
The LDAP Organizational Identity Source Plugin is designed to integrate with an LDAP server.

Modes

Org Identity Source Mode      Support
Manual Search and Linking     Supported
Enrollment, Authenticated     Not supported
Enrollment, Claim             Not supported
Enrollment, Search            Supported
Enrollment, Select            Supported

Org Identity Sync Mode        Support
Full                          Supported, with restrictions
Query                         Supported
Update                        Supported
Manual                        Supported

Installation

This is a non-core plugin; see Installing and Enabling Registry Plugins for more information.

This plugin requires PHP 5.6 or later (for ldap_escape).

Configuration

The LDAP Source Plugin supports both anonymous and authenticated binds.

An attribute (the Key Attribute) containing a unique key is required. The value of this attribute should be persistent and not change under any circumstances. There should only ever be exactly one value for this attribute. While dn can be used, many LDAP deployments allow DNs to be changed, for reasons such as being based on a name, or a structural change of the LDAP server itself. If DNs are not persistent, then a different attribute (such as employeeNumber, if suitable) should be used.

By default, the Plugin will search for all records under the Base DN. However, under some circumstances it may be desirable to further filter searches, such as to exclude inactive entries. This is done by setting the Search Filter configuration. The Search Filter will be AND'd together with any search operation performed by the Plugin. Be sure to include the parentheses in the filter definition, and also to escape any special characters within the filter values.

An example search filter, to constrain searches against Active Directory to active users: (!(userAccountControl=514))

Constraints

Full syncs are dependent on the LDAP server having sufficiently high search limits to allow the full directory to be read, or for binding to be performed with a Bind DN with unlimited search permission.

Wildcards are not supported in searches (though they are supported in the Search Filter). All searches are prefix searches (i.e. foo*).
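As an added illustration of the Configuration and Constraints sections above (example code, not the plugin's own), this PHP function combines a configured Search Filter with a prefix search the way the page describes: the user-supplied value is escaped with ldap_escape so that filter metacharacters, including any wildcard the user types, are treated literally, the trailing * is appended afterwards, and the administrator-configured filter is AND'd in verbatim. The function name and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the LDAP Organizational Identity Source Plugin.
// Requires PHP 5.6 or later for ldap_escape().

/**
 * Build the filter for a prefix search on $attribute, AND'd with the
 * administrator-configured Search Filter (if any).
 *
 * The search value comes from an end user, so it is escaped (RFC 4515
 * encoding) before being placed in the filter: '(', ')', '*', '\' and NUL
 * become \28, \29, \2a, \5c and \00 and cannot alter the filter structure.
 * The configured Search Filter is trusted administrator input and is used
 * as-is, which is why wildcards work there but not in searches.
 */
function buildPrefixSearchFilter($attribute, $value, $searchFilter = null)
{
    // Escape the user-supplied value; a '*' typed by the user is neutralised
    $escaped = ldap_escape($value, "", LDAP_ESCAPE_FILTER);

    // The plugin's own '*' makes this a prefix search (foo*)
    $term = "(" . $attribute . "=" . $escaped . "*)";

    if ($searchFilter === null || trim($searchFilter) === "") {
        return $term;
    }

    // The page requires the configured filter to carry its own parentheses,
    // e.g. (!(userAccountControl=514)); reject a bare "a=b" early rather than
    // sending a malformed filter to the server.
    $searchFilter = trim($searchFilter);
    if (substr($searchFilter, 0, 1) !== "(" || substr($searchFilter, -1) !== ")") {
        throw new InvalidArgumentException("Search Filter must be enclosed in parentheses");
    }

    return "(&" . $searchFilter . $term . ")";
}

// Constructed sample inputs: an Active Directory style Search Filter plus a
// normal search term and a term containing filter metacharacters.
$active = "(!(userAccountControl=514))";
echo buildPrefixSearchFilter("sn", "Smith", $active), PHP_EOL;
echo buildPrefixSearchFilter("sn", "*)(uid=*", $active), PHP_EOL;
```

The second call shows that the injected parentheses and wildcards end up as escaped literals inside a single (sn=...*) assertion, so the only wildcard that reaches the server is the trailing one the plugin adds.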

See Also
