Introduction
You can set up eFront to connect to an LDAP server (such as OpenLDAP or Active Directory) for Single Sign-On. It is important, however, to understand how the SSO process works in order to configure the LDAP settings properly:
1. The system administrator configures the LDAP server's details (address, port etc.).
2. The system administrator stores the credentials of an LDAP account that will be used to connect to the LDAP server and perform searches.
3. A user visits the platform, enters his/her credentials and clicks on the “sign in” button.
4. The system first uses its stored LDAP account to search the LDAP tree for a user account with the given username. If found, it retrieves its full DN and uses the given password to authenticate the user.
5. If the user authenticates successfully, he/she is signed into eFront. If it's the first time he/she signs in, a user account is created in eFront for him/her at the same time.
The key step in the procedure above is (2): You must supply an account that has search privileges throughout the whole LDAP tree (or at least the part that holds the users that will be signing in). This user account does not need any other privileges, however.
Heads up! For the rest of this guide, whenever we refer to LDAP, it also applies to Active Directory, unless specifically stated otherwise.
Setting it up
To set up the LDAP connection, sign in as administrator and go to System Settings→Single Sign On→LDAP. Tick the “Enable LDAP support” option and fill in the required information.
- The values for LDAP Bind DN and LDAP bind password are for the account that will be used to search the LDAP tree for the user attempting to sign in, as explained earlier.
- The LDAP Base DN is the default level where the searches will be performed (so it doesn't have to be the root).
- The Login name, Full name and Email attributes will be used by eFront to discover the respective user properties when a new user signs in for the first time (and an account is created).
After you're done, you can click on “Check settings” to verify that the system can actually connect to the LDAP server. Please note that this operation only verifies that the server and port are properly set; it does not guarantee that the system is properly set up to perform the SSO.
Configuring a different LDAP server per branch
Starting with version 4.4 of eFront, you can configure a different LDAP server per branch. Sign in as administrator, go to Branches and click on the branch you want to set up a server for. Then click on Settings→LDAP and fill in the required information, as described earlier.
In such a setup, an incoming user that belongs to a specific branch will be authenticated against the branch's LDAP server. If the user belongs to a branch that doesn't have a configured LDAP server, then the system will search the branch's parents until it finds one with a configured LDAP server.
If none are found, the global LDAP server (from the system settings) will be used.
Using a pool of LDAP servers
It is possible to configure multiple LDAP servers to be checked in turn when authenticating an incoming user. To do this, simply enter the alternative LDAP servers' addresses in the “LDAP server” textbox (under System settings→Single Sign On→LDAP), separated by ; (semicolon). For example:
ldap://ldap1.example.com;ldap://ldap2.example.com;ldap://ldap3.example.com
However, in order for this setup to work, it is imperative that the account used to bind to the LDAP server exists in all specified LDAP servers, with the same password.
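As an added example (not eFront's code), the Python below models the search-then-bind flow from steps 1 to 5, the per-branch server lookup and the ;-separated server pool against a constructed in-memory directory; the server names, DNs, branches and credentials are made up. It also adds a check the guide does not spell out: an empty password must be rejected before the user bind, because servers such as Active Directory accept an empty password as an unauthenticated bind that "succeeds" without proving who the user is.

```python
from typing import Optional
# Constructed stand-in for two LDAP servers: server -> {DN: (login attribute, password)}.
DIRECTORY = {
    "ldap://ldap1.example.com": {
        "cn=efront-search,dc=example,dc=com": ("efront-search", "S3rv1ce!"),
        "uid=jdoe,ou=people,dc=example,dc=com": ("jdoe", "correct-horse")},
    "ldap://ldap2.example.com": {
        "cn=efront-search,dc=example,dc=com": ("efront-search", "S3rv1ce!"),
        "uid=asmith,ou=people,dc=example,dc=com": ("asmith", "battery-staple")},
}
# Constructed branch tree (branch -> (parent, per-branch server)) plus the global settings.
BRANCHES = {"root": (None, ""), "sales": ("root", "ldap://ldap2.example.com"),
            "sales-emea": ("sales", "")}
GLOBAL_SERVERS = "ldap://ldap1.example.com;ldap://ldap2.example.com"
BIND_DN, BIND_PW, BASE_DN = "cn=efront-search,dc=example,dc=com", "S3rv1ce!", "dc=example,dc=com"

def bind(server: str, dn: str, password: str) -> bool:
    """Simple bind against the stand-in server."""
    if password == "":
        return True  # like Active Directory: an empty password is an *unauthenticated* bind that "succeeds"
    entry = DIRECTORY.get(server, {}).get(dn)
    return entry is not None and entry[1] == password

def search_user_dn(server: str, username: str) -> Optional[str]:
    """Step 4: bind with the stored search account, then resolve the login name to a full DN."""
    if not bind(server, BIND_DN, BIND_PW):
        return None  # search account missing on this pool member, so it cannot be used
    for dn, (login, _) in DIRECTORY[server].items():
        if dn.endswith(BASE_DN) and login == username:
            return dn
    return None

def ldap_servers_for(branch: Optional[str]) -> str:
    """Per-branch lookup: walk up the parents until one has an LDAP server, else use the global one."""
    while branch is not None:
        parent, server = BRANCHES[branch]
        if server:
            return server
        branch = parent
    return GLOBAL_SERVERS

def authenticate(server_setting: str, username: str, password: str) -> Optional[str]:
    """Try each ';'-separated pool member in turn; return the user's DN on success, else None."""
    if password == "":
        return None  # never forward an empty password: the user bind below would "succeed" anonymously
    for server in (s.strip() for s in server_setting.split(";") if s.strip()):
        user_dn = search_user_dn(server, username)
        if user_dn and bind(server, user_dn, password):  # bind as the user with the given password
            return user_dn
    return None
```

A user in the "sales-emea" branch is checked only against the server inherited from "sales", so an account that exists only on ldap1 cannot sign in there even though the global pool includes it.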
Importing users that will be authenticating via LDAP
LDAP users are created on the fly as they sign in for the first time. It is not uncommon, however, to need to pre-import some or all of the users that will be using the system, using the “Import from CSV” operation.
In this case, to indicate that the imported users will be authenticated via LDAP, you must add the is_ldap field and set it to 1. For example, the following CSV snippet imports a user that will be authenticated via LDAP:
login,name,surname,email,active,is_ldap
sample_user,John,Doe,sample@example.com,1,1
Restricting self-signup to only allow LDAP users
You can configure eFront to only allow self-signup for users that have a valid LDAP account. To do this, sign in as administrator, go to System Settings→Users, and change the value of “Allow self-signup” to “Enabled, but only for users having a valid LDAP account”.
Testing the LDAP integration
If you're interested in implementing code for the LDAP server integration (in a plugin, for example), or merely want to verify that connecting to an LDAP service is possible from your server, there is a public LDAP server that you can use. See here for more information.