LDAP Integration

Page last modified 14:49, 21 Feb 2012 by kgirrard
    Table of contents
    1. 1. LDAP Configuration
    2. 2. Accounts
    3. 3. Services

    Version as of 10:49, 9 Aug 2020

    to this version.

    Return to Version archive.

    View current version

    Account information can be integrated with an external LDAP database to allow accounts defined within the SIS to provide authentication for e-mail, wi-fi, or other LDAP-aware services. This documentation describes the LDAP intergration support provided within the SIS.

    Integration with LDAP is not required for operation of the SIS. Some account management functions (e.g. deleting an account) can only be performed on the LDAP Account form, but this shouldn't be taken to imply that LDAP is required or in use.

    LDAP Configuration

    LDAPConfig.pngInformation for use of an LDAP server is configured on the Organization form.

    The Server URL should be formatted as required by the installed version of LDAP. It may be just a host name, or include a protocol specification such as ldap, ldaps, or ldapi.

    Base DN is the origin in the database where all information managed by the SIS will be created. The LDAP database must already contain this definition; it will not be created automatically.

    Group DN defines the origin for group data, which is managed using the posixGroup objectClass, with individual group members listed by memberUid.

    Auth CN must specify a distincguished name (dn) with full access to the database for inserting, updating, or deleting records. Auth Password is the password for the Auth CN specified. Often this will be the rootdn for the LDAP server, but can be any dn with sufficient privileges. This dn must be configured with the LDAP server with "size=unlimited" for queries, or some management tasks may not function!


    Each person defined in the database can have one or more accounts associated with them. Each account has a unique login name, and may be used for access to it's own combination of services.

    LDAPAccount.pngAlong with a login and password, account information includes UNIX-specific data like group and shell, as well as general information like title, office location, phone number, and campus. This information is used in different ways by the services that are associated with an account. Details of how services use each field are described next.


    Support for specific applications is organized around Services. The service definition includes an LDAP objectClass to define what type of information should be included in the associated LDAP record, but LDAPServiceSample.pngalso defines other characteristics such as what type of password should be used (called a Hash), and whether an e-mail address should be managed as part of the service.

    In addtion to the service code and description for an LDAP Service, these records include:

    The Organizational Unit where this data will appear in the LDAP database, with the configured Base DN appended; records in the example would be placed under ou=ITS,dc=comfsm,dc=fm
    The method used to encrypt passwords for this service; to use any Hash type it must be enabled on the LDAP Hash form.
    Indicates whether new accounts should have this service added by default, when they are created on the LDAP Account form
    The security level associated with this service; services with more restricted access have a numerically larger security level
    This controls the type of information gathered and added to the LDAP record when it's placed in the database; these are defined on the LDAP Object form but, more importantly, must be coded for in the server-side interface (LDAP.php)
    Address Type
    If an e-mail address should be automatically created and managed for the person when an account with this service is present, it's type should be specified here; these accounts appear on the Person form
    E-Mail Domain
    The domain name that should be used to construct an e-mail address, when an Address Type is specified
    Powered by MindTouch Core