Next Active Directory Integration


Next Active Directory Integration allows WordPress to authenticate, authorize, create and update users against Microsoft Active Directory. NADI ist a complete rewrite of its predecessor Active Directory Integration and therefore an own plugin.
You can easily import users from your Active Directory into your WordPress instance and keep both synchronized through Next Active Directory Integration’s features.

Even if NADI is available for free we hope you purchase a plan to let us continue the work on Next Active Directory Integration.
You can purchase commercial support plans at The support plans give you access to our premium extensions and guarantee an ongoing development of the plug-in.


  • Authenticating WordPress users against one or multiple AD Server
  • Authorizing users by Active Directory group memberships
  • Managing Active Directory authentication for WordPress Multisite installations
  • Single Sign On with Kerberos sponsored by Colt Technology Services and Digital Elite
  • Automatically create and update WordPress users based upon their Active Directory membership
  • Mapping of Active Directory security groups to WordPress roles
  • Protection against brute force password hacking attacks
  • User and/or admin e-mail notification on failed login attempts
  • Multi-language support (at the moment only English is included)
  • Determining WordPress display name from Active Directory attributes
  • Synchronizing Active Directory attributes and WordPress user meta information in both ways
  • Embed customized Active Directory attributes in WordPress user’s profile
  • Enable/disable password changes for local (non-Active Directory) WordPress users
  • Disable user accounts in WordPress if they are disabled in Active Directory.
  • Set users local WordPress password on first and/or on every successful login
  • Option to disable fallback to local (WordPress) authentication.
  • Support for Active Directory forest environments.
  • and much much more

Premium Extensions

As an owner of a valid support plan you have access to the following premium extensions:

  • Profile Pictures: Synchronize profile photos from Active Directory to WordPress without a 3rd party plug-in
  • BuddyPress profile photo: Synchronize profile photos from Active Directory to BuddyPress
  • Buddy Press simple attributes: Synchronize attributes from Active Directory/NADI to BuddyPress’ custom profiles
  • Login with Ultimate Member: Let UM users log in by using NADI
  • Login with WooCommerce: Let WooCommerce users log in by using NADI
  • WP-CLI: Execute common NADI tasks (Sync to WordPress, Sync to AD) with help of WP-CLI
  • Active Directory Forest: Be able to use one WordPress instance with your whole Active Directory forest environment


  • WordPress since 5.6
  • PHP >= 8.1
  • LDAP support
  • OpenSSL Support for TLS (recommended)


  • Generic profile options
  • Environment options to connect to your Active Directory domain
  • User settings
  • Password settings
  • Permissions for authorization groups and role equivalent groups
  • Security
  • Attribute mapping from Active Directory to WordPress
  • Sync to Active Directory
  • Sync to WordPress
  • Logging
  • Extend WordPress’ user list with Active Directory information
  • Profile assignment in WordPress Multisite
  • Custom NADI profile in WordPress Multisite environment



To install Next Active Directory Integration you need at least WordPress 5.6 and PHP 8.1.

Although only tested with Apache 2.2 and 2.4 NADI should work with all other common web servers like nginx and IIS.

Next Active Directory Integration requires a few PHP modules to be enabled. Please verify in your php.ini that ldap and openssl are activated.

; required by *NADI*


NADI requires PHP 8.1 or later. The reason is that security support for PHP version prior 8.1 have been dropped by the maintainers as you can see in the official PHP documentation
For security reasons and in order to use NADI in 2024 we hereby politely encourage you to migrate your environments to at least PHP 8.1 until then.

Thank you all for your support and understanding.

Best regards,
your NADI team.


NADI can be easily installed from the WordPress Plugin Directory.

It is also possible to download the latest version from” and unpack the folder to your wordpress/wp-content/plugins directory.

Developers can clone the Git Repository inside their wordpress/wp-content/plugins directory and download the dependencies with composer.

