i-doit offers an interface for the authentication/authorization and synchronization of data from an LDAP directory or an Active Directory (AD).
i-doit supports the following directory services:
php_ldap has to be installed and activated for the communication with an Active Directory (AD) / LDAP directory. If you have installed i-doit according to our , then the module will already be available.
Don't forget to allow LDAP connections if you are using SELinux:
setsebool -P httpd_can_connect_ldap on
The -P makes the setting permanent. Verify it via
getsebool -a | grep httpd
Subsequent Installation under Debian GNU/Linux
Subsequent Installation under Windows
php.ini (usually at C:\xampp\php\php.ini) has to be modified. Activate loading of the php_ldap extension in a text editor.
From the line
the ";" is deleted, resulting in
Sometimes it may also be necessary to copy the files libeay32.dll (in most cases they are located at C:\xampp\apache\bin\, however, this varies from version to version) to the php\ folder. The Apache web server has to be restarted afterwards.
In i-doit the configuration is located at Administration → . Under Interfaces / external Data → LDAP you can both configure one or more instances and also assign fields to attributes.
Under Administration → Interfaces / external Data → LDAP → Server you can configure one or more server instances. All servers are queried during the login process until a matching login has been found. If there are multiple tenants, they are all queried one after another. The tenant databases that returned a positive result are then offered for the login.
LDAP Connection for Lookups (Reading)
Do you want to query the server during login?
Mandatory field: Which type of directory is queried?
In which version does the directory exist? (Default:
Should the maximum number of search results be activated/overridden?
In an LDAP search it must always be taken into account that the LDAP server imposes an upper limit on the number of results returned per search query. For example, you search for all user objects in an entire OU structure, but only 500 users are returned, even though there are well over 2000 users on the server.
|How many results should be returned per "packet"?|
Mandatory field: The IP or the host name of the server.
Mandatory field: Via which port is the query carried out? (Default:
Do you want to encrypt the login query? Attention: The authentication will fail in case of self-signed certificates or certificates whose root CA is not known to the operating system on which i-doit is installed. The respective manual of the operating system explains how the certificate can be accepted. In Debian-based operating systems the certificate of the root CA is copied to the
Mandatory field: The path to the user object which has reading permissions for the directory.
Mandatory field: The password of the user stated above.
|If the option "Use admin user for all read requests" is activated, each LDAP server query is checked with the administrator account from the LDAP server configuration|
Limit for the maximum duration of the query. (Default:
LDAP Parameters for the i-doit Login
The parameters stated here determine where users are to be searched in the directory.
|AD synchronization often results in changed records not being synchronized due to a changed name (marriage or similar).|
The "old" record is archived here and a new one is imported.
Therefore a different attribute can be selected as unique identifier. See category extension
The filter is filled automatically with the values defined in the lower area and cannot be changed directly via the user interface.
Mandatory field: The path to the organizational unit in which the users are stored in the directory.
When the recursive search is activated, the organizational units beneath the stated organizational unit are searched as well. This is not recommended for large directories and should be avoided by creating multiple server entries instead.
In addition, the filter can be refined further. The options behind it have no effect for a single filter line; once the query is extended using “Add filter”, the additional options come into effect.
Append to last filter:
Append as new filter:
Create new term:
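As an added illustration (not i-doit code), the following Python builds the login lookup filter the way this section describes it: the configured base filter is combined with the login attribute, and the login typed by the user is escaped per RFC 4515 before it is placed in the filter, so filter metacharacters in a login name cannot change the query. The base filter, attribute name and login values are constructed examples, and combine() is an assumed model of joining several complete filter terms.

```python
# Added example, not part of i-doit: composing the LDAP login filter safely.

# RFC 4515 escaping for values inside a search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is treated as data, not filter syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def login_filter(base_filter: str, login_attr: str, login: str) -> str:
    """AND the configured base filter with a match on the login attribute.

    base_filter is a complete filter term such as "(objectClass=user)";
    login is the untrusted value entered on the login form.
    """
    return f"(&{base_filter}({login_attr}={escape_filter_value(login)}))"


def combine(terms, op: str = "&") -> str:
    """Join complete filter terms with & (all must match) or | (any may match)."""
    if len(terms) == 1:
        return terms[0]
    return f"({op}{''.join(terms)})"


if __name__ == "__main__":
    # Constructed AD-style example: base filter for user objects, login by sAMAccountName.
    base = combine(["(objectClass=user)", "(objectCategory=person)"])
    print(login_filter(base, "sAMAccountName", "jdoe"))
    # A login containing filter syntax is neutralised by escaping.
    print(login_filter(base, "sAMAccountName", "*)(objectClass=*"))
```

In PHP, which i-doit and php_ldap use, the same escaping is provided by the built-in ldap_escape() function with the LDAP_ESCAPE_FILTER flag.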
You can then test the configuration specified above in the bottom section. If everything is correct, the following notification is displayed:
If the error message is not clear enough in the event of a failure, the debug level can be increased so that further outputs are written into the Apache error log. In Debian-based operating systems the error log can be found at
Without any further setting, the unique identifier is the login attribute from the category Persons → Login.
Afterwards you can set up the mapping via Administration → Interfaces / external Data → LDAP → Directories. It is used to query basic information about the user who is logging in during the login process and to store it for the person object that is going to be created in i-doit. After choosing the applicable directory, the assignment can be carried out. However, the fields are filled by default and generally do not need any changes.
Import of Custom LDAP Attributes
It is also possible to save custom attributes from the LDAP in the master data via the import of persons. At Administration → CMDB Settings → Category extensions further fields can be configured for this category. A field with the corresponding name is shown once the name has been set. The field is filled through the corresponding key.
The required configuration for this has already been made in the previous steps. Now you only have to set up an appropriate command line call for the synchronization. Additional fields can also be configured for synchronization.
The configuration must be done in the handler configuration. An example can be found here (i-doit < 1.15). This file can be extended and customized with login data, tenant and attributes. The configuration file is then moved to /src/handler/config/.
So that this file is taken into account by the ldap-sync command, it must be passed to the sync with an additional parameter (-c /path/); see the Console article for further information.
When set to “true”, rooms are also created during the synchronization. (Default:
Through this the users added by the LDAP synchronization are assigned automatically to the configured organization. (Default:
Can be set to
Or you just deactivate the login for the users.
Can be set to
Or you just deactivate the login for the users.
As seen in the example, an assignment of a user to a
The respective fields from the directory are linked with attributes in i-doit via the “Attributes” entry. These complement the assigned attributes described in the part of the guide mentioned above.
This is only relevant for Novell Directory Services (NDS) and OpenLDAP. During synchronization all users are activated again with this and, if applicable, deactivated according to the common principle.
This function helps to prevent synchronization of unwanted directory objects.
The user will not be synchronized if the
This can be any function name that can be called via call_user_func, or one of the defined functions.
If values were deleted/emptied from fields in AD, they are transferred to i-doit.
In order to use the console correctly, you should be familiar with the article about it. A simple synchronization without the advanced configuration is provided by the option ldap-sync. A description of the parameters as well as a corresponding example can be found in the corresponding chapter.
Automated Assignment of Persons to Person Groups
The automated assignment makes sure that the specified permissions of the person group are assigned automatically upon login. The attribute LDAP group (Mapping) in the master data of a person group has to be filled with a valid group from your directory in order for the assignment to happen. The groups assigned to the user object in the directory are queried and compared to the attribute LDAP group (Mapping) of the i-doit person groups once a user logs in or the synchronization is started. If there is a match, the group is assigned and the remaining groups are checked.
memberOf with OpenLDAP
The automatic assignment is based on an LDAP query that determines which groups a user belongs to. The memberOf attribute plays an important role here. This attribute has to be available as an overlay; however, in many default installations of OpenLDAP this is not the case. Useful information about the required configuration can be found in this and this article.
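As an added example (not i-doit code) of the group comparison described above: the user's group DNs are matched against the “LDAP group (Mapping)” value of each person group, and when memberOf is missing (OpenLDAP without the overlay) the groups are determined from the group entries' member attribute instead. All DNs, users and person group names below are constructed sample data; the in-memory group list stands in for the directory query.

```python
# Added example, not part of i-doit: resolving person groups from LDAP group membership.


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop spaces around RDN separators so that
    'CN=x, OU=y' and 'cn=x,ou=y' compare equal. (Escaped commas are not handled.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def user_groups(user: dict, group_entries: list) -> set:
    """Return the normalized DNs of the groups the user belongs to."""
    if user.get("memberOf"):
        return {normalize_dn(g) for g in user["memberOf"]}
    # Fallback for servers without the memberOf overlay: find the user's DN in
    # the member attribute of each group entry (what a group search would return).
    user_dn = normalize_dn(user["dn"])
    return {normalize_dn(g["dn"]) for g in group_entries
            if user_dn in {normalize_dn(m) for m in g.get("member", [])}}


def person_groups_for(user: dict, group_entries: list, person_groups: dict) -> list:
    """person_groups maps i-doit person group title -> 'LDAP group (Mapping)' value.
    Returns the titles of the person groups the user should be assigned to."""
    groups = user_groups(user, group_entries)
    return sorted(title for title, mapping in person_groups.items()
                  if normalize_dn(mapping) in groups)


# Constructed sample directory data.
GROUPS = [
    {"dn": "cn=cmdb-admins,ou=groups,dc=example,dc=com",
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    {"dn": "cn=cmdb-readers,ou=groups,dc=example,dc=com",
     "member": ["uid=jdoe,ou=people,dc=example,dc=com",
                "uid=asmith,ou=people,dc=example,dc=com"]},
]
PERSON_GROUPS = {"Admins": "CN=cmdb-admins, OU=groups, DC=example, DC=com",
                 "Readers": "cn=cmdb-readers,ou=groups,dc=example,dc=com",
                 "Auditors": "cn=auditors,ou=groups,dc=example,dc=com"}
AD_USER = {"dn": "cn=jdoe,ou=people,dc=example,dc=com",
           "memberOf": ["CN=cmdb-admins,OU=groups,DC=example,DC=com"]}
OPENLDAP_USER = {"dn": "uid=asmith,ou=people,dc=example,dc=com"}  # no memberOf

if __name__ == "__main__":
    print(person_groups_for(AD_USER, GROUPS, PERSON_GROUPS))
    print(person_groups_for(OPENLDAP_USER, GROUPS, PERSON_GROUPS))
```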
Synchronize persons and groups of persons
Since version 1.15 persons and person groups can be synchronized from LDAP/AD. The persons then become members of the group assigned to them in the directory, as long as the group is also found with the configured filter.
The prerequisite is that the user with whom the command is executed also has supervisor rights on the categories ("Group memberships" and "Person groups > Members") and supervisor rights on the object types ("Persons" and "Person groups").
A logfile named ldap_debug.txt can be found within log/ in the i-doit installation folder. The logging can be activated or deactivated under Administration → System Settings → Logging → LDAP Debug
Running the ldap-sync
The ldap-sync can only be executed via the console of the server. To be able to use the console properly, you should be familiar with the article about it. A simple synchronization without the advanced configuration is provided by the option ldap-sync. A description of the parameters can be found in the corresponding chapter.