Snipe-IT Asset Management Installation Documentation


LDAP Sync & Login

NOTE: You must have the php-ldap extension installed for LDAP integration to work.

The LDAP functionality will import any users in your LDAP/Active Directory using the LDAP sync (in People > LDAP), and will update existing users. It will also allow users to use their LDAP credentials to log in to Snipe-IT.

To set up your Snipe-IT installation to be able to use LDAP for user login and import, go to Admin > Settings and scroll down to the LDAP settings section.

We never, ever write anything to your LDAP server, and a read-only administrator account can be used for these settings.

LDAP Login Overview

When you have LDAP enabled and a user tries to log in, Snipe-IT will first query your LDAP server with their credentials. If they authenticate successfully with your LDAP server, their local user record will be updated and they will be logged in.

If the user does not authenticate successfully against your LDAP server, their local user is NOT updated, and the system falls back to trying to authenticate them as a local (non-LDAP) account.

Configuration

TIP: In most cases, all attribute values you enter should be all lowercase.

Each option below lists an example value, notes, and whether it is required.

LDAP Server
  Example: ldap://ldap.example.com
  Notes: The URL of the LDAP server, beginning with ldap:// or ldaps://
  Required: Yes

LDAP Port
  Example: 389
  Notes: Please note there is a difference between LDAPS and StartTLS for LDAP. StartTLS uses port 389, while LDAPS uses port 636. LDAPS has been deprecated in favour of StartTLS for LDAP. Both encrypted (StartTLS) and unencrypted LDAP run on port 389 concurrently. Errors encountered are generally due to misunderstanding how to implement TLS-encrypted LDAP.

Active Directory Domain
  Example: ad.yourdomain.com
  Notes: The domain to authenticate your AD against. This is often your company email domain, but not always. We concatenate this with your user's username to execute the authentication: if your user was janedoe and your AD domain was mysite.com, we create the User Principal Name by combining them (janedoe@mysite.com). This is only needed for AD (not LDAP) connections.
  Required: No

LDAP Bind Username
  Example: cn=read-only-admin,dc=example,dc=com
  Notes: Admin username to use to connect to LDAP to search the OU for LDAP import.
  Required: Yes

LDAP Bind Password
  Example: password
  Notes: Password to use when authenticating to LDAP.
  Required: Yes

Base Bind DN
  Example: dc=example,dc=com
  Notes: The base where the search for users will be executed.
  Required: Yes

LDAP Filter
  Example: &(cn=*)
  Notes: The search filter for the LDAP query. For AD, to sync only enabled users, use: &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
  This should EXCLUDE the final enclosing parentheses. For example, &(cn=*), NOT (&(cn=*)).
  Required: Yes

Username Field
  Example: uid
  Notes: The name of the field in your LDAP that you want to use for the Snipe-IT username. AD: usually samaccountname. LDAP: usually uid.
  Required: Yes

Last Name
  Example: sn
  Notes: The name of the field in your LDAP to use for last name. This is often sn (for surname).
  Required: Yes

LDAP First Name
  Example: cn
  Notes: The name of the field in your LDAP to use for first name. AD: usually givenname. LDAP: usually cn.
  Required: Yes

LDAP Authentication query
  Example: uid=
  Notes: The LDAP query we should use to search your LDAP users. AD: usually sAMAccountName=
  Required: Yes

LDAP Version
  Example: 3
  Notes: Version of LDAP. This is usually going to be 3.
  Required: Yes

LDAP Active Flag
  Example: active
  Notes: Optional flag for disabled user accounts.
  Required: No

LDAP Employee Number
  Example: emp_no
  Notes: Only necessary if you use a field in LDAP to store an employee number. Can otherwise be left blank.
  Required: No

LDAP Email
  Example: mail
  Notes: LDAP field that should map to an email address for the user.
  Required: No

For an extensive list of Active Directory filters that can help you narrow down the users you sync, check out the documentation on Microsoft's website.
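As an added example (not Snipe-IT's own code), the following wraps a filter entered in the Snipe-IT form (which omits the outer parentheses) into a complete RFC 4515 filter, rejects one that still carries them, and applies the semantics of the AD "enabled users" filter above to constructed sample entries; the entries, attribute values and function names are assumptions for illustration.

```python
# Added example, not Snipe-IT code. Constants are the values used in the page's AD filter.
SAM_NORMAL_USER_ACCOUNT = 805306368          # sAMAccountType of ordinary user objects
ACCOUNTDISABLE = 0x2                         # userAccountControl bit the filter tests
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # OID in the filter: bitwise AND

# Constructed sample entries, shaped like an LDAP search result (not from a real directory).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "janedoe", "sAMAccountType": 805306368, "userAccountControl": 512},
    {"sAMAccountName": "olduser", "sAMAccountType": 805306368, "userAccountControl": 514},
    {"sAMAccountName": "WS01$",   "sAMAccountType": 805306369, "userAccountControl": 4096},
]


def _paren_depths(s: str) -> list:
    """Running parenthesis depth after each character; error if it ever goes negative."""
    depth, out = 0, []
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses in filter")
        out.append(depth)
    return out


def wrap_snipeit_filter(value: str) -> str:
    """Snipe-IT stores the filter WITHOUT its outer parentheses, e.g. '&(cn=*)'.
    Add them back, after checking the value is balanced and not already enclosed."""
    value = value.strip()
    depths = _paren_depths(value)
    if not depths or depths[-1] != 0:
        raise ValueError("unbalanced parentheses in filter")
    # An enclosing pair is present when depth first returns to 0 only at the last character.
    if value.startswith("(") and depths.index(0) == len(value) - 1:
        raise ValueError("enter the filter without the enclosing parentheses, e.g. &(cn=*)")
    return "(" + value + ")"


def bit_and_matches(attr_value: int, mask: int) -> bool:
    """Semantics of attr:1.2.840.113556.1.4.803:=mask (true when all mask bits are set)."""
    return attr_value & mask == mask


def is_enabled_ad_user(entry: dict) -> bool:
    """Mirror (&(sAMAccountType=805306368)(!(userAccountControl:<BIT_AND>:=2)))."""
    return (entry.get("sAMAccountType") == SAM_NORMAL_USER_ACCOUNT
            and not bit_and_matches(entry.get("userAccountControl", 0), ACCOUNTDISABLE))


def enabled_usernames(entries) -> list:
    """Names the AD filter would let the LDAP sync import."""
    return [e["sAMAccountName"] for e in entries if is_enabled_ad_user(e)]
```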

Once your settings are entered, make sure you check the LDAP Integration checkbox to enable LDAP authentication.

Testing LDAP Settings

In Snipe-IT v4.0.10 and higher, there is an easier way to determine if your LDAP settings are correct.

Once you have entered your LDAP settings (in Admin > LDAP/AD), and you have checked the "Enable LDAP" checkbox and saved your settings, you will see two LDAP test buttons at the bottom of your LDAP Settings page.


The first button checks that your LDAP bind credentials and OU are correct and that Snipe-IT can search your directory. This is necessary for syncing your users via the LDAP Sync utility.

The second LDAP test button attempts to actually authenticate with your LDAP server as if you were one of your users logging in, so you will need to provide a valid username and password for an LDAP user account that has permission to bind to your LDAP server. This user does not need to have searching/indexing capabilities.

Using Active Directory

If your LDAP server is an Active Directory server, make sure you check the AD checkbox on your LDAP Settings page (Admin > LDAP/AD), and add an Active Directory Domain to your settings.

Snipe-IT will first check to see if you've set your LDAP server as an AD server, and will then try to use whatever AD Domain you've specified. If you don't add an AD Domain, it will try to guess the user's distinguished name using the email domain you set in your settings.

In the code, that looks like this:

if ($settings->is_ad == '1') {
    // Check if they are using the userprincipalname for the username field.
    // If they are, we can skip building the UPN to authenticate against AD
    if ($ldap_username_field == 'userprincipalname') {
        $userDn = $username;
    } else {
        // In case they haven't added an AD domain, fall back to the email domain
        if ($settings->ad_domain == '') {
            $userDn = $username.'@'.$settings->email_domain;
        } else {
            $userDn = $username.'@'.$settings->ad_domain;
        }
    }
} else {
    // Plain LDAP: build the user's DN from the username field and the Base Bind DN
    $userDn = $ldap_username_field.'='.$username.','.$settings->ldap_basedn;
}
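As an added example (not Snipe-IT's own code), here are the same three cases in Python, with the username escaped per RFC 4514 before it is placed inside a DN; the escaping is an addition (the snippet above concatenates the raw value), and the settings dictionary and function names are assumptions for illustration.

```python
# Added example, not Snipe-IT code. Settings keys mirror the ones used in the PHP snippet.
_RDN_SPECIAL = set(',+"\\<>;')   # characters that need a backslash inside an RDN value


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    out = []
    for i, ch in enumerate(value):
        leading_hash_or_space = i == 0 and ch in "# "
        trailing_space = ch == " " and i == len(value) - 1
        if ch in _RDN_SPECIAL or leading_hash_or_space or trailing_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_login_identity(settings: dict, ldap_username_field: str, username: str) -> str:
    """Return what the login attempt binds as: a UPN for AD, otherwise a full DN."""
    if settings.get("is_ad") == "1":
        if ldap_username_field == "userprincipalname":
            return username                      # the username already is the UPN
        # No AD domain configured: fall back to the email domain from settings
        domain = settings.get("ad_domain") or settings["email_domain"]
        return f"{username}@{domain}"
    # Plain LDAP: <username field>=<escaped username>,<Base Bind DN>
    return f"{ldap_username_field}={escape_rdn_value(username)},{settings['ldap_basedn']}"
```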

LDAP Command Line Sync

LDAP syncing is also available via the LDAP Sync command line tool.

Azure Active Directory

If you're using Azure for your AD service, the settings you need are slightly different:

  • Enable LDAP: Check
  • This is an Active Directory Server: Check
  • LDAP Password Sync Yes: Check
  • Active Directory Domain: Put Domain Here
  • LDAP Server: Should exactly be like this: LDAP://PrivateIP:389 (Do not use LDAPS, Port 636, or Public IP)
  • USE TLS: Do Not Check
  • LDAP Bind Username: Just username such as "Admin" (NO CN, OU, DC needed)
  • LDAP Bind Password: provide password here
  • Base Bind DN: DC = Domain, DC = Com

Everything else can be left as the default.

