LDAP Authentication

Use your own AD or LDAP system server to authenticate users and automatically create accounts.

Overview

You can use LDAP Authentication to authenticate users against an Active Directory (AD) or LDAP server.

You can choose to have classroombookings automatically create accounts upon successful authentication with the server, or only allow access to accounts that already exist.

When LDAP is enabled and a user successfully logs in, the password they supplied is hashed and stored in the classroombookings database, just like regular users. This enables those users to log in using their most recent password, even if the LDAP server is temporarily unavailable or the LDAP setting gets turned off.

Firewall

Your AD/LDAP server must be accessible over the internet from the classroombookings cloud service. Depending on your infrastructure, this is likely to mean opening and/or forwarding ports on firewalls. Please allow access to your AD/LDAP server from the following IP address:
94.237.60.222

Connection

Server

Hostname or IP address of the AD/LDAP server to authenticate with. Currently, only one server is supported.

Port

The port number that the AD/LDAP server is running on.

Protocol version

The protocol version number that the AD/LDAP connection should use.

Use TLS

Specify whether to use TLS for the connection.

Ignore certificate

Choose this option to ignore any certificate errors when using a TLS connection. With this option enabled the server's certificate is not verified, so the connection is encrypted but the identity of the server is not checked. If you do not use this option, you may need to install and/or accept your AD/LDAP server's certificate on the classroombookings server.

Bind DN Format

Specify the format of the bind DN (or bind name) that classroombookings will use when connecting to the LDAP server as the authenticating user. This will vary depending on your AD/LDAP server configuration and version. The keyword :user will be replaced by the username entered by the user.

Common formats are:

  • EXAMPLE.LOCAL\:user
  • :user@EXAMPLE.LOCAL
  • uid=:user,cn=users,dc=example,dc=com

Search

You can specify search criteria here to ensure that the authenticating user matches the given criteria.

If you don't use this, any user who successfully authenticates with your AD/LDAP server using the settings above can log in to classroombookings. Most organisations will want to enter search criteria to ensure only a certain tree or group of users can log in to classroombookings, and deny others.

Base DN

This is the Base DN that the search will start at.

Search filter

This is the AD/LDAP search filter used to find the user. The keyword :user will be replaced by the authenticating username.

Examples

Match user with a keyword in their description:

(&(uid=:user)(description=staff))

Match user whose description is staff, or who has a value in the email attribute (an OR of the two conditions):

(&(uid=:user)(|(description=staff)(email=*)))

Match user that is a member of a given group:

(&(uid=:user)(memberof=CN=Teachers,OU=Users,DC=Example,DC=com))

You can read more about the LDAP query syntax here: Search Filter Syntax.
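The following is an added example, not classroombookings code, showing how the :user keyword is substituted into the Bind DN formats and search filters listed above, and why the substituted value needs escaping for the context it lands in: a search filter has its own special characters (RFC 4515), a DN-style bind format has different ones (RFC 4514), and the DOMAIN\user and user@DOMAIN forms are not DNs at all. The allow-list pattern for usernames is an assumption chosen for illustration, not a rule the product enforces.

```python
"""Added example (not classroombookings code): :user substitution with
context-appropriate escaping for bind DN formats and search filters."""
import re

# Conservative username allow-list used before building a bind name.
# This is an assumption for the example, not a classroombookings setting.
_USERNAME_RE = re.compile(r'^[A-Za-z0-9._-]{1,64}$')

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
_DN_SPECIALS = ',+"\\<>;='

# Characters that must be hex-escaped inside a search filter value (RFC 4515).
_FILTER_ESCAPES = {
    '\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00',
}


def is_acceptable_username(username: str) -> bool:
    """True when the username only contains characters on the allow-list."""
    return _USERNAME_RE.match(username) is not None


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' would start a hex string
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading/trailing spaces are significant
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_bind_dn(bind_format: str, username: str) -> str:
    """Replace :user in a Bind DN Format such as 'uid=:user,cn=users,dc=example,dc=com'.

    DN-style formats (those containing '=') get RFC 4514 escaping on top of
    the allow-list check; the DOMAIN\\user and user@DOMAIN forms are not DNs,
    so the username is inserted as-is once it passes the allow-list.
    """
    if not is_acceptable_username(username):
        raise ValueError('username contains characters outside the allow-list')
    value = escape_dn_value(username) if '=' in bind_format else username
    return bind_format.replace(':user', value)


def build_search_filter(filter_template: str, username: str) -> str:
    """Replace :user in a search filter such as '(&(uid=:user)(description=staff))'.

    Filter escaping is applied unconditionally so that a username like
    'x*)(uid=*' becomes a literal value rather than extra filter syntax.
    """
    return filter_template.replace(':user', escape_filter_value(username))


if __name__ == '__main__':
    # Constructed inputs: the three bind formats from the page and one filter.
    for fmt in ('EXAMPLE.LOCAL\\:user', ':user@EXAMPLE.LOCAL',
                'uid=:user,cn=users,dc=example,dc=com'):
        print(build_bind_dn(fmt, 'jsmith'))
    print(build_search_filter('(&(uid=:user)(description=staff))', 'jsmith'))
    print(build_search_filter('(&(uid=:user)(description=staff))', 'jsmith*)(uid=*'))
```

The two escaping functions are deliberately separate: a value that is safe inside a filter is not necessarily safe inside a DN, and the AD bind-name forms need neither, which is why the bind path relies on the allow-list instead.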

User attribute mapping

When you use a search filter to find the authenticating user, you can populate some classroombookings user account fields with their attributes found in LDAP each time they log in.

You can combine multiple AD/LDAP attributes by adding a colon before the attribute name, for example - :givenName :sn. If you are just specifying a single field, you do not need to include the colon - just enter the main attribute name.

If you leave the field blank, classroombookings will not attempt to populate those user details.

Testing the settings

You can check if the AD/LDAP settings entered on this page will work by using the Test Settings box on the right side of the page.

This is useful to test that a connection can be made and only the desired user accounts can successfully authenticate.

The connection settings on the page are used every time you click Test credentials, so you don't need to click Save before testing.

Any error or success messages will be displayed under the box.