john can belong to either emea or asiapacific and NEVER both, since the email address has to be UNIQUE.

    So that is why I asked if the plugin can be updated to check multiple OU's based on username because it will ALWAYS be unique. Thanks for replying though... :)

    I will throw up a request because the plugin is awesome and worked unlike problems I had with the other 3 I tried, but I won't name them here...

  5. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    Hmm... what if you don't use any OU in your Base DN like "dc=mydomain,dc=tld" ?

  6. DonChino
    Member
    Posted 3 years ago #

    So to recap:

    John can belong to DOMAIN
    emea.company.com
    OR asiapacific.company.com

    His email is: John@company.com

    So any user can belong to any number of OUs but a unique email is shared worldwide.

    So in the form you have:
    Account Suffix [__________]
    Account Suffix (will be appended to all usernames in the Active Directory authentication process; e.g., "@domain.tld".)

    So if John is part of @emea.company.com
    and you put here @emea.company.com

    then it will work

    but what if you put here @emea.company.com
    and John belongs to @asiapacific.company.com

    Then it does NOT work
    and if you put @company.com then it still does NOT work.

    THE IDEAL would be to code the plugin to check MULTIPLE OU's because you do not know which OU your user will belong to, so you would put something like:

    @emea.company.com | @asiapacific.company.com

    This will try to log in with different OUs appended to the Username, because currently it only allows you to enter ONE. So this is the problem, since THIS is where it tries to do the validation to see if you exist in AD. Should be an easy fix to add logic to check multiple OUs and then your plugin will RULE all the others, since this one works for me in WordPress 3.1...

  7. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    I have already understood what you mean. I will see if it's something for 1.1.

  8. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    I have added this as a feature request here: http://bt.ecw.de/view.php?id=18

  9. DonChino
    Member
    Posted 3 years ago #

    Hahaha, sorry for repeating then... :)

    I just wanted to be sure all your fans understood...

  10. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    I worked on this feature and think I got it running. It will be part of 1.1, which will be released in the next few days.

  11. DonChino
    Member
    Posted 3 years ago #

    So has version 1.0.1 been released or will it still be part of 1.1?

    :)

  12. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    No, 1.0.1 has not been released yet. But I will commit a development version today or tomorrow. 1.1 will be the next official release. Stay tuned.

  13. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    I have committed the development version 1.0.1: http://downloads.wordpress.org/plugin/active-directory-integration.zip

    Give it a try.

  14. DonChino
    Member
    Posted 3 years ago #

    Dude, it works but I did find a minor "bug"... Spaces!!!

    So if I put
    americas.company.local; emea.company.local

    it FAILS so you have to put:
    americas.company.local;emea.company.local

    So really minor but you should be able to "fix" to handle SPACES because most people would input it that way. :)

    I believe I found TWO NEW enhancement requests, since your AD Plugin is RULING... :)

  15. glatze
    Member
    Plugin Author

    Posted 3 years ago #

    Thanks for your bug report. I have fixed it in the development version: http://downloads.wordpress.org/plugin/active-directory-integration.zip

  16. greg.fenton
    Member
    Posted 2 years ago #

    Hi glatze,

    What about allowing having the suffix set (e.g. @corp-extern.local), but if a user logs in with a domain (e.g. me@corp-internal.local) then you pass that thru without appending the set suffix?

    Thoughts?

    Thanks.

  17. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Greg,
    looks like a good idea. It should be easy to implement. I'll have a look at the code.

  18. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Greg,
    we have a little problem here. Let's assume the following:

    paul@corp-internal.local logs on as "paul" the first time. User "paul" is created. Now paul@corp-external.local logs on as "paul@corp-external.local". What should happen now? Should the user created be named "paul"? That won't work, because we already have that user. The only option seems to be that we create the user "paul@corp-external.local". Is this what you want?

  19. greg.fenton
    Member
    Posted 2 years ago #

    Yes, I have no problem telling the @corp-internal.local folks to log in with their full domain name. Many apps already force the users to do that just to do RDC or map network drives, especially in organizations with multiple domains.

    If someone signs on with "paul", then they would indeed authenticate as "paul@corp-external.local". If they really are internal, they need to log in as "paul@corp-internal.local".

    Thanks.
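
The suffix handling discussed in posts 14 to 19 (whitespace around ";" in the suffix list, and passing a login through unchanged when it already names a domain), as an added PHP example that is not the plugin's own code. The function names and the choice to accept suffixes with or without a leading "@" are assumptions.

```php
<?php
// Added illustration; not code from the Active Directory Integration plugin.
// Function names and return shapes are hypothetical.

/**
 * Split the "Account Suffix" setting into a clean list.
 * Accepts "a.local; b.local" as well as "a.local;b.local".
 */
function parse_account_suffixes(string $setting): array
{
    $suffixes = [];
    foreach (explode(';', $setting) as $part) {
        $part = strtolower(trim($part));
        if ($part === '') {
            continue;               // tolerate "a;;b" and a trailing ";"
        }
        if ($part[0] !== '@') {
            $part = '@' . $part;    // assumption: "@" prefix is optional
        }
        $suffixes[$part] = true;    // keys de-duplicate, order is kept
    }
    return array_keys($suffixes);
}

/**
 * Return the names to try against AD, in order, for one login attempt.
 * A login that already names a domain is passed through unchanged.
 */
function candidate_logins(string $login, array $suffixes): array
{
    $login = trim($login);
    if ($login === '') {
        return [];
    }
    if (strpos($login, '@') !== false) {
        return [$login];            // explicit domain: no suffix appended
    }
    $candidates = [];
    foreach ($suffixes as $suffix) {
        $candidates[] = $login . $suffix;
    }
    return $candidates;
}

// Constructed sample input, using domain names mentioned in this thread.
$suffixes = parse_account_suffixes('americas.company.local; emea.company.local');
print_r(candidate_logins('john', $suffixes));
print_r(candidate_logins('paul@corp-internal.local', $suffixes));
```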

  20. greg.fenton
    Member
    Posted 2 years ago #

    BTW: is this a big change? Would it take long to implement?

  21. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    No, it is not. Only a few lines. I'll commit a development version soon, so you can do some tests before I release a new version.

  22. greg.fenton
    Member
    Posted 2 years ago #

    Awesome! I'm ready to test right about......now!

    :)

    Thanks!

  23. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Ok. I have committed a new development version. The latest development version can be found here: http://downloads.wordpress.org/plugin/active-directory-integration.zip

    Give it a try to see if it works as you expected. And don't forget to give me some feedback. If all works fine, I'll release 1.1.2.

  24. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Greg,
    have you tested the development version? Please send me some feedback.

    Greetings from Germany
    Christoph

  25. greg.fenton
    Member
    Posted 2 years ago #

    Hi Christoph,

    Yes, I have tested just this morning and it works great. Thank you!

    ...except...

    So now I can log in with @corp-internal.local, but the call to get_userinfo() is coming back empty. I am not sure if this is an AD configuration where corp-external.local should be automatically passing thru the request to corp-internal.local, or if the plugin needs to be smart enough to fetch details from one AD for @corp-external and a different AD for @corp-internal.

    Thoughts?

  26. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Could you please send me the output of the test tool for both types of users? (Don't forget to remove security relevant information.)

  27. greg.fenton
    Member
    Posted 2 years ago #

    You want it here or via email? If email, what address?

    Thanks,

  28. greg.fenton
    Member
    Posted 2 years ago #

    Another interesting feature would be an option to fail the user creation if the email address does not exist in the AD record. Currently I see that I have a few test users in AD that don't have mail values. Right now, ADI creates a user account if the email is blank (though subsequent users fail with "This email address is already registered.").

  29. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    Sorry Greg, I forgot to give you my address: cst@ecw.de

  30. glatze
    Member
    Plugin Author

    Posted 2 years ago #

    ADI creates a user account if the email is blank (though subsequent users fail with "This email address is already registered.").

    This seems to be a bug. ADI should try to give every user a unique email address if none exists. But the feature you request sounds good. Please leave a feature request on http://bt.ecw.de.

Topic Closed

This topic has been closed to new replies.
