When working on an internal website recently, we needed “transparent sign on” capability (otherwise known as Single Sign On). This is where the website automatically picks up the user’s domain credentials and logs them in, while also knowing their full name and email address. It turns out that the simplest way of doing this is to run WordPress on IIS (beware if the site is external, as careful configuration is needed to make PHP safe). Below is what we found worked well for us. It provided a transparent and easily manageable way of controlling which users could access WordPress. You will of course need to adapt it to your environment, but the instructions below should get you up and running.

Plugins & Deleting Accounts
Once WordPress is set up and working, the first step is to use the plugin found here. Once this is installed and activated, go to the WordPress site and it should auto-detect and create an account with your domain username. This is best tested with a user logged into another host and not on your WordPress machine. After this is working, the next step is to delete the accounts it has created and disable the auto-account creation. This is done by finding the section below and commenting out the line to create the user (Line 78 or so).

$user = get_userdatabylogin($username);
if (!is_a($user, 'WP_User')) {
    // Create the user
    $newUserId = iisauth_create_wp_user($username);
    if (!is_a($newUserId, 'WP_Error')) {
        $user = get_userdatabylogin($username);
    }
}

Change this to…

$user = get_userdatabylogin($username);
if (!is_a($user, 'WP_User')) {
    // Account creation disabled: unknown domain users no longer get a WordPress account.
    // The re-lookup is commented out as well, since $newUserId would otherwise be undefined.
    //$newUserId = iisauth_create_wp_user($username);
    //if (!is_a($newUserId, 'WP_Error')) {
    //    $user = get_userdatabylogin($username);
    //}
}

Once this is done, if you try to access the site and an account exists you will be logged in, but crucially, new accounts will not be created. This is what we want for now.

Active Directory Integration
Now, in WordPress, search for and install the “Active Directory Integration” plugin by Christoph Steindorff. Before you activate this plugin, though, we need to create a few security groups in Active Directory:

  • wp_sync – This is the group containing all the accounts that we want to sync to WordPress. It can contain nested groups and, in our example, all the other groups we create will be members of it. By default, members of this group get subscriber privileges if nothing else is defined.
  • wp_admins – This is the list of all users who will be administrators in WordPress.
  • wp_management – This is the list of all users to be given higher access. In the example here we have given them author level.

Make wp_admins and wp_management members of wp_sync, along with a test user. Now, after activating the plugin, go to Settings => Active Directory Integration Settings. Configure the Server settings for your AD environment. On the User settings make sure that:

  • “Append account suffix to new created usernames” is unticked.
  • Automatic User Creation can be ticked if you want to use this function. If not, leave this unticked and move on to the bulk import tab, ignoring the rest of the settings on this tab and the Authorization tab. You will also need to edit the AdIntegration.php file as detailed below.
  • Automatic User Update is ticked.
  • Auto update user description is ticked.
  • Prevent email change is ticked.

Save the changes and move to the Authorization tab. On this screen:

  • Make sure that “Users are authorized for login only when they are members of a specific AD group” is ticked.
  • Add wp_sync to the groups box.
  • In the Role equivalent groups box put: wp_admins=administrator;wp_management=author;wp_sync=subscriber

Save these changes and then move to the bulk import tab. On this screen:

  • Make sure “Enable Bulk Import & Update” is ticked.
  • “Import members of security groups” contains wp_sync.
  • Fill in the username and password. Remember that the username is in user@domain.local format.
  • Make sure that “Auto Disable Users” is ticked.

Save these changes and then click on the test import to make sure all is working.

Encountering Problems
If all the AD settings have been entered correctly you’ll have a user created in WordPress with their login name matching their AD login and their name field correctly populated. However, if you then visit the site as that user from a remote machine you may find that the login doesn’t work. A little inspection shows why...

The AD Integration module creates the user exactly as they appear in AD. So if their username is Firstname.Lastname, with a capital F and L, then that is how it will be stored in WordPress. However, the IIS authentication module converts all usernames to lower case. The string comparison in the PHP is case sensitive, so there is never an exact match.

How to Fix it
To fix this, look in the Active Directory Integration plugin folder and edit bulkimport.php. Then, look for the following section (about line 290):

// get display name
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
// create new users or update them
if (!$user OR ($user->user_login != $username)) {
    $user_id = $this->_create_user($ad_username, $userinfo, $display_name, $user_role, '', true);
    $added_users++;
} else {
    $user_id = $this->_update_user($ad_username, $userinfo, $display_name, $user_role, '', true);
    $updated_users++;
}

And change it to...

// get display name
$display_name = $this->_get_display_name_from_AD($username, $userinfo);
// create new users or update them
// Compare case-insensitively and store the login in lower case, to match what the IIS
// authentication module presents at login time.
if (!$user OR (strtolower($user->user_login) != strtolower($username))) {
    $user_id = $this->_create_user(strtolower($ad_username), $userinfo, $display_name, $user_role, '', true);
    $added_users++;
} else {
    $user_id = $this->_update_user(strtolower($ad_username), $userinfo, $display_name, $user_role, '', true);
    $updated_users++;
}

If you have enabled the auto-user creation option then you’ll also want to search the adintegration.php file for the create_user function and wrap the username in strtolower() in that function call as well.

Finishing Up
Once this is done, all users will be created in lower case, your permitted users can sign on automatically without entering any credentials, and WordPress will know who they are. Add any domain users (yourself, probably) to the wp_admins group and, once the sync is run, you’ll have a domain admin account created. One note here: each admin account must have a unique email address. If the user you want to sync as an admin has an email address that matches an existing WordPress user, the import will fail for that user.

When you update your list of permitted users, run the link on the bulk import tab. If you want to automate this, schedule a task that starts the browser with that link. The script will also need to wait and then kill the browser 20 seconds or so later, otherwise you’ll end up with lots of browser processes running and the sync will eventually stop updating. We used a ping of a non-existent host on the network with a long timeout as the delay, followed by taskkill to kill off the process.
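The scheduled sync described above, written as a PowerShell script rather than the ping-and-taskkill batch approach. This is an added example, not code from the original post or the plugin; the bulk import link, the script path and the service account are placeholders you replace with your own, and it assumes Internet Explorer (iexplore.exe) is the browser on the host.

```powershell
# Sync-WordPressUsers.ps1 -- added example, not from the original post or the ADI plugin.
# Assumptions: $BulkImportUrl is the link copied from the plugin's bulk import tab
# (placeholder below) and the browser on the host is Internet Explorer (iexplore.exe).
param(
    [string]$BulkImportUrl = 'http://<wordpress-host>/<link-copied-from-bulk-import-tab>',  # placeholder
    [int]$WaitSeconds = 20   # the post suggests roughly 20 seconds for the import to finish
)

# Start the browser as a new process and keep a handle so this instance can be stopped later
$browser = Start-Process -FilePath 'iexplore.exe' -ArgumentList $BulkImportUrl -PassThru

# Give the import page time to do its work
Start-Sleep -Seconds $WaitSeconds

# Stop the instance we started so repeated runs do not leave browser processes piling up
if ($browser -and -not $browser.HasExited) {
    Stop-Process -Id $browser.Id -Force
}

# IE may hand the URL to an already running instance and exit at once; in that case
# stop any remaining iexplore.exe processes, as the taskkill step in the post does
Get-Process -Name 'iexplore' -ErrorAction SilentlyContinue | Stop-Process -Force

# Register the script to run hourly (run once from an elevated prompt; path and account
# are placeholders). The task runs as a dedicated service account, not an admin user.
#   schtasks /Create /SC HOURLY /TN "WordPress AD Sync" /RU "DOMAIN\svc_wpsync" /RP * ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-WordPressUsers.ps1"
```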


Post By: Jason Ede
