The LDAP Organizational Identity Source Plugin is designed to integrate with an LDAP server.
| Org Identity Source Mode | Support |
|---|---|
| Manual Search and Linking | Supported |
| Enrollment, Authenticated | Not supported |
| Enrollment, Claim | Not supported |

| Org Identity Sync Mode | Support |
|---|---|
| Full | Supported, with restrictions |
This is a non-core plugin; see Installing and Enabling Registry Plugins for more information.
This plugin requires PHP 5.6 or later (for ldap_escape).
PHP 7.2 or later is recommended when integrating with Active Directory (for
The LDAP Source Plugin supports both anonymous and authenticated binds.
An attribute (the Key Attribute) containing a unique key is required. The value of this attribute should be persistent and must not change under any circumstances, and there should only ever be exactly one value for it. While dn can be used, many LDAP deployments allow DNs to change, for reasons such as the DN being based on a person's name, or a structural change to the LDAP server itself. If DNs are not persistent, a different attribute (such as employeeNumber, if suitable) should be used instead.
By default, the Plugin will search for all records under the Base DN. However, under some circumstances it may be desirable to further filter searches, such as to exclude inactive entries. This is done by setting the Search Filter configuration. The Search Filter will be AND'd together with any search operation performed by the Plugin. Be sure to include the parentheses in the filter definition, and also to escape any special characters within the filter values.
An example search filter, to constrain searches against Active Directory to active users:
The LDAP Source Plugin can select an arbitrary attribute from the LDAP record to assign to the Org Identity as an Identifier of type UID. This is intended as an interim capability until a more general solution is implemented (CO-1346).
The following attributes are currently supported by LdapSource:
| LDAP Attribute | Org Identity Source Attribute |
|---|---|
| mail | EmailAddress, type=Official, verified |
Full syncs are dependent on the LDAP server having sufficiently high search limits to allow the full directory to be read, or for binding to be performed with a Bind DN with unlimited search permission.
Wildcards are not supported in searches (though they are supported in the Search Filter). All searches are prefix searches (i.e., foo*).
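As an added illustration (not the plugin's own code), the Python below mirrors how a configured Search Filter is AND'd with the prefix search described above, escaping the search value the way PHP's ldap_escape() does for filter values (RFC 4515) so that only the trailing `*` acts as a wildcard. The Active Directory "active users" filter used as sample configuration is a constructed example value, not taken from this page.

```python
from typing import Optional

# Characters with special meaning inside an LDAP filter value (RFC 4515, section 3).
# These are the same characters PHP's ldap_escape(..., LDAP_ESCAPE_FILTER) escapes.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed sample Search Filter: Active Directory accounts whose
# ACCOUNTDISABLE bit (0x2) in userAccountControl is not set.
AD_ACTIVE_USERS = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_filter: Optional[str], attr: str, prefix: str) -> str:
    """Compose the prefix search (attr=prefix*) with the optional Search Filter.

    The Search Filter is taken as already parenthesised and escaped, as the
    documentation requires; only the caller-supplied prefix is escaped here.
    """
    # Attribute descriptions are names or OIDs, optionally with ;options.
    if not attr or not all(c.isalnum() or c in "-.;" for c in attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    term = f"({attr}={escape_filter_value(prefix)}*)"
    if not search_filter:
        return term
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        raise ValueError("Search Filter must include its enclosing parentheses")
    return f"(&{search_filter}{term})"


if __name__ == "__main__":
    # A search value containing filter metacharacters stays a literal prefix.
    print(build_search_filter(AD_ACTIVE_USERS, "sAMAccountName", "smi"))
    print(build_search_filter(AD_ACTIVE_USERS, "cn", "x)(cn="))
```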