LDAP Accounts
SupportPal currently supports LDAP v2, also known as "simple bind", as an additional method of authentication for operators.
Configuration
LDAP configuration is managed from a single page with separate tabs for servers and accounts. When you go to Settings -> Users -> LDAP Accounts, the Accounts tab is selected by default.
Servers
LDAP servers are reusable records that you can associate with LDAP accounts. Configure at least one LDAP server before creating LDAP accounts.
LDAP Server
| Setting Name | Description |
|---|---|
| Hostname | The server hostname. Alternatively, you can specify the full LDAP URI. For example: ldaps://ldap.server:1234/ will connect via SSL to port 1234. |
| Start TLS | Whether to connect insecurely and upgrade the connection using StartTLS. If you're using the LDAPS protocol, this option should not be used. |
| CA Certificate | Optionally upload the LDAP server's CA certificate file. This is only necessary when using self-signed certificates. |
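The following added example (not SupportPal code) shows how the three server settings above combine into a transport mode, and flags the combinations the table warns about. It assumes a bare hostname is treated like ldap:// on port 389; the function name and the sample values are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # standard LDAP / LDAPS ports


def classify_ldap_server(hostname, start_tls=False, ca_cert=None):
    """Return (scheme, host, port, transport, notes) for one server record."""
    value = hostname.strip()
    # Assumption: a bare hostname behaves like ldap://hostname.
    if "://" not in value:
        value = "ldap://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in Hostname setting")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]

    notes = []
    if scheme == "ldaps":
        transport = "tls"  # TLS from the first byte
        if start_tls:
            notes.append("Start TLS should be off when the URI uses ldaps://")
    elif start_tls:
        transport = "starttls"  # plain connect, then upgrade before binding
    else:
        transport = "plaintext"
        notes.append("simple bind will send the operator password unencrypted")

    if transport != "plaintext" and ca_cert is None:
        notes.append("no CA certificate: a self-signed server certificate will not verify")
    if transport == "plaintext" and ca_cert is not None:
        notes.append("CA certificate is unused without ldaps:// or Start TLS")
    return scheme, parts.hostname, port, transport, notes


if __name__ == "__main__":
    # Constructed sample records: (Hostname, Start TLS, CA Certificate)
    samples = [
        ("ldaps://ldap.server:1234/", False, "ca.pem"),
        ("ldap.server", True, None),
        ("ldap.server", False, None),
        ("ldaps://ldap.server", True, "ca.pem"),
    ]
    for hostname, start_tls, ca_cert in samples:
        print(hostname, "->", classify_ldap_server(hostname, start_tls, ca_cert))
```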
Accounts
After creating an LDAP server, switch to the Accounts tab to add LDAP accounts.
LDAP Account
| Setting Name | Description |
|---|---|
| LDAP Server | Select the LDAP Server from the list. |
| LDAP Username | The username that the operator will use to log in to the help desk (their LDAP username). |
| LDAP RDN or DN | The distinguished name for the LDAP username, for example: cn=Sample User,ou=people,dc=example,dc=com |
Operator Details
Each LDAP account must be associated with a help desk operator account in order to inherit, and configure, operator settings. Here you can associate the LDAP account with an existing operator account or create a new operator account.
Basic Usage
Operators with an associated LDAP account can now log in using their LDAP account username and password.
By default, when an LDAP account is set up, the normal operator account email/password will no longer be accepted when logging in. You can disable this restriction by setting the LDAP_DUAL_LOGIN environment variable to true, which will allow operators to use either option.
Common Issues
ldap_bind(): Unable to bind to server: Can't contact LDAP server
| Description | |
|---|---|
| Possible Cause | Self-signed SSL certificate (ldaps://my.server/) |
| Resolution | Windows: |