You can set up eFront to connect to an LDAP server (such as OpenLDAP or Active Directory) to perform Single Sign On. It is important, however, to understand how the SSO process works in order to configure the LDAP settings properly:
To set up the LDAP connection, sign in as administrator and go to System Settings→Integrations→LDAP. Tick the “Enable LDAP support” option and fill in the required information.
After you're done, you can click on “Check settings” to verify that the system can actually connect to the LDAP server. Please note that this operation only verifies that the server and port are set correctly; it does not guarantee that the system is properly set up to perform SSO.
Starting with version 4.4 of eFrontPro, you can configure a different LDAP server per branch. Sign in as administrator, go to Branches and click on the branch you want to set up a server for. Then click on Settings→LDAP and fill in the required information, as described earlier.
In such a setup, an incoming user that belongs to a specific branch will be authenticated against the branch's LDAP server. If the user belongs to a branch that doesn't have a configured LDAP server, then the system will search the branch's parents until it finds one with a configured LDAP server. If none is found, the global LDAP server (from the system settings) will be used.
It is possible to configure multiple LDAP servers against which an incoming user is checked for authentication. To do this, enter the alternative LDAP servers' addresses in the “LDAP server” textbox (under System settings→Integrations→LDAP), separated by ; (semicolon). For example:
However, in order for this setup to work, it is imperative that the account used to bind to the LDAP server exists in all specified LDAP servers, with the same password.
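The lookup order described above (the user's branch, then its parent branches, then the global setting), together with the semicolon-separated server list, can be modelled as follows to check which LDAP server a given branch's users actually authenticate against. This is an added example, not eFront's own code: the branch names, host names, data layout and function names are constructed, and it assumes a branch's server field accepts the same semicolon-separated form as the global one.

```python
# Model of the server-selection order described above (not eFront's code).
# All branch names and host names below are constructed sample data.

GLOBAL_LDAP = "ldap-hq.example.com;ldap-hq2.example.com"  # global "LDAP server" value

# branch -> (parent branch or None, branch LDAP server setting or None)
BRANCHES = {
    "emea":          (None,         "ldap-emea.example.com"),
    "emea-sales":    ("emea",       None),
    "emea-sales-uk": ("emea-sales", None),
    "apac":          (None,         None),
}


def split_servers(value):
    """Split a semicolon-separated 'LDAP server' value, dropping blanks."""
    return [s.strip() for s in value.split(";") if s.strip()]


def resolve_ldap(branch, branches=BRANCHES, global_value=GLOBAL_LDAP):
    """Return (source, servers): where the setting came from and the hosts listed."""
    seen = set()
    current = branch
    while current is not None:
        if current in seen:  # guard against a misconfigured, looping hierarchy
            raise ValueError(f"branch hierarchy loops at {current!r}")
        seen.add(current)
        parent, setting = branches[current]
        if setting:
            return current, split_servers(setting)
        current = parent  # nothing configured here: try the parent branch
    return "global", split_servers(global_value)


def audit(branches=BRANCHES):
    """Map every branch to the source of its effective LDAP setting."""
    return {name: resolve_ldap(name, branches)[0] for name in branches}


if __name__ == "__main__":
    for name, source in audit().items():
        print(f"{name:15} -> uses {source} setting: {resolve_ldap(name)[1]}")
```

Running the audit over a real branch tree shows which branches silently fall back to a parent's or the global server, which is where the shared bind account requirement applies.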
LDAP users are created on-the-fly, as they sign in for the first time. It is not uncommon, however, to need to pre-import some or all users that will be using the system, using the “Import from CSV” operation. In this case, in order to indicate that the imported users will be authenticating via LDAP, you must set their password to “ldap”. For example, the following CSV snippet will import a user that will be authenticating via LDAP:
You can configure eFront to only allow self-signup for users that have a valid LDAP account. To do this, sign in as administrator and go to System Settings→Users, and change the value of “Allow self signup” to “Enabled, but only for users having a valid LDAP account”.
If you're interested in implementing code for the LDAP server integration (in a plugin, for example), or are merely looking to verify that connecting to an LDAP service is possible from your server, there is a public LDAP server that you can use. See here for more information.