12.13. LDAP Login

LDAP (Lightweight Directory Access Protocol) login is an option that authenticates users against an LDAP server instead of a local password.

There are two steps to setting up a user to log in via LDAP:

  1. Configure an LDAP domain
  2. Create a user and specify that he or she is authenticated against that LDAP domain

After you have created an LDAP domain, a checkbox called “LDAP Authentication” appears on the login screen.

12.13.1 View LDAP domains

This page shows a list of LDAP domains configured in Trisul.

Log in as admin and select Web Admin > Manage > LDAP Domain.

A list of configured domains is shown with the following details:

  1. Domain name : the default domain, called Local authentication, cannot be deleted; it is for normal users who log in without LDAP
  2. Server / Port
  3. User name : the account used to bind to the LDAP server
  4. Base DN : the DN under which users are queried
  5. Filter : the attribute from which the username is taken, usually mail

LDAP Domain options

For each LDAP domain shown, the following options appear at the right side of the row:

Edit : Modify this LDAP domain entry
Delete : Delete the LDAP domain without deleting its users
Check authentication : Check whether Trisul is able to bind successfully with the LDAP server
Sync : Synchronize users. Trisul contacts the LDAP domain server, queries for users that have the Sync Attribute, and adds all of them to Trisul with the username taken from the Filter attribute. At the end of the synchronize operation you should see all the added users under Manage > Users
Delete Users Only : Delete only the users associated with this domain. You can then go back and synchronize or manually add LDAP users

Synchronize users from LDAP

This feature allows Trisul to automatically query an LDAP directory for entries that have a particular attribute value and then create users in Trisul from the results. You do not have to manually create users and associate them with an LDAP domain.

12.13.2 Configure LDAP Domain

The first step is to configure the LDAP domain against which users will be authenticated.

Log in as admin, select Web Admin > Manage > LDAP Domain, and click the Configure button.

Fill in the details as shown below.

Domain Name : A descriptive name given to this LDAP domain
Domain Server : DNS name or IP address of the LDAP domain server
Port : LDAP port number, usually 389
User name : Distinguished name of the account used to bind to the LDAP domain
Password : Password for the above user
Base DN : Base DN under which users are searched
Sync Attributes : When users are synchronized automatically from the LDAP server, users with this attribute are queried and added to Trisul. Only used if you want to synchronize users automatically from the LDAP directory; if you want to add users manually, leave this blank
Filter attribute : The attribute name used to match the user. Examples : email/uid/dn/cn. If you specify email, the username has to be the email ID, e.g. tim@company.com
User Bind : If checked, LDAP authentication simply tries to BIND with the user name
Append to username : This string is automatically appended to the user name, so that users do not have to type their full login names. For example, if you set this to @unitedfederalbankname.com, a user who would otherwise type mike@unitedfederalbankname.com only has to type mike at the login screen

12.13.3 Create an LDAP-enabled user

Next you need to create a new LDAP user.

Log in as admin and select Web Admin > Manage > Users > New User.

Here there are two options:

LDAP Only login : The user can only log in via LDAP authentication and has no local password
LDAP + Local auth : The user can choose to log in locally or via LDAP authentication

Choose either of the two user types according to your company policy.

12.13.4 Admin user is always local

The super admin user with login name = admin always uses a local login.

12.13.5 Login mode

After you create an LDAP domain, the login screen shows a checkbox called “LDAP authentication”.

  1. Users with LDAP Only auth have no choice but to enter their LDAP password.
  2. Users with LDAP + Local auth use their local login/password unless they check the “LDAP authentication” checkbox.
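The following example, added here and not part of Trisul's own code, models the two login paths the Configure LDAP Domain fields and the login modes above describe: User Bind mode binds directly as the typed name, while the default mode binds with the configured service account, searches the Base DN by the Filter attribute, and then binds with the DN it finds. It assumes the directory is abstracted as two callables, bind(dn, password) and search(base_dn, filter); the in-memory directory, the domain settings and the names mike and trisul-svc are constructed for illustration.

```python
from typing import Any, Callable, Dict, List

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so typed input cannot alter the search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def normalize_login(typed: str, append_to_username: str = '') -> str:
    """'Append to username' option: 'mike' becomes 'mike@example.com'."""
    if append_to_username and not typed.endswith(append_to_username):
        return typed + append_to_username
    return typed

def build_search_filter(filter_attribute: str, login: str) -> str:
    """Filter for the 'Filter attribute' lookup, e.g. '(mail=mike@example.com)'."""
    return '(%s=%s)' % (filter_attribute, escape_filter_value(login))

def ldap_authenticate(domain: Dict[str, Any], typed: str, password: str,
                      bind: Callable[[str, str], bool],
                      search: Callable[[str, str], List[str]]) -> bool:
    """User Bind mode binds as the user directly; otherwise bind as the service
    account, search Base DN by the filter attribute, then bind with the found DN."""
    if not password:
        return False  # an empty password is an anonymous bind on many servers, never a login
    login = normalize_login(typed, domain.get('append_to_username', ''))
    if domain['user_bind']:
        return bind(login, password)
    if not bind(domain['bind_user'], domain['bind_password']):
        return False  # this is what the 'Check authentication' option verifies
    matches = search(domain['base_dn'], build_search_filter(domain['filter_attribute'], login))
    return len(matches) == 1 and bind(matches[0], password)

# Constructed in-memory directory standing in for a real LDAP server: dn -> (password, attributes).
DIRECTORY = {
    'cn=trisul-svc,ou=services,dc=example,dc=com': ('svc-secret', {}),
    'uid=mike,ou=people,dc=example,dc=com': ('mike-pw', {'mail': 'mike@example.com', 'uid': 'mike'}),
}

def fake_bind(dn: str, password: str) -> bool:
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def fake_search(base_dn: str, ldap_filter: str) -> List[str]:
    attr, _, value = ldap_filter[1:-1].partition('=')  # exact match only; no wildcard support
    return [dn for dn, (_, attrs) in DIRECTORY.items() if dn.endswith(base_dn) and attrs.get(attr) == value]

# Constructed domain settings mirroring the Configure LDAP Domain fields.
DOMAIN = {'bind_user': 'cn=trisul-svc,ou=services,dc=example,dc=com', 'bind_password': 'svc-secret',
          'base_dn': 'dc=example,dc=com', 'filter_attribute': 'mail', 'user_bind': False,
          'append_to_username': '@example.com'}
```

A real deployment would replace fake_bind and fake_search with calls to an LDAP client library over TLS; the escaping and the empty-password check stay the same.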

12.13.6 Troubleshooting

If you experience errors, try the following:

  1. Test the LDAP domain by clicking the Check Authentication link in the options shown for the domain
  2. Log in as an LDAP-enabled user with the “LDAP Authentication” checkbox checked
  3. Then check the Webtrisul log file for errors under Manage > Web Server Logs > Web server logs