GLPI and LDAP
GLPI can rely on one or more LDAP directories for:
- authenticating users
- retrieving their personal information (name, email, phone, etc.)
It is possible, as we shall see below, to import and synchronize users in 2 ways:
- Manually: on the initial connection, the user is created in GLPI. At each login, personal information is synchronized with the directory;
- Bulk import: either via the GLPI web interface or by using scripts
GLPI is compatible with any LDAP v3 compliant directory. It is, therefore, also compatible with Microsoft Active Directory.
All configurations are available in GLPI under the “Configuration / Authentication” tab, “LDAP: Configure LDAP authentication”.
<note warning> If you do not see any LDAP information and/or see a configuration error on this page, you have either not installed or not activated the LDAP module for PHP.
On Windows, you must:
- Uncomment in the php.ini file (this file is in the directory apache/bin) the line “extension = php_ldap.dll”.
Under Debian Linux, you must:
- Install the package php5-ldap and add the line “extension = ldap.so” at the end of the php.ini file (Debian Lenny will do this automatically upon install of the package). </note>
<note> You can define multiple LDAP servers for authentication in GLPI. The authentication procedure is as follows:
- During the first connection of the user, GLPI queries all the directories until it finds one that contains the user.
- The user is created in GLPI and the ID of the LDAP server is stored.
- On later logins, GLPI authenticates the user via the directory whose identifier is stored in GLPI.
- If authentication fails, GLPI retries all possible authentication methods. </note>
Adding A New Directory
To add a new directory, click the “+” button in the menu bar above.
The configuration screen for a new directory appears.
|Host LDAP||IP Address / DNS Name of Your LDAP Server|
|Basedn||DN Search Base|
|rootdn (for non-anonymous connections)||Authorized LDAP Search user if anonymous binds are disabled|
|Pass (for non-anonymous connections)||Password for non-anonymous binds|
|Connection Filter||Filter to restrict the search for a person in the directory. For example, if only a restricted set of people in the directory have the right to connect to GLPI, create a condition to restrict the search to these people.|
|Use TLS||Indicates whether or not to create an encrypted connection to the LDAP server|
|TimeZone||Allows you to specify the timezone of the server|
You can connect GLPI to LDAP through an SSL connection (also known as LDAPS). Just prefix the hostname (or IP) with ldaps:// and change the port (default 636). For example, for LDAPS access to the local host use:
Host: ldaps://127.0.0.1
Port: 636
<note tip> If you have a large AD enterprise with multiple subdomains, you can query the Global Catalog, which listens on port 3268 (or port 3269 if using SSL/TLS). This allows you to authenticate users who are in multiple subdomains without having to specify multiple LDAP servers. </note>
It is possible to add a secondary LDAP server. It has the same settings as the master.
To add a secondary, simply enter the following information:
|Name||The name of the secondary, shown in GLPI|
|Server||DNS Name or IP of the Secondary Server|
|Port||Port of the Secondary Server|
There is no limit to the number of secondary servers.
Base DN and authenticated users
Beware, the rootdn and basedn must be written without spaces after the commas. The path is case sensitive.
|cn=Admin, ou=users, dc=mycompany||incorrect|
|cn=Admin,ou=users,dc=mycompany||correct|
The parameters to enter are as follows, for example:
- host : ldap.mycompany.com
- basedn : dc=mycompany,dc=com
This should suffice if anonymous search is allowed. Otherwise, or if all users are not located under the same DN, you must specify the DN of an authorized user and its password: rootdn / Pass. For Active Directory, it is mandatory to use an account that has the rights to authenticate to the domain.
You can test these settings by attempting to connect to your directory through an LDAP browser.
There are many; examples include:
- LdapBrowser Editor (free software written in Java and therefore Multi-platform)
- ADSIedit for Active Directory. This tool is located in the support tools installation available on your Windows CD.
<note> If some of your users have connection restrictions on certain machines configured in AD, you will have the following error when attempting to login on the homepage of GLPI: User not found or multiple users found identical. The solution is to add the server hosting the AD to the list of PCs on which the user can connect. </note>
You need to set up a condition for your LDAP search. It allows you to filter the users to reduce the scope of the search.
- A simple LDAP filter can be:
(objectClass=inetOrgPerson)
Active Directory uses the following filter, which returns only users who are not disabled (because machines are also considered users by AD):
<note>Note that this filter is automatically applied if the type of directory is set to Active Directory</note>
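To see what a connection filter actually selects before typing it into GLPI, here is an added example (not code from GLPI or from this page): a small offline evaluator for the filter subset a connection filter needs, run against constructed directory entries. It assumes the usual Active Directory form of the “enabled users only” filter, which combines objectClass=user, objectCategory=person and the AD bitwise-AND matching rule on userAccountControl; that filter string, the entries and the DNs are assumptions made for the example, not values quoted on this page.

```python
"""Offline evaluator for the LDAP filter subset a GLPI connection filter uses.

Added example, not code from GLPI. Supported: (&...), (|...), (!...), (attr=value),
(attr=*) and the Active Directory bitwise-AND extensible match
(attr:1.2.840.113556.1.4.803:=mask), the rule used to test userAccountControl bits.
The directory entries below are constructed sample data.
"""

BIT_AND = "1.2.840.113556.1.4.803"      # AD LDAP_MATCHING_RULE_BIT_AND
ACCOUNT_DISABLE = 2                     # userAccountControl flag on disabled accounts

# Usual AD filter for enabled human accounts: computers also have objectClass=user,
# so objectCategory=person is needed too. Assumed to be the filter GLPI applies for
# the Active Directory type; this page does not quote it.
AD_ENABLED_USERS = ("(&(objectClass=user)(objectCategory=person)"
                    f"(!(userAccountControl:{BIT_AND}:={ACCOUNT_DISABLE})))")


def parse(expr: str):
    """Parse a filter string into a nested tuple tree."""
    node, pos = _parse_node(expr, 0)
    if pos != len(expr):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse_node(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        return (op, children), _expect(s, i, ")")
    if s[i] == "!":
        child, i = _parse_node(s, i + 1)
        return ("!", [child]), _expect(s, i, ")")
    end = s.index(")", i)
    body = s[i:end]
    if ":=" in body:                       # extensible match: attr:rule:=value
        lhs, value = body.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr.lower(), rule, value), end + 1
    attr, value = body.split("=", 1)
    return ("eq", attr.lower(), value), end + 1


def _expect(s: str, i: int, ch: str) -> int:
    if s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry ({attribute: [values]})."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = [str(v) for v in entry.get(node[1], [])]   # keys are lowercased in search()
    if kind == "eq":
        if node[2] == "*":                              # presence test
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "ext" and node[2] == BIT_AND:
        mask = int(node[3])
        return any(int(v) & mask == mask for v in values)
    raise ValueError(f"unsupported matching rule {node[2]}")


def search(filter_str: str, entries) -> list:
    """Return the DNs of the entries matching the filter, in directory order."""
    tree = parse(filter_str)
    return [dn for dn, attrs in entries
            if matches(tree, {k.lower(): v for k, v in attrs.items()})]


# Constructed sample directory: an enabled AD user, a disabled AD user (bit 2 set),
# a computer account, and an OpenLDAP-style inetOrgPerson. Real AD stores
# objectCategory as a schema DN; it is shortened to its keyword here.
SAMPLE_ENTRIES = [
    ("cn=alice,ou=users,dc=example,dc=com",
     {"objectClass": ["top", "person", "organizationalPerson", "user"],
      "objectCategory": ["person"], "sAMAccountName": ["alice"], "userAccountControl": [512]}),
    ("cn=bob,ou=users,dc=example,dc=com",
     {"objectClass": ["top", "person", "organizationalPerson", "user"],
      "objectCategory": ["person"], "sAMAccountName": ["bob"], "userAccountControl": [514]}),
    ("cn=PC01,ou=computers,dc=example,dc=com",
     {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
      "objectCategory": ["computer"], "sAMAccountName": ["PC01$"], "userAccountControl": [4096]}),
    ("uid=carol,ou=people,dc=example,dc=com",
     {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["carol"]}),
]

if __name__ == "__main__":
    print(search("(objectClass=inetOrgPerson)", SAMPLE_ENTRIES))   # the simple filter above
    print(search(AD_ENABLED_USERS, SAMPLE_ENTRIES))                 # alice only: bob is disabled, PC01 is a computer
```

Running it shows the difference the two extra conditions make: without objectCategory=person the computer account is returned as a user, and without the bitwise-AND clause the disabled account can still log in to GLPI.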
There is often a limit to the maximum number of records returned by a query (default 1000):
- On Unix, check the configuration of the LDAP client (e.g. on Debian/Ubuntu, /etc/ldap/ldap.conf)
- In AD you can just change the MaxPageSize of your directory.
This means typing the following commands:
C:> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
server connections: connect to server 192.168.1.1
(Here a few messages regarding connectivity are displayed)
server connections: q
ldap policy: show values
(Here we will see all the values, including MaxPageSize, which is currently 1000)
ldap policy: set maxpagesize to 5000
ldap policy: commit changes
ldap policy: q
ntdsutil: q
<note> The message “Test connection succeeded” indicates that GLPI was able to connect to the LDAP directory with the supplied information (host, port, user account). It now needs to import your users. To do this, you must set the other parameters (connection filter, login field, etc.). </note>
Connections between LDAP / GLPI
By default, they are initialized to the standard values used by an LDAP-compliant directory (not Active Directory). The values given below are only examples; your LDAP directory may vary.
|Setting||Meaning||LDAP standard Value||Value in Active Directory|
|login name||username||uid||samaccountname (write in lowercase)|
|email||user email address||mail||mail|
|phone||user telephone number||telephonenumber||telephonenumber|
|firstname||First (given) name||givenname||givenname|
<note warning> The names of LDAP attributes must be in lowercase.
The simplest way is to navigate in your LDAP Directory or AD to determine the fields that correspond to this information as they can vary significantly depending on the system you are using. See the previous section for LDAP browser tools. </note>
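The rules given above and in the Base DN section (an ldaps:// host goes with port 636 or 3269, DNs carry no spaces after the commas, attribute names are lowercase) are easy to check before saving the form. The following linter is an added example, not part of GLPI; its field names mirror the GLPI form, and the two sample configurations are constructed for illustration.

```python
"""Sanity checks for the values entered in the GLPI LDAP form.

Added example, not GLPI code. Rules checked are the ones this page states:
ldaps:// hosts use port 636 (or 3269 for the Global Catalog over SSL/TLS),
rootdn/basedn have no whitespace around commas and consist of attr=value RDNs,
and the attribute names mapped to GLPI fields are lowercase.
"""
import re

LDAPS_PORTS = {636, 3269}   # LDAPS, Global Catalog over SSL/TLS
LDAP_PORTS = {389, 3268}    # plain LDAP, Global Catalog
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
UNESCAPED_COMMA = re.compile(r"(?<!\\),")   # a backslash-escaped comma is part of a value


def normalize_dn(dn: str) -> str:
    """Return the DN with whitespace around unescaped commas removed."""
    return ",".join(p.strip() for p in UNESCAPED_COMMA.split(dn))


def check_dn(field: str, dn: str) -> list:
    """Findings for a DN field: stray spaces, or RDNs that are not attr=value."""
    findings = []
    if not dn:
        return findings
    clean = normalize_dn(dn)
    if clean != dn:
        findings.append(f"{field}: whitespace around commas; use {clean!r}")
    for rdn in UNESCAPED_COMMA.split(clean):
        if not RDN_RE.match(rdn):
            findings.append(f"{field}: {rdn!r} is not of the form attr=value")
    return findings


def check_host(host: str, port: int) -> list:
    """Findings when the ldaps:// prefix and the port do not agree."""
    findings = []
    if host.lower().startswith("ldaps://"):
        if port not in LDAPS_PORTS:
            findings.append(f"Host uses ldaps:// but port {port} is not one of {sorted(LDAPS_PORTS)}")
    elif port in LDAPS_PORTS:
        findings.append(f"port {port} is an SSL/TLS port but Host lacks the ldaps:// prefix")
    return findings


def check_attributes(mapping: dict) -> list:
    """GLPI field -> LDAP attribute; GLPI expects attribute names in lowercase."""
    return [f"{field}: attribute {attr!r} must be lowercase ({attr.lower()!r})"
            for field, attr in mapping.items() if attr != attr.lower()]


def lint(config: dict) -> list:
    """Run every check over one configuration and return the list of findings."""
    findings = check_host(config["host"], config["port"])
    for field in ("basedn", "rootdn"):
        findings += check_dn(field, config.get(field, ""))
    findings += check_attributes(config.get("fields", {}))
    return findings


# Constructed sample configurations: the first contains one instance of each mistake.
BAD_CONFIG = {
    "host": "ldaps://ldap.mycompany.com",
    "port": 389,
    "basedn": "dc=mycompany,dc=com",
    "rootdn": "cn=Admin, ou=users, dc=mycompany, dc=com",
    "fields": {"login": "sAMAccountName", "email": "mail"},
}
GOOD_CONFIG = {
    "host": "ldaps://ldap.mycompany.com",
    "port": 636,
    "basedn": "dc=mycompany,dc=com",
    "rootdn": "cn=Admin,ou=users,dc=mycompany,dc=com",
    "fields": {"login": "samaccountname", "email": "mail"},
}

if __name__ == "__main__":
    for finding in lint(BAD_CONFIG):
        print("-", finding)
    print("good config findings:", lint(GOOD_CONFIG))
```

The DN check deliberately splits only on unescaped commas, so a value such as `cn=Smith\, John` is left intact; the port check is limited to the ldaps/port-number mismatch the page describes rather than flagging every non-default port.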
From version 0.72, the following attributes have been added:
|Setting||Meaning||LDAP standard Value||Value in Active Directory|
|language||language to use||preferredlanguage||preferredlanguage|
The parameter “language” will synchronize the user's language with the directory. This feature may be useful in a multilingual environment.
The following language formats are accepted:
<note warning> When a user is deleted from the LDAP/AD directory, it is not removed from GLPI, it is only disabled. </note>
Users belonging to groups
GLPI can read the membership of a user from a group located in an LDAP directory. This allows the management of users from the directory.
The group membership is calculated when:
- The level of the user in GLPI is changed
- Logon of the user to the web interface
- When you force synchronization with the directory
This allows you to create a group of technicians in the directory, which GLPI can translate into rules and permissions for the technicians in GLPI.
Groups can be:
- Imported automatically by GLPI (Administration → Groups → LDAP Link)
- Created manually into GLPI specifying LDAP settings
Depending on the directory, information on membership of a user group is available in different ways. GLPI can find this from:
- Searching an attribute of the user object
- Searching an attribute of an object group
Setting up a group
|Filter for the search in groups|
|Using the DN for search|
|Attribute indicating the user groups|
|Attribute groups containing users|
Examples of groups
In a classic LDAP directory, choose whichever of the 2 methods suits the objects in use:
- Search in a group (e.g. TechnicianGroup)
- Search in a user (if it uses its own object type, for example)
In an Active Directory, you can find the DN membership 2 ways:
- In a user via the attribute memberOf
- In a group via the attribute groupmembers
<note> The configuration parameter “Use DN for the search” is important. By default it is set to “Yes”, but there are cases where it should be “No”. For example, when using a posixGroup object, it does not store the DN of the user but just the uid. </note>
<note> An object group must include a CN attribute, which will be used as group name in GLPI. </note>
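The two membership methods above, and the effect of the “Use DN for the search” setting, as an added example that is not GLPI code. The entries are constructed; the attribute names are the standard ones (memberOf on an Active Directory user, member on a groupOfNames group holding user DNs, memberUid on a posixGroup holding only uids), so substitute whatever attributes your own directory exposes. The group name is taken from the group's cn, as the note above says.

```python
"""Resolving a user's group membership the two ways the GLPI form allows.

Added example, not GLPI code. Entries are constructed. Method 1 reads an
attribute of the user object (e.g. memberOf); method 2 scans group objects for
an attribute that lists the user, either by DN (member on groupOfNames) or by
uid (memberUid on posixGroup), which is why "Use DN for the search" must be
set to No for posixGroup.
"""


def _norm(attrs: dict) -> dict:
    """Lowercase attribute names: LDAP attribute names are case-insensitive."""
    return {k.lower(): [str(v) for v in vals] for k, vals in attrs.items()}


def rdn_value(dn: str, attr: str) -> str:
    """Value of the first RDN of the given type, e.g. the cn of a group DN."""
    for rdn in dn.split(","):
        a, _, v = rdn.partition("=")
        if a.strip().lower() == attr.lower():
            return v.strip()
    raise ValueError(f"no {attr} in {dn!r}")


def groups_from_user(user_attrs: dict, attr: str) -> list:
    """Method 1: the group DNs stored on the user object (e.g. memberOf)."""
    return list(_norm(user_attrs).get(attr.lower(), []))


def groups_from_groups(user_dn: str, user_uid: str, groups, attr: str, use_dn: bool) -> list:
    """Method 2: scan group objects for the user, matching by DN or, for posixGroup, by uid."""
    needle = (user_dn if use_dn else user_uid).lower()
    return [group_dn for group_dn, attrs in groups
            if needle in [v.lower() for v in _norm(attrs).get(attr.lower(), [])]]


def resolve_group_names(user_dn: str, user_attrs: dict, groups, settings: dict) -> list:
    """Apply the 'Setting up a group' options (user_attr, group_attr, use_dn) and return group names."""
    dns = []
    if settings.get("user_attr"):
        dns += groups_from_user(user_attrs, settings["user_attr"])
    if settings.get("group_attr"):
        uid = _norm(user_attrs).get("uid", [""])[0]
        dns += groups_from_groups(user_dn, uid, groups, settings["group_attr"],
                                  settings.get("use_dn", True))
    unique = []
    for dn in dns:                       # a group found by both methods is listed once
        if dn.lower() not in [u.lower() for u in unique]:
            unique.append(dn)
    return [rdn_value(dn, "cn") for dn in unique]


# Constructed sample: one user, one groupOfNames group and one posixGroup.
ALICE_DN = "cn=alice,ou=users,dc=example,dc=com"
TECH_DN = "cn=Technicians,ou=groups,dc=example,dc=com"
HELPDESK_DN = "cn=helpdesk,ou=groups,dc=example,dc=com"

ALICE = {"uid": ["alice"], "memberOf": [TECH_DN]}
GROUPS = [
    (TECH_DN, {"objectClass": ["groupOfNames"], "member": [ALICE_DN]}),
    (HELPDESK_DN, {"objectClass": ["posixGroup"], "memberUid": ["alice"]}),
]

if __name__ == "__main__":
    print(resolve_group_names(ALICE_DN, ALICE, GROUPS, {"user_attr": "memberof"}))
    print(resolve_group_names(ALICE_DN, ALICE, GROUPS, {"group_attr": "memberuid", "use_dn": True}))
    print(resolve_group_names(ALICE_DN, ALICE, GROUPS, {"group_attr": "memberuid", "use_dn": False}))
```

The second call in the usage block reproduces the misconfiguration the note describes: searching memberUid for the user's full DN finds nothing, while the same search with use_dn set to False returns the posixGroup.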