• If I enable the Authorization groups, no one can log in. Obviously even those that are a member of the required authorization group. Here is a doctored log:

    [DEBUG] NextADInt_Ldap_Connection::authenticateUser [line 344] Trying to authenticate user with username ‘username’ and account suffix ‘@domain.local’
    [DEBUG] NextADInt_Ldap_Connection::authenticateUser [line 348] Authentication successful for username ‘username’ and account suffix ‘@domain.local’.
    [DEBUG] NextADInt_Ldap_Connection::findAttributesOfUser [line 386] UserInfo for user ‘username’: cn={JAMES WITHEROW}, sn={WITHEROW}, description={Network Manager}, givenname={JAMES}, displayname={JAMES WITHEROW}, objectguid={46aa55f3-50f2-46c0-bc71-13897a981631}, useraccountcontrol={512}, objectsid={ ¢Y–‘Mê¨À¸Ž¿; }, samaccountname={username}, userprincipalname={username@domain.local}, mail={username@domain.local}
    [INFO] NextADInt_Adi_Authentication_LoginService::beforeCreateOrUpdateUser [line 835] Hook beforeCreateOrUpdateUser executed
    [DEBUG] NextADInt_Adi_User_Manager::createAdiUser [line 178] Created new instance of User username={id=’43’, credentials=’Credentials={login=’username’,sAMAccountName=’username’,userPrincipalName=’username@domain.local’,netbios=”}’}
    [DEBUG] NextADInt_Adi_Authentication_LoginService::updateUser [line 697] Checking preconditions for updating existing user User username={id=’43’, credentials=’Credentials={login=’username’,sAMAccountName=’username’,userPrincipalName=’username@domain.local’,netbios=”}’}
    [INFO] NextADInt_Adi_User_Manager::updateSAMAccountName [line 411] Updating sAMAccountName of user ’43’ to ‘username’
    [INFO] NextADInt_Adi_User_Manager::updateUserRoles [line 429] Updating user roles for 43 : Mapping 46aa55f3-50f2-46c0-bc71-13897a981631={ad_security_groups=’Administrators, Staff’,wordpress_roles=”}
    [INFO] NextADInt_Adi_Role_Manager::synchronizeRoles [line 116] Synchronizing roles of WordPress user with ID 43
    [INFO] NextADInt_Adi_Role_Manager::synchronizeRoles [line 146] Security groups [“administrator”,”Users”] are mapped to WordPress roles: [“administrator”]
    [WARNING] NextADInt_Adi_Role_Manager::updateRoles [line 182] Cleaning existing roles false for user ‘username’ existing roles will stay untouched.
    [INFO] NextADInt_Adi_Authentication_LoginService::afterCreateOrUpdateUser [line 846] Hook afterCreateOrUpdateUser executed, wpUser: ‘1’
    [ERROR] NextADInt_Adi_Authentication_LoginService::isUserAuthorized [line 498] User with GUID: ” is not in an authorization group.
    [DEBUG] NextADInt_Adi_Authentication_PasswordValidationService::overridePasswordCheck [line 108] User from AD and fallback to local (WordPress) password deactivated. Authentication failed.

    I’m suspicious of the “User with GUID: ””, whereas there is a GUID referenced earlier. The security group mapping seems to work and I’ve tried exactly the same group names in the Authorization Groups but then the logins fail.

    Thanks
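The by-eye comparison in the post above (a GUID present in the `updateUserRoles` mapping line, an empty one in the `isUserAuthorized` error) can be run over a whole debug log. This is an added example, not part of the original post and not the plugin's code; the log lines are constructed in the format shown above, and the shape of the error line with a non-empty GUID and the reason labels are assumptions.

```python
import re

# Constructed sample in the format of the log in the post (all values are placeholders).
SAMPLE_LOG = """\
[DEBUG] NextADInt_Ldap_Connection::authenticateUser [line 348] Authentication successful for username 'alice' and account suffix '@example.test'.
[INFO] NextADInt_Adi_User_Manager::updateUserRoles [line 429] Updating user roles for 7 : Mapping 00000000-0000-0000-0000-000000000001={ad_security_groups='Staff',wordpress_roles=''}
[ERROR] NextADInt_Adi_Authentication_LoginService::isUserAuthorized [line 498] User with GUID: '' is not in an authorization group.
[DEBUG] NextADInt_Ldap_Connection::authenticateUser [line 348] Authentication successful for username 'bob' and account suffix '@example.test'.
[INFO] NextADInt_Adi_User_Manager::updateUserRoles [line 429] Updating user roles for 8 : Mapping 00000000-0000-0000-0000-000000000002={ad_security_groups='Guests',wordpress_roles=''}
[ERROR] NextADInt_Adi_Authentication_LoginService::isUserAuthorized [line 498] User with GUID: '00000000-0000-0000-0000-000000000002' is not in an authorization group.
"""

# \W around the username accepts straight or typographic quotes.
AUTH_OK = re.compile(r"Authentication successful for username\s+\W(\S+?)\W\s+and account suffix")
MAPPING = re.compile(r"updateUserRoles .*Mapping ([0-9a-fA-F-]{36})=")
DENIED = re.compile(r"isUserAuthorized .*User with GUID:\s*(.*?)\s+is not in an authorization group")


def classify_denials(log_text):
    """Return (username, resolved_guid, reason) for each authorization denial.

    Reason labels are hypothetical names chosen for this example.
    """
    findings, user, guid = [], None, None
    for line in log_text.splitlines():
        if m := AUTH_OK.search(line):
            user, guid = m.group(1), None          # a new login attempt starts here
        elif m := MAPPING.search(line):
            guid = m.group(1).lower()              # GUID the plugin resolved from AD
        elif m := DENIED.search(line):
            # Drop the quoting characters; what remains is the GUID that was checked.
            checked = re.sub(r"[^0-9a-fA-F-]", "", m.group(1)).lower()
            if checked:
                reason = "not-in-group"            # real membership or configuration issue
            elif guid:
                reason = "guid-lost-before-check"  # resolved earlier, empty at the check
            else:
                reason = "guid-never-resolved"
            findings.append((user, guid, reason))
    return findings


if __name__ == "__main__":
    for finding in classify_denials(SAMPLE_LOG):
        print(finding)
```

A denial classified as `guid-lost-before-check` points at the authorization step receiving no GUID, while `not-in-group` points at group membership or the configured group names.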

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author schakko

    (@schakko)

    Your user above belongs to the security groups “Administrators” and “Staff” but you are mapping the AD groups “administrator” (without ‘s’) and “Users” to the WordPress role “administrator”.

    Thread Starter jmzwiv

    (@jmzwiv)

    Sorry that’s just a typo in my simplifying the log. The users are members of a number of groups and I’ve tried adding different, or all of them to the Authorized list.

    Did anyone else report something like this? Our editors have been a part of our “WordPress” AD Group for several years and this has been working fine. But perhaps with a recent upgrade, users are not able to authenticate. I turned off the Authentication Group option and a user account authenticated, which had been failing.

  • The topic ‘Enabling Authorization groups seems to block valid logins’ is closed to new replies.