Configuring LDAP Authentication

To configure LDAP connectivity, you will need to set the LDAP parameters in const.php. This article shows you how to set them properly using the Config Variables UI.

1. Access Config Variables from the Admin Menu > Utilities > Config Variables

2. Establishing a connection to your LDAP server

You will need to know the type of directory server you are using, e.g. OpenLDAP or Windows Active Directory.

The minimum parameters needed to be set in the config variables are:

  1. URL of the LDAP server
  2. LDAP server username and password, if required
  3. LDAP_BIND_REQUIRES_DN (OpenLDAP only)
  4. Base DN

These settings may be edited by clicking on the edit icon (gear) for each item.

By setting these parameters correctly, you will be able to authenticate against LDAP. The remaining parameters are used to synchronize user information and are explained in Step 3.

2.1. LDAP Server

2.2. LDAP Username and Password

If your LDAP server requires a username and password to query the directory, set LDAP_USER and LDAP_PASSWORD accordingly.

2.3. LDAP Bind Requires DN

If you are using an OpenLDAP server, you sometimes cannot authenticate as user@domain and instead need to bind with the user's full DN, e.g. uid=user,dc=example,dc=com. If this is the case, set LDAP_BIND_REQUIRES_DN to 'true'. Otherwise, leave it as false.

2.4. LDAP Base DN

The Base DN is the subtree that is searched when a user logs in. For example, if your username is uid=user,ou=useraccounts,dc=metricinsights,dc=com, then the Base DN is ou=useraccounts,dc=metricinsights,dc=com. Use this value for LDAP_BASE_DN.

3. Synchronizing User data

After you have successfully authenticated, Metric Insights needs to know a few more things about your LDAP user schema so we can properly sync information with the corresponding Metric Insights user. This can be done by setting the following parameters:

  1. LDAP_USER_CN_FIELD
  2. LDAP_EMAIL_FIELD
  3. LDAP_FNAME_FIELD
  4. LDAP_LNAME_FIELD

These should point to the corresponding LDAP field names.

Finally, if you have a failover LDAP server, you will need to repeat these steps and set up the corresponding LDAP*_SECONDARY parameters for your failover LDAP server.

Be certain to Save Changes to update the file.

4. OpenLDAP Example

    dn: uid=testuser,ou=people,dc=metricinsights,dc=com
    uid: testuser
    uidNumber: 1001
    gidNumber: 1000
    cn: testuser
    sn: Test
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    homeDirectory: /home/testuser
    givenName: Foopie
    mail: foopie@foo.com

In this case,

  1. LDAP_USER_CN_FIELD = 'uid'
  2. LDAP_EMAIL_FIELD = 'mail'
  3. LDAP_FNAME_FIELD = 'givenName'
  4. LDAP_LNAME_FIELD = 'sn'
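The following is an added example, not Metric Insights code: it models the decisions from sections 2.3, 2.4 and 3 against the OpenLDAP entry above (deriving the Base DN from a user DN, choosing between a full-DN bind and user@domain, and mapping the LDAP_*_FIELD settings onto the synced user). The config values, the function names and the domain-from-dc= derivation are assumptions.

```python
# Added example, not Metric Insights code: models the settings this page describes.
# Config variable names are the page's; values and function names are assumptions.

CONFIG = {  # constructed sample values for the page's config variables
    "LDAP_BIND_REQUIRES_DN": True,
    "LDAP_BASE_DN": "ou=people,dc=metricinsights,dc=com",
    "LDAP_USER_CN_FIELD": "uid",
    "LDAP_EMAIL_FIELD": "mail",
    "LDAP_FNAME_FIELD": "givenName",
    "LDAP_LNAME_FIELD": "sn",
}

# The page's OpenLDAP example entry, trimmed to the attributes used below.
OPENLDAP_ENTRY = """dn: uid=testuser,ou=people,dc=metricinsights,dc=com
uid: testuser
cn: testuser
sn: Test
objectClass: inetOrgPerson
objectClass: posixAccount
givenName: Foopie
mail: foopie@foo.com
"""

def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF record into attribute -> list of values (objectClass is multi-valued)."""
    attrs: dict = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def base_dn_from_user_dn(user_dn: str) -> str:
    """Base DN is the container holding the user: drop the leading RDN (assumes no escaped commas)."""
    return user_dn.split(",", 1)[1]

def bind_identity(username: str, config: dict) -> str:
    """Full DN when LDAP_BIND_REQUIRES_DN; else user@domain built from the dc= parts of the base DN (assumption)."""
    if config["LDAP_BIND_REQUIRES_DN"]:
        return f"{config['LDAP_USER_CN_FIELD']}={username},{config['LDAP_BASE_DN']}"
    dcs = [p.split("=", 1)[1] for p in config["LDAP_BASE_DN"].split(",") if p.lower().startswith("dc=")]
    return f"{username}@{'.'.join(dcs)}"

def user_from_entry(entry: dict, config: dict) -> dict:
    """Map the attributes named by the LDAP_*_FIELD settings onto the synced user record (first value)."""
    def first(setting: str) -> str:
        return entry.get(config[setting], [""])[0]
    return {"username": first("LDAP_USER_CN_FIELD"), "email": first("LDAP_EMAIL_FIELD"),
            "first_name": first("LDAP_FNAME_FIELD"), "last_name": first("LDAP_LNAME_FIELD")}
```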

5. Active Directory example