Single Site

  • Visit your WordPress blog and login into your WordPress dashboard as Administrator
  • Click on the Plugins in the left the navigation bar
  • Activate the Next Active Directory Integration plug-in

Network installation

  • Visit your WordPress network dashboard as Super Admin
  • Click on the Plugins link in the left the navigation bar
  • Activate the Next Active Directory Integration plug-in. In a WordPress network installation NADI should be Network activated.

You can enable/disable NADI for specific blogs by using the Profiles feature of NADI.
It is not possible to activate NADI for a site inside a network.


Please read the FAQ of our official documentation.


January 8, 2021 5 replies
Doesn’t work when using a Synology NAS as LDAP/AD server. Error: Creating adLDAP object failed. Bind to Active Directory failed. Check the login credentials and/or server details. [AD: Strong(er) authentication required] [AD error code: 8]. or error code -1, depending on which config is chosen. Probably a Synology problem, still: too bad!
November 22, 2019
Don’t look at any other plugin for Active Directory Integration, this is the only one worth considering by far! Easy setup, you just need to know the Base DN and stuff.. any decent IT person should be able to manage it easily.
November 13, 2019
I had some issues finding out how to configure it correctly. I usually login with “INTERN\john.doe”, but a format like this was not valid. I found out that I had to use “” and to add the two suffixes “” as well as “”. I activated the automatic user creation and all worked easily. Awesome work!
Read all 15 reviews

Contributors & Developers

“Next Active Directory Integration” is open source software. The following people have contributed to this plugin.



For detailed information you can visit the official GitHub repository of Next Active Directory Integration


  • CHANGED: WordPress 6.6 compatibility has been checked


  • CHANGED: WordPress 6.5 compatibility has been checked


  • CHANGED: Re-enable linter support (#189)
  • CHANGED: Drop PHP 8.0 support from CI (#189)


  • CHANGED: WordPress 6.4 compatibility has been checked


  • FIXED: Issue when Sync to WordPress disables non-existing WP user (#191)


  • FIXED: Do not map mismatched objectGUIDs (#188)
  • FIXED: Duplicate search for user by sAMAccountName during login (#187)


  • FIXED: Dreitier\Ldap\Connection::filterDomainMembers throws fatal error when invalid SID is returned (#186)
  • FIXED: Twig functions in default namespace conflict with other WordPress plug-ins (#185)
  • FIXED: Conversion of empty or string-based LDAP timestamp attributes (#184)
  • CHANGED: WordPress 6.3 compatibility has been checked


  • FIXED: WP_MS_Sites_List_Table not found when running in Multisite (#183)


  • CHANGED: WordPress 6.2 compatibility has been checked


  • FIXED: Postpone stub creation in favor of other autoloaders (#181)
  • FIXED: Check for availability of PHP 8.0 or deactivate plug-in (#179)
  • FIXED: Class Dreitier\Util\Logger\LogFacade not found (#178)
  • FIXED: Deprecation notice with PHP 8.x for null constructor parameters of WordPressErrorException


  • FIXED: Provide stub for Logger class (#177)


  • FIXED: Include PHP 8.2 into test suite (#175)
  • FIXED: class ShowSingleSignOnLink not found (#176)


  • FIXED: Usage of custom auto-loader and strauss to prevent conflicting namespaces (#165)
  • FIXED: Detect and use constant NEXT_ACTIVE_DIRECTORY_INTEGRATION_ENCRYPTION_KEY to be able to change WordPress’ AUTH_SALT (#173)
  • CHANGED: Upgraded monolog/monolog to 2.8.0 to make NADI working with WP-Rocket (#169)
  • CHANGED: PHP 8.0 runtime is now required (#170)


  • FIXED: Detect and use constant NEXT_ACTIVE_DIRECTORY_INTEGRATION_ENCRYPTION_KEY to be able to change WordPress’ AUTH_SALT (#173)


  • FIXED: ldap_search fails on PHP 7.4 (#171)


  • FIXED: With PHP 8.1, ldap_get_entries expects an LDAP\Result instance as second parameter (#166)
  • FIXED: Deprecation warning when Test Authentication is triggered with PHP 8.1 (#168)
  • ADDED: Notification in WordPress’ plug-in page for upcoming v3
  • ADDED: Compatibility with new Premium Extensions which are already using v3’s code


