LDAP / Active Directory
Starting with version 3.1, Structr supports authentication and group synchronization against an LDAP / Active Directory server.
LDAP synchronization is activated by creating a Group of type LDAPGroup and setting its distinguishedName property to the DN of the corresponding AD group. Structr then connects to the LDAP server and creates an LDAPUser object for each member of that group, uniquely identified by its distinguishedName property. No password is stored for these users: when a user logs in, Structr performs a bind attempt against the LDAP server with the user's distinguished name and the supplied password, and authenticates the user only if the bind succeeds.
Group membership of an individual user is refreshed when that user logs in to Structr, but at most once per ldap.updateInterval seconds (default 600). Alternatively, group memberships can be refreshed with a button in the Structr user interface, or by modifying the LDAPGroup object.
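The three directory operations described above (service-account bind, reading the group's members, and a simple bind as the user) can be tried against a server before Structr is pointed at it. The following preflight tool is an added example written for this page, not Structr's own code; the URL, DNs and passwords in the usage line are placeholders, and the exact search Structr issues for group members is not specified on the page, so the tool simply reads the group entry's member attribute. It also handles the one failure mode that matters most for bind-based authentication: an empty password turns a simple bind into an unauthenticated bind, which many servers (Active Directory included) accept.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Preflight for the structr.conf LDAP settings: bind with the sync account (ldap.bindDn /
// ldap.secret), list the members of the LDAPGroup's DN, then bind as one of those users with
// the password they would type at login. Added example, not Structr code; all names below are
// placeholders.
//
// Usage:
//   java LdapPreflight ldaps://dc01.example.com:636 \
//     "CN=structr-sync,OU=Service Accounts,DC=example,DC=com" 'sync-secret' \
//     "CN=Structr Users,OU=Groups,DC=example,DC=com" \
//     "CN=Jane Doe,OU=Users,DC=example,DC=com" 'janes-password'
public class LdapPreflight {

    // Simple bind, as used for both the sync account and each user login. ldap.useSsl=true with
    // ldap.port=636 corresponds to an ldaps:// URL here; ldap.connectTimeout to connect.timeout.
    static DirContext bind(String url, String dn, String password, int connectTimeoutMs)
            throws NamingException {
        if (password == null || password.isEmpty()) {
            // A DN with an empty password is an *unauthenticated* bind (RFC 4513, 5.1.2), which
            // many servers accept as an anonymous session. Treating that as a successful login
            // would let anyone in who knows a valid DN, so reject it before contacting the server.
            throw new AuthenticationException("refusing bind with empty password for " + dn);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(connectTimeoutMs));
        return new InitialDirContext(env);
    }

    // Reads the "member" attribute of the group entry. Each value is a member DN, i.e. the value
    // Structr uses as the distinguishedName of the created LDAPUser.
    static List<String> groupMembers(DirContext ctx, String groupDn) throws NamingException {
        List<String> members = new ArrayList<>();
        Attributes attrs = ctx.getAttributes(groupDn, new String[] {"member"});
        Attribute member = attrs.get("member");
        if (member == null) {
            // Either the group is empty, or AD switched to ranged retrieval ("member;range=0-1499")
            // because the group exceeds MaxValRange; ranges are not followed in this example.
            return members;
        }
        NamingEnumeration<?> values = member.getAll();
        while (values.hasMore()) {
            members.add(values.next().toString());
        }
        return members;
    }

    // Login check: true only if the directory accepts a simple bind with this DN and password.
    static boolean userCanBind(String url, String userDn, String password, int connectTimeoutMs) {
        try {
            bind(url, userDn, password, connectTimeoutMs).close();
            return true;
        } catch (NamingException e) { // AuthenticationException (invalid credentials) is a subclass
            System.err.println("user bind failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 6) {
            System.err.println("usage: LdapPreflight <url> <bindDn> <secret> <groupDn> <userDn> <userPassword>");
            System.exit(2);
        }
        String url = args[0], bindDn = args[1], secret = args[2];
        String groupDn = args[3], userDn = args[4], userPassword = args[5];
        int connectTimeoutMs = 1000; // the ldap.connectTimeout default

        DirContext ctx = bind(url, bindDn, secret, connectTimeoutMs);
        try {
            List<String> members = groupMembers(ctx, groupDn);
            System.out.println(members.size() + " member(s) in " + groupDn);
            for (String dn : members) {
                System.out.println("  " + dn);
            }
            if (!members.contains(userDn)) { // exact string comparison, no DN normalisation
                System.out.println("warning: " + userDn + " is not a member of the group");
            }
        } finally {
            ctx.close();
        }
        boolean ok = userCanBind(url, userDn, userPassword, connectTimeoutMs);
        System.out.println("user bind " + (ok ? "OK" : "FAILED"));
    }
}
```

If the sync bind succeeds but the member list is empty for a group you know is populated, check whether the directory returned the attribute as member;range=0-1499 (large AD groups) before suspecting the bind DN's permissions. If the user bind succeeds with a wrong password, the server is almost certainly treating the attempt as anonymous; fix that on the server side rather than in Structr.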
Configuration
The LDAP server that Structr uses for authentication and for synchronization of users and groups must be configured in structr.conf like this:
| Key | Description | Default |
|---|---|---|
| ldap.host | IP address or host name of the LDAP server | localhost |
| ldap.port | Port number of the LDAP service on that server | 389 |
| ldap.connectTimeout | Connection timeout in milliseconds | 1000 |
| ldap.bindDn | DN of the account Structr binds with for synchronization | |
| ldap.secret | Password for the above bind DN | |
| ldap.useSsl | Whether to use SSL when connecting to the LDAP server | false |
| ldap.scope | Scope of the group synchronization search query | SUBTREE |
| ldap.propertyMapping | Mapping from LDAP attributes to Structr properties | { sn: name, email: eMail } |
| ldap.updateInterval | Update interval for group synchronization, in seconds | 600 |
With the defaults (ldap.useSsl = false on port 389), every login sends the user's password to the directory server in cleartext, because authentication is a simple bind with that password. Outside a test setup, enable ldap.useSsl and set ldap.port to the LDAPS port (636 by default). The bind DN should be a dedicated account with read-only access to the users and groups being synchronized, since its password is stored in structr.conf.
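An example of the LDAP section of structr.conf, added for this page rather than taken from the Structr documentation. It assumes the key = value line format of structr.conf; the host name, DNs and secret are placeholders. The commented block is the weak variant, the active block the corrected one.

```properties
# Weak: default port and no SSL. Every login sends the user's password to the
# directory in cleartext.
# ldap.host = dc01.example.com
# ldap.port = 389
# ldap.useSsl = false

# Corrected: LDAPS on 636, a dedicated read-only sync account, membership
# refreshed at most every 10 minutes.
ldap.host = dc01.example.com
ldap.port = 636
ldap.useSsl = true
ldap.connectTimeout = 1000
ldap.bindDn = CN=structr-sync,OU=Service Accounts,DC=example,DC=com
ldap.secret = replace-with-the-sync-account-password
ldap.scope = SUBTREE
ldap.propertyMapping = { sn: name, cn: fullName, email: eMail }
ldap.updateInterval = 600
```

ldap.secret sits in cleartext in this file, so restrict its permissions to the account Structr runs as, and keep the sync account limited to reading the relevant users and groups so a leaked file does not hand out write access to the directory.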
Property mapping
The attributes of a user entry on the LDAP server can be mapped to Structr properties using the ldap.propertyMapping configuration setting. The setting takes a JSON object whose keys are LDAP attribute names and whose values are the Structr properties they are written to, e.g.
{ sn: name, cn: fullName, email: eMail }
Note
In this first version of the implementation, LDAPUser objects created by a synchronization run are never deleted by Structr, even after the corresponding account has been removed from the directory. Such an account can no longer log in, because its bind attempt fails, but the LDAPUser object stays in Structr until it is removed by hand.