LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and managing directory information over an IP network. Organizations use LDAP to centralize user management, enhance security, and simplify authentication processes. Integrating LDAP allows for consistent user data across systems, streamlines access control, and reduces administrative overhead by having a single, up-to-date point of reference for user credentials and permissions.
You can locate the LDAP configuration page in Settings -> Security -> Authentication -> LDAP
Enabled
This checkbox activates or deactivates the LDAP integration. When unchecked, the LDAP settings are not in effect.
Domain Controllers
Domain Controller: The address of the LDAP server.
Port: The network port used by the LDAP service. Port 636 is commonly used for LDAPS (LDAP over SSL/TLS), the encrypted variant of the protocol.
Use encryption: Specifies if the connection to the LDAP server should be encrypted. LDAPS is typically chosen for secure communications.
Allow self-signed certificate: Determines whether the application accepts a self-signed SSL certificate from the LDAP server. With this enabled the server certificate is not validated against a trusted certificate authority, so it is useful for internal or test environments rather than production.
Base DN
Base DN (Distinguished Name): The root location in the LDAP directory from which the search for users will begin. It's formatted in LDAP's distinguished name format, like dc=domain,dc=com.
Default Email Domain
This is the domain that will be appended to user accounts when the email attribute is not found in the LDAP directory.
Service Account Username
The username for a service account with read permissions in the LDAP directory, used to perform user lookups.
Attribute Mapping
Maps LDAP attributes to application attributes. For instance, the LDAP attribute that holds the user's display name would be mapped to the corresponding field in the application.
Next Plus field name: The field name in the application.
Auth provider field: The corresponding field in the LDAP directory.
Role Mapping
Assigns roles within the application based on LDAP group memberships.
Next Plus role name: The role name within the application.
Auth provider group: The corresponding group in the LDAP directory.
Group Mapping
Similar to Role Mapping, but for groups, which can be used for permissions, access controls, etc.
Next Plus Group: The group within the application.
Auth provider group: The corresponding group in the LDAP directory.
Synchronization Processes
The synchronization between the LDAP directory and the application can occur in three different scenarios:
Once a Day: The application will automatically sync with the LDAP directory once every 24 hours. This ensures that changes in the LDAP directory (like new users, role changes, etc.) are regularly updated in the application.
When Settings Saved on This Page: Each time an administrator makes changes to the LDAP settings and saves the configuration, a synchronization process will begin. This allows immediate application of changes without waiting for the scheduled daily sync.
User Sync - When Sign In: Every time a user signs in, the application will check the LDAP directory for updates to that user's information and apply any changes found. This ensures that each user's information is up-to-date at the time of login.
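The following is an added illustration, not the application's own code, of what a sync pass does with the Domain Controller, Default Email Domain, Attribute Mapping, Role Mapping and Group Mapping settings described above. The LDAP attribute names (sAMAccountName, mail, memberOf), the DNs and the sample directory entries are constructed assumptions; a real sync would fetch the entries from the directory over the configured connection.

```python
DEFAULT_EMAIL_DOMAIN = "example.com"  # "Default Email Domain" setting (constructed)
# Mapping tables in the shape the settings page describes (values constructed).
ATTRIBUTE_MAPPING = {"username": "sAMAccountName", "displayName": "displayName",
                     "email": "mail"}  # application field -> LDAP attribute
ROLE_MAPPING = {"admin": "CN=NextPlus-Admins,OU=Groups,DC=example,DC=com",
                "operator": "CN=Operators,OU=Groups,DC=example,DC=com"}
GROUP_MAPPING = {"Maintenance": "CN=Maintenance,OU=Groups,DC=example,DC=com"}

SAMPLE_ENTRIES = {  # constructed sample of what a user search under the Base DN could return
    "CN=jdoe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["jdoe"], "displayName": ["Jane Doe"],
        "mail": ["jane.doe@example.com"],
        "memberOf": ["CN=NextPlus-Admins,OU=Groups,DC=example,DC=com",
                     "cn=maintenance, ou=groups, dc=example, dc=com"],
    },
    "CN=bsmith,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["bsmith"], "displayName": ["Bob Smith"],
        "memberOf": ["CN=Operators,OU=Groups,DC=example,DC=com"],  # no mail attribute
    },
}

def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def sync_user(dn, entry):
    """Build the application's view of one directory user from the mapping tables."""
    user = {"dn": dn}
    for app_field, ldap_attr in ATTRIBUTE_MAPPING.items():
        values = entry.get(ldap_attr) or []
        user[app_field] = values[0] if values else None
    if not user["email"]:  # attribute missing: apply the default email domain
        user["email"] = f"{user['username']}@{DEFAULT_EMAIL_DOMAIN}"
    member_of = {normalize_dn(g) for g in entry.get("memberOf", [])}
    user["roles"] = sorted(r for r, g in ROLE_MAPPING.items()
                           if normalize_dn(g) in member_of)
    user["groups"] = sorted(n for n, g in GROUP_MAPPING.items()
                            if normalize_dn(g) in member_of)
    return user

def connection_warnings(port, use_encryption, allow_self_signed):
    """Flag Domain Controller settings that weaken transport security."""
    warnings = []
    if port == 636 and not use_encryption:
        warnings.append("port 636 is the LDAPS port but 'Use encryption' is off")
    if allow_self_signed:
        warnings.append("server certificate is not checked against a trusted CA")
    return warnings
```

Group DNs are normalized before comparison because directories return them with varying case and spacing; a sync that compared raw strings would silently drop role assignments.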
Additional Notes
It's essential to input correct details in all fields to ensure proper connectivity and functionality with the LDAP directory.
Synchronization ensures that user data is consistent between the application and LDAP, but it's vital to have a strategy for handling conflicts or discrepancies, such as what takes precedence: the LDAP information or the local application data.
Proper role and group mapping are critical for security and access control within the application, so these should be reviewed and tested thoroughly.