Using LDAP as a Single Sign-On (Active Directory)

Allow users to authenticate in UseResponse against the LDAP server of your choice (Microsoft Active Directory, OpenLDAP, etc.), in addition to the standard UseResponse authentication methods.


LDAP is not part of the core system; it is available in the Enterprise package.


Basic LDAP Settings

Go to Administration » Applications and enable Single Sign-On. Then click Settings and select the LDAP method.

If you are going to use the system only internally within your company, set the option to use only SSO authentication. This shows the LDAP login form alone, without the option to register in the community.

Each time a new user logs in against the LDAP server, an internal UseResponse account is created for them. To avoid sending internal registration credentials to such users, disable Registration Email.

Other basic settings include connection to your LDAP server:

  • LDAP (Host, Port, Connection Version) - the hostname or IP address of your LDAP server. The defaults are localhost, port 389 and connection version 3. If the server uses a secure (TLS) connection, prefix the hostname with ldaps://;
  • BaseDN - the Base Distinguished Name of your Active Directory; the default value is dc=localhost;
  • LDAP Admin / Password - if your LDAP server requires authentication to read directory data, enter the administrative credentials used for the connection.

You can always test the connection to your LDAP server with saved settings. Click "Test Connection" and enter the username and password of any user on your LDAP server.

Self-Hosted Package

In order to use the LDAP authentication method, the "php_ldap" PHP extension must be installed on the server.

Advanced LDAP Settings

If your LDAP server has a specific configuration, go to Advanced Settings, where you can manage the following:

  • Username Mapping - the field/container (cn, uid) used to match LDAP users with UseResponse users. If you authenticate against any field in the LDAP structure, you are required to specify LDAP Admin / Password.

Note: the default value is uid, but for old Windows Active Directory please specify sAMAccountName.


  • Username in DN Form - some configurations require the username to be provided in DN form;
  • Full Name Mapping - the field/container (cn, displayname, givenname). Use "auto" for autodetection;
  • Email Mapping - the field/container (mail, email, userprincipalname). Use "auto" for autodetection;
  • Email Domain Zone - if no email is detected, it is built as username@domainzone;
  • Additional Search Filter - a filter that allows only specific users from your LDAP server to log in to UseResponse. The default value is (objectClass=*).

Any user who signs in to UseResponse through the LDAP server is assigned to the "User" team. If you want to define custom rules that assign specific users to different teams, use the "Allow Team Mapping" setting.
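As an added example (not UseResponse's own code), the following Python model shows how the settings above fit together on login: it builds the user search filter from the Username Mapping and Additional Search Filter, builds the bind DN when Username in DN Form is enabled, and resolves the email from Email Mapping with the Email Domain Zone fallback. The login name is escaped per RFC 4515 and RFC 4514 so a crafted username cannot alter the filter or the DN; the actual server calls (php_ldap in UseResponse) are assumed to happen elsewhere, and the sample entry is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# RFC 4515: these characters change the meaning of a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: these characters must be escaped inside a DN attribute value.
_DN_SPECIALS = set('\\,+"<>;')

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    return "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)

@dataclass
class LdapSettings:
    """The settings from this page; defaults match the documented ones."""
    base_dn: str = "dc=localhost"
    username_attr: str = "uid"             # sAMAccountName for Active Directory
    username_in_dn_form: bool = False
    email_attr: str = "mail"               # or "auto"
    email_domain_zone: str = ""
    extra_filter: str = "(objectClass=*)"

def user_search_filter(s: LdapSettings, username: str) -> str:
    """AND the Additional Search Filter with the Username Mapping match."""
    return f"(&{s.extra_filter}({s.username_attr}={escape_filter_value(username)}))"

def bind_dn(s: LdapSettings, username: str, found_dn: str | None) -> str:
    """Bind with the DN the search returned; build one only in DN-form mode."""
    if found_dn:
        return found_dn
    if s.username_in_dn_form:
        return f"{s.username_attr}={escape_dn_value(username)},{s.base_dn}"
    return username  # plain login name is handed to bind as-is

def resolve_email(s: LdapSettings, username: str, entry: dict[str, list[str]]) -> str | None:
    """Email Mapping first ("auto" tries mail, email, userPrincipalName), then username@domainzone."""
    lowered = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    candidates = ("mail", "email", "userprincipalname") if s.email_attr == "auto" else (s.email_attr.lower(),)
    for attr in candidates:
        if lowered.get(attr):
            return lowered[attr][0]
    return f"{username}@{s.email_domain_zone}" if s.email_domain_zone else None

if __name__ == "__main__":
    ad = LdapSettings(username_attr="sAMAccountName", email_attr="auto", email_domain_zone="corp.example")
    entry = {"userPrincipalName": ["jdoe@corp.example"]}  # constructed sample directory entry
    print(user_search_filter(ad, "jdoe"), resolve_email(ad, "jdoe", entry))
```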

Troubleshooting

While testing your connection or parsing user data on login, you may get errors related to the connection, user mapping, bind, etc.

Verify the settings with any LDAP test tool before submitting them in UseResponse. The returned error code tells you where the problem lies; the standard LDAP result codes are publicly documented.
