How to connect to an LDAP or Active Directory server

Introduction

You can set up eFront to connect to an LDAP server (such as OpenLDAP or Active Directory) to perform Single Sign On (SSO). It is important, however, to understand how the SSO process works in order to configure the LDAP settings properly:

  1. The system administrator configures the LDAP server's details (address, port etc).
  2. The system administrator stores the credentials of an LDAP account that will be used to connect to the LDAP server and perform searches.
  3. A user visits the platform, enters his/her credentials and clicks on the “sign in” button.
  4. The system first uses its stored LDAP account to search the LDAP tree for a user account with the given username. If found, it retrieves its full DN and uses the given password to authenticate the user.
  5. If the user authenticates successfully, he/she is signed into eFront. If it's the first time he/she signs in, a user account will be created in eFront for him/her at the same time.

The key step in the procedure above is (2): you must supply an account that has search privileges throughout the whole LDAP tree (or at least the part of it that holds the users who will be signing in). This account does not need any other privileges.

Heads up! For the rest of this guide, whenever we refer to LDAP, it also applies to Active Directory unless specifically stated otherwise.

Setting it up

In order to set up the LDAP connection, sign in as administrator and go to System Settings→Integrations→LDAP. Tick the “Enable LDAP support” option and fill in the required information.

  • The values for LDAP Bind DN and LDAP bind password are for the account that will be used to search the LDAP tree for the user attempting to sign in, as explained earlier.
  • The LDAP Base DN is the default level at which searches will be performed (so it does not have to be the root of the tree).
  • The Login name, Full name and Email attributes will be used by eFrontPro to discover the respective user properties when a new user signs in for the first time (and an account is created).

Heads up! The default value for Login name is uid for OpenLDAP and samaccountname for Active Directory. However, older versions of Active Directory were using sAMAccountName, so make sure you use the correct letter case.

After you're done, you can click on “Check settings” to verify that the system can actually connect to the LDAP server. Please note that this operation only verifies that the server and port are properly set; it does not guarantee that the system is properly set up to perform the SSO.

Configuring a different LDAP server per branch

Starting with version 4.4 of eFrontPro, you can configure a different LDAP server per branch. Sign in as administrator, go to Branches and click on the branch you want to set up a server for. Then click on Settings→LDAP and fill in the required information, as described earlier.

In such a setup, an incoming user that belongs to a specific branch will be authenticated against the branch's LDAP server. If the user belongs to a branch that doesn't have a configured LDAP server, then the system will search the branch's parents until it finds one with a configured LDAP server. If none is found, the global LDAP server (from the system settings) will be used.

Using a pool of LDAP servers

It is possible to configure multiple LDAP servers to be checked against when authenticating an incoming user. To do this, simply enter the alternative LDAP servers' addresses in the “LDAP server” textbox (under System Settings→Integrations→LDAP), separated by ; (semicolon). For example:

ldap://ldap1.example.com;ldap://ldap2.example.com;ldap://ldap3.example.com

However, in order for this setup to work, it is imperative that the account used to bind to the LDAP server exists in all specified LDAP servers, with the same password.
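The five-step flow from the Introduction, the Bind DN / Base DN / attribute settings from “Setting it up”, and the semicolon-separated server pool, shown together as an added Python example. This is not eFront's code: an in-memory FakeDirectory with constructed entries (the service account, DNs, users and passwords are all made up) stands in for the LDAP servers so that it runs offline. Two checks a real implementation needs are built in: the username is escaped before it is placed in the search filter, and an empty password is refused before the bind, because many servers treat an empty-password bind as a successful anonymous bind.

```python
import re
from dataclasses import dataclass

# Added example (not eFront's code): FakeDirectory is a constructed stand-in
# for an LDAP server; a real plugin would call an LDAP client library instead.

# RFC 4515: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape user input before interpolating it into a search filter, so a
    username like "*" or "x)(cn=" is matched literally, not as filter syntax."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class Entry:
    dn: str
    attrs: dict       # LDAP attribute names are case-insensitive; stored lowercase
    password: str


class FakeDirectory:
    """In-memory stand-in for one LDAP server (equality filters only)."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # Like many real servers (RFC 4513 unauthenticated bind), an empty
        # password 'succeeds' as an anonymous bind: the client must refuse it.
        if password == '':
            return True
        return any(e.dn.lower() == dn.lower() and e.password == password
                   for e in self.entries)

    def search(self, base_dn, filt):
        m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
        if not m:
            raise ValueError('unsupported filter: ' + filt)
        attr, raw = m.group(1).lower(), m.group(2)
        # A raw '*' is a wildcard; an escaped '\2a' is a literal asterisk.
        pattern = re.compile('.*'.join(re.escape(_unescape(p)) for p in raw.split('*')),
                             re.IGNORECASE)
        return [e for e in self.entries
                if e.dn.lower().endswith(base_dn.lower())
                and attr in e.attrs and pattern.fullmatch(e.attrs[attr])]


def authenticate(servers, connect, settings, username, password):
    """Steps 4-5: search-then-bind on each pooled server in turn. Returns the
    properties eFront needs to create the account, or None on failure."""
    if password == '':
        return None                     # never forward an empty password
    for url in servers.split(';'):
        directory = connect(url.strip())
        if directory is None:
            continue                    # unreachable server: try the next one
        # Bind with the stored service account (step 2); it must exist with
        # the same password on every pooled server.
        if not directory.bind(settings['bind_dn'], settings['bind_password']):
            continue
        filt = '(%s=%s)' % (settings['login_attr'], escape_filter_value(username))
        matches = directory.search(settings['base_dn'], filt)
        if len(matches) != 1:           # unknown, or ambiguous, login name
            continue
        user = matches[0]
        if not directory.bind(user.dn, password):   # the user's own credentials
            continue
        return {'login': user.attrs[settings['login_attr'].lower()],
                'name': user.attrs.get(settings['name_attr'].lower(), ''),
                'email': user.attrs.get(settings['email_attr'].lower(), '')}
    return None


# Constructed sample data: DNs, accounts and passwords are made up.
BASE = 'ou=people,dc=example,dc=com'
SVC_DN = 'cn=efront-svc,ou=services,dc=example,dc=com'
SAMPLE_POOL = {
    'ldap://ldap1.example.com': FakeDirectory([
        Entry(SVC_DN, {'cn': 'efront-svc'}, 'svc-secret'),
        Entry('uid=jdoe,' + BASE, {'uid': 'jdoe', 'cn': 'John Doe', 'mail': 'jdoe@example.com'}, 'jdoe-pass'),
        Entry('uid=asmith,' + BASE, {'uid': 'asmith', 'cn': 'Ann Smith', 'mail': 'asmith@example.com'}, 'asmith-pass'),
    ]),
    'ldap://ldap2.example.com': FakeDirectory([     # same service account, same password
        Entry(SVC_DN, {'cn': 'efront-svc'}, 'svc-secret'),
        Entry('uid=bjones,' + BASE, {'uid': 'bjones', 'cn': 'Bob Jones', 'mail': 'bjones@example.com'}, 'bjones-pass'),
    ]),
}
# ldap3 is listed but absent from the pool, standing in for an unreachable server.
SERVERS = 'ldap://ldap1.example.com;ldap://ldap2.example.com;ldap://ldap3.example.com'
SETTINGS = {'bind_dn': SVC_DN, 'bind_password': 'svc-secret', 'base_dn': BASE,
            'login_attr': 'uid', 'name_attr': 'cn', 'email_attr': 'mail'}

if __name__ == '__main__':
    print(authenticate(SERVERS, SAMPLE_POOL.get, SETTINGS, 'bjones', 'bjones-pass'))
    print(authenticate(SERVERS, SAMPLE_POOL.get, SETTINGS, 'jdoe', 'wrong'))
```

The `authenticate` function only needs a search and a bind operation, so replacing FakeDirectory with a real client (python-ldap's `search_s` and `simple_bind_s`, or ldap3's `Connection.search` and `Connection.bind`) leaves the flow itself unchanged. Note that an unescaped `*` in a filter matches every entry under the base DN, which is why the login name is passed through `escape_filter_value` before it reaches the server.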

Importing users that will be authenticating via LDAP

LDAP users are created on the fly as they sign in for the first time. It is not uncommon, however, to need to pre-import some or all of the users that will be using the system, using the “Import from CSV” operation. In this case, to indicate that the imported users will be authenticating via LDAP, you must set their password to “ldap”. For example, the following CSV snippet imports a user that will be authenticating via LDAP:

login,name,surname,password,email,active
sample_user,John,Doe,ldap,sample@example.com,1

Restricting self-signup to only allow LDAP users

You can configure eFront to only allow self-signup for users that have a valid LDAP account. To do this, sign in as administrator, go to System Settings→Users, and change the value of “Allow self signup” to “Enabled, but only for users having a valid LDAP account”.

Testing the LDAP integration

If you're interested in implementing code for the LDAP server integration (in a plugin, for example), or merely want to verify that connecting to an LDAP service is possible from your server, there is a public LDAP server that you can use. See here for more information.