
Overview

ITSM-NG supports authentication and data synchronization with LDAP directories, including Microsoft Active Directory, OpenLDAP, and other LDAP-compliant services.

Prerequisites

PHP LDAP Extension

The PHP LDAP extension must be installed:

# Check if LDAP extension is loaded
php -m | grep ldap

# Install on Debian/Ubuntu
sudo apt-get install php-ldap

# Install on RHEL/CentOS
sudo yum install php-ldap

If the LDAP extension is not available, LDAP features will be disabled in ITSM-NG.

Adding LDAP Server

1. Navigate to LDAP configuration: go to Setup > Authentication > LDAP directories.
2. Add directory: click Add to create a new LDAP configuration.
3. Choose preconfiguration: select a template for quick setup:
  • Active Directory: Microsoft AD with typical settings
  • Default values: Standard LDAP configuration
4. Enter connection details: fill in the server information (see below).
5. Test connection: use the Test button to verify connectivity.
6. Save configuration: click Add to save the LDAP directory.

LDAP Server Configuration

Basic Connection Settings

Name: Descriptive name for the LDAP server
Server: LDAP server hostname or IP
Port: 389 (LDAP; also the port used with Use TLS, which upgrades the connection with STARTTLS) or 636 (LDAPS; also prefix the Server value with ldaps://)
BaseDN: Base Distinguished Name (e.g., dc=company,dc=com)
RootDN: Bind DN for connection (e.g., cn=admin,dc=company,dc=com)
Password: Password for RootDN
Active: Enable/disable this directory
Default server: Mark as default authentication source
If RootDN and password are not provided, ITSM-NG attempts an anonymous bind. Most directories, Active Directory by default among them, do not allow anonymous searches, so user import and login lookups will then return nothing; use a dedicated read-only service account instead.
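As an added illustration of what the RootDN bind configured above sends over the network (example code written for this page, not ITSM-NG's own; the password, the two server replies and the long-DN case are constructed values, the bind DN is the example from the settings list), the script below encodes an RFC 4511 simple BindRequest with a hand-written BER encoder and decodes a BindResponse. It shows why the Use TLS option matters: on port 389 without STARTTLS the bind DN and the password are readable in the first packet, and the same holds for every user's password at login.

```python
"""What an LDAP simple bind looks like on the wire (RFC 4511 BindRequest).

Added example, not ITSM-NG code. It BER-encodes the BindRequest a client
sends for the configured RootDN/password and decodes the server's
BindResponse, all offline. Without TLS, the DN and password are plaintext.
"""

# BER/LDAP tags used by a simple bind
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
ENUMERATED = 0x0A
BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
BIND_RESPONSE = 0x61    # [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80      # AuthenticationChoice: simple [0], primitive

RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def _tlv(tag, value):
    """BER tag-length-value with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def _int(tag, n):
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 keeps the sign bit clear."""
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    bind = (_int(INTEGER, 3)
            + _tlv(OCTET_STRING, bind_dn.encode("utf-8"))
            + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _int(INTEGER, message_id) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos] -> (tag, value, next_pos). Demo-grade: a
    truncated buffer raises IndexError rather than a tidy protocol error."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(data):
    """Return the fields of an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = _read_tlv(body, 0)
    if tag != ENUMERATED:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    result_code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": result_code,
            "result": RESULT_NAMES.get(result_code, "other"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8", "replace")}


def is_real_authentication(bind_dn, password):
    """RFC 4513: an empty DN and password is an anonymous bind, and a DN with
    an empty password is an 'unauthenticated' bind that some servers answer
    with success while granting only anonymous rights. Neither proves the
    user knows a password, so a login flow must reject them before binding."""
    return bool(bind_dn) and bool(password)


# Constructed replies (not captured from a real server): invalid credentials
# with a diagnostic string, then success.
SAMPLE_BIND_FAILURE = bytes.fromhex(
    "301802010161130a01310400040c6261642070617373776f7264")
SAMPLE_BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    req = encode_bind_request(1, "cn=admin,dc=company,dc=com", "Secret123")
    print(req.hex())                      # the password is visible in the hex
    print(decode_bind_response(SAMPLE_BIND_FAILURE)["result"])   # invalidCredentials
    print(decode_bind_response(SAMPLE_BIND_SUCCESS)["result"])   # success
```

The `is_real_authentication` check is the part worth carrying into any login code that binds as the user: a bind with an empty password can come back with resultCode 0 on servers that permit unauthenticated binds, and treating that as a successful login lets anyone in with a known username.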

Active Directory Preconfiguration

When selecting Active Directory preset, these values are configured:
Port: 389
Connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Login field: samaccountname
Sync field: objectguid
Group field: memberof
Email field: mail
First name field: givenname
Surname field: sn
Phone field: telephonenumber
Mobile field: mobile
Employee number: employeenumber
See /inc/authldap.class.php:157-189 for AD preconfiguration details.

Connection Filter

The connection filter determines which LDAP objects are considered valid users:

Active Directory Example

(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This excludes disabled accounts. The rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the inner clause matches accounts whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set, and the surrounding NOT drops them. The objectCategory=person clause is what keeps computer accounts out, since those also carry objectClass=user.

OpenLDAP Example

(&(objectClass=inetOrgPerson)(!(accountStatus=disabled)))
accountStatus is not part of the standard inetOrgPerson schema; substitute whatever attribute your directory actually uses to flag disabled accounts (with the OpenLDAP ppolicy overlay, for example, (!(pwdAccountLockedTime=*))). A filter on an attribute that no entry has silently excludes nobody.

Advanced Configuration

Connection Options

1. Use TLS: enable Use TLS for encrypted communication (requires TLS support in PHP LDAP). This issues STARTTLS on the plain-text port, normally 389; for LDAPS use port 636 with an ldaps:// server address instead. Either way the PHP host's libldap must be left validating the server certificate (TLS_REQCERT demand, the default in ldap.conf) and the issuing CA must be in its trust store; disabling validation makes the encryption worthless against a spoofed directory.
2. Time zone offset: set the LDAP directory’s timezone offset from GMT (-12 to +13 hours).
3. Paged results: enable for large directories:
  • Use paged results: Enable pagination
  • Page size: 100-100,000 results per page
  • Maximum results: Total limit (0 = unlimited)
4. Alias dereferencing: configure how LDAP aliases are handled:
  • Never: Don’t follow aliases (default)
  • Always: Always follow aliases
  • During search: Follow when searching
  • When locating: Follow when locating objects

Field Mapping

Map LDAP attributes to ITSM-NG user fields:
Login field: samaccountname / uid
Sync field: objectguid / entryuuid
First name: givenname / givenName
Surname: sn / sn
Email 1-4: mail, mail2, mail3, mail4
Phone: telephonenumber
Phone 2: othertelephone
Mobile: mobile
Title: title
Category: department
Employee number: employeenumber
Comments: info / description
Picture: jpegPhoto / thumbnailPhoto
Language: preferredLanguage
Location: physicalDeliveryOfficeName
Field names are automatically converted to lowercase by ITSM-NG.

Synchronization Field

The sync field uniquely identifies users:
  • Active Directory: Use objectguid (binary GUID)
  • OpenLDAP: Use entryuuid (UUID)
  • Other: Any unique, immutable attribute
Once users are imported, the synchronization field cannot be changed if it’s already in use.
See /inc/authldap.class.php:220-237 for sync field validation.
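To see what the Active Directory sync field actually holds, here is an added example (written for this page, not ITSM-NG's own code; the GUID is a made-up test vector) that converts the 16 raw objectGUID bytes returned by ldap_get_entries() into the text form shown by AD tools and back, and hex-escapes the raw bytes for a search filter so a user can be located by GUID. The byte order is the usual pitfall: the first three fields are little-endian, the rest are in order, so a naive hex dump of the raw value does not match what the directory tools display.

```python
"""Convert Active Directory's binary objectGUID to and from its text form.

Added example, not ITSM-NG code. The raw objectGUID attribute returned by
ldap_get_entries() is 16 bytes in Microsoft's mixed-endian layout: the
first three fields are little-endian, the last eight bytes are in order.
"""
import struct
import uuid


def guid_to_string(raw):
    """16 raw bytes -> 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' as AD tools show it."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])   # little-endian fields
    d4 = raw[8:]                                  # byte order preserved
    return "%08x-%04x-%04x-%s-%s" % (d1, d2, d3, d4[:2].hex(), d4[2:].hex())


def string_to_guid(text):
    """Inverse of guid_to_string: text form -> the 16 raw bytes AD stores."""
    u = uuid.UUID(text)          # validates the format, raises ValueError otherwise
    return u.bytes_le            # bytes_le is exactly the Microsoft layout


def guid_filter_value(raw):
    """Escape raw GUID bytes for a search filter such as
    (objectGUID=\\78\\56\\34...); every byte must be hex-escaped (RFC 4515)."""
    return "".join("\\%02x" % b for b in raw)


# Constructed test vector, not a real directory object
SAMPLE_RAW_GUID = bytes.fromhex("78563412bc9af0de123456789abcdef0")

if __name__ == "__main__":
    text = guid_to_string(SAMPLE_RAW_GUID)
    print(text)                                   # 12345678-9abc-def0-1234-56789abcdef0
    print(string_to_guid(text) == SAMPLE_RAW_GUID)   # True
    print("(objectGUID=%s)" % guid_filter_value(SAMPLE_RAW_GUID))
```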

Group Configuration

Group Search Types

1. In users: search for group membership in user objects:
  • User attribute contains group DNs or names
  • Example: memberOf in Active Directory
2. In groups: search for members in group objects:
  • Group attribute contains user DNs
  • Example: member attribute in groups
3. In users and groups: use both methods for comprehensive group detection.

Group Field Configuration

User attribute with groups: memberof / groupMembership
Group search filter: (objectClass=group)
Group attribute with users: member / uniqueMember
Use DN in search: Yes (for DN-based membership)

Active Directory Groups

Group search type: In users
User group attribute: memberof
Group filter: (&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648)) (2147483648 is 0x80000000, the security-enabled flag, so distribution lists are skipped)
Use DN: Yes
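To check a connection filter from the Connection Filter section or the group filter above against sample entries before pointing ITSM-NG at the directory, here is an added example (written for this page, not ITSM-NG code; the entries are constructed, and objectCategory is simplified to the short class name where a real AD server stores the schema DN and rewrites "person" to it during matching): a small evaluator for the subset of RFC 4515 these filters use, including the Active Directory bitwise matching rules, run over both connection filters and the AD group filter.

```python
"""Offline evaluator for the connection and group filters shown on this page.

Added example, not ITSM-NG code. It implements the subset of RFC 4515 these
filters use: AND (&), OR (|), NOT (!), equality, presence (attr=*) and the
Active Directory bitwise extensible rules 1.2.840.113556.1.4.803 (bit AND)
and 1.2.840.113556.1.4.804 (bit OR). Value escapes (\\2a etc.), substrings
and ordering rules are deliberately not handled.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# attr[:rule-oid:]=value
_ITEM_RE = re.compile(r"([^:=()]+)(?::([0-9.]+):)?=(.*)")


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', [children]) or
    ('=', (attr, rule_oid_or_None, value)) tuples."""
    text = text.strip()
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unparsed text after filter: %r" % text[pos:])
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM_RE.fullmatch(s[i:end])
    if not m:
        raise ValueError("unsupported filter item: %r" % s[i:end])
    attr, rule, value = m.groups()
    return ("=", (attr.lower(), rule, value)), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against one entry: a dict of lowercase attribute
    name -> list of string values, the shape PHP's ldap_get_entries() yields."""
    op, payload = tree
    if op == "&":
        return all(matches(c, entry) for c in payload)
    if op == "|":
        return any(matches(c, entry) for c in payload)
    if op == "!":
        return not matches(payload[0], entry)
    attr, rule, value = payload
    values = entry.get(attr, [])
    if rule is None:
        if value == "*":                                   # presence test
            return bool(values)
        return any(v.lower() == value.lower() for v in values)   # caseIgnore
    if rule not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        raise ValueError("unsupported matching rule %s" % rule)
    mask = int(value)
    for v in values:
        bits = int(v) & 0xFFFFFFFF        # AD stores these as signed 32-bit ints
        if rule == LDAP_MATCHING_RULE_BIT_AND and (bits & mask) == mask:
            return True
        if rule == LDAP_MATCHING_RULE_BIT_OR and (bits & mask) != 0:
            return True
    return False


def filter_entries(filter_text, entries):
    """Return the names of entries the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [name for name, entry in entries.items() if matches(tree, entry)]


# Constructed sample entries, not real directory data.
AD_ENTRIES = {
    "alice": {"objectclass": ["top", "person", "organizationalperson", "user"],
              "objectcategory": ["person"], "samaccountname": ["alice"],
              "useraccountcontrol": ["512"]},            # NORMAL_ACCOUNT
    "bob": {"objectclass": ["top", "person", "organizationalperson", "user"],
            "objectcategory": ["person"], "samaccountname": ["bob"],
            "useraccountcontrol": ["514"]},              # NORMAL_ACCOUNT|ACCOUNTDISABLE
    "WS01$": {"objectclass": ["top", "person", "organizationalperson", "user", "computer"],
              "objectcategory": ["computer"], "samaccountname": ["WS01$"],
              "useraccountcontrol": ["4096"]},           # WORKSTATION_TRUST_ACCOUNT
    "Domain Admins": {"objectclass": ["top", "group"],
                      "grouptype": ["-2147483646"]},     # security-enabled, global
    "All Staff": {"objectclass": ["top", "group"],
                  "grouptype": ["2"]},                   # distribution list, global
}
OPENLDAP_ENTRIES = {
    "carol": {"objectclass": ["inetorgperson"], "uid": ["carol"]},
    "dave": {"objectclass": ["inetorgperson"], "uid": ["dave"],
             "accountstatus": ["disabled"]},
}

AD_USER_FILTER = ("(&(objectClass=user)(objectCategory=person)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
AD_GROUP_FILTER = "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
OPENLDAP_USER_FILTER = "(&(objectClass=inetOrgPerson)(!(accountStatus=disabled)))"

if __name__ == "__main__":
    print(filter_entries(AD_USER_FILTER, AD_ENTRIES))              # ['alice']
    print(filter_entries(AD_GROUP_FILTER, AD_ENTRIES))             # ['Domain Admins']
    print(filter_entries(OPENLDAP_USER_FILTER, OPENLDAP_ENTRIES))  # ['carol']
```

Run it with your own filter string and a few entries copied from an ldapsearch dump (attribute names lowercased) to see which objects a connection filter admits; the sample set shows the disabled user, the computer account and the distribution list each being dropped by a different clause.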

User Import and Synchronization

Manual Import

1. Access LDAP import: go to Administration > Users > LDAP directory link.
2. Select directory: choose the LDAP server to search.
3. Search for users: enter search criteria:
  • Login: Search by username
  • Email: Search by email address
  • Advanced filter: Custom LDAP filter
4. Select users: check users to import from search results.
5. Set import options: configure:
  • Entity: Target entity
  • Recursive: Include child entities
  • Import type: User or contact
6. Import: click Actions > Import to create user accounts.

Automatic Synchronization

Enable automatic import and sync:
1. Configure in Setup > Authentication:
  • Automatically add users: Import on first login
  • Add without accreditation: Create account without profile
  • Action when deleted from LDAP:
    • Preserve (0): Keep account unchanged
    • Delete (1): Move to trashbin
    • Withdraw rights (2): Remove dynamic authorizations
    • Disable (3): Deactivate account
    • Disable and withdraw (4): Combine both
See /inc/authldap.class.php:64-88 for action constants.

Group Synchronization

Groups are synchronized automatically:
  • On user creation (if _groups is set in input)
  • On user update (if authentication type is LDAP)
  • Dynamic groups are marked as is_dynamic = 1
  • Manual group memberships coexist with dynamic ones
  • Groups not in LDAP are removed (if dynamic)
See /inc/user.class.php:1199-1264 for group sync implementation.

LDAP Replication

Adding Replicas

For high availability, configure LDAP replicas:
1. Access replicates tab: edit the LDAP directory and go to the Replicates tab.
2. Add replica: click Add a replicate:
  • Name: Replica identifier
  • Server: Replica hostname
  • Port: Replica port
3. Test replica: use the Test button to verify connectivity.
ITSM-NG will automatically fail over to replicas if the primary server is unavailable.

Entity Mapping

LDAP to Entity Mapping

Map LDAP organizational units to ITSM-NG entities:
Entity field: the attribute whose value names the entity, typically ou
Entity condition: (objectclass=organizationalUnit)
This allows automatic entity assignment based on LDAP structure.

Testing LDAP Configuration

Connection Test

1. Basic test: click the Test button on the LDAP configuration form to verify:
  • Server connectivity
  • Authentication with RootDN
  • BaseDN accessibility
2. User search test: use the import interface to test:
  • User search queries
  • Attribute mapping
  • Filter correctness
3. Group test: import a test user and verify:
  • Group memberships are detected
  • Group names are correct
  • Dynamic groups are marked

Troubleshooting

Cannot Connect to LDAP

Check:
  • Server hostname is correct and reachable
  • Port is open (use telnet server 389, or ldapsearch -x -H ldap://server -D <RootDN> -W -b <BaseDN> -s base to test the bind and BaseDN in one step; add -ZZ to test STARTTLS as well)
  • Firewall allows LDAP traffic
  • RootDN and password are correct
  • BaseDN exists in directory
  • With Use TLS or LDAPS, the server certificate chains to a CA the PHP host trusts and matches the hostname you configured

Users Not Found

Verify:
  • Connection filter includes the users
  • BaseDN encompasses user objects
  • Login field matches LDAP attribute
  • Attribute names are lowercase

Groups Not Synchronized

Confirm:
  • Group search type is correct
  • Group field attribute exists on users/groups
  • Group filter matches group objects
  • “Use DN” setting matches attribute format

Slow LDAP Searches

Optimize:
  • Enable paged results
  • Reduce page size
  • Set maximum result limit
  • Add indexes on LDAP server
  • Use more specific filters

Security Best Practices

LDAP Security

  • Use TLS: Always encrypt LDAP traffic (STARTTLS or LDAPS); otherwise a simple bind sends the RootDN password, and every user's password at login, in cleartext
  • Bind credentials: Use a dedicated service account with minimal rights, never a directory or domain administrator
  • Read-only access: The bind account only needs read permission on the user and group subtrees
  • Filter users: Exclude service accounts, computer accounts and system users in the connection filter
  • Monitor access: Log LDAP authentication attempts
  • Regular audits: Review LDAP configuration periodically
  • Test replicas: Ensure failover works correctly

Advanced Topics

Custom Attribute Expressions

For location field and others, use expressions:
Location: %{city} > %{roomnumber}
Comment: %{department} - %{title}
Multiple fields can be combined with separators.

Picture Synchronization

If picture_field is configured:
  • User photo is synchronized from LDAP
  • Stored as JPEG in GLPI_PICTURE_DIR
  • Thumbnail generated automatically
  • Updated when photo changes in LDAP
See /inc/user.class.php:1274-1352 for picture sync implementation.

Inventory Domain

Set Domain name used by inventory tool to link LDAP users with inventory data from tools like GLPI Agent.
