LDAP directories

GLPI can interface with one or more LDAP directories to authenticate users, control their access, retrieve their personal information, and import groups.

All LDAP v3 compatible directories are supported by GLPI. This is also the case for Microsoft's Active Directory. There is no limit to the number of directories configured. However, the higher this number, the longer it may take to search for a new user to authenticate.

It is possible to import and synchronize users in 2 ways:

Upon first connection, the user is created in GLPI. Each time they connect, their personal information is synchronized with the directory. If receivers are used and there is an email not associated with an existing user, the unknown email address will be searched for in the directory to create the associated user.
In bulk, either via the web interface or via the CLI command glpi:ldap:synchronize_users.

If no LDAP configuration is visible (or if you see an error message regarding this section), it means the LDAP module for PHP is not installed.

On Linux, install the ldap package for PHP (e.g., php-ldap on Debian), then restart the web server.

On Windows, you need to uncomment the line extension=php_ldap.dll in the php.ini file (located in the apache/bin directory) and then restart the web server.

The user authentication process is divided into 3 parts: authentication, access control, and finally, retrieval of personal data.

LDAP Authentication

Upon the user's first connection, GLPI will scan all configured directories until it finds one that contains the user. If the option to import users from an external source is active, the user is created, and the connection method identifier and LDAP server are stored in the database.

Subsequently, each time the user connects, they are authenticated against the directory whose identifier is stored in GLPI. Other directories are not used; if a user is disabled in the directory they previously used to connect, they will not be able to connect using another authentication source.

Access Control

Access control is the assignment of permissions to a user. Even if a user is authenticated against the directory, they are not necessarily authorized to log in to GLPI.

This mechanism relies on the use of Authorization Assignment Rules.

LDAP Directory

There is an Active Directory pre-configuration template that pre-fills a number of fields.

To load it, click on the Active Directory link when adding a directory. The Default Value(s) link will reset the values to their initial state.

Default Server: If you have multiple LDAP servers configured, you can only set one as the default. Choosing this setting will remove it from the server where it was previously defined.
Active: You can disable an LDAP without having to delete it.
Server and Port: Represent the address and port of the LDAP directory.
: GLPI can connect to an LDAP directory via an LDAPS connection. To enable it, prefix your server field with ldaps:// and change the port to that of your LDAP directory's LDAPS port (default is 636).
Comments: Add a note or comment to your LDAP directory.
Connection Filter: Allows restricting the search for users in the directory. For example, if only a specific set of users are allowed to log in to GLPI, you can create a condition to limit the search to this set of users.
Some filter examples:
- A classic LDAP filter: (objectclass=inetOrgPerson)
- An Active Directory filter to return only enabled users: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
The Active Directory filter example is automatically populated when the Active Directory pre-configuration template is selected.
BaseDN: The location in the directory from which searches will be performed.
Use bind: Indicates whether a basic bind operation should be used when connecting to the LDAP server. Disabling this behavior may be required when an LDAPS bind operation is used.
RootDN: The distinguished name of the user account to authenticate to LDAP when anonymous binds are not used.

RootDN and BaseDN are case-sensitive and must not contain spaces between parts. Examples:

cn=Admin, ou=users, dc=mycompany : incorrect
cn=Admin,ou=users,dc=mycompany : correct

Password: The password for the account specified (if any) in the RootDN field.
Login Field: The name of the field in the LDAP directory corresponding to the user's identifier (e.g., uid in LDAP or samaccountname in Active Directory).
Synchronization Field: The name of the field in the LDAP directory used for synchronization. This field must be unique for each user (e.g., employeeuid in LDAP or objectguid in Active Directory).

The parameters to fill in are simple. For example:

Server: ldap.mycompany.fr
BaseDN: dc=mycompany,dc=fr

This should be sufficient if anonymous binds are allowed. Otherwise, and if not all users are located in the same DN, you will need to specify the DN of an authorized user and their password via the RootDN/Password parameters. For Active Directory, it is required to specify an account that has the right to authenticate to the domain.

If some users have restrictions on connecting to certain machines configured in their Active Directory profile, a "user not found" error may appear. The solution is to add the Active Directory server to the list of computers the user is allowed to connect to.

Don't forget to enable your directory and set it as default (if desired) if you have multiple directories.

Test

Allows testing the configuration defined in the LDAP directory tab.

The message Connection test successful indicates that GLPI was able to connect to the LDAP directory with the provided information (host, port, user account).

Now, it's time to import users. To do this, it is necessary to verify the other parameters (connection filter, login field, etc.).

Users

Allows configuring how the link between directory fields and GLPI fields will be established. Most fields are automatically mapped for you but can still be modified.