  • FIXED: Blank configuration page with PHP >= 8.0 and missing AUTH_SALT constant (#164)


  • CHANGED: twig/twig dependency updated to 3.4.3 (#162)
  • CHANGED: WordPress 6.1 compatibility has been checked
  • ADDED: deprecation warning for the PHP 7.x branch


  • CHANGED: “master” branch has been replaced with “main” branch.
  • ADDED: lifecycle hooks after the authentication has succeeded, so Wordfence can be used (#160)
  • CHANGED: WordPress 6.0 compatibility has been checked


  • FIXED: Critical WordPress error if a matching profile for SSO authentication can not be found (#152, NADISUP-7)
  • FIXED: Uncaught TypeError when checking userAccountControl attribute (#151)
  • FIXED: For specific Active Directory forest structures, the NETBIOS name can not be resolved during verification of the credentials (#153, NADISUP-8)
  • ADDED: Option for specifying a custom login page URI; special thanks to GitHub user czoIg for contributing this functionality (#154)


  • CHANGED: WordPress 5.9 compatibility has been checked
  • REMOVED: CI testing support for PHP 7.3 as mentioned in


  • FIXED: when a user can not be found by email address, findByProxyAddress returns false. Configured Sync to WordPress credentials are still required for logging in with email addresses. (#146)
  • FIXED: when using SSO-based logins, the “Exclude usernames from authentication” option still applies (#142)
  • ADDED: hooks for checking if NADI’s authentication applies for a given username (#142)
  • CHANGED: WordPress 5.8.1 compatibility has been checked
  • CHANGED: WordPress 5.8.2 compatibility has been checked
  • REMOVED: Parameter $useLocalWordPressUser in NextADInt_Adi_Mail_Notification (#135)
  • REMOVED: Option ‘Automatic user creation’. This option has been implicitly enabled for all installations and is no longer required (#134)
  • CHANGED: PHP 8.1 compatibility has been checked; Twig has to be updated with the next release (#148)


  • FIXED: Sync to WordPress fails if user is no longer present in Active Directory (#141)


  • FIXED: Boolean options can’t be persisted correctly with 2.2.1 (#140)


  • FIXED: Missing meta_key “domainsid” results in TypeError or NextADInt_ActiveDirectory_Context::isMember (#133)
  • FIXED: Warning: Trying to access array offset on value of type null (#139)


  • ADDED: Kerberos principals are no longer treated as userPrincipalNames (ADI-715)
  • ADDED: When using Kerberos SSO principals, you can map the Kerberos realm to multiple UPN suffixes (requires Active Directory Forest premium extension) (ADI-715)
  • ADDED: When using NADI in an AD forest, you can now specify all SIDs of the connected domains (requires Active Directory Forest premium extension) (ADI-715)
  • FIXED: When using a Global Catalog (GC), users with same sAMAccountName but different userPrincipalNames are not assigned correct during authentication (NADIS-133)
  • FIXED-SECURITY: Users with same UPN prefix and password but different UPN suffix would be logged in with the wrong account (ADI-716)
  • CHANGED: WordPress 5.6.1 compatibility has been checked
  • CHANGED: WordPress 5.7 compatibility has been checked
  • CHANGED: PHP 8.0 compatibility has been added (ADI-718, #132, #137)
  • FIXED: Deprecation warning when trying to send mail notification for blocked users (ADI-719)
  • FIXED: Option “Blog admin sets the option value.” had no effect in Multisite environments (#124)
  • DEPRECATION-WARNING: For the upcoming release 2.3.0 we will remove “Internal password migration” (#136), “Automatic user creation” (#134) and “Email address conflict handling” (#133)
  • DEV: Slightly transition new issues to GitHub instead of internal Jira


  • ADDED: allow self signed certificates (#107)
  • CHANGED: notices for minimum PHP version 7.2 due to EOL of PHP 7.1
  • FIXED: Test compatibility with latest stable PHPUnit version
  • FIXED: PHP 7.4 compatibility and deprecation of some ldap_* functions (#127)
  • FIXED: various typos and formatting errors in the administration user interface
  • ADDED: hook for triggering Sync To WordPress and Sync To AD (ADI-526)


