Product SiteDocumentation Site

5.21.2. LDAP authentication method parameters

The parameters below are only used if $g_login_method (see Section 5.21.1, “Global authentication parameters” above) is set to LDAP.
$g_ldap_server
Specifies the LDAP or Active Directory server to connect to.
This must be a full LDAP URI (protocol://hostname:port)
  • Protocol must be either:
    • ldap - unencrypted or opportunistic TLS (STARTTLS)
    • ldaps - TLS encryption
  • Port number is optional, and defaults to 389.
    If this doesn't work, try using one of the following standard port numbers: 636 (ldaps); for Active Directory Global Catalog forest-wide search, use 3268 (ldap) or 3269 (ldaps).
Examples of valid URI:
ldap://ldap.example.com/
ldaps://ldap.example.com:3269/

Note

Multiple servers can be specified as a space-separated list.
$g_ldap_use_starttls
Determines whether the connection will attempt an opportunistic upgrade to a TLS connection (STARTTLS).
Defaults to ON.

Warning

For security, a failure aborts the entire connection, so make sure your server supports StartTLS if this setting is ON, and use the ldap:// scheme (not ldaps://).
$g_ldap_tls_protocol_min
An integer indicating the minimum version of the TLS protocol to allow. This maps to the LDAP_OPT_X_TLS_PROTOCOL_MIN LDAP library option.
For example, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2.
Defaults to OFF (protocol version not set).

Note

Requires PHP 7.1 or later.

Warning

For security, a failure aborts the entire connection.
$g_ldap_root_dn
The root distinguished name for LDAP searches. For example, dc=example, dc=com.
$g_ldap_organization
LDAP search filter for the organization. For example, (organizationname=*Traffic). Defaults to '' (empty string).
$g_ldap_protocol_version
The LDAP Protocol Version to use (2, 3 or 0). This maps to the LDAP_OPT_PROTOCOL_VERSION ldap library option.
Defaults to 3.

Note

If 0, then the protocol version is not set, and you get whatever default the underlying LDAP library uses.
In almost all cases you should use 3. LDAPv3 was introduced back in 1997, and LDAPv2 was deprecated in 2003 by RFC3494.
$g_ldap_network_timeout
Duration of the timeout for TCP connection to the LDAP server (in seconds). This maps to LDAP_OPT_NETWORK_TIMEOUT ldap library option. Defaults to 0 (infinite).
Set this to a low value when the hostname defined in $g_ldap_server resolves to multiple IP addresses, allowing rapid failover to the next available LDAP server.
$g_ldap_follow_referrals
Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not. This maps to LDAP_OPT_REFERRALS ldap library option. Defaults to ON.
For Active Directory, this should be set to OFF. If you have only one LDAP server, setting to this to OFF is advisable to prevent any man-in-the-middle attacks.
$g_ldap_bind_dn
The distinguished name of the service account to use for binding to the LDAP server. For example, cn=ldap,ou=Administrators,dc=example,dc=com. Leave empty for anonymous binding.
$g_ldap_bind_passwd
The password for the service account used to establish the connection to the LDAP server. For anonymous binding, leave empty.
$g_ldap_uid_field
The LDAP field for username. Defaults to uid.
For Active Directory, set to sAMAccountName.
$g_ldap_realname_field
The LDAP field for the user's real name (i.e. common name). Defaults to cn.
$g_use_ldap_realname
Use the realname specified in LDAP (ON) rather than the one stored in the database (OFF). Defaults to OFF.

Note

MantisBT will update the database with the data retrieved from LDAP when ON.
$g_use_ldap_email
Use the email address specified in LDAP (ON) rather than the one stored in the database (OFF). Defaults to OFF.

Note

MantisBT will update the database with the data retrieved from LDAP when ON.
$g_ldap_simulation_file_path
This configuration option allows replacing the ldap server with a comma-delimited text file for development or testing purposes.
The LDAP simulation file format is as follows:
  • No headers
  • One line per user
  • Each line has 4 comma-delimited fields
    • username
    • realname
    • e-mail
    • password
  • Any extra fields are ignored

Warning

On production systems, this option should be set to '' (This is the default).