12.13. LDAP Login
LDAP (Lightweight Directory Access Protocol) is a login option that authenticates users against an LDAP server.
There are two steps to setting up a user to log in via LDAP:
- configure an LDAP domain
- create a user and specify that they are authenticated against that LDAP domain
After you have created an LDAP domain, a checkbox called “LDAP Authentication” appears on the login screen.
12.13.1 View LDAP domains
This page shows a list of LDAP domains configured in Trisul.
A list of configured domains is shown with the following details:
- Domain name: the default domain, which cannot be deleted, is called Local authentication; it is for normal users who log in without LDAP
- Server / Port
- User name: the account used to bind to the LDAP server
- Base DN: the DN under which users are queried
- Filter: the username is taken from this attribute, usually the
LDAP Domain options
For each LDAP domain shown, the following options appear at the right side of its row.
| Option | Description |
| --- | --- |
| Edit | Modify this LDAP domain entry |
| Delete | Delete the LDAP domain without deleting the users |
| Check authentication | Check whether Trisul is able to bind successfully with the LDAP server |
| Sync | Synchronize Users: contact the LDAP domain server, query for users with the Sync Attribute, then add all of those users to Trisul with the username taken from the Filter attribute. At the end of the synchronize operation you should see all the added users under Manage > Users |
| Delete Users Only | Delete only the users associated with this domain. You can then go back and synchronize or manually add LDAP users |
Synchronize users from LDAP
This feature allows Trisul to automatically query an LDAP directory using a particular attribute value and then create users in Trisul from the results. You do not have to manually create users and associate them with an LDAP domain.
12.13.2 Configure LDAP Domain
The first step is to configure the LDAP domain against which authentication will be done.
Fill in the details as shown below.
| Field | Description |
| --- | --- |
| Domain Name | A descriptive name given to this LDAP domain |
| Domain Server | DNS name or IP address of the LDAP domain server |
| Port | LDAP port number, usually 389 |
| User name | Distinguished name of the account used to bind to the LDAP domain |
| Password | Password for the above user |
| Base DN | Base DN under which users are searched |
| Sync Attributes | When users are synchronized automatically from the LDAP server, users with this attribute are queried and added to Trisul (only used if you want to synchronize users automatically from the LDAP directory; if you want to add users manually, leave this blank) |
| Filter attribute | The actual attribute name that is used to match the user. Examples: |
| User Bind | If checked, LDAP authentication simply tries to BIND with the user name |
| Append to username | This string is automatically appended to the user name. It is a feature to spare users from typing their full login names. For example: if you set this to @unitedfederalbankname.com then the user who had to type firstname.lastname@example.org only has to type mike at the login screen |
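The two login modes described above (User Bind checked, versus a bind with the configured User name followed by a search under Base DN on the Filter attribute) and the Sync operation, as an added example that is not Trisul's own code. It runs against a constructed in-memory directory; the DNs, passwords and the assumption that the Sync Attribute only needs to be present on a user are all made up for the example.

```python
# Constructed stand-in for the LDAP server (added example, not Trisul code): DN -> (password, attributes).
DIRECTORY = {
    "cn=svc-trisul,ou=svc,dc=example,dc=org": ("svc-secret", {}),
    "uid=mike,ou=people,dc=example,dc=org": ("mike-pw", {
        "uid": ["mike"], "mail": ["mike@example.org"], "employeeType": ["staff"]}),
    "uid=jane,ou=people,dc=example,dc=org": ("jane-pw", {
        "uid": ["jane"], "mail": ["jane@example.org"], "employeeType": ["staff"]}),
    "uid=guest,ou=people,dc=example,dc=org": ("guest-pw", {
        "uid": ["guest"], "mail": ["guest@example.org"]}),
}

def ldap_bind(identity, password):
    """Simple bind by DN or mail (UPN-style) login. Empty passwords are refused:
    RFC 4513 allows a server to treat DN + empty password as an anonymous bind."""
    if not password:
        return False
    for dn, (pw, attrs) in DIRECTORY.items():
        if identity == dn or identity in attrs.get("mail", []):
            return pw == password
    return False

def ldap_search(base_dn, attr, value=None):
    """DNs under base_dn whose attribute holds value (value=None: attribute present)."""
    return [dn for dn, (_, attrs) in DIRECTORY.items()
            if dn.endswith(base_dn) and attr in attrs
            and (value is None or value in attrs[attr])]

def authenticate(domain, username, password):
    """LDAP login against one configured domain (a dict of the settings above)."""
    login = username + domain.get("append", "")          # "Append to username"
    if domain.get("user_bind"):
        return ldap_bind(login, password)                # bind as the user directly
    if not ldap_bind(domain["bind_user"], domain["bind_password"]):
        return False                                     # what "Check authentication" tests
    dns = ldap_search(domain["base_dn"], domain["filter_attr"], login)
    return len(dns) == 1 and ldap_bind(dns[0], password)  # exactly one match, then bind

def sync_users(domain):
    """Sync: users under Base DN carrying the Sync Attribute; the Trisul username
    is the Filter attribute value (assumption: presence of the attribute is enough)."""
    if not domain.get("sync_attr"):
        return []
    return sorted(DIRECTORY[dn][1][domain["filter_attr"]][0]
                  for dn in ldap_search(domain["base_dn"], domain["sync_attr"]))

SEARCH_DOMAIN = {"bind_user": "cn=svc-trisul,ou=svc,dc=example,dc=org",
                 "bind_password": "svc-secret", "base_dn": "ou=people,dc=example,dc=org",
                 "filter_attr": "uid", "sync_attr": "employeeType"}
BIND_DOMAIN = {"user_bind": True, "append": "@example.org"}
```

With SEARCH_DOMAIN a wrong service password makes every login fail before any user is checked, which is the failure Check authentication exposes; with BIND_DOMAIN the user types only "jane" and the suffix is appended before the bind.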
12.13.3 Create an LDAP-enabled user
Next you need to create a new LDAP user.
There are two options here:
| Type | Description |
| --- | --- |
| LDAP Only login | The user can only log in via LDAP auth and has no local password |
| LDAP + Local auth | The user can choose to log in locally or via LDAP auth |
Depending on your company policy you can create either type of user.
12.13.4 Admin user is always local
The super admin user with login name = admin always uses a local login.
12.13.5 Login mode
After you create an LDAP domain, the login screen shows a checkbox called “LDAP authentication”.
- for users with LDAP Only auth — they have no choice but to enter their LDAP password
- for users with LDAP or Local auth — if they do not check the “LDAP authentication” checkbox they will use the local login/password.
If you experience errors, try the following.
- Test the LDAP domain by clicking the Check Authentication link in the Options column
- Log in using an LDAP-enabled user with the “LDAP Authentication” checkbox checked
- Then check the Webtrisul log file for errors under Manage > Web Server Logs > Web server logs