LDAP Integration

The LDAP integration enables you to unlock SMARTICKS’s potential for large businesses and provide high-powered support. The functionality allows your LDAP users to authenticate into SMARTICKS. You can also import and synchronize LDAP users.

Features

LDAP authentication.
Supported LDAP servers:
Microsoft Active Directory,
OpenLDAP,
FreeIPA.

Automatic fallback to local database authentication if LDAP authentication fails.

Import and automatic synchronization of LDAP users.
LDAP attributes mapping.
Assigning imported users to mailboxes.
SSO authentication.
Detailed import logs.

Configuration

Keep in mind that the “Bind DN” field must be the exact DN of the Binding Username, and it should NOT contain the admin username.

When you click “Connect & Fetch Attributes”, the functionality retrieves user attributes from users located in the “Bind DN” and “DNs and Filters” fields.

If you want users to be automatically mapped to some mailboxes, configure an LDAP Filter for the corresponding mailboxes.

Example: (&(memberOf=cn=demo,dc=SMARTICKS,dc=net))

Importing users

Users can be imported manually or automatically in the background.

Users are imported from the “DNs and Filters” specified in the “Import & Authentication” section. Import logs can be found in “Manage > Logs > LDAP”.

SSO Authentication

Domain users can authenticate into SMARTICKS automatically when they open the application, using the pre-populated $_SERVER['AUTH_USER'] (or any other) variable that is filled when SSO is enabled on your server.

When SSO authentication is configured and you visit your site, a user account is created (if one does not exist already) with a random password, and the user is then logged in automatically.

Microsoft Azure

This functionality is compatible with Microsoft Azure. Instead of using the username (sAMAccountName) to log in, use the CN to bind.
You can install Active Directory Explorer on a joined machine and find the full DN of the user. The LDAP functionality builds the bind request as “CN={bind user},{Bind DN string}”.

CA cert

Specify Encryption: SSL, set “TLS_CACERT /etc/openldap/ca.pem” in ldap.conf, and mount the files to use them with Docker images:

Volumes:
  - path/to/tls/ca.pem:/etc/openldap/ca.pem:ro
  - path/to/ldap.conf:/etc/openldap/ldap.conf:ro

Troubleshooting

Credentials invalid

The functionality does not provide LDAP connection logs. If you have access to the LDAP server, you should be able to see what is being queried and what is wrong in the LDAP server logs. If you are receiving the “Credentials invalid” error, check “Bind DN” and “Bind Username”. “Bind DN” should NOT contain the admin username. The admin username should be present ONLY in “Bind Username”, as the username alone, without “cn=” or “uid=”. In your LDAP directory the admin user must be located under “Bind DN”.

If you can’t log in and want to disable the LDAP functionality, remove it from the /Features folder and clear the app cache.

ldap_connect(): Could not create session handle

If you are receiving the “ldap_connect(): Could not create session handle: Bad parameter to an ldap routine” error, make sure that you’ve specified a proper LDAP Host: it has to be a host name or IP address without protocol or port (examples: ldap.forumsys.com, 192.168.152.3). To make sure that your PHP LDAP extension is working properly, you can try to connect to the test OpenLDAP server:

LDAP Host: ldap.forumsys.com
Port: 389
Encryption: none
Base DN: dc=example,dc=com
Bind Username: read-only-admin
Bind Password: password

How can I log in under an imported user

To log in under one of the imported test users, enable the “LDAP Authentication” option and use “password” as the password to log in.

After clicking Connect & Fetch attributes some attributes are missing

Set the missing attributes for the user mentioned in parentheses as “(e.g.)”.

LDAP Filter has no effect – everyone in our LDAP system can log in

The LDAP functionality first tries to authenticate a user against “Bind DN”, and if that is not successful, it tries all the “DNs and Filters”. If your Bind DN is dc=example,dc=org, for example, all users located in groups and units below dc=example,dc=org will be able to authenticate (for example cn=SMARTICKS,dc=example,dc=org). To avoid this, change your Bind DN to something like cn=admins,dc=example,dc=org and move your admin user there.

LDAP over SSL to Active Directory does not work

Add/modify the following line (see this discussion):

TLS_REQCERT never

Note that TLS_REQCERT never makes the client skip verification of the server certificate, so the connection is encrypted but the server is not authenticated.
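
The login scope described under “LDAP Filter has no effect”, as an added example that is not SMARTICKS code: it lists which users are admitted only because they sit below the Bind DN. The function names and the sample directory are constructed for illustration, and only the DN part of “DNs and Filters” is modelled (filters are not evaluated).

```python
# Added example (not SMARTICKS code): models the login scope described above.
# Simplifications: only the DN part of "DNs and Filters" is modelled (no filter
# evaluation), and attribute names and values are compared case-insensitively.

def parse_dn(dn):
    """Split a DN into (attr, value) RDN pairs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere in its subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def can_log_in(user_dn, bind_dn, import_dns):
    """Bind DN is tried first, then every DN from "DNs and Filters"."""
    return is_under(user_dn, bind_dn) or any(is_under(user_dn, d) for d in import_dns)

def admitted_only_by_bind_dn(directory, bind_dn, import_dns):
    """Users who can log in although no "DNs and Filters" entry covers them."""
    return [dn for dn in directory
            if is_under(dn, bind_dn) and not any(is_under(dn, d) for d in import_dns)]

# Constructed sample directory; the DNs are illustrative only.
DIRECTORY = [
    "cn=alice,cn=SMARTICKS,dc=example,dc=org",
    "CN=Doe\\, Jane,OU=sales,DC=example,DC=org",
    "cn=ldapadmin,cn=admins,dc=example,dc=org",
]
IMPORT_DNS = ["cn=SMARTICKS,dc=example,dc=org"]

if __name__ == "__main__":
    for bind_dn in ("dc=example,dc=org", "cn=admins,dc=example,dc=org"):
        print(bind_dn, "->", admitted_only_by_bind_dn(DIRECTORY, bind_dn, IMPORT_DNS))
```

With the broad Bind DN the sales user and the admin are admitted without any matching “DNs and Filters” entry; with the narrowed Bind DN only the admin is.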
