Today we configure LDAP authentication on GLPI v0.8.
Depending on your LDAP directory structure, you will have to choose one of two methods for connecting to your directory:
- You have a flat directory (which often is the case with Samba sites using LDAP as the authentication backend), i.e. all relevant users are placed within a single organizational unit. In this case authentication is simple, since you can just add the baseDN string to the user name and ask LDAP to authenticate the user with the password provided through the user login attempt.
- You have a hierarchic directory (which is pretty likely if you have an Active Directory site). Things are getting more complicated here, since LDAP requires a full distinguished name (like CN=John Doe,OU=Accounting,OU=Financial,DC=myAD,DC=example,DC=com) for authentication, but the user logon is only going to give us the user name.
In this case, authentication is performed in two stages:
- GLPI first needs to start an LDAP search for the user object, providing the user name and predefined filter strings as parameters
- In the second step, it asks the LDAP directory to authenticate using the search result from the first step and the password provided by the user login attempt
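The strings each method sends to the directory can be sketched as follows. This is an added example, not GLPI's own code: the function names, the sample user names, the ou=people base DN and the way the connection filter is combined with the login field are all assumptions. The user name is escaped before it enters a filter or a DN, and empty credentials are refused before any bind.

```python
# Added example, not GLPI code: function names and sample values are constructed.
FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = '"+,;<>\\'


def escape_filter_value(value):
    """Escape a value placed inside a search filter (RFC 4515)."""
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value placed inside a distinguished name (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def flat_bind_dn(login_field, username, base_dn):
    """Flat directory: the bind DN is the login attribute plus the base DN."""
    return f"{login_field}={escape_dn_value(username)},{base_dn}"


def search_filter(login_field, username, connection_filter):
    """Hierarchic directory, stage 1: filter meant to match exactly one user."""
    return f"(&({login_field}={escape_filter_value(username)}){connection_filter})"


def check_login_input(username, password):
    """Refuse input that must never reach the directory.

    A bind with a DN and an empty password is an unauthenticated bind
    (RFC 4513, section 5.1.2) and can succeed without proving identity.
    """
    if not username or not password:
        raise ValueError("user name and password are both required")


if __name__ == "__main__":
    conn_filter = "(&(samaccountname=*))"  # connection filter from the page
    print(search_filter("samaccountname", "jdoe", conn_filter))
    # Filter metacharacters in a user name stay literal after escaping:
    print(search_filter("samaccountname", "j*(doe)", conn_filter))
    print(flat_bind_dn("uid", "doe, john", "ou=people,dc=example,dc=com"))
```

In the hierarchic case, the second stage should go ahead only when the search returns exactly one entry; the bind then uses that entry's DN as returned by the directory.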
The values in this section are initialized with defaults that suit a common LDAP directory; however, these defaults will not work with Active Directory setups. Below are some example mappings:
- name: the logon user name (LDAP: uid, AD: samaccountname)
- email: user email address (LDAP: mail, AD: userprincipalname)
- phone: the telephone number (LDAP & AD: telephonenumber)
- name: the surname (AD: sn)
- given name: user’s given name (AD: givenname)
Now take care of the data mappings. Set the fields as follows:
- Loginfield: samaccountname (write it in lowercase)
- Surname: sn
- First name: givenname
- E-Mail: mail
- Phone: telephonenumber
Example Data For External Authentication (GLPI v0.8)
-> click on Authentication
-> To add a new directory, click LDAP directories, then click the "+" button in the menu bar above.
The configuration screen for a new directory appears.
Name: Common Name
Port: default (389)
Server: ldap://<IP address of your LDAP server>
Connection filter: (&(samaccountname=*))
Base DN: see example
Root DN: see example
Login field: change to samaccountname
-> click Add.
If you can't import users through the web page, you can also import them with this command:
cd /var/www/<your-glpi-path>/scripts && php -q -f ldap_mass_sync.php -- action=0 server_id=1