LDAP Authentication Setup on GLPI v0.8

Today we start to configure LDAP authentication on GLPI v0.8.

Depending on your LDAP directory structure, you will have to choose one of two methods for connecting to your directory:

  • You have a flat directory (which often is the case with Samba sites using LDAP as the authentication backend), i.e. all relevant users are placed within a single organizational unit. In this case authentication is simple, since you can just add the baseDN string to the user name and ask LDAP to authenticate the user with the password provided through the user login attempt.
  • You have a hierarchic directory (which is pretty likely if you have an Active Directory site). Things are getting more complicated here, since LDAP requires a full distinguished name (like CN=John Doe,OU=Accounting,OU=Financial,DC=myAD,DC=example,DC=com) for authentication, but the user logon is only going to give us the user name.

In this case, authentication is performed in two stages:

  • GLPI needs to start an LDAP search for the user object first, providing the user name and predefined filter strings as parameters
  • In a second step it will try to ask the LDAP directory for authentication using the search result from the first step and the password provided by the user login attempt
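
The requests behind both methods, as an added example (not GLPI's code and not part of the original post): it builds the bind DN for a flat directory and the stage-1 search filter for a hierarchic one, escaping the login so it stays a literal value, and refuses an empty password before the bind. The function names, the `uid`/`ou=People` sample values and the way the connection filter is combined with `&` are assumptions made for illustration.

```python
# Added example (not GLPI code): the LDAP requests behind the two connection methods.
FILTER_SPECIALS = '\\*()\x00'   # RFC 4515: hex-escape these inside a filter value
DN_SPECIALS = '\\,+"<>;='       # RFC 4514: backslash-escape these inside a DN value

def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(c) if c in FILTER_SPECIALS else c for c in value)

def escape_dn_value(value):
    """Escape a user-supplied value for use as an attribute value in a DN."""
    out = [('\\' + c) if c in DN_SPECIALS else c for c in value]
    if out and out[0][0] in '# ':      # a leading '#' or space is significant
        out[0] = '\\' + out[0]
    if out and out[-1] == ' ':         # so is a trailing space
        out[-1] = '\\ '
    return ''.join(out).replace('\x00', '\\00')

def flat_bind_dn(login, login_field, base_dn):
    """Flat directory: the bind DN is <login field>=<login>,<base DN>."""
    return '%s=%s,%s' % (login_field, escape_dn_value(login), base_dn)

def user_search_filter(login, login_field, connection_filter):
    """Hierarchic directory, stage 1: filter that locates the user's object.
    ANDing the login test with the connection filter is an assumption."""
    return '(&(%s=%s)%s)' % (login_field, escape_filter_value(login), connection_filter)

def bind_request(user_dn, password):
    """Stage 2 (the only stage for a flat directory): simple bind as the user."""
    if not password:
        # RFC 4513, 5.1.2: a DN with an empty password is an "unauthenticated
        # bind" that a server may answer with success, so refuse it client-side.
        raise ValueError('empty password refused')
    return {'op': 'bind', 'dn': user_dn, 'password': password}

if __name__ == '__main__':
    conn_filter = '(&(samaccountname=*))'      # connection filter used on this page
    # Stage 1 for a normal login, then for a login made of a filter metacharacter.
    print(user_search_filter('jdoe', 'samaccountname', conn_filter))
    print(user_search_filter('*', 'samaccountname', conn_filter))
    # Stage 2 uses the DN returned by the search (DN taken from the text above).
    found = 'CN=John Doe,OU=Accounting,OU=Financial,DC=myAD,DC=example,DC=com'
    print(bind_request(found, 'constructed-password')['dn'])
    # Flat directory with a constructed base DN: the comma stays inside the value.
    print(flat_bind_dn('doe, john', 'uid', 'ou=People,dc=example,dc=com'))
```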

GLPI/LDAP Links

The values in this section are initialized with defaults that suit a common LDAP directory; however, these defaults will not work with Active Directory setups. Below are some example mappings:

  • name: the logon user name (LDAP: uid, AD: samaccountname)
  • email: user email address (LDAP: mail, AD: userprincipalname)
  • phone: the telephone number (LDAP & AD: telephonenumber)
  • name: the surname (AD: sn)
  • given name: user’s given name (AD: givenname)

Now take care of the data mappings. Set the fields as follows:

  • Loginfield: samaccountname (write in lowercase)
  • Surname: sn
  • First name: givenname
  • E-Mail: mail
  • Phone: telephonenumber

Example Data For External Authentication (GLPI v0.8)

-> click on Authentication

-> To add a new directory, click LDAP directories, then click the “+” button in the menu bar above.

The configuration screen for a new directory appears.

Name: Common Name

Port: default (389)

Server: ldap://<IP address of your LDAP server>

Connection filter: (&(samaccountname=*))

Base DN: see example

Root DN: see example

Login field: change to samaccountname

-> click Add.

You can also use this command to import users in case you can’t import them on the web page:

2 Comments

  1. I was able to authenticate with AD, but I can't import users. Could the author explain in detail how to import users? I have looked at guides online, but even after following them I still can't sync users with AD.

    • Hi Tona San,

      To import users from Active Directory, follow these steps:

      Administration => Users => Ldap Link directory => Import new users => click Search button

      Then you will be able to import new users.

      If you need any help, please comment. 🙂
