<nav type="pills" justified="false">
  * [[:user_manuals|Back to Documentation]]
  * [[:technical:ldap-integration|LDAP Integration]]
</nav>

-----

====== Introduction ======

  * RADIUSdesk has become a popular choice for enterprise deployments due to its flexibility and a user-friendly and versatile interface.
  * We now also offer our enterprise customers the option of LDAP integration for managing administrators within the RADIUSdesk system.
  * In this document, we will cover the configuration and testing of LDAP integration in RADIUSdesk.

-----------------

====== Required Packages ======
  * We use the Authentication **Plugin** available with CakePHP v4 and CakePHP v5 as the foundation for the LDAP integration.
  * In the past we used the Auth **Component** which is now being replaced by the Authentication and Authorization **Plugins** in more recent versions of CakePHP.
  * The rdcore git code from 15 February onward will have the Authentication plugin included and active.
  * To add LDAP capability you also need to install the LDAP php library on the system hosting RADIUSdesk.
<code bash>
sudo apt-get install php-ldap
</code>

-----------------
====== LDAP Authentication Process ======

===== Bind (Initial Connection) =====
  - **Client connects:** The LDAP client (e.g., a user authentication script) connects to the LDAP server.
  - **Bind request:** The client sends a bind request to the server, which includes the username (or DN) and password.
  - **Server authenticates:** The server checks the username and password against its stored credentials.
  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful connection.

===== Search =====
  - **Search request:** The client sends a search request to the server, specifying the search base, scope, filter, and attributes to retrieve.
  - **Server searches:** The server searches its directory based on the client's request.
  - **Search response:** The server responds with a search response, containing the matching entries and their attributes.

===== Bind on Search Result with Password =====
  - **Client selects entry:** The client selects an entry from the search results.
  - **Client extracts DN:** The client extracts the DN (distinguished name) from the selected entry.
  - **Bind request with DN and password:** The client sends a new bind request to the server, using the extracted DN and the user-provided password.
  - **Server authenticates:** The server checks the DN and password against its stored credentials.
  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful authentication.

----------
---------- 
====== Configure LDAP ======
  * LDAP Integration is configured under the settings tab.
  * One item that needs a bit more explanation is Filter.
  * The filter contains a special character (**%s**) which will be substituted with the username that the user provide to log in.
  * For active directory it will typically be **(&(objectClass=user)(samaccountname=%s))**.
  * This filter will be applied when searching to find the DN of the user who needs to be authenticated.
 
<panel type="primary">
{{:technical:ldap:ldap_settings.png|}}
</panel>

---------

====== Test LDAP Settings ======
  * There is also a **Test LDAP Settings** Button that helps you to test the LDAP settings to ensure they work as intended.
  * The tests that will be done will be matching the **LDAP Authentication Process** described earlier on this page.
<panel type="primary">
{{:technical:ldap:ldap_settings_test.png|}}
</panel>