
GLPI and LDAP

Introduction

GLPI can rely on one or more directories for LDAP for:

  • authenticating users
  • retrieving their personal information (name, email, phone, etc)

As described below, users can be imported and synchronized in two ways:

  • Individually: on the initial login, the user is created in GLPI. At each subsequent login, the user's personal information is synchronized with the directory;
  • Bulk import: either via the GLPI web interface or with scripts

GLPI is compatible with any LDAP v3 compliant directory. It is, therefore, also compatible with Microsoft Active Directory.

All configurations are available in GLPI in the “Configuration / Authentication” tab “LDAP: Configure LDAP authentication”

If you do not see any LDAP information and/or a configuration error on this page you have either not installed or activated the LDAP module for PHP.

On Windows, you must:

  • Uncomment the line “extension = php_ldap.dll” in the php.ini file (located in the apache/bin directory).

Under Debian Linux, you must:

  • Install the package php5-ldap and add the line “extension = ldap.so” at the end of the php.ini file (Debian Lenny does this automatically when the package is installed).

You can define multiple LDAP servers for authentication in GLPI. The authentication procedure is as follows:

  • On the user's first login, GLPI queries all the directories in turn until it finds one that contains the user.
  • The user is created in GLPI and the ID of that LDAP server is stored with the user.
  • On later logins, GLPI authenticates the user against the directory whose identifier is stored in GLPI.
  • If that authentication fails, GLPI retries all the other possible authentication methods.

Adding A New Directory

To add a new directory, click the “+” button in the menu bar above.

The configuration screen for a new directory appears.

Parameter | Meaning
Host | IP address or DNS name of your LDAP server
Basedn | Search base DN
rootdn (for non-anonymous connections) | DN of an authorized LDAP search user, required if anonymous binds are disabled
Pass (for non-anonymous connections) | Password for non-anonymous binds
Connection filter | Filter that restricts the search for a person in the directory. For example, if only a restricted set of people in the directory are allowed to log in to GLPI, write a condition that limits the search to those people.
Use TLS | Whether to create an encrypted connection to the LDAP server
TimeZone | Timezone of the server

You can also connect GLPI to the directory over SSL (known as LDAPS). Prefix the hostname (or IP) with ldaps:// and change the port (636 by default). For example, to reach an LDAPS server on the local host use:

 Host : ldaps://127.0.0.1
 Port : 636

If you have a large Active Directory with multiple subdomains, you can query the Global Catalog, which listens on port 3268 (or 3269 with SSL/TLS). This lets you authenticate users from several subdomains without declaring several LDAP servers.

Secondary LDAP

It is possible to add a secondary LDAP server. They have the same settings as the master.

To add a secondary, simply enter the following information:

Setting | Meaning
Name | Name of the secondary, as shown in GLPI
Server | DNS name or IP of the secondary server
Port | Port of the secondary server

There is no limit to the number of secondary servers.

Base DN and authenticated users

Beware: the rootdn and basedn must be written without spaces after the commas. The path is case sensitive.

rootdn Example:

 cn=Admin, ou=users, dc=mycompany   (incorrect: spaces after the commas)
 cn=Admin,ou=users,dc=mycompany     (correct)

The parameters to enter are as follows, for example:

  • host : ldap.mycompany.com
  • basedn : dc=mycompany,dc=com

This is enough if anonymous search is allowed. Otherwise, or if not all users are located under the same DN, you must specify the DN and password of an authorized user (rootdn / Pass). For Active Directory, it is mandatory to use an account that has the right to authenticate to the domain.

You can test these settings by attempting to connect to your directory through an LDAP browser.

There are many; two examples:

  • LdapBrowser Editor (free software written in Java, and therefore multi-platform)
  • ADSIedit for Active Directory. This tool is part of the Support Tools available on your Windows CD.

If some of your users have logon restrictions to certain machines configured in AD, you will get the following error when they try to log in on the GLPI home page: “User not found or multiple identical users found”. The solution is to add the server hosting the AD to the list of computers the user is allowed to log on to.

Connection filter

You need to set up a condition for your LDAP search. It filters the users and reduces the scope of the search.

A simple LDAP filter can be:

 (objectClass=inetOrgPerson)

For Active Directory, use the following filter, which returns only user accounts that are not disabled (computers are also user objects in AD, which is why objectCategory=person is needed):

 (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Note that this filter is applied automatically if the directory type is set to Active Directory.

There is often a limit on the maximum number of records returned by a query (1000 by default):

  • On Unix, check the configuration of the LDAP client (e.g. /etc/ldap/ldap.conf on Debian/Ubuntu).
  • In AD, change the MaxPageSize LDAP policy of your directory.

For AD, this means typing the following commands in ntdsutil:

 C:\> ntdsutil
 ntdsutil: ldap policies
 ldap policy: connections
 server connections: connect to server 192.168.1.1
   (a few messages about connectivity are displayed here)
 server connections: q
 ldap policy: show values
   (all the values are listed, including MaxPageSize, currently 1000)
 ldap policy: set maxpagesize to 5000
 ldap policy: commit changes
 ldap policy: q
 ntdsutil: q

The message “Test connection succeeded” indicates that GLPI was able to connect to the LDAP directory with the supplied information (host, port, user account). You now need to import your users. To do this, you must set the other parameters (connection filter, login field, etc.).

Mapping LDAP attributes to GLPI fields

By default, the fields are set to the standard attribute names used by an LDAP-compliant directory (not Active Directory). The values below are only examples; your LDAP directory may differ.

Setting | Meaning | Standard LDAP value | Value in Active Directory
login name | username | uid | samaccountname (write it in lowercase)
email | user email address | mail |
phone | user telephone number | telephonenumber |
realname | surname | cn | sn
firstname | first (given) name | givenname |

The names of LDAP attributes must be in lowercase.

The simplest way is to navigate in your LDAP Directory or AD to determine the fields that correspond to this information as they can vary significantly depending on the system you are using. See the previous section for LDAP browser tools.

From version 0.72, the following attributes have been added:

Setting | Meaning | Standard LDAP value | Value in Active Directory
title | user's title | title | title
type | user type | employeetype | employeetype
language | language to use | preferredlanguage | preferredlanguage

The parameter “language” will synchronize the user's language with the directory. This feature may be useful in a multilingual environment.

The following language formats are accepted:

  • en_US
  • US
  • English

When a user is deleted from the LDAP/AD directory, it is not removed from GLPI, it is only disabled.
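The following added example (not GLPI's own code; the dict layouts, sample entries and function names are constructed here) ties the mapping tables above to the synchronization behaviour just described: raw entries are normalized to lowercase attribute names (LDAP attribute names are case-insensitive, and PHP's ldap_get_entries(), which GLPI uses, returns them lowercased, which is why the mapping must use lowercase), each entry is mapped to a GLPI user record, and users no longer present in the directory are disabled rather than deleted.

```python
# Mapping tables as given on this page (lowercase attribute names).
STANDARD_LDAP_MAPPING = {
    "login": "uid",
    "email": "mail",
    "phone": "telephonenumber",
    "realname": "cn",
    "firstname": "givenname",
}
ACTIVE_DIRECTORY_MAPPING = {
    "login": "samaccountname",
    "email": "mail",
    "phone": "telephonenumber",
    "realname": "sn",
    "firstname": "givenname",
}

# Constructed sample entries, written with the mixed-case attribute names an AD
# server would return so that the lowercase normalization is exercised.
SAMPLE_AD_ENTRIES = [
    {"dn": "CN=John Doe,OU=users,DC=mycompany,DC=com",
     "sAMAccountName": ["jdoe"], "mail": ["jdoe@mycompany.example"],
     "telephoneNumber": ["+33 1 00 00 00 00"], "sn": ["Doe"], "givenName": ["John"]},
    {"dn": "CN=Alice Smith,OU=users,DC=mycompany,DC=com",
     "sAMAccountName": ["asmith"], "mail": ["asmith@mycompany.example"],
     "sn": ["Smith"], "givenName": ["Alice"]},
]

# Constructed local user table: 'bob' has been removed from the directory.
LOCAL_USERS = {
    "jdoe": {"login": "jdoe", "phone": "old number", "is_active": True},
    "bob": {"login": "bob", "is_active": True},
}


def normalise_entry(entry):
    """Lowercase attribute names and make every value a list, as ldap_get_entries() does."""
    out = {}
    for name, values in entry.items():
        if isinstance(values, str):
            values = [values]
        out[name.lower()] = list(values)
    return out


def map_user(entry, mapping):
    """Build a GLPI-style user dict from a directory entry using a field mapping."""
    norm = normalise_entry(entry)
    user = {}
    for glpi_field, attr in mapping.items():
        values = norm.get(attr.lower(), [])
        user[glpi_field] = values[0] if values else None   # first value wins
    if not user["login"]:
        raise ValueError("entry has no login attribute; check the mapping")
    return user


def sync_users(local_users, ldap_entries, mapping):
    """Return the local user table updated from the directory.

    Users found in the directory are refreshed and active; users missing from
    the directory are kept but marked inactive (never deleted).
    """
    result = {}
    seen = set()
    for entry in ldap_entries:
        user = map_user(entry, mapping)
        login = user["login"].lower()
        seen.add(login)
        merged = dict(local_users.get(login, {}))
        merged.update(user)
        merged["is_active"] = True
        result[login] = merged
    for login, user in local_users.items():
        if login not in seen:
            kept = dict(user)
            kept["is_active"] = False
            result[login] = kept
    return result


if __name__ == "__main__":
    for login, user in sync_users(LOCAL_USERS, SAMPLE_AD_ENTRIES, ACTIVE_DIRECTORY_MAPPING).items():
        print(login, user)
```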

Users belonging to groups

GLPI can read a user's membership of groups stored in an LDAP directory. This allows users to be managed from the directory.

The group membership is calculated when:

  • The user's level in GLPI is changed
  • The user logs on to the web interface
  • You force a synchronization with the directory

This lets you create a group of technicians in the directory, which GLPI can translate into rules and permissions for those technicians in GLPI.

Groups can be:

  • Imported automatically by GLPI (Administration → Groups → LDAP Link)
  • Created manually into GLPI specifying LDAP settings

Depending on the directory, information on membership of a user group is available in different ways. GLPI can find this from:

  • Searching an attribute of the user object
  • Searching an attribute of an object group

Setting up a group

Settings:

  • Search type
  • Filter for the search in groups
  • Use DN for the search
  • Attribute indicating the user's groups
  • Group attribute containing users

Examples of groups

In a classic LDAP directory, choose whichever of the two methods fits the objects in use:

  • Search in a group (e.g. TechnicianGroup)
  • Search in a user (if it uses its own object type, for example)

In an Active Directory, the membership DNs can be found in two ways:

  • In a user, via the attribute memberOf
  • In a group, via the attribute groupmembers

The configuration parameter “Use DN for the search” is important. By default it is set to “Yes”, but there are cases where it must be “No”. For example, a posixGroup object does not store the DN of the user, only the uid.

An object group must include a CN attribute, which will be used as group name in GLPI.
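As an added example (not GLPI's own code; the sample entries, attribute choices and function names are constructed here), the two lookup methods from this section and the effect of “Use DN for the search” can be shown on a small in-memory directory: a user whose memberOf attribute lists a groupOfNames, that group's member attribute holding the user's DN, and a posixGroup whose memberUid holds only the uid. The DN comparison strips the spaces after commas that the Base DN section warns about and folds case; this is a simplification of full RFC 4517 DN matching, used here only for the demonstration.

```python
# Constructed sample directory data.
SAMPLE_USER = {
    "dn": "uid=jdoe,ou=users,dc=mycompany,dc=com",
    "uid": ["jdoe"],
    "memberof": ["cn=TechnicianGroup,ou=groups,dc=mycompany,dc=com"],
}
SAMPLE_GROUPS = [
    {"dn": "cn=TechnicianGroup,ou=groups,dc=mycompany,dc=com",
     "cn": ["TechnicianGroup"],
     "objectclass": ["groupOfNames"],
     "member": ["uid=jdoe, ou=users, dc=mycompany, dc=com"]},   # spaces on purpose
    {"dn": "cn=admins,ou=groups,dc=mycompany,dc=com",
     "cn": ["admins"],
     "objectclass": ["posixGroup"],
     "memberuid": ["jdoe", "asmith"]},
    {"dn": "cn=nobody,ou=groups,dc=mycompany,dc=com",
     "cn": ["nobody"],
     "objectclass": ["groupOfNames"],
     "member": ["uid=asmith,ou=users,dc=mycompany,dc=com"]},
]


def normalise_dn(dn):
    """Remove whitespace around commas and fold case (simplified DN comparison)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_name_from_dn(dn):
    """Return the value of the leading cn= RDN, which GLPI uses as the group name."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"group DN does not start with cn=: {dn!r}")
    return value.strip()


def groups_from_user(user, group_attr="memberof"):
    """Search type 'user': read the group DNs stored on the user object (e.g. memberOf)."""
    return [group_name_from_dn(dn) for dn in user.get(group_attr, [])]


def groups_from_groups(user, groups, member_attr, use_dn=True):
    """Search type 'group': scan group objects for a member attribute naming the user.

    use_dn=True compares full DNs (groupOfNames 'member');
    use_dn=False compares the bare login (posixGroup 'memberUid').
    """
    if use_dn:
        key = normalise_dn(user["dn"])
        members_of = lambda g: {normalise_dn(m) for m in g.get(member_attr, [])}
    else:
        key = user["uid"][0].lower()
        members_of = lambda g: {m.lower() for m in g.get(member_attr, [])}
    names = []
    for group in groups:
        if key in members_of(group):
            cn = group.get("cn")
            if not cn:
                raise ValueError("group object has no cn attribute; GLPI needs it as the group name")
            names.append(cn[0])
    return names


if __name__ == "__main__":
    print(groups_from_user(SAMPLE_USER))
    print(groups_from_groups(SAMPLE_USER, SAMPLE_GROUPS, "member", use_dn=True))
    print(groups_from_groups(SAMPLE_USER, SAMPLE_GROUPS, "memberuid", use_dn=False))
    # Wrong setting for a posixGroup: comparing DNs against bare uids finds nothing.
    print(groups_from_groups(SAMPLE_USER, SAMPLE_GROUPS, "memberuid", use_dn=True))
```

The last call reproduces the misconfiguration the text warns about: with “Use DN for the search” left at “Yes”, a posixGroup's memberUid values never match the user's DN, so the user appears to belong to no group.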