  • CHANGED: Tested compatibility with upcoming version 5.4 of WordPress


  • CHANGED: minimum PHP version to PHP 7.2 due to EOL of PHP 7.1
  • CHANGED: Twig version updated to 1.41.0 (ADI-707)
  • FIXED: When a non-existing user inside in WordPress authenticates in a multisite environment the first time, a warning is triggered (ADI-705)
  • FIXED: A deleted user from Active Directory is mapped to the wrong user in WordPress; thanks to T. Kowalchuk (ADI-702)
  • FIXED: PHP warning if user is deleted from Active Directory (ADI-701)
  • FIXED: PHP error if touching of log file failed
  • FIXED: “-DISABLED” suffix is added everytime a user is synchronized (ADI-697, NADIS-110)
  • ADDED: hook next_ad_int_user_before_disable (ADI-699)
  • FIXED: curly brace access (#119)


  • ADDED: Premium extension WP-CLI to execute “Sync to WordPress/AD” with wp-cli to circumvent webserver/proxy timeouts (NADIS-98)
  • ADDED: option to disable SSO when using XML-RPC (ADI-679, NADIS-92)
  • FIXED: when changing the sAMAccountName or userPrincipalName in the AD a new user would have been created in WordPress (ADI-688, NADIS-89)
  • FIXED: Ultimate Member premium plug-in no longer works with new NADI version (ADI-687, NADIS-96)
  • FIXED: bug in adLDAP library; when LDAPS is enabled a custom port would not have been applied (ADI-690, NADIS-94)
  • ADDED: hook next_ad_int_user_create_email which is executed when “Duplicate email prevention” is set to “Create” (ADI-691)
  • FIXED: various issues with “Duplicate email prevention”; refactored logic (ADI-691)
  • FIXED: NADI got disabled when using any WP-CLI command (ADI-692)
  • ADDED: logging configuration can be set with filters (ADI-693)


  • FIXED: compatibility issues when using the Woffice theme (ADI-659)
  • FIXED: missing email parameter when creating users; thanks to nefarius (#74, ADI-615)
  • FIXED: an issue with the ‘Prevent email change’ option,; thanks to mlipenk (ADI-670)
  • ADDED: new hook to hide the ‘Log in using SSO’ option,; thanks to vyatcheslav (ADI-672)
  • FIXED: refactored post authentication logic into separate services (ADI-671, ADI-673)


  • FIXED: the hooks auth_before_create_or_update_user and auth_after_create_or_update_user were not registered so the SSO authentication always failed silently (ADI-668)


  • FIXED: custom authentication filters were not registered properly and this fixes SSO related issues (ADI-665)
  • FIXED: test authentication will now properly check for authorization groups again


  • FIXED: replaced all references to the deprecated each-function with foreach (ADI-628)
  • FIXED: authorization groups will now properly prevent users from logging in,; thanks to shmew22, pokertour (ADI-664, #92)
  • FIXED: the menu-visibility options were missing inside the profile-tab,; thanks to 5tu (ADI-663);
  • ADDED: 2 new filters to allow for custom validation during the authentication process; thanks to Destabilizator (ADI-657, #89)


  • FIXED: isUserAuthorized() prevented login for users successfully authenticated via SSO at Active Directory due username was passed instead of guid
  • FIXED: HelperTabs not opening anymore due bootstrap css .hidden class overwrites WordPress css .hidden class
  • FIXED: verify connection input and button share the same element ID causing a DOM error in the browser console log
  • ADDED: SSO Username variable helper tab content now contains a table including all supported variables and their current $_SERVER values