You can use a field name or an expression containing multiple %{fieldName} Example for location: %{city} > %{roomnumber}

Groups

Allows configuring the method for retrieving groups from the LDAP directory.

Search type: allows searching for groups within users, within groups (for nested groups, for example), or both.
User attribute containing its groups: Specify the attribute used for the search (e.g., memberof)
Filter to search in group: Filter the search to prevent certain groups from being returned (e.g., do not return groups created by default by Windows (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) )
Group attribute containing its users: Attribute used for user search (e.g., member)
Use DN in the search: If this option is enabled, GLPI will use the user's full DN (Distinguished Name) in the LDAP query to find the groups they are a member of. GLPI searches for groups where the member attribute (or equivalent) contains this full DN. If this option is disabled, GLPI uses a simple identifier instead (often the uid or sAMAccountName depending on the LDAP schema).

Advanced Information

Use TLS: use the TLS protocol for LDAP(S) synchronization
LDAP Directory Timezone: if the server hosting the LDAP directory is in a different timezone than GLPI, you need to modify the Timezone variable to account for the difference.

Limit on the number of records returned

There are often two limits on the number of records returned per query.

Client limit (defined for example on Debian/Ubuntu in /etc/ldap/ldap.conf)
Server limit: If the server limit is lower than the client limit, then the latter is the effective limit.

If the limit is reached, GLPI's optional behavior for deleting LDAP users will not work. Additionally, GLPI will display a warning message during import or synchronization.

It is possible to bypass the limitation by enabling Result Paging in the Advanced Information tab of the LDAP directory in GLPI. This will allow queries to be broken down into smaller queries that are below the configured limit.

Use paged results: Yes / No
Page size: select a number to limit the number of results per page
Maximum number of results: limit the total number of results to display

On an OpenLDAP directory, the default limit is 500, and on Active Directory, it is 1000.

On Active Directory, it is possible to modify the MaxPageSize value with the following commands (This modification is global for the entire directory):

C:> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
  server connections: connect to server 192.168.1.1 (here some messages concerning connectivity are displayed)
server connections : q
ldap policy : show values (here we will see all values including MaxPageSize which is currently 1000)
ldap policy : set maxpagesize to 5000
ldap policy : commit changes
ldap policy : q
ntdsutil : q

How LDAP aliases should be handled: indicate how GLPI should behave when aliases are found. For example: uid=admin pointing to uid=jean.dupont,ou=Users,dc=company,dc=com.
- Never dereferenced (default): GLPI completely ignores aliases in searches.
- Always dereferenced: considers aliases as real entries.
- Dereferenced during the searchbut not when locating): only follows aliases pointing to other objects during the search.
- Dereferenced when locatin (not during the search): only follows aliases in the search base (the DN). Can be used when aliases exist in the same container.
Domain name used by the inventory tool to link the user:
TLS Certfile / TLS Keyfile: specify the paths to the certificates if necessary.
TLS Version: Specify the TLS protocol version (from 1.0 to 1.3).
Timeout: specify the timeout for connecting to your LDAP(S).

Replicates

If an LDAP directory is not accessible, users provided by it will not be able to log in to GLPI.

To help avoid this situation, replicas can be declared in GLPI. These are LDAP servers that hold the same data as the primary server but are available at a different address.

Replicas are only used when the connection to the primary server is lost. Adding replicas in GLPI is done by entering a Name that will be displayed in GLPI, as well as a Server, Port, and Timeout in the Replicas tab of the LDAP directory.

To enable LDAPS, prefix your server entry with ldaps:// and change the port to the LDAPS port of your LDAP directory (default 636). There is no limit to the number of replicas per LDAP directory.

History

The History tab allows you to view all modifications made to an item. The following information regarding modifications is available:

Modification ID.
Date and time of the modification.
User who made the modification. If this field is not populated, it means the action was performed automatically (Example: automatic inventory update).
Field that was modified.
Description of the modification that was made.

The modification description represents either the difference between the old and new value (Example with the location field: Change from HQ to Remote Office A), or the explanation of the action that was performed (Example: Software uninstallation: "Gimp 2.0").

For dropdown lists or objects with a parent/child relationship, modifying a child will appear in the parent item's history.

All

For an item, all information is displayed on a single page from the All tab. This allows you to view all tabs of an object's form in a single view, one below the other.

PreviousConfigure external authentication NextAuthenticate from IMAP

Last updated 2 months ago

Good night

LDAP Authentication

Access Control

LDAP Directory

Test

Users

Groups

Advanced Information

Replicates

History

All