LDAP Authentication

You can use LDAP Authentication to authenticate (and automatically create) users against an Active Directory (AD) or LDAP server.

Note

Support for this functionality requires that your PHP installation has the ldap extension enabled.

[Screenshot: ldap authentication]

You can choose to have classroombookings automatically create accounts upon successful authentication with the server, or only allow access to accounts that already exist.

When LDAP is enabled and a user successfully logs in, the password they supplied is hashed and stored in the classroombookings database, just like regular users. This enables those users to log in using their most recent password, even if the LDAP server is temporarily unavailable or the LDAP setting gets turned off.

Connection

Firewall

The AD/LDAP server must be accessible over the network from the server that classroombookings is running on. Depending on your setup, this may involve opening and/or forwarding ports on firewalls.

Hosted service

If you are using the hosted service, you will need to allow access to your LDAP port from the following IP address:

94.237.60.222


Server

This is the hostname or IP address of the AD/LDAP server to authenticate with. Currently, only one server is supported.

Port

The port number that the AD/LDAP server is running on.

Protocol version

The protocol version number that the AD/LDAP connection should use.

Use TLS

Specify whether to use TLS for the connection.

Ignore certificate

Choose this option to ignore any certificate errors when using a TLS connection. If you do not use this option, you may need to install and/or accept your AD/LDAP server's certificate on the classroombookings server.

Bind DN Format

Specify the format that the authenticating user will use when attempting to connect to the LDAP server. This will vary depending on your AD/LDAP server configuration and version. The keyword :user will be replaced by the username entered by the user.

Common formats are:

  • EXAMPLE.LOCAL\:user
  • :user@EXAMPLE.LOCAL
  • uid=:user,cn=users,dc=example,dc=com

You can specify search criteria here to ensure that the authenticating user matches the given criteria.

If you don't use this, any user who successfully authenticates with your AD/LDAP server using the settings above can log in to classroombookings. Most organisations will want to enter search criteria to ensure only a certain tree or group of users can log in to classroombookings, and deny others.

Base DN

This is the Base DN that the search will start at.

Search filter

This is the AD/LDAP search filter used to find the user. The keyword :user will be replaced by the authenticating username.

Examples:

Match user with a keyword in their description:

(&(uid=:user)(description=staff))

Match a user whose description is staff, or who has an email address attribute set in AD/LDAP:

(&(uid=:user)(|(description=staff)(email=*)))

Match user that is a member of a given group:

(&(uid=:user)(memberof=CN=Teachers,OU=Users,DC=Example,DC=com))

You can read more about the LDAP query syntax here: Search Filter Syntax.

User attribute mapping

When you use a search filter to find the authenticating user, you can populate some classroombookings user profile fields with their attributes found in LDAP each time they log in.

You can combine multiple AD/LDAP attributes by adding a colon before the attribute name, for example - :givenName :sn. If you are just specifying a single field, you do not need to include the colon.

If you leave the field blank, classroombookings will not attempt to populate those user details.
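The search filter and attribute mapping sections above both substitute values into LDAP syntax, which is where the username entered at the login form ends up. The following added example (not code from classroombookings) shows how a defender would expect the :user substitution to be done: the username is escaped per RFC 4515 before it is placed in the search filter, so that a login name containing filter metacharacters cannot alter the query, and the ":givenName :sn" mapping style is resolved against a search result. The permitted login-name character set, the helper names and the sample entry are assumptions made for this example.

```python
import re

# Escape a value for use inside an LDAP search filter (RFC 4515), so a username
# such as "bob)(uid=*" cannot change the structure of the filter it is placed in.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def render_search_filter(template: str, username: str) -> str:
    """Substitute :user in the search filter template with the escaped username."""
    return template.replace(':user', escape_filter_value(username))

# Assumption: the characters a login name may contain; anything else is rejected
# before it reaches the bind DN format (e.g. ":user@EXAMPLE.LOCAL").
LOGIN_NAME = re.compile(r'[A-Za-z0-9._-]+')

def render_bind_dn(template: str, username: str) -> str:
    """Substitute :user in the bind DN format, refusing unexpected characters."""
    if not LOGIN_NAME.fullmatch(username):
        raise ValueError('username contains characters not allowed in a login name')
    return template.replace(':user', username)

def _first(entry: dict, attr: str) -> str:
    """Return the first value of an attribute; LDAP attribute names are case-insensitive."""
    values = entry.get(attr.lower(), [])
    return values[0] if values else ''

def map_attribute(mapping: str, entry: dict) -> str:
    """Resolve a profile-field mapping against a search result entry.
    ':givenName :sn' joins several attributes; 'mail' (no colon) reads one;
    a blank mapping leaves the profile field untouched."""
    mapping = mapping.strip()
    if not mapping:
        return ''
    if ':' not in mapping:
        return _first(entry, mapping)
    return re.sub(r':([A-Za-z][A-Za-z0-9-]*)', lambda m: _first(entry, m.group(1)), mapping).strip()

# Constructed sample entry, shaped like a search result (attribute names lower-cased).
SAMPLE_ENTRY = {'givenname': ['Alice'], 'sn': ['Smith'], 'mail': ['alice@example.com']}

if __name__ == '__main__':
    print(render_search_filter('(&(uid=:user)(description=staff))', 'bob)(uid=*'))
    print(render_bind_dn(':user@EXAMPLE.LOCAL', 'alice.smith'))
    print(map_attribute(':givenName :sn', SAMPLE_ENTRY))
```

The first print shows the metacharacters in the username arriving in the filter as "\29", "\28" and "\2a", so the filter still matches only a literal uid.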

Testing the settings

You can check if the AD/LDAP settings entered on this page will work by using the Test Settings box on the right side of the page.

This is useful to test that a connection can be made and only the desired user accounts can successfully authenticate.

The connection settings on the page are used every time you click Test credentials, so you don't need to click Save before testing.

[Screenshot: ldap authentication test 1]

Any error or success messages will be displayed under the box.
