LDAP Integration Module

The LDAP integration enables you to unlock FreeScout’s potential for large businesses and provide high-powered support. The module allows your LDAP users to authenticate into FreeScout. You can also import and synchronize LDAP users.

Features

  • LDAP authentication.
  • Supported LDAP servers: Microsoft Active Directory, OpenLDAP, FreeIPA.
  • Automatic fallback to local database authentication if LDAP authentication fails.
  • Import and automatic synchronization of LDAP users.
  • LDAP attributes mapping.
  • Assigning imported users to mailboxes.
  • SSO authentication.
  • Detailed import logs.

Requirements

  • PHP LDAP extension.
  • LDAP integration is possible only if users in your LDAP database have an email attribute.
  • To be imported, LDAP users must have the “person” or “inetOrgPerson” object class.

SSO Authentication

Domain users can authenticate into FreeScout automatically when they open the application, using the pre-populated $_SERVER['AUTH_USER'] variable (or any other) that is filled when SSO is enabled on your server. When SSO authentication is configured and a user visits your site, a user account is created (if one does not exist already) with a random password, and the user is then logged in automatically.

Microsoft Azure

This module is compatible with Microsoft Azure. Instead of using the username (sAMAccountName) to log in, use the CN to bind. You can install Active Directory Explorer on a domain-joined machine and find the full DN of the user. The LDAP module sets the bind request using “CN={bind user},{Bind DN string}”.

CA cert

Set Encryption to SSL, specify “TLS_CACERT /etc/openldap/ca.pem” in ldap.conf, and mount both files to use them with Docker images:

volumes:
  - path/to/tls/ca.pem:/etc/openldap/ca.pem:ro
  - path/to/ldap.conf:/etc/openldap/ldap.conf:ro

Troubleshooting

Credentials invalid

The module does not provide LDAP connection logs. If you have access to the LDAP server you should be able to see what is being queried and what is wrong in the LDAP server logs.

If you are receiving the “Credentials invalid” error, double check that “Bind DN” and “Bind Username” are valid. The admin user must be located in “Bind DN”.

I can’t log in anymore

If you can’t log in and want to disable the LDAP module, remove the module from the /Modules folder and clear the app cache.

ldap_connect(): Could not create session handle

If you are receiving the “ldap_connect(): Could not create session handle: Bad parameter to an ldap routine” error, make sure that you’ve specified a proper LDAP Host: it has to be a host name or IP address without protocol or port (examples: ldap.forumsys.com, 192.168.152.3).

In order to make sure that your PHP’s LDAP extension is working properly, you can try to connect to the test OpenLDAP server:

  • LDAP Host: ldap.forumsys.com
  • Port: 389
  • Encryption: none
  • Base DN: dc=example,dc=com
  • Bind Username: read-only-admin
  • Bind Password: password

How can I log in under an imported user

To log in under one of the imported test users, enable the “LDAP Authentication” option and use “password” as the password to log in.

LDAP Filter has no effect – everyone in our LDAP system can log in

The LDAP module first tries to authenticate a user against “Bind DN”; if that is not successful, it tries all the “DNs and Filters”. If your Bind DN is dc=example,dc=org, for example, all users located in groups and units below dc=example,dc=org will be able to authenticate (for example cn=freescout,dc=example,dc=org). To avoid this, you need to change your Bind DN to something like cn=admins,dc=example,dc=org and move your admin user there.
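
The scope rule described above can be checked offline before changing the Bind DN. The following is an added example, not the module's own code: it models "everything below the Bind DN can authenticate" by parsing DNs and comparing their trailing components. The function names and the sample entry DNs are constructed for illustration, and attribute values are assumed to compare case-insensitively.

```python
def split_dn(dn):
    """Split a DN into normalized (attr, value) pairs.

    A backslash-escaped comma (RFC 4514) stays inside its component
    instead of being treated as a separator.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_scope(user_dn, bind_dn):
    """True if user_dn sits strictly below bind_dn in the directory tree."""
    user, base = split_dn(user_dn), split_dn(bind_dn)
    return len(user) > len(base) and user[-len(base):] == base


def who_can_log_in(bind_dn, entries):
    """Entries that would pass the first (Bind DN) authentication step."""
    return [dn for dn in entries if in_scope(dn, bind_dn)]


# Constructed sample directory entries (not from a real server).
ENTRIES = [
    "cn=freescout,dc=example,dc=org",
    "cn=alice,ou=sales,dc=example,dc=org",
    "cn=helpdesk-admin,cn=admins,dc=example,dc=org",
    "CN=Smith\\, Bob,OU=Staff,DC=Example,DC=Org",
    "cn=contractor,dc=partner,dc=org",
]

if __name__ == "__main__":
    for bind_dn in ("dc=example,dc=org", "cn=admins,dc=example,dc=org"):
        print(bind_dn, "->", who_can_log_in(bind_dn, ENTRIES))
```

With the broad Bind DN, four of the five sample entries are in scope regardless of any filter; with the narrowed Bind DN, only the entry under cn=admins remains.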

Lifetime license for one domain
  • Version: 1.0.14
  • Required App Version: 1.5.13
  • Required PHP Extensions: ldap
  • Open Source: AGPL-3.0