Skip to content

LDAP(s)#

How do I connect my Entra LDAPS to GLPI?#

To connect an LDAPS, you must make sure you have a sufficient license allowing you to create an LDAPS. The domain services service is required to create your LDAPS. Please refer to Microsoft's official documentation. Once your LDAPS has been created, simply follow the instructions from setup > authentication > LDAP directory.

Why do I get an error message informing me that I don't have rights to access the application?#

This happens when the authorisation rules have not been set up. In fact, once authentication has been successful, GLPI checks that you have an assigned authorisation. GLPI also checks that a rule has been set up to assign you one automatically. If this is not the case, access to GLPI will be denied. To set up these authorisation rules, go to this article for help with setup.

Why are my users deleted from GLPI when they are deactivated?#

From setup > authentication > setup you can choose the GLPI behaviour when a user is deactivated from your LDAP(s)

  • Preserve
  • Disable
  • Disable + withdraw groups
  • Disable + withdraw dynamic authorisations and groups
  • Put in trashbin
  • Withdraw dynamic authorisations and groups

I'm having trouble synchronising my LDAP(s). How can I get a debug?#

For on-premise instances, you can check in files/_log (or wherever you have stored your logs) You can also download the [LDAP Tools] plugin (https://glpi-plugins.readthedocs.io/en/latest/ldaptools/index.html) to help you understand what the problem is.

What information is sent back by LDAP(s)?#

You can manage the information retrieved by your LDAP(s) from setup > authentication > LDAP directory, users tab Alt text

How do I synchronise groups?#

From setup > authentication > LDAP directory, tab groups, you can choose how GLPI will behave when synchronising your groups.

GLPI can :

  • Check the groups belonging to the user (user search)
  • Check the users present in the groups (group search)
  • The 2

Remember to indicate the user attribute (usually memberof) so that GLPI can use this attribute to synchronise the groups belonging to the user. Remember to indicate the groups attribute (usually member) so that GLPI can use this attribute to synchronise the users in the groups.

What is the purpose of the group search filter?#

The filter allows you to find only certain groups, based on their name for example. If you only wanted to find the accounting group, for example, you could have a syntax such as (&(objectCategory=group)(SAMAcCOUNTNAME=*accounting*)). You can use this documentation to help you build your filter.

My LDAPS requires a certificate, how do I set it up?#

On-premise :

  • Import your certificate into your GLPI server (they must be readable by the user using the web server)

Cloud instance:

  • use the form to send you your certificate

On-premise and instance Cloud :

  • From setup > authentication > LDAP directory, advanced information tab, enter the path to your certificate in the TLS certfile and TLS Keyfile tabs. For Cloud instances, this will be communicated to you by return of your ticket.

How do I add replicas for my LDAP server(s)?#

From setup > authentication > LDAP directory, tab replicates, enter the information required for replicates.

Why aren't my users imported?#

Check that your LDAP(s) can be reached and is correctly configured on the GLPI side. If your LDAP(s) is correctly set up on the GLPI side, check that the automatically add users from an external authentication source option has been selected. Check that automatic authorisations have been set up. If you do not have automatic authorisation, check that the otpion add a user without accreditation from a LDAP directory (from setup > authentication > setup) is set to yes.

How can I automatically synchronise my LDAP users?#

In order to automatically synchronise your users from an LDAP, you can add a line to your crontab (the one for the user who reads the web files, Apache, www-data, etc.)

0 * * * * www-data cd /var/www/glpi/ && /usr/bin/php bin/console glpi:ldap:synchronize_users --no-interaction >/dev/null 2>&1

You can add options to this command to synchronise disabled accounts as well, for example:

0 * * * * www-data cd /var/www/glpi/ && /usr/bin/php bin/console glpi:ldap:synchronize_users --no-interaction -d 3 >/dev/null 2>&1

If you want to perform several actions, we advise you to add as many LDAP commands to your cron as you need (one command for synchronising accounts, another for deactivating accounts, etc.).

Does the command php /var/www/html/glpi/bin/console glpi:ldap:synchronize_users, set up in the cron, make the LDAP connection filter set up in Setup > Authentication > LDAP directories ?#

Yes, if you don't specify --ldap-filter in your command line, GLPI takes the sync field + the condition specified in the connection filter to perform the search.

Example

  • Synchronisation field configured = entryuuid
  • Connection filter configured = (objectClass=inetOrgPerson)
  • Resulting LDAP filter on command line = (& (entryuuid=*) (objectClass=inetOrgPerson))

Can I restore a GLPI user when it is also reactivated in LDAP?#

From setup > authentication > setup you can choose the behaviour of the action when a user is restored in the LDAP directory. You can choose to :

  • Enable
  • Do nothing
  • Restore (move out of trashbin)

Information

If it has been permanently deleted, it will be recreated as a new user.

When should the TLS Certfile and TLS Keyfile fields be filled in?#

The TLS Certfile and TLS Keyfile fields must be populated when authentication (Bind) ( setup > authentication > LDAP directory > Use Bind) is activated via a certificate and its private key (like LDAPS on Google Worspace, for example): it therefore replaces (or complements) a user/password.

Certificates

If you are using LDAPS, the certificates must be stored on your server so that GLPI can access them (in the GLPI config folder, for example).

Is it possible to use nested groups?#

Yes, GLPI can handle nested groups.

You need to synchronize the groups in GLPI:

In Setup > Authentication > LDAP directories > Directory concerned :

  • Main tab** :

    • Connection filter : Use Active Directory preconfiguration "(&(objectClass=user)(objectCategory=person)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    • Base DN : must be a subtree containing AD users and groups.
  • Group tab** :

    • Search type : 'In groups' or 'Users and groups' (both work)
    • User attribute indicating groups: memberof
    • Filter to search in groups: Empty
    • Group attribute containing its users:member:1.2.840.113556.1.4.1941:
    • Use DN in the search: Yes

Explanation

For an explanation of the member:1.2.840.113556.1.4.1941: value, read this article

Next, we need to import the groups into GLPI (groups on which authorization rules will be based).

  • Administration > Groups > :ti-users-cog:LDAP directory link
  • Finally, adapt the authorization rules to use the Group - is criterion rather than MemberOf - contains.
  • Then force the synchronization of a user so that GLPI links the imported groups to the user and gives the correct authorizations based on these groups.

!!! Warning "Caution Managing authorization rules on the user's memberOf field is not a good practice, as this field does not contain nested groups.