12.10. LDAP Login

LDAP (Lightweight Directory Access Protocol) login is a login option that authenticates users against an LDAP server instead of against locally created users.

There are two steps to setting up a user to log in via LDAP:

  1. configure an LDAP domain
  2. create a user and specify “LDAP Login”

After you have created an LDAP Domain, a checkbox called “LDAP Authentication” appears on the login screen.

The rules are:

  1. if a user is created with the “LDAP login only” option checked at user creation
    1. he/she will not be allowed to log in with a local password
  2. if a user is created without “LDAP login only”
    1. he/she can log in with a local OR domain password, depending on whether “LDAP authentication” is checked on the login screen

12.10.1 Configure LDAP Domain

The first step is to configure the LDAP domain against which the authentication will be done.

Log in as admin, select Web Admin > Manage > LDAP Domain and click the Configure button.

Fill in the details as shown below.

Field                Description
Domain Name          LDAP server domain name.
Port                 LDAP port number, usually 389.
Base DN or Bind DN   Distinguished name used for binding to the LDAP domain.
Password             Bind password for the Bind DN.
Object Context       Base DN under which users are searched for when they log in.
Filter attribute     The attribute name used to match the user. Examples: email/uid/dn/cn. If you specify email, the username must be the email ID, e.g. tim@company.com.
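To make the interplay of these fields concrete, here is an added Python model of the login flow they configure (example code, not part of the Trisul documentation or product): bind as the Bind DN with its password, search under Object Context for exactly one entry whose Filter attribute equals the login name, then bind as that entry with the password the user typed. The directory, DNs and passwords are constructed sample data, and the standard `mail` attribute stands in for the “email” example above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LdapDomain:
    """One set of values for the LDAP Domain fields in the table above."""
    domain_name: str
    port: int
    bind_dn: str           # Base DN or Bind DN
    bind_password: str     # Password
    object_context: str    # Object Context
    filter_attribute: str  # Filter attribute: uid, mail, cn, ...

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(domain: LdapDomain, username: str) -> str:
    """Filter the login step would send to the server under Object Context."""
    return f"({domain.filter_attribute}={escape_filter_value(username)})"

# Constructed stand-in for the directory (DN -> attributes); not a real server.
SAMPLE_DIRECTORY = {
    "uid=tim,ou=people,dc=company,dc=com": {"uid": "tim", "mail": "tim@company.com", "userPassword": "tim-pass"},
    "cn=svc-trisul,ou=svc,dc=company,dc=com": {"cn": "svc-trisul", "userPassword": "bind-pass"},
}

def _simple_bind(dn: str, password: str) -> bool:
    entry = SAMPLE_DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def _search_one(base_dn: str, attr: str, value: str) -> Optional[str]:
    # Subtree search under base_dn for exactly one entry whose attr equals value.
    hits = [dn for dn, e in SAMPLE_DIRECTORY.items()
            if dn.endswith("," + base_dn) and e.get(attr) == value]
    return hits[0] if len(hits) == 1 else None

def ldap_login(domain: LdapDomain, username: str, password: str) -> str:
    """Two-stage login: bind as the service DN, find the user's DN, bind as the user."""
    if not _simple_bind(domain.bind_dn, domain.bind_password):
        return "bind-dn-failed"      # Base DN / Bind DN or Password field is wrong
    if not password:
        return "empty-password"      # an empty password would be an unauthenticated bind
    user_dn = _search_one(domain.object_context, domain.filter_attribute, username)
    if user_dn is None:
        return "user-not-found"      # check Object Context and Filter attribute
    return "ok" if _simple_bind(user_dn, password) else "bad-password"

# Constructed sample configuration matching the directory above.
DOMAIN = LdapDomain("company.com", 389, "cn=svc-trisul,ou=svc,dc=company,dc=com",
                    "bind-pass", "ou=people,dc=company,dc=com", "uid")
```

Each failure string maps back to one configuration field, which is the order to check them in when the production.log shows LDAP errors.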

12.10.2 Create an LDAP-enabled user

Next, create a new LDAP-enabled user.

Log in as admin and select Web Admin > Manage > Users > New User.

There are two options here:

Option               Description
LDAP Only login      The user can only log in via LDAP authentication and has no local password.
LDAP + Local auth    The user can choose to log in locally or via LDAP authentication.

Choose either type of user according to your company policy.

12.10.3 Admin user is always local

The super admin user (login name admin) always uses a local login.

12.10.4 Login mode

After you create an LDAP Domain, the login screen shows a checkbox called “LDAP authentication”.

  1. Users with LDAP Only auth have no choice but to enter their LDAP password.
  2. Users with LDAP or Local auth use the local login/password unless they check the “LDAP authentication” checkbox.

12.10.5 Troubleshooting

If you experience errors, try the following:

  1. Log out.
  2. Log in using an LDAP-enabled user with the “LDAP Authentication” checkbox checked.
  3. Then check the Webtrisul log file for errors. The log file is at /usr/local/var/log/trisul-hub/webtrisul/production.log