Using LDAP as a Single Sign-On (Active Directory)

Allow users to authenticate in UseResponse against the LDAP server of your choice (Microsoft Active Directory, OpenLDAP, etc.), in addition to the standard UseResponse authentication methods.


LDAP is not part of the core system and is available in the Enterprise package.


Basic LDAP Settings

Go to Administration » Login Plus » Single Sign-On and enable the LDAP method.

If you are going to use the system only internally within your company, set the option to use only SSO authentication. This shows the LDAP login form without the option to register in the community.

Each time a new user logs in against the LDAP server, a UseResponse internal account is created. To avoid sending internal registration credentials to such users, disable Registration Email.

Other basic settings include the connection to your LDAP server:

  • LDAP (Host, Port, Connection Version) - hostname or IP address of your LDAP server. Default settings are localhost, port 389, connection version 3. When the server offers a secure connection, prefix the hostname with ldaps://;
  • BaseDN - Base Distinguished Name of your Active Directory; the default value is dc=localhost;
  • LDAP Admin / Password - if your LDAP server requires authentication to read user data, enter the administrative credentials used for the connection.

You can test the connection to your LDAP server at any time with the saved settings: click "Test Connection" and enter the username and password of any user on your LDAP server.

Self-Hosted Package

To use the LDAP authentication method, the PHP extension "php_ldap" must be installed on the server.

Advanced LDAP Settings

If your LDAP server has a specific configuration, go to Advanced Settings, where you can manage the following:

  • Username Mapping - the field/container (cn, uid) used to match LDAP users with UseResponse users. If you authenticate against any other field in the LDAP structure, you are required to specify LDAP Admin / Password;
  • Username in DN Form - some configurations require the username to be provided in DN form;
  • Full Name Mapping - field/container (cn, displayname, givenname). Use "auto" for autodetection;
  • Email Mapping - field/container (mail, email, userprincipalname). Use "auto" for autodetection;
  • Email Domain Zone - if no email is detected, it is built as username@domainzone;
  • Additional Search Filter - define a specific filter to allow only selected users from your LDAP server to log in to UseResponse. The default value is (objectClass=*).

Any user that signs in to UseResponse via the LDAP server is assigned the "User" role. If you want to define custom rules that assign specific users to a different role, use the "Allow Role Mapping" setting.
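The basic and advanced settings above describe one login flow. As an added example that is not UseResponse's own code, here is that flow written against the php_ldap extension the self-hosted package requires; the host, DNs, attribute names, group filter and the LDAP_BIND_PW environment variable are assumed values.

```php
<?php
// Added example, not UseResponse's own code: the login flow the settings above
// describe, using PHP's ext-ldap ("php_ldap"). The $settings keys mirror the
// admin screen; host, DNs, attribute names and the group filter are constructed.
$settings = [
    'host'         => 'ldaps://ad.example.internal',   // ldaps:// for a TLS listener
    'port'         => 636,                             // 389 is the plain default
    'version'      => 3,
    'base_dn'      => 'dc=example,dc=internal',
    'admin_dn'     => 'cn=ur-bind,ou=service,dc=example,dc=internal',
    'admin_pw'     => getenv('LDAP_BIND_PW'),          // never hard-code this
    'user_attr'    => 'sAMAccountName',                // Username Mapping
    'mail_attr'    => 'mail',                          // Email Mapping
    'mail_domain'  => 'example.com',                   // Email Domain Zone
    'extra_filter' => '(memberOf=cn=staff,ou=groups,dc=example,dc=internal)',
];

// Returns the user's DN and email on success, null on any failure.
function ldapAuthenticate(array $s, string $user, string $password): ?array
{
    // An empty password turns the final bind into an anonymous/unauthenticated
    // bind, which many servers (AD included) accept; reject it up front.
    if ($user === '' || $password === '') { return null; }
    $conn = ldap_connect(rtrim($s['host'], '/') . ':' . $s['port']);
    if ($conn === false) { return null; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $s['version']);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // 1. Bind as the service account so the mapped field can be searched.
    if (!@ldap_bind($conn, $s['admin_dn'], $s['admin_pw'])) { return null; }
    // 2. Look the user up. Escape the login name before splicing it into the
    //    filter so that characters like '*' or ')' cannot widen the match, and
    //    AND it with the administrator's Additional Search Filter.
    $filter = sprintf('(&(%s=%s)%s)', $s['user_attr'],
        ldap_escape($user, '', LDAP_ESCAPE_FILTER), $s['extra_filter']);
    $res = @ldap_search($conn, $s['base_dn'], $filter, ['dn', $s['mail_attr']]);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        return null;   // no match or an ambiguous match: both are failures
    }
    $entry = $entries[0];
    // 3. Re-bind as the user's own DN; this is the actual password check.
    if (!@ldap_bind($conn, $entry['dn'], $password)) { return null; }
    // Email fallback: username@domainzone when the mapped attribute is absent
    // (ldap_get_entries lower-cases attribute names).
    $email = $entry[strtolower($s['mail_attr'])][0] ?? $user . '@' . $s['mail_domain'];
    return ['dn' => $entry['dn'], 'email' => $email];
}
```

The result is what an internal account would be created from on first login; a null return should be logged with the ldap_error() text so the bind, search and mapping failures listed under Troubleshooting can be told apart.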

Troubleshooting

While testing the connection or parsing user data on login, you may get errors on connection, user mapping, bind, etc.

Use any LDAP test tool before submitting the settings in UseResponse. The returned error code lets you determine where the problem is; the standard LDAP error codes are publicly documented.
