GLPI + Active Directory

Centralised authentication via LDAP/AD - BTS SIO SISR

Objective

Integrate GLPI with Active Directory to allow domain users to log in with their Windows credentials and automatically import users and groups from the directory.

Prerequisites

Full Procedure (GLPI Interface)

Step 1: Enable external authentication

  1. Log in as GLPI administrator
  2. Go to Configuration → Authentication
  3. Configuration tab
  4. Check "Enable external authentication"
  5. Save

Step 2: Add an LDAP directory

  1. Configuration → Authentication → LDAP directories
  2. Click "+" (add)
Name: Active Directory grp3.local

Default server: Yes
Active: Yes

Server: grp3.local (or IP: 192.168.1.10)
Port: 389 (LDAP) or 636 (LDAPS)

Connection filter: (&(objectClass=user)(objectCategory=person))
BaseDN: DC=grp3,DC=local
RootDN (connection DN): CN=glpi,OU=ServiceAccounts,DC=grp3,DC=local
Password: [glpi account password]

Login field: samaccountname
Synchronisation field: objectguid

Last name field: sn
First name field: givenname
Email field: mail
Phone field: telephonenumber
Phone 2 field: mobile

Step 3: Test the connection

Click "Test" at the bottom of the form

Expected result: "Connection test successful"

Step 4: Import users

  1. Administration → Users
  2. "LDAP directory link" tab
  3. Select the configured directory: Active Directory grp3.local
  4. Choose the import mode:
    • LDAP search filter: (memberOf=CN=Utilisateurs_GLPI,OU=Groups,DC=grp3,DC=local)
    • Or leave empty to import all users
  5. Click "Search"
  6. Select the users to import
  7. Click "Import"

Step 5: Automatic synchronisation

Configuration → Authentication → LDAP directories

Edit the created directory:

Automatic actions:
  • Synchronise users already imported from an LDAP directory
  • Import new users from an LDAP directory
  • Restore users deleted from GLPI

Synchronisation frequency: Every hour

Step 6: Group configuration

Configuration → Authentication → LDAP directories → Groups

Group search filter: (objectClass=group)
Group search condition: memberOf
Use DN: Yes

Search groups in: OU=Groups,DC=grp3,DC=local

Importing groups:

  1. Administration → Groups → LDAP directory link
  2. Select the directory
  3. Search and import the desired groups

Verification

Connection test with AD account

  1. Log out of the GLPI admin account
  2. Log in with an imported AD account (e.g. jdupont / ADpassword)
  3. Verify access to GLPI

Synchronisation check

Administration → Users: AD users should appear with the LDAP icon

LDAP logs

Configuration → Authentication → LDAP directories → Logs

Advanced configuration

Automatic profile assignment by group

  1. Administration → Profiles
  2. Select a profile (e.g. Technician)
  3. "Users" tab
  4. Associate an imported LDAP group

All members of this AD group will automatically have the "Technician" profile

Restriction by OU

To import only a specific OU:

BaseDN: OU=Informatique,DC=grp3,DC=local

LDAPS (secure connection)

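Server: ldaps://grp3.local
Port: 636

Prefer this over port 389 where possible: over plain LDAP, the simple bind sends the glpi account password and each user's password unencrypted.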

Troubleshooting

Test LDAP connectivity from the GLPI server

ldapsearch -x -H ldap://grp3.local:389 \
-D "CN=glpi,OU=ServiceAccounts,DC=grp3,DC=local" \
-W \
-b "DC=grp3,DC=local" \
"(samaccountname=jdupont)"
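
As an added example (not part of the original procedure), the same check can be run over LDAPS with the Step 2 connection filter and the Step 4 group filter combined, returning only the attributes mapped in Step 2. The function names ldap_escape, build_filter and preview_import are hypothetical, and combining the two filters with a logical AND is this script's own choice.

```shell
#!/bin/sh
# Added example: preview which accounts match the GLPI import filters, over LDAPS.
# All DNs, filters and attribute names come from the procedure above;
# the function names are hypothetical.

CONN_FILTER='(&(objectClass=user)(objectCategory=person))'
GROUP_DN='CN=Utilisateurs_GLPI,OU=Groups,DC=grp3,DC=local'

# Escape a value for use inside an LDAP filter (RFC 4515), so a login
# containing *, ( ) or \ is matched literally instead of altering the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter: connection filter AND group membership,
# optionally narrowed to one login ($1).
build_filter() {
    f="${CONN_FILTER}(memberOf=${GROUP_DN})"
    if [ -n "${1:-}" ]; then
        f="${f}(samaccountname=$(ldap_escape "$1"))"
    fi
    printf '(&%s)' "$f"
}

# Run the search with the glpi service account. -W prompts for the password,
# so it never appears in the shell history or the process list.
preview_import() {
    ldapsearch -x -LLL -H "ldaps://grp3.local:636" \
        -D "CN=glpi,OU=ServiceAccounts,DC=grp3,DC=local" -W \
        -b "DC=grp3,DC=local" \
        "$(build_filter "${1:-}")" \
        samaccountname sn givenname mail telephonenumber mobile objectguid
}

# Usage (after sourcing this file on the GLPI server):
#   preview_import            # every account the group filter would import
#   preview_import jdupont    # a single account
```

If the search succeeds on port 389 but fails here, the GLPI server most likely does not trust the certificate presented by the domain controller.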

Error "Connection failed"

No users found

Key Points for the BTS Oral