Hosted LDAP Providers

Azure Active Directory

Your Azure AD needs LDAP enabled and password hash synchronization enabled, and it needs to be reachable from the server running Snipe-IT on port 389 and/or 636.

Microsoft's documentation on LDAP is here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps

Specifically, an important part of that is:

Users (and service accounts) can't perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain.

Documentation on how to do that is here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-your-domain

Note that, after enabling password hash synchronization, users must change their passwords before they can log in. This is not a Snipe-IT limitation; it's unfortunately built into Azure itself.

Okta

Snipe-IT LDAP/AD works with Okta, and you should use the settings below, replacing the placeholder information with your actual Okta subdomain:

  • Active Directory: False
  • Active Directory domain: Null
  • LDAP Server: ldaps://your-okta-subdomain.ldap.okta.com
  • Use TLS: leave unchecked (ldaps:// is already secure!)
  • LDAP Bind Username: [email protected],ou=users,dc=your-okta-subdomain,dc=okta,dc=com
  • Base Bind DN: dc=your-okta-subdomain,dc=okta,dc=com or possibly something like ou=users,dc=your-okta-subdomain,dc=okta,dc=com, depending on your configuration.
  • LDAP Filter: &(uid=*) or possibly objectClass=inetOrgPerson depending on your configuration.
  • Username field: uid
  • Last Name: sn
  • First Name: givenname
  • LDAP Authentication Query: uid=
  • LDAP Version: 3
  • LDAP Active Flag: Null

Note that these may not be exact values, as it will depend upon how you've set up your Okta account.

Testing the LDAP synchronization might return an "admin limit exceeded" exception from the Okta LDAP Interface if you don't limit the expected results (see: LDAP Interface known issues).
To build your LDAP filter, see LDAP filter syntax.

Here is an example query to limit the results that Okta should return:
(&(objectClass=inetOrgPerson)(organization=MyOrg)(organizationalStatus=ACTIVE))
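To sanity-check a filter before pasting it into Snipe-IT, the following added example (not Snipe-IT's own code) is a minimal RFC 4515 filter evaluator run against three constructed Okta-style entries: it shows that `&(uid=*)` returns every user, while the narrowed query above returns only active MyOrg users, which is the point of limiting results. It assumes a placeholder base DN of dc=example,dc=okta,dc=com and supports only &, |, !, equality and presence matches.

```python
def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    text = text.strip()
    if not text.startswith("("):  # the Snipe-IT values listed above omit the outer parens
        text = "(" + text + ")"
    if not text.endswith(")"):
        raise ValueError("malformed filter: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        return (body[0], _split_children(body[1:]))
    attr, sep, value = body.partition("=")
    # only equality and presence (attr=*) are supported; reject >=, <=, ~=, := and substrings
    if not sep or not attr or attr[-1] in "<>~:" or (value != "*" and "*" in value):
        raise ValueError("unsupported or malformed item: %r" % body)
    return ("=", attr.lower(), value)

def _split_children(text):
    """Split '(a=1)(b=2)' into balanced top-level groups and parse each one."""
    children, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            start, depth = (i if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(parse_filter(text[start:i + 1]))
    if depth != 0 or not children:
        raise ValueError("unbalanced or empty sub-filter list: %r" % text)
    return children

def matches(node, entry):
    """Evaluate a parsed filter against one entry given as {lowercase attr: [values]}."""
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])  # values compare case-insensitively, as for caseIgnore attrs
    return bool(values) if node[2] == "*" else any(v.lower() == node[2].lower() for v in values)

def search(entries, filter_text):  # the DNs an LDAP search with this filter would return
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))

def _user(uid, org, status):  # constructed sample entry under a placeholder Okta base DN
    return ("uid=%s,ou=users,dc=example,dc=okta,dc=com" % uid, {"objectclass": ["inetOrgPerson"],
            "uid": [uid], "organization": [org], "organizationalstatus": [status]})

SAMPLE_ENTRIES = dict([_user("alice", "MyOrg", "ACTIVE"), _user("bob", "MyOrg", "SUSPENDED"),
                       _user("carol", "OtherOrg", "ACTIVE")])
```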

JumpCloud

To use JumpCloud's LDAP-as-a-Service, please see the documentation on JumpCloud's website.

OneLogin

  • Active Directory: false
  • LDAP Server: ldaps://ldap.XY.onelogin.com (with a country code like 'us' or 'eu' for XY)
  • LDAP Bind Username: [email protected],ou=users,dc=customer-name,dc=onelogin,dc=com
  • Base Bind DN: ou=users,dc=customer-name,dc=onelogin,dc=com
  • LDAP Filter: &(cn=*)
  • Username Field: uid
  • Last Name: sn
  • LDAP First Name: givenname
  • LDAP Auth Query: uid=

Getting Partial Results only on large directories (>500 users)?

OneLogin has a pagination feature that they need to activate for your account in order for Snipe-IT to see all of your users. Snipe-IT fetches users 500 at a time and then uses pagination to get the rest of the results. Please talk to your OneLogin account rep and ask them to turn on paging for your account; Snipe-IT will then be able to fetch all of your users.

Google Secure LDAP service

As of v5.2.0, Snipe-IT supports user syncing with Google Secure LDAP.

You'll find two new fields in the Admin Settings > LDAP configuration of the UI: LDAP Client-Side TLS key and LDAP Client-Side TLS Certificate.

If you are NOT using Google Secure LDAP, you do not need to change anything in your settings and these fields are not required.

Note that, since Google Secure LDAP does not currently support logging in (only user syncing), you'll want to configure your Snipe-IT instance to use Google's SAML setup for authentication instead. (This is a limitation in Google, not in Snipe-IT.)
