Using LDAP as a Single Sign-On (Active Directory)

Allow users to authenticate against the LDAP server in OnsiteSupport (Microsoft's Active Directory Server, OpenLDAP, etc) of your choice, in addition to standard OnsiteSupport authentication methods.

Basic LDAP Settings

Go to Administration ¬Ľ Applications and enable Single Sign-On. Then click Settings and select the LDAP method. 

If you are going to use the system only internally within your company, set the option to use only SSO authentication. This would show up LDAP login form without the option to register in the community. 

Each time a new user logs in against the LDAP server, OnsiteSupport internal account is created. To eliminate sending internal registration credentials, Disable Registration Email.

Other basic settings include connection to your LDAP server:

  • LDAP (Host, Port, Connection Version) - state hostname or IP of your LDAP server. Default settings are localhost, port 389, connection version 3. When the server has secure connection add ldaps:// to hostname;
  • BaseDN - Base Distinguished Name for your Active Directory with default value dc=localhost;
  • LDAP Admin / Password - if your LDAP server requires authentication to grab the data, enter administration credentials for the connection.

You can always test the connection to your LDAP server with saved settings. Click "Test Connection" and enter the username and password of any user on your LDAP server.

Self-Hosted Package

In order to use LDAP authentication method, you need PHP extension - "php_ldap" to be installed on the server

Advanced LDAP Settings

If you have the specific configuration of your LDAP server, go to Advanced Settings where you can manage the following:

  • Username Mapping - field/container (cn, uid) to associate LDAP-UR users in between. If you use authentication against any field in the LDAP structure, then you are required to specify LDAP Admin / Password.

Note: default value is uid, but for old Windows active directory please state sAMAccountName

  • Username in DN Form - some configurations require username to be provided in DN form;
  • Full Name Mapping - field/container (cn, displayname, givenname). Use "auto" for autodetect;
  • Email Mapping - field/container (mail, email, userprincipalname). Use "auto" for autodetect;
  • Email Domain Zone - if the email is not detected, it will be combined from username@domainzone;
  • Additional Search Filter - you can define a specific filter to allow only specific users from your LDAP server to login to OnsiteSupport. Default value is (objectClass=*)

Any user that signs in OnsiteSupport using the LDAP server is assigned to the "User" team. If you want to define custom rules for specific users to be assigned to different teams, use the "Allow Team Mapping" setting.


While testing your connection or parsing user data on login, you can get errors on connection, user mapping, bind, etc.

Use any LDAP test tool before submitting any of the settings in OnsiteSupport. By returned error code, you'll be able to define where the problem is. Standard LDAP error codes are available in public.

Is this article helpful?
2 0 0