LDAP / Active Directory

Starting from Version 3.1, Structr supports authentication and group synchronization using an LDAP / Active Directory server.

LDAP synchronization is activated by creating a Group of type LDAPGroup and setting its distinguishedName property to the DN of the corresponding AD group. Structr then connects to the LDAP server and creates an LDAPUser object for each member of that group, uniquely identified by its distinguishedName property. The password of these users is not stored in Structr. Instead, at login Structr makes a bind attempt against the LDAP server with the user’s distinguished name and the supplied password, and authenticates the user only if the bind attempt succeeds.

The group membership of an individual user is refreshed when that user tries to log in to Structr, but at most once per update interval, as configured by ldap.updateInterval. Alternatively, group memberships can be refreshed via a button in the Structr user interface, or by modifying the LDAPGroup object.

The LDAP server that Structr uses for authentication and for the synchronization of users and groups must be configured in structr.conf with the following keys:

| Key | Description | Default |
|---|---|---|
| ldap.host | IP address or name of the LDAP server | localhost |
| ldap.port | Port number of the LDAP service on the above server | 389 |
| ldap.connectTimeout | Connection timeout in milliseconds | 1000 |
| ldap.bindDn | DN that is used to authenticate the synchronization | |
| ldap.secret | Password for the above bind DN | |
| ldap.useSsl | Whether to use SSL for connecting to the LDAP server | false |
| ldap.scope | The scope of the group synchronization search query | SUBTREE |
| ldap.propertyMapping | Mapping from LDAP properties to Structr properties | { sn: name, email: eMail } |
| ldap.updateInterval | Update interval for group synchronization in seconds | 600 |

Property mapping
The properties of an LDAP user on the server can be mapped to Structr properties using the ldap.propertyMapping configuration setting. The setting accepts a JSON object whose keys are LDAP property names and whose values are the Structr property names they map to, e.g.:

{ sn: name, cn: fullName, email: eMail }

As of the first version of this implementation, LDAP users that were created by an LDAP synchronization process are never deleted in Structr, even after they leave the synchronized group.
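The synchronization and login flow described above (group members become LDAPUser objects keyed by DN, properties are translated through ldap.propertyMapping, refreshes are throttled by ldap.updateInterval, users are never deleted, and login is a bind with the user's own DN and password) as an added Python model; this is illustrative code, not Structr's implementation. The directory contents are constructed, simulated_bind stands in for the LDAP server's answer to a simple bind, and the model assumes that only synchronized LDAPUser objects may log in.

```python
import hmac
import json
import re
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP server (DN -> (attributes, password)); real code queries ldap.host.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org":
        ({"sn": "Alice", "cn": "Alice Adams", "email": "alice@example.org"}, "s3cret"),
    "cn=bob,ou=people,dc=example,dc=org":
        ({"sn": "Bob", "cn": "Bob Brown", "email": "bob@example.org"}, "hunter2"),
}
GROUP_MEMBERS = {"cn=devs,ou=groups,dc=example,dc=org": list(DIRECTORY)}
@dataclass
class LDAPGroup:
    distinguishedName: str
    members: set = field(default_factory=set)
    last_sync: float = float("-inf")

def parse_property_mapping(setting):
    """Parse ldap.propertyMapping: strict JSON or the relaxed '{ sn: name }' form."""
    try:
        return json.loads(setting)
    except json.JSONDecodeError:
        return json.loads(re.sub(r"([A-Za-z_][\w-]*)", r'"\1"', setting))

def sync_group(group, users, mapping, now, update_interval=600):
    """Refresh membership at most once per update_interval seconds. LDAPUser
    records (users[dn] -> mapped properties) are created or updated, never deleted."""
    if now - group.last_sync < update_interval:
        return False
    current = set(GROUP_MEMBERS.get(group.distinguishedName, []))
    for dn in current:
        attrs, _password = DIRECTORY[dn]  # the password is never copied into Structr
        users[dn] = {mapping[k]: v for k, v in attrs.items() if k in mapping}
    group.members = current               # a DN dropped from the group stays in `users`
    group.last_sync = now
    return True

def simulated_bind(dn, password):
    """Stands in for the server's answer to a simple bind with this DN and password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry[1], password)

def authenticate(dn, password, users):
    """Log in by binding as the user; no credential is verified locally. An empty
    password is refused up front because LDAP treats it as an unauthenticated bind."""
    if dn not in users or not password:
        return False
    return simulated_bind(dn, password)
```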

About this article
Last change: 2018-12-06
Topics: Security, Server, Structr 3.1