Presentation
In this tutorial, I will explain how to link GLPI 10 with an Active Directory to allow users to log in with their domain account.
This link lets you synchronize users in GLPI. If you use an email collector, it lets you provision user accounts and allows emails to be imported as tickets.
To make this connection you need:
- A domain controller reachable from the server where GLPI is hosted
- The php_ldap extension
- A user account dedicated to the connection with the AD directory
Configure the directory link
From the menu, expand Configuration and click Authentication.
Click on LDAP Directory.
We arrive at the list of LDAP connections, which is currently empty. Click on Add.
Start by clicking on Active Directory to pre-populate the fields.
The Connection Filter field is configured.
Name the connection, indicate that it is the default server, then activate the connection. Indicate the FQDN or IP address of the domain controller. Enter the BaseDN which will be synchronized (here I take the whole domain, but we can limit it to an OU), then enter the DN of the account which will be used for the connection, as well as its password. Finish by clicking on the Add button.
The Active Directory connection is added, and the notification that appears shows that the connection has been tested and is working.
If the connection does not work, change the configuration
By clicking on the AD link, we arrive at the page that allows us to modify it.
By going to the Test tab, you can test the connection with the directory.
The Replicas tab allows you to add more domain controllers for linking to ensure high availability.
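How the BaseDN and the Connection Filter set above decide which accounts the import search will offer, as an added example that is not part of the original tutorial or of GLPI's code. The directory entries, the lab.example domain and the account names are constructed, and the filter string is assumed to be the value the Active Directory preset fills in (the page does not show it).

```python
import re

UAC_ACCOUNTDISABLE = 0x2  # userAccountControl bit meaning "account disabled"

# Constructed sample entries (not from a real directory): (DN, attributes).
ENTRIES = [
    ("CN=Iron MAN,OU=Staff,DC=lab,DC=example",
     {"sAMAccountName": "iron.man", "objectClass": ["person", "user"],
      "objectCategory": "person", "userAccountControl": 512}),
    ("CN=Old Intern,OU=Staff,DC=lab,DC=example",
     {"sAMAccountName": "old.intern", "objectClass": ["person", "user"],
      "objectCategory": "person", "userAccountControl": 514}),  # 512 | 0x2
    ("CN=WS01,OU=Staff,DC=lab,DC=example",
     {"sAMAccountName": "WS01$", "objectClass": ["user", "computer"],
      "objectCategory": "computer", "userAccountControl": 4096}),
    ("CN=svc-backup,OU=Service Accounts,DC=lab,DC=example",
     {"sAMAccountName": "svc-backup", "objectClass": ["person", "user"],
      "objectCategory": "person", "userAccountControl": 66048}),
]


def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_subtree(dn, base_dn):
    """True if dn sits at or below base_dn (compared RDN by RDN, not by substring)."""
    entry, base = rdns(dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def passes_connection_filter(attrs):
    """(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return ("user" in attrs["objectClass"]
            and attrs["objectCategory"] == "person"
            and not attrs["userAccountControl"] & UAC_ACCOUNTDISABLE)


def import_candidates(entries, base_dn):
    """sAMAccountNames a subtree search under base_dn with the filter would return."""
    return [a["sAMAccountName"] for dn, a in entries
            if in_subtree(dn, base_dn) and passes_connection_filter(a)]


if __name__ == "__main__":
    for base in ("DC=lab,DC=example", "OU=Staff,DC=lab,DC=example"):
        print(base, "->", import_candidates(ENTRIES, base))
```

With the whole domain as BaseDN the service account is offered for import alongside the staff user; limiting the BaseDN to the staff OU leaves only the enabled person account.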
Synchronize users
Now, you need to synchronize users in GLPI 10.
This feature has not evolved with version 10 of GLPI and must still be done manually.
From the menu, go to Administration and click on Users.
From the list of users, click on LDAP directory link.
On this page, you have two options: synchronize the users already imported, or import the users absent from the GLPI database. As the link with the directory has just been added, click on Import new users.
We arrive at a search form. Click on Search to display all users of the AD.
The list of users is displayed below. Select the users to import and click on Actions.
Choose Import for the Action field and click the Send button.
A notification displays the result of the action, here the import of users.
Back to the list of users in GLPI 10, we find the users from the Active Directory that were imported.
Login with a domain account
Now we will test the connection from a user who was imported into GLPI from the Active Directory.
For this test, I will use Iron MAN.
On the authentication page, enter the user’s samAccountName and password, select the connection source which corresponds to the link with the Active Directory, and click Connect.
If everything works correctly, you arrive at the GLPI self-service portal.
In this tutorial, we saw how to link an Active Directory with GLPI 10.
If you have a Keycloak or ADFS type SSO portal and a GLPI Network subscription, I advise you to use the latter rather than the link with an Active Directory.