Setup LDAP#
GLPI interfaces with LDAP directories in order to authenticate users, control their access, retrieve their personal information and import groups.
All LDAP v3 compatible directories are supported by GLPI. This is also applies for Microsoft Active Directory (AD). There is no limit for the number of directories filled: of course, the higher the number, the longer the search for a new user to authenticate.
LDAP (port 389)#
First, it is necessary to configure the directory in GLPI and test the connection:
- Hover over the "Configuration" menu located in the main menu of GLPI.
- Choose "Authentication".
- Several options of external authentication will be offered to you. Choose "LDAP Directories".
- To add an AD / LDAP directory to your list, click on the "+ Add" icon.
- You will access the configuration page of an AD / LDAP server.
Explanation of the fields:#
- Preconfiguration
These two clickable links will allow you to load or delete default values for other fields, in particular for configuring an Active Directory.
- Name
The name you enter here will be the one displayed in the list of your directories, it does not affect the configuration.
- Default server
This parameter allows you to define whether this directory should be used as a priority or not.
- Active
This parameter allows you to activate / deactivate this directory after its creation. This parameter will of course be modifiable at any time.
- Server
Here you will need to enter the FQDN of your server or its IP address.
- Port
Enter the port required for connection to your directory here. By default the port is preloaded in 389.
- Connection filter
We can set up a condition for the search. This allows you to filter the search for users by a reduced name of records.
For Active Directory use the following filter, which returns only users who are not deactivated (because machines are also considered as users by AD):
(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- BaseDN
Attention, the basedn must be written without spaces after the commas. In addition, breakage is important.
The parameters to enter are very simple, for example:
If your server is = ldap.mycompany.fr
So your basedn = dc=mycompany,dc=fr
- Account DN (for non-anonymous connections)
Enter here the full DN of the service account that will authenticate with your directory
- Account password (for non-anonymous connections)
Enter the password for the service account that will authenticate your directory here. Note that when saving the configuration, this field will appear empty, this is normal, the password will be saved in the database.
- Identifier field
By default, for an LDAP directory, the value will be placed on the "uid" field
For an Active Directory, we will prefer the "samaccountname" field
- Comments
This field does not influence the configuration, it is only a text field allowing you to place an indication, remarks, etc.
- Synchronization field
In the diagrams provided by default we recommend for example to use:
- For Microsoft Active Directory: the attribute "objectGUID" (corresponding to the official unique identifier of an object);
- For a directory based on OpenLDAP: the attribute "entryUUID".
Pay attention to this field, once configured it cannot be modified.
LDAPS (port 636)#
If you want to use LDAPS, you have to modify some data:
Server: In front of FQDN of your LDAP server, add ldaps: //, ex: ldaps: //mon.ad.com
Port : The port becomes 636
Once your directory has been saved, return to it to edit its configuration.
In the Advanced Information tab, change Use TLS to Yes.
References#
GLPI documentation "LDAP Directories"