Snipe-IT Asset Management Installation Documentation


LDAP Sync & Login

NOTE: You must have the php-ldap extension installed for LDAP integration to work! (Hosted customers already have this configured.)

The LDAP sync (in People > LDAP) imports any users in your LDAP/Active Directory and updates existing users. LDAP integration also allows users to log in to Snipe-IT with their LDAP credentials.

To set up your Snipe-IT installation to be able to use LDAP for user login and import, go to Admin > Settings and scroll down to the LDAP settings sections.

We never, ever write anything to your LDAP server, and a read-only administrator account can be used for these settings.

LDAP Login Overview

When you have LDAP enabled and a user tries to log in, Snipe-IT first queries your LDAP server with their credentials. If they authenticate successfully with your LDAP server, their local user record is updated and they are logged in.

If the user does not authenticate successfully against your LDAP server, their local user is NOT updated, and the system falls back to trying to authenticate them as a local (non-LDAP) account.

Configuration

To get started configuring your LDAP integration, go to Admin > Settings in your top right navigation, click on Edit, and then scroll down to the LDAP settings section.

TIP: In most cases, all attribute values you enter should be all lowercase.

| Option | Example | Notes | Required |
| --- | --- | --- | --- |
| LDAP Server | ldap://ldap.example.com | The URL of the LDAP server, beginning with ldap:// or ldaps:// | Yes |
| LDAP Port | 389 | Please note there is a difference between ldaps and start-TLS for ldap. start-TLS uses port 389, while ldaps uses port 636. ldaps has been deprecated in favour of start-TLS for ldap. Both encrypted (start-TLS ldap) and unencrypted ldap (ldap) run on port 389 concurrently. Errors encountered are generally due to misunderstanding how to implement TLS-encrypted ldap. | |
| Active Directory Domain | ad.yourdomain.com | The domain to authenticate your AD against. This is often your company email domain, but not always. We concatenate this with your user's username to execute the authentication, so if your user was janedoe, and your AD domain was mysite.com, we create the User Principal Name by combining them. This is only needed for AD (not LDAP) connections. | No |
| LDAP Bind Username | cn=read-only-admin,dc=example,dc=com | Admin username to use to connect to LDAP to search the OU for LDAP import. | Yes |
| LDAP Bind Password | password | Password to use when authenticating to LDAP. | Yes |
| Base Bind DN | dc=example,dc=com | The base where the search for users will be executed. | Yes |
| LDAP Filter | `&(cn=*)` | The search filter for the LDAP query. For AD, filter to enabled users using: `&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))`. This should EXCLUDE the final enclosing parentheses. For example, `&(cn=*)`, NOT `(&(cn=*))`. | Yes |
| Username Field | uid | The name of the field in your LDAP that you want to use for the Snipe-IT username. AD: usually samaccountname. LDAP: usually uid. | Yes |
| Last Name | sn | The name of the field in your LDAP to use for last name. This is often sn (for surname). | Yes |
| LDAP First Name | cn | The name of the field in your LDAP to use for first name. AD: usually givenname. LDAP: usually cn. | Yes |
| LDAP Authentication query | uid= | The LDAP query we should use to search your LDAP users. AD: usually sAMAccountName= | Yes |
| LDAP Version | 3 | Version of LDAP. This is usually going to be 3. | Yes |
| LDAP Active Flag | active | Optional flag for disabled user accounts. | No |
| LDAP Employee Number | emp_no | Only necessary if you use a field in LDAP to store an employee number. Can otherwise be left blank. | No |
| LDAP Email | mail | LDAP field that should map to an email address for the user. | No |

Once your settings are entered, make sure you check the LDAP Integration checkbox to enable LDAP authentication.
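
A pre-flight check for three of the settings above, added here as an example and not part of Snipe-IT: it checks that the server URL scheme and port agree, flags ldap:// used without start-TLS, and rejects a filter entered with its enclosing parentheses. The function names and the starttls flag are assumptions made for this example; upn() shows the standard username@domain form that the Active Directory Domain setting leads to.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # ports given in the LDAP Port note


def balanced(expr):
    """True if every '(' has a matching ')' in order."""
    depth = 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def outer_wrapped(expr):
    """True if one outer pair encloses the whole filter, e.g. (&(cn=*))."""
    if not (expr.startswith("(") and expr.endswith(")") and balanced(expr)):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i < len(expr) - 1:
            return False  # first group closed early, as in (a)(b)
    return True


def check_settings(server, port, ldap_filter, starttls=False):
    """Return the problems found; starttls is a hypothetical flag (assumption)."""
    problems = []
    scheme = urlparse(server).scheme
    if scheme not in DEFAULT_PORTS:
        problems.append("server must begin with ldap:// or ldaps://")
    elif port != DEFAULT_PORTS[scheme]:
        problems.append(f"{scheme}:// normally uses port {DEFAULT_PORTS[scheme]}, not {port}")
    if scheme == "ldap" and not starttls:
        problems.append("ldap:// without start-TLS sends the bind password unencrypted")
    if not balanced(ldap_filter):
        problems.append("filter has unbalanced parentheses")
    elif outer_wrapped(ldap_filter):
        problems.append("enter the filter without its enclosing parentheses")
    return problems


def upn(username, ad_domain):
    """User Principal Name in the standard username@domain form."""
    return f"{username}@{ad_domain}"
```

An empty list from check_settings() means none of these three mistakes is present; it does not contact the LDAP server.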

LDAP Command Line Sync

You can set up a cron job to automatically sync LDAP users using the following:

php artisan snipeit:ldap-sync {--location=} {--location_id=} {--summary}

location and location_id are optional.

So for example, if you know the location_id of the location you're trying to add the users to, you could use:

php artisan snipeit:ldap-sync --location_id=1 --summary

Or if you know the name of the location, you could use:

php artisan snipeit:ldap-sync --location=Queens --summary

Updated 4 years ago

