schakko
Forum Replies Created
At least the PHP mcrypt extension is missing in your installation. Check the php.ini. I am not sure why the class “RequirementException” could not be found as it resides in the same file.
See my links above, the message “Warning: received token seems to be NTLM, which isn’t supported by the Kerberos module. Check your IE configuration.” is not expected, at least we did not experience this in our test environments.
Hey there,
Active Directory Integration > Configuration > tab “Environment” > Verify Credentials – There must be two service accounts configured: one for SSO, one for Sync to WordPress. You can use the same AD account. If the S-0 SID is returned, this can mean that the service account itself has no valid userPrincipalName and/or UPN suffix. Authentication will nevertheless work. Let the network guys check that the userPrincipalName is defined for the account and *not only* the sAMAccountName.
– Synchronization does not work because authentication works but no valid domain SID has been returned previously.
– Kerberos Log: not sure about the NULL value. Full log required.
Forum: Plugins
In reply to: [Next Active Directory Integration] Pages when Logged Out
I had the time to take a look into this because we had implemented NADI support for UM yesterday. I tried the settings you described with NADI 2.0 enabled:
– SSO disabled
– NADI UM extension disabled
– A non-logged in user can access a UM page/blog post with UM access set to “Everyone” or “Public”
– A logged in user can access a UM page/blog post with UM access set to “Everyone” or “Public”
– A non-logged in user can *not* access a UM page/blog post with UM access set to “Content accessible to Logged In Users”
In addition to that, NADI does not interfere with the permissions of pages. It only handles the authentication, authorization and role assignment during login. Finer-grained access settings are not in the scope of our plug-in.
What NADI does is to interfere with the authentication. This is the reason we developed the UM extension. As already written – and seen in the last days – at least UM does a lot of magic during authentication which makes it impossible to be compatible with “vanilla” NADI.
We will release NADI 2.0.11 in the next weeks and, along with this, the UM extension.
Forum: Plugins
In reply to: [Next Active Directory Integration] I need assistance with Single-Sign-On
Hi Malte,
feel free to work through the documentation: http://active-directory-wp.com/docs/Networking/Single_Sign_On/index.html.
Forum: Plugins
In reply to: [Next Active Directory Integration] Pages when Logged Out
We had already looked into getting ADI to work with the Ultimate Member plug-in. As far as I can see from our issue tracker, Ultimate Member returns internal data from the “authenticate” filter not in a WordPress-expected way.
I am not sure when and if we can fix this. If you really need it, please feel free to contribute a PR or receive a quote from us.
I am afraid there is no other solution. At least from NADI’s/WordPress’ point of view this can not be solved. Theoretically speaking, you could set up a second domain and domain controller for intranet.company.com, configure Kerberos ticket delegation and work with Split-brain DNS…
It could be if you have accessed your site over HTTPS. The old version did work flawlessly in our environment but without HTTPS.
The latest loginUser function is
[code]
protected function loginUser($user, $exit = true)
{
    // ADI-418: Accessing un-protected URLs directly with SSO enabled redirect does not work
    $redirectTo = (isset($_SERVER['REDIRECT_URL']) && !empty($_SERVER['REDIRECT_URL'])) ? $_SERVER['REDIRECT_URL'] : null;
    // default redirect if WordPress forces itself a login, e.g. when accessing /wp-admin
    $redirectTo = (!empty($_REQUEST['redirect_to'])) ? $_REQUEST['redirect_to'] : $redirectTo;
    // if not set, fall back to the home url
    $redirectTo = empty($redirectTo) ? home_url('/') : $redirectTo;

    $secure_cookie = is_ssl();
    wp_set_current_user($user->ID, $user->user_login);
    wp_set_auth_cookie($user->ID, true, $secure_cookie);

    do_action('wp_login', $user->user_login, $user);
    wp_safe_redirect($redirectTo);

    if ($exit) {
        exit;
    }
}
[/code]
I have tested the SSO link and could not reproduce your issue. Does the debug.log contain any errors?
Forum: Plugins
In reply to: [Next Active Directory Integration] Pages when Logged Out
If you have SSO enabled then the authentication is done on every page. Can you please explain the issue in more detail? What do you mean by “logged out pages”?
* Enabling DES (not recommended): http://stackoverflow.com/questions/16537867/kerberos-sso-with-mod-auth-kerb-verification-code-589824-and-token-seems-to-be
* Wrong principal: http://plosquare.blogspot.de/2013/02/solution-for-gss-api_8.html
* Website not in local intranet: http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
Forum: Plugins
In reply to: [Next Active Directory Integration] Change Redirect after SSO?
Thank you for the feedback! Fix has been merged into master.
This seems to be a problem of your Kerberos set up and is not related to NADI itself.
Forum: Plugins
In reply to: [Next Active Directory Integration] Change Redirect after SSO?
Thank you for the hint, we have tracked this ticket in ADI-418 and will publish a fix with 2.0.11.
In the meantime you can try to adapt the loginUser method like this:
[code]
protected function loginUser($user, $exit = true)
{
    // ADI-418: Accessing un-protected URLs directly with SSO enabled redirect does not work
    $redirectTo = (isset($_SERVER['REDIRECT_URL']) && !empty($_SERVER['REDIRECT_URL'])) ? $_SERVER['REDIRECT_URL'] : null;
    // default redirect if WordPress forces itself a login, e.g. when accessing /wp-admin
    $redirectTo = (!empty($_REQUEST['redirect_to'])) ? $_REQUEST['redirect_to'] : $redirectTo;
    // if not set, fall back to the home url
    $redirectTo = empty($redirectTo) ? home_url('/') : $redirectTo;

    do_action('wp_login', $user->user_login, $user);
    wp_set_current_user($user->ID);
[/code]
I’d really appreciate your feedback!