  • ADDED: added message on the profile configuration page to inform customers about end of PHP version <7.1 support
  • ADDED: json response for “Sync to WordPress” triggered via powershell
  • ADDED: improved logging in within the Connection.php class
  • ADDED: missing German translations
  • ADDED: PHP_AUTH_USER to SSO username variables
  • FIXED: app.config and password.controller.config being flagged by customer firewalls / security plugins which resulted in them not being loaded properly (renamed them)
  • FIXED: redirect to target site not working properly after being authenticated via NADI SSO
  • FIXED: isUserAuthorized() not working properly with UPNs
  • FIXED: “Set local Password” not working if “Automatic user update” was enabled at the same time
  • FIXED: “Overwrite with empty value” not working anymore


  • FIXED: NTLM authentication not working if samAccountName of a user does not match the part of the UPN in front of the suffix
  • REMOVED: NADI support license nag message on WordPress plug-in page


  • ADDED: proxy address login; special thanks to nedwidek for contributing this functionality (#59)
  • ADDED: profile picture ad attributes to the ad attributes dropdown at the ad attributes configuration page
  • ADDED: claims based authentication; special thanks to rgottsch for contributing this functionality (#44)
  • ADDED: new option to decide if you want to grant smart card users access to the WordPress environment
  • ADDED: links to the specific documentation pages for each configuration page
  • ADDED: powershell script to trigger “Sync to WordPress” and “Sync to AD”; special thanks to nemchik for contributing this (#64)
  • FIXED: it is now possible to enter an empty base dn (#49)
  • FIXED: adjusted base DN description
  • FIXED: typo in LoginService.php (#59)
  • REMOVED: whitespaces inside the rendered curl and wget tags
  • REMOVED: old code that caused an warning with PHP 7.2.0 changes to count() and sizeOf()


  • ADDED: NADI is now using Monolog for everything related to logs
  • ADDED: added a button to manually persist “Logging” configurations
  • FIXED: user attributes are now correctly logged
  • FIXED: fixed a problem where the port configuration for LDAPS was not used
  • FIXED: updated twig to the latest 1.x version. (2.x requires >= PHP 7.0.0)
  • ADDED: debug logs messages will be not displayed in the frontend log anymore in order to prevent an overflow
  • ADDED: dummy logger in order to prevent outdated premium extensions from crashing
  • REMOVED: removed log4php from NADI


  • ADDED: added frontend information banners for NADI premium extensions
  • ADDED: added frontend information about why “Sync to WordPress” can not be started
  • FIXED: members of not mapped security groups will now receive the default role “Subscriber”
  • FIXED: “Clean existing Roles” is now default set to false
  • ADDED: added new style for configuration page
  • FIXED: fixed some style issues
  • ADDED: added logic to determine if a NADI option already exists in the DB to prevent the problem saving options with default value true
  • ADDED: added detailed log on which UAC flag is responsible for users not being imported
  • FIXED: fixed logs destroying the user profile while trying to update a user profile / also caught exception
  • FIXED: fixed template conditions causing problems in Microsoft Edge


  • FIXED: switched from mcrypt to defuse/php-encryption
  • FIXED: decoupled password update from user update to allow for automatic password updates without ‘auto update user’ set to true
  • FIXED: marked brute force protection deprecated
  • FIXED: minor bugs when using ldap over ssl
  • ADDED: sync to ad now uses the GUID for synchronization
  • FIXED: verify domain controller connectivity before incrementing brute force protection counter
  • FIXED: custom attributes inside the user profile will prioritize the custom description; thanks to mzemann
  • FIXED: changed the look of Sync to AD, Sync to WordPress and Test authentication
  • ADDED: added row to users list for premium extension (custom user role management)
  • FIXED: added the complete dirname when using require_once inside index.php (#47)


  • ADDED: internationalization for all plugin strings, see (ADI-432, ADI-436)
  • FIXED: roles are now mapped using the GUID instead of sAMAccountName (ADI-428)
  • ADDED: option for preventing disabled users to be synchronized to WordPress (ADI-223)
  • ADDED: validation for Base DN
  • FIXED: problem when sending brute force protection notifications via email (ADI-464)
  • FIXED: non NADI users being blocked by the brute force protection
  • FIXED: brute force protection now checks for the whole username (ADI-424)
  • FIXED: updating user profiles without bind user (ADI-439)
  • FIXED: countdown for brute force protection (ADI-456)


