Skip to main content

LDAP/Active Directory sync setup

Martin Hartkopf
Updated

LDAP/Active Directory sync setup

i-doit can import and authenticate users from an LDAP directory (e.g. Microsoft Active Directory).

Prerequisites

  • PHP extension php-ldap installed (php -m | grep ldap)
  • The i-doit server must be able to reach the LDAP server (port 389 or 636)
  • SELinux systems: setsebool -P httpd_can_connect_ldap on

Step 1: Configure LDAP server

Path: Administration > Import & Interfaces > LDAP > Server

Parameter Description Example
Directory type Active Directory, OpenLDAP or eDirectory Active Directory
Host FQDN of the LDAP server (use hostname, not IP) dc01.company.local
Port 389 (standard) or 636 (LDAPS) 389
TLS Encrypted connection recommended Yes
Admin DN Bind user with read permissions CN=idoit,OU=Service,DC=company,DC=local

Important: Use the hostname (FQDN), not the IP address. TLS validates the certificate against the hostname.

Step 2: Configure directory

Path: Administration > Import & Interfaces > LDAP > Directories

Use the Test button to verify the connection and number of objects found.

Useful LDAP filters

Filter Description
(objectClass=user) All users
(&(objectClass=user)(userAccountControl=512)) Enabled accounts only

Step 3: Run synchronization

sudo -u www-data php console.php ldap-sync \
    --user admin --password admin \
    --tenantId 1 --ldapServerId 1 --verbose

Log files: <i-doit>/log/ldap_YYYY-MM-DD.log

Group-based assignment

  1. Open a Person Group in i-doit
  2. Set the "LDAP Group (Mapping)" field to the full DN of the AD group
  3. Users are automatically assigned during the next sync

TLS/LDAPS setup (Debian)

openssl x509 -inform der -outform pem \
    -in /tmp/dc-cert.cer \
    -out /usr/local/share/ca-certificates/dc-cert.crt
sudo update-ca-certificates
sudo service apache2 restart

File extension must be .crt.

Common issues

Problem Solution
TLS connection fails Re-export cert as DER, convert to PEM with .crt extension, run update-ca-certificates
Certificate validation fails Use FQDN hostname, not IP address
Login takes 30+ seconds Check DNS resolution, add hostname to /etc/hosts
Users are archived Set "Unique Identifier" to objectSID in the directory config
Groups not synchronized OpenLDAP: enable memberOf overlay
"Can't contact LDAP server" Check firewall: port 389 or 636

Diagnostic checklist

  1. Is php-ldap installed?
  2. Is the LDAP server reachable? (telnet dc01.company.local 389)
  3. Is the hostname (not IP) used in the config?
  4. Does DNS resolve the hostname?
  5. For TLS: Certificate in /usr/local/share/ca-certificates/ with .crt extension?
  6. Was update-ca-certificates run?
  7. Was Apache restarted?
  8. Does the connection test show "Connection OK"?
  9. Does the LDAP filter return results?
  10. Check logs: /var/log/apache2/error.log and <i-doit>/log/ldap_*.log

Detailed documentation: LDAP in the Knowledge Base | LDAP via TLS

Related articles

Comments

0 comments

Please sign in to leave a comment.