- $g_ldap_server
Specifies the LDAP or Active Directory server to connect to. This must be a full LDAP URI (`protocol://hostname:port`).
The protocol must be one of:
`ldap` - unencrypted, or opportunistic TLS (STARTTLS)
`ldaps` - TLS encryption
The port number is optional and defaults to `389`. If this doesn't work, try one of the following standard port numbers: `636` (ldaps); for an Active Directory Global Catalog forest-wide search, use `3268` (ldap) or `3269` (ldaps).
Examples of valid URIs:
`ldap://ldap.example.com/`
`ldaps://ldap.example.com:3269/`
Multiple servers can be specified as a space-separated list.
- $g_ldap_use_starttls
Determines whether the connection will attempt an opportunistic upgrade to a TLS connection (STARTTLS). Defaults to `ON`.
For security, a failure aborts the entire connection, so make sure your server supports STARTTLS if this setting is `ON`, and use the `ldap://` scheme (not `ldaps://`).
- $g_ldap_tls_protocol_min
An integer indicating the minimum version of the TLS protocol to allow. This maps to the `LDAP_OPT_X_TLS_PROTOCOL_MIN` LDAP library option. For example, `LDAP_OPT_X_TLS_PROTOCOL_TLS1_2`.
Defaults to `OFF` (protocol version not set). Requires PHP 7.1 or later.
For security, a failure aborts the entire connection.
- $g_ldap_root_dn
The root distinguished name for LDAP searches. For example, `dc=example, dc=com`.
- $g_ldap_organization
LDAP search filter for the organization. For example, `(organizationname=*Traffic)`. Defaults to `''` (empty string).
- $g_ldap_protocol_version
The LDAP protocol version to use (2, 3 or 0). This maps to the `LDAP_OPT_PROTOCOL_VERSION` LDAP library option. Defaults to `3`.
If `0`, the protocol version is not set, and you get whatever default the underlying LDAP library uses.
In almost all cases you should use `3`. LDAPv3 was introduced back in 1997, and LDAPv2 was deprecated in 2003 by RFC 3494.
- $g_ldap_network_timeout
Duration of the timeout for the TCP connection to the LDAP server (in seconds). This maps to the `LDAP_OPT_NETWORK_TIMEOUT` LDAP library option. Defaults to `0` (infinite).
Set this to a low value when the hostname defined in $g_ldap_server resolves to multiple IP addresses, allowing rapid failover to the next available LDAP server.
- $g_ldap_follow_referrals
Determines whether the LDAP library automatically follows referrals returned by LDAP servers. This maps to the `LDAP_OPT_REFERRALS` LDAP library option. Defaults to `ON`.
For Active Directory, this should be set to `OFF`. If you have only one LDAP server, setting this to `OFF` is advisable to prevent man-in-the-middle attacks.
- $g_ldap_bind_dn
The distinguished name of the service account to use for binding to the LDAP server. For example, `cn=ldap,ou=Administrators,dc=example,dc=com`. Leave empty for anonymous binding.
- $g_ldap_bind_passwd
The password for the service account used to establish the connection to the LDAP server. For anonymous binding, leave empty.
- $g_ldap_uid_field
The LDAP field for the username. Defaults to `uid`. For Active Directory, set to `sAMAccountName`.
- $g_ldap_email_field
The LDAP field for the e-mail address. Defaults to `mail`.
- $g_ldap_realname_field
The LDAP field for the user's real name (i.e. common name). Defaults to `cn`.
- $g_use_ldap_realname
Use the real name specified in LDAP (`ON`) rather than the one stored in the database (`OFF`). Defaults to `OFF`.
When `ON`, MantisBT will update the database with the data retrieved from LDAP.
- $g_use_ldap_email
Use the e-mail address specified in LDAP (`ON`) rather than the one stored in the database (`OFF`). Defaults to `OFF`.
When `ON`, MantisBT will update the database with the data retrieved from LDAP.
- $g_ldap_simulation_file_path
This configuration option allows replacing the LDAP server with a comma-delimited text file, useful for development or testing purposes.
The LDAP simulation file format is as follows:
On production systems, this option should be set to `''` (this is the default).
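The connection-related options above (server URI, STARTTLS, minimum TLS version, protocol version, timeout, referrals, bind credentials) are applied by MantisBT in a fixed order, and several of them are documented as fail-closed. The following stand-alone pre-flight script is an added example, not MantisBT's own code: it sets the same `$g_ldap_*` values as they would appear in `config_inc.php` (a hardened set, with the weak counterpart shown in a comment), checks the scheme/STARTTLS combinations this section warns about, and then walks PHP's ldap extension through options, STARTTLS and bind so that a misconfigured server fails before anyone reaches the login page. The hostname, DNs and the `MANTIS_LDAP_BIND_PASSWD` environment variable name are constructed placeholders; the `ON`/`OFF` constants are MantisBT's and are defined here only so the script runs on its own.

```php
<?php
// Added example, not MantisBT code: pre-flight check for the $g_ldap_* settings.
// Hostnames, DNs and the bind-password environment variable are constructed.
declare(strict_types=1);

if (!defined('ON'))  { define('ON', 1); }   // MantisBT's own boolean constants
if (!defined('OFF')) { define('OFF', 0); }

// Hardened values, exactly as they would be written in config_inc.php.
$g_ldap_server           = 'ldap://ldap.example.com:389/';  // ldap:// is required for STARTTLS
$g_ldap_use_starttls     = ON;
$g_ldap_tls_protocol_min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;   // needs PHP 7.1 or later
$g_ldap_protocol_version = 3;
$g_ldap_network_timeout  = 5;                                // seconds; 0 would mean infinite
$g_ldap_follow_referrals = OFF;                              // required for Active Directory
$g_ldap_bind_dn          = 'cn=ldap,ou=Administrators,dc=example,dc=com';
$g_ldap_bind_passwd      = getenv('MANTIS_LDAP_BIND_PASSWD') ?: '';  // constructed variable name
$g_ldap_uid_field        = 'sAMAccountName';                 // Active Directory username attribute

// Weak counterpart, for comparison only: a plain ldap:// URI with STARTTLS off
// sends the bind password in clear text, and leaving referrals ON against AD
// lets the server redirect the client elsewhere.
//   $g_ldap_server = 'ldap://ldap.example.com/'; $g_ldap_use_starttls = OFF; $g_ldap_follow_referrals = ON;

/**
 * Static checks that need no network: every URI must use ldap or ldaps, STARTTLS
 * only works with ldap://, and ldap:// without STARTTLS is unencrypted.
 * Returns a list of human-readable problems (empty means the config is consistent).
 */
function ldap_config_problems(string $servers, int $useStartTls): array
{
    $problems = [];
    foreach (preg_split('/\s+/', trim($servers)) as $uri) {
        $scheme = parse_url($uri, PHP_URL_SCHEME);
        if (!in_array($scheme, ['ldap', 'ldaps'], true)) {
            $problems[] = "$uri: scheme must be ldap or ldaps";
        } elseif ($useStartTls === ON && $scheme !== 'ldap') {
            $problems[] = "$uri: STARTTLS requires the ldap:// scheme, not ldaps://";
        } elseif ($useStartTls === OFF && $scheme === 'ldap') {
            $problems[] = "$uri: credentials would be sent unencrypted (no TLS, no STARTTLS)";
        }
    }
    return $problems;
}

/**
 * Opens the connection, applies the library options, upgrades to TLS and binds,
 * throwing on the first failure so that nothing degrades silently.
 */
function ldap_preflight(array $c): void
{
    $problems = ldap_config_problems($c['g_ldap_server'], $c['g_ldap_use_starttls']);
    if ($problems !== []) {
        throw new RuntimeException(implode("\n", $problems));
    }

    $ds = ldap_connect($c['g_ldap_server']);   // accepts the space-separated URI list
    if ($ds === false) {
        throw new RuntimeException('ldap_connect rejected the server URI');
    }

    // Library options must be set before STARTTLS and bind to take effect.
    if ($c['g_ldap_protocol_version'] !== 0) {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $c['g_ldap_protocol_version']);
    }
    if ($c['g_ldap_network_timeout'] !== 0) {
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $c['g_ldap_network_timeout']);
    }
    ldap_set_option($ds, LDAP_OPT_REFERRALS, $c['g_ldap_follow_referrals'] === ON ? 1 : 0);
    if ($c['g_ldap_tls_protocol_min'] !== OFF
        && !ldap_set_option($ds, LDAP_OPT_X_TLS_PROTOCOL_MIN, $c['g_ldap_tls_protocol_min'])) {
        throw new RuntimeException('cannot set minimum TLS version: ' . ldap_error($ds));
    }
    if ($c['g_ldap_use_starttls'] === ON && !ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));   // fail closed
    }
    // Empty DN and password mean an anonymous bind, as in the configuration above.
    if (!@ldap_bind($ds, $c['g_ldap_bind_dn'] ?: null, $c['g_ldap_bind_passwd'] ?: null)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    ldap_unbind($ds);
}

ldap_preflight(compact(
    'g_ldap_server', 'g_ldap_use_starttls', 'g_ldap_tls_protocol_min',
    'g_ldap_protocol_version', 'g_ldap_network_timeout', 'g_ldap_follow_referrals',
    'g_ldap_bind_dn', 'g_ldap_bind_passwd'
));
echo "LDAP pre-flight OK\n";
```

Run it with `php ldap_preflight.php` from the MantisBT host after editing the values at the top. The static check runs first because the two mistakes it catches (STARTTLS with `ldaps://`, or an `ldap://` URI with STARTTLS off) are the ones that otherwise surface only as a failed login or, worse, as a silently unencrypted bind; the network steps then reproduce the documented fail-closed behaviour for the TLS minimum and STARTTLS, and the referral option is applied before the bind so a referral cannot redirect the client to a host outside your list.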