  • ADDED: NTLM support for SSO (sponsored by Vogels –
  • ADDED: implementation of hooks to provide an API (ADI-145)
  • ADDED: premium extensions available for support license subscribers
  • ADDED: log reason for not being able to increase max_execution_time (ADI-396)
  • ADDED: log message that AD security group could not be found (ADI-397)
  • ADDED: improve logging number of users to import from AD to WordPress (ADI-414)
  • FIXED: synchronization does not work b/c getDomainSid returns “S-0” (ADI-412)
  • FIXED: “Test authentication” does not allow characters like a backward slash (ADI-421)
  • FIXED: permanent redirects after successful authentication (ADI-422)
  • FIXED: error “the current user is being initialized without using $wp->init()” when using BuddyPress (ADI-416)
  • FIXED: blocking of users with long user names (ADI-330)
  • FIXED: get_blog_details replaced with get_site to maintain compatibility with WordPress 4.7+ (ADI-419)
  • FIXED: restrict output of debug LDAP user information to only an amount of characters (ADI-420)
  • FIXED: Sync to WordPress: default WordPress role “Subscriber” is not assigned (ADI-401)
  • FIXED: Users with admin role granted by WordPress lose their role when logging into the site for the first time (ADI-380)


  • ADDED: option to enable/disable authentication using XML-RPC
  • FIXED: reworked user interface
  • FIXED: sync ends after deleted account is no longer present in Active Directory
  • FIXED: integration tests
  • FIXED: emails will not be sent to administrators; thanks to kyleflan (#27)
  • FIXED: users can now be disabled from WordPress
  • ADDED: HTTP_X_REMOTE_USER is now an option in the SSO configuration; thanks to laughtonsm (#29)


  • FIXED: add missing default value for method parameter


  • FIXED: remove PHP 5.6 code; thanks to requincreative (#22)


  • ADDED: custom user roles can be used in “Role equivalent groups”
  • ADDED: the logger is disabled by default (and can be enabled inside the configuration)
  • ADDED: log file path can be configured (default is wp-content/plugins/next-active-directory-integration/logs/debug.log)


  • FIXED: show activation notice only after activating this plugin (; thanks to bobchou9
  • FIXED: SSO/verify-password errors by un-quoting values in $_GET/$_POST/$_SERVER. WordPress quotes all entries in $_GET/$_POST/$_SERVER automatically; thanks to plantjes (#20)


  • FIXED: check if AD result is not empty before accessing distinguished name; thanks to petterannerwall (#16)
  • ADDED: optional support for Down-Level User Name (like TEST\klammer) (#18)


  • ADDED: make log pattern configurable (; Thanks to tmuikku


  • FIXED: brute force protection is now be disabled; thanks to Munnday (David Munn) (#14)
  • FIXED: the max count of login tries and the block time are now editable


  • FIXED: SSO caused a PHP error during login; thanks to Jason Taylor and Munnday (David Munn) (#13)


  • FIXED: missing german translation


  • ADDED: support for WordPress Multisite through profiles
  • ADDED: Profiles can be customized, including the permission of every option
  • ADDED: support for PHP7
  • ADDED: detailed documentation at
  • ADDED: experimental support for multiple Active Directory domains; see FAQ
  • ADDED: easier handling and description of encryption methods for LDAP
  • ADDED: additional columns in Multisite overview for networks and users
  • ADDED: user names can be explicitly excluded from authentication
  • ADDED: menu entries of Next ADI can be hidden
  • ADDED: Next ADI can be disabled per Multisite site environment
  • CHANGED: large user interface improvements
  • CHANGED: complete rewrite of the PHP backend
  • CHANGED: userPrincipalName is leading attribute for user identification instead of sAMAccountName
  • FIXED: Role Equivalent Groups can be mapped to multiple WordPress roles instead of only one
  • and much much more we can not list here. Please take the time and read the official documentation 🙂

1.x (Active Directory Integration)

  • deprecated and no further development