# LDAP(s)

***

### How do I connect my Entra LDAPS to GLPI?

To connect an LDAPS[^1] directory, first make sure you hold a license that allows you to create one: the [domain services](https://learn.microsoft.com/fr-fr/entra/identity/domain-services/overview) feature is required to create your LDAPS[^1]. Please refer to Microsoft's [official documentation](https://azure.microsoft.com/fr-fr/products/microsoft-entra-ds). Once your LDAPS has been created, simply follow the instructions from **`Setup`** > **`Authentication`** > **`LDAP directory`**.

***

### Why do I get an error message informing me that I don't have rights to access the application?

This happens when the authorisation rules have not been set up. In fact, once authentication has been successful, GLPI checks that you have an assigned authorisation. GLPI also checks that a rule has been set up to assign you one automatically. If this is not the case, access to GLPI will be denied. To set up these authorisation rules, go to this [article](https://app.gitbook.com/s/sGALtnzA2IROeldmXKt5/authentication/setup_ldap) for help with setup.

***

### Why are my users deleted from GLPI when they are deactivated?

From **`Setup`** > **`Authentication`** > **`Setup`** you can choose the GLPI behaviour when a user is deactivated in your LDAP(s):

* Preserve
* Disable
* Disable + withdraw groups
* Disable + withdraw dynamic authorisations and groups
* Put in trashbin
* Withdraw dynamic authorisations and groups

***

### I'm having trouble synchronising my LDAP(s). How can I get a debug?

For on-premise instances, check **`files/_log`** (or wherever you have stored your logs). You can also install the [LDAP Tools](https://glpi-plugins.readthedocs.io/en/latest/ldaptools/index.html) plugin to help you understand what the problem is.

***

### What information is sent back by LDAP(s)?

You can manage the information retrieved from your LDAP(s) from **`Setup`** > **`Authentication`** > **`LDAP directory`**, **`Users`** tab.

<figure><img src="https://3250947132-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSvoJ3lioglS2UZLcWWyP%2Fuploads%2Fgit-blob-4cba380c8f81936b1dcc6e443ea21e9217aa4f64%2Fldap-1.png?alt=media" alt=""><figcaption></figcaption></figure>

***

### How do I synchronise groups?

From **`Setup`** > **`Authentication`** > **`LDAP directory`**, tab **`Groups`**, you can choose how GLPI will behave when synchronising your groups.

GLPI can:

* Check the groups belonging to the user (user search)
* Check the users present in the groups (group search)
* Both

Remember to indicate the user attribute (usually **`memberof`**) so that GLPI can use this attribute to synchronise the groups belonging to the user. Remember to indicate the groups attribute (usually **`member`**) so that GLPI can use this attribute to synchronise the users in the groups.

***

### What is the purpose of the group search filter?

The filter allows you to find only certain groups, based on their name for example. If you only wanted to find the accounting group, you could use a filter such as **`(&(objectCategory=group)(sAMAccountName=*accounting*))`**. You can use this [documentation](https://learn.microsoft.com/fr-fr/windows/win32/adsi/search-filter-syntax) to help you build your filter.

***

### How do I add replicas for my LDAP server(s)?

From **`Setup`** > **`Authentication`** > **`LDAP directory`**, tab **`Replicates`**, enter the information required for replicates.

***

### Why aren't my users imported?

Check that your LDAP(s) can be reached and is correctly configured on the GLPI side. If your LDAP(s) is correctly set up on the GLPI side, check that the **`automatically add users from an external authentication source`** option has been selected. Check that automatic authorisations have been set up. If you do not have automatic authorisation, check that the option **`add a user without accreditation from a LDAP directory`** (from **`Setup`** > **`Authentication`** > **`Setup`**) is set to **`Yes`**.

***

### How can I automatically synchronise my LDAP users?

In order to automatically synchronise your users from an LDAP[^2], you can add a line to your crontab (the one for the user who reads the web files: Apache, www-data, etc.).

**`0 * * * * www-data cd /var/www/glpi/ && /usr/bin/php bin/console glpi:ldap:synchronize_users --no-interaction >/dev/null 2>&1`**

You can add options to this command. For example, to force the policy of disabling users when they are deleted from LDAP(s):

**`0 * * * * www-data cd /var/www/glpi/ && /usr/bin/php bin/console glpi:ldap:synchronize_users --no-interaction -d 3 >/dev/null 2>&1`**

See the list of actions with:

**`php bin/console ldap:synchronize_users --help`**

If you want to perform several actions, we advise you to add as many LDAP commands to your cron as you need (one command for synchronising accounts, another for deactivating accounts, etc.).

***

### Does the command **`php /var/www/html/glpi/bin/console glpi:ldap:synchronize_users`**, set up in cron, apply the LDAP connection filter configured in **`Setup`** > **`Authentication`** > **`LDAP directories`**?

Yes, if you don't specify **`--ldap-filter`** in your command line, GLPI takes the sync field **+** the condition specified in the connection filter to perform the search.

{% hint style="success" %}
**Example**

* Synchronisation field configured = **`entryuuid`**
* Connection filter configured = **`(objectClass=inetOrgPerson)`**
* Resulting LDAP filter on command line = **`(& (entryuuid=*) (objectClass=inetOrgPerson))`**
{% endhint %}
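To check filters like the group search filter above or the combined filter GLPI builds for the cron synchronisation, here is an added example (not GLPI's own code; the helper names are hypothetical) that reproduces both filter shapes, escapes values according to RFC 4515 so that text typed into a search box cannot inject extra filter components, and parses a filter so that a malformed one is caught before it is pasted into the GLPI configuration:

```python
"""RFC 4515 search-filter helpers for checking GLPI LDAP settings.

Added example; not GLPI's own code. The filter shapes come from the FAQ above,
the helper names are hypothetical.
"""

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into a filter, so that parentheses or
    wildcards typed by a user cannot add or remove filter components."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_group_name_filter(fragment: str) -> str:
    """The FAQ's 'accounting' group filter built by plain interpolation (what not to do)."""
    return f"(&(objectCategory=group)(sAMAccountName=*{fragment}*))"


def group_name_filter(fragment: str) -> str:
    """The same filter with the fragment escaped."""
    return f"(&(objectCategory=group)(sAMAccountName=*{escape_filter_value(fragment)}*))"


def glpi_sync_filter(sync_field: str, connection_filter: str = "") -> str:
    """Filter the FAQ says glpi:ldap:synchronize_users uses without --ldap-filter:
    '<sync field> is present' AND the configured connection filter."""
    if not connection_filter:
        return f"({sync_field}=*)"
    return f"(& ({sync_field}=*) {connection_filter})"


def parse_filter(text: str):
    """Parse a filter into nested tuples; raise ValueError if it is malformed.

    and/or -> ("&"|"|", [items]); not -> ("!", [item]);
    simple -> (attribute_description, operator, value), where the attribute
    description keeps any extensible-match rule such as
    'member:1.2.840.113556.1.4.1941'.
    Whitespace between components is tolerated because GLPI emits it (see the
    example above); strict RFC 4515 has none.
    """
    pos = 0

    def peek() -> str:
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        return text[pos]

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def expect(ch: str) -> None:
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def component():
        nonlocal pos
        skip_ws()
        expect("(")
        skip_ws()
        head = peek()
        if head in "&|":
            pos += 1
            items = []
            skip_ws()
            while peek() == "(":
                items.append(component())
                skip_ws()
            if not items:
                raise ValueError(f"empty {head!r} set at offset {pos}")
            expect(")")
            return (head, items)
        if head == "!":
            pos += 1
            item = component()
            skip_ws()
            expect(")")
            return ("!", [item])
        # Simple item: a literal ')' can only be the terminator, because a ')'
        # inside a value must be written as \29.
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        item, pos = text[pos:end], end + 1
        eq = item.find("=")
        if eq <= 0:
            raise ValueError(f"no comparison in {item!r}")
        if item[eq - 1] in "<>~:":  # <=  >=  ~=  and := (extensible match)
            return (item[: eq - 1], item[eq - 1 : eq + 1], item[eq + 1 :])
        return (item[:eq], "=", item[eq + 1 :])

    tree = component()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree
```

Feeding `unsafe_group_name_filter("acc)(objectClass=*")` to `parse_filter` yields a perfectly valid filter with a third, injected component, whereas `group_name_filter` keeps the whole fragment inside the `sAMAccountName` value; that is the difference between a search box that narrows a search and one that widens it.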

***

### Can I restore a GLPI user when it is also reactivated in LDAP?

From **`Setup`** > **`Authentication`** > **`Setup`** you can choose the behaviour of the **`Action when a user is restored in the LDAP directory`**. You can choose to:

* Enable
* Do nothing
* Restore (move out of trashbin)

{% hint style="info" %}
**Information**

If the user has been permanently deleted, they will be recreated as a new user.
{% endhint %}

***

### When should the `TLS Certfile` and `TLS Keyfile` fields be filled in?

The `TLS Certfile` and `TLS Keyfile` fields must be populated when authentication (Bind) (**`Setup`** > **`Authentication`** > **`LDAP directory`** > **`Use Bind`**) is performed with a certificate and its private key (as with LDAPS on Google Workspace, for example): the certificate then replaces (or complements) a username/password.

{% hint style="warning" %}
**Certificates**

If you are using LDAPS, the certificates must be stored on your server so that GLPI can access them (in the GLPI config folder, for example).
{% endhint %}

***

### Is it possible to use nested groups?

Yes, GLPI can handle nested groups.

You need to synchronize the groups in GLPI:

In **`Setup`** > **`Authentication`** > **`LDAP directories`** > *Directory concerned*:

* **Main tab**:
  * ***Connection filter***: use the Active Directory preconfiguration **`"(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"`**
  * ***Base DN***: must be a subtree containing both the AD users and the AD groups
* **Group tab**:
  * ***Search type***: 'In groups' or 'Users and groups' (both work)
  * User attribute indicating groups: **`memberof`**
  * Filter to search in groups: **`Empty`**
  * Group attribute containing its users: **`member:1.2.840.113556.1.4.1941:`**
  * Use DN in the search: **`Yes`**

{% hint style="info" %}
**Explanation**

For an explanation of the **`member:1.2.840.113556.1.4.1941:`** value, [read this article](https://learn.microsoft.com/fr-fr/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN)
{% endhint %}

Next, we need to import the groups into GLPI (groups on which authorization rules will be based).

* **`Administration`** > **`Groups`** > **`LDAP directory link`**
* Finally, adapt the authorization rules to use the **`Group - is`** criterion rather than **`MemberOf - contains`**.
* Then force the synchronization of a user so that GLPI links the imported groups to the user and gives the correct authorizations based on these groups.

{% hint style="warning" %}
**Caution**

Managing authorization rules on the user's **`memberOf`** field is not a good practice, as this field does not contain nested groups.
{% endhint %}
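The difference between the raw `memberOf` attribute and the chained `member:1.2.840.113556.1.4.1941:` expansion is easiest to see on a small directory. The following is an added example (not GLPI's own code); `SAMPLE_DIRECTORY` is a constructed in-memory stand-in for an AD subtree, and the function names are hypothetical. It walks nested groups the way the chained matching rule does server-side, copes with a circular nesting, and shows why a rule keyed on `memberOf` misses a user who only belongs to the group through nesting:

```python
"""Direct versus nested group membership.

Added example; not GLPI's own code. SAMPLE_DIRECTORY is a constructed
in-memory stand-in for an Active Directory subtree: each group DN maps to
its `member` values, which can be users or other groups.
"""

SAMPLE_DIRECTORY = {
    "CN=IT,OU=Groups,DC=example,DC=com": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",
        "CN=alice,OU=Users,DC=example,DC=com",
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=Tier2,OU=Groups,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
    ],
    "CN=Tier2,OU=Groups,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
        # Deliberate cycle (Tier2 -> IT -> Helpdesk -> Tier2): a resolver that
        # does not track visited groups would loop forever here.
        "CN=IT,OU=Groups,DC=example,DC=com",
    ],
}


def direct_member_of(directory, dn):
    """What a user's memberOf attribute holds: only groups that list the DN directly."""
    return sorted(group for group, members in directory.items() if dn in members)


def transitive_members(directory, group_dn):
    """All user DNs reachable from group_dn through nested groups, i.e. the
    expansion that `member:1.2.840.113556.1.4.1941:` asks the server for."""
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member in directory:  # nested group: descend into it
                stack.append(member)
            else:  # leaf entry: a user
                users.add(member)
    return sorted(users)


def transitive_member_of(directory, dn):
    """Every group that contains dn directly or through any depth of nesting."""
    return sorted(g for g in directory if dn in transitive_members(directory, g))


def rule_grants(directory, user_dn, group_dn, use_nested_groups):
    """Would an authorisation rule keyed on group_dn match this user?

    use_nested_groups=False models a 'MemberOf - contains' rule evaluated on
    the raw memberOf attribute; True models 'Group - is' after the groups were
    synchronised with the chained matching rule."""
    resolve = transitive_member_of if use_nested_groups else direct_member_of
    return group_dn in resolve(directory, user_dn)
```

With this data, carol's `memberOf` only names `Tier2`, so a `MemberOf - contains` rule on the `IT` group denies her, while the synchronised groups place her in `IT` through `Helpdesk` and `Tier2` and a `Group - is` rule grants the profile.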

[^1]: Lightweight Directory Access Protocol (SSL/TLS)

[^2]: Lightweight Directory Access Protocol

