LDAP
Traccar server can authenticate users via an external LDAP (Lightweight Directory Access Protocol) server. The authentication process happens in two steps:
- Traccar connects to the LDAP server with the service credentials and looks up the provided login/email using the configured filter
- If exactly one user is found, Traccar tries to authenticate (bind) on the LDAP server with the found full Distinguished Name and the provided password
If both steps succeed, the user is considered authenticated.
There is still an internal Traccar user representation, which is created on the user's first login. The server administrator can configure adminGroup/adminFilter to automatically grant a user admin rights when it is registered.
Configuration
- ldap.enable - Main switch.
- ldap.url - Full connection URL of the LDAP server. If it is omitted, the next two parameters are used to connect to the server.
- ldap.server - LDAP server name.
- ldap.port - LDAP server port. Default is 389.
- ldap.base - Search base. Used to limit the search scope to some OU.
- ldap.idAttribute - LDAP user attribute used to uniquely identify a user in the directory. Default is uid. For Active Directory, sAMAccountName should usually be used.
- ldap.nameAttribute - LDAP user attribute used to fill the name field in the Traccar representation. Default is cn.
- ldap.mailAttribute - LDAP user attribute used to fill the email field in the Traccar representation. Default is mail.
- ldap.searchFilter - LDAP filter used to search for users in the directory. Must contain the :login substring, which is replaced with the provided login/email during lookup. If the parameter is omitted, the search is a simple equality of idAttribute with the provided login/email.
- ldap.adminFilter - LDAP filter used to determine whether a user is a Traccar admin. Must contain the :login substring, which is replaced with the provided login/email during lookup. If this parameter is omitted but ldap.adminGroup is defined, members of that group are Traccar admins. If both are missing, users are not automatically promoted to Traccar admins.
- ldap.user - Service user name used to look up other users in the directory. Usually the full Distinguished Name should be given here.
- ldap.password - Password for the service user.
- ldap.force - Disables internal authentication; only LDAP users can log in.
Examples
Search filter to log in to Active Directory by either login or email:
<entry key='ldap.searchFilter'>(|(sAMAccountName=:login)(mail=:login))</entry>
With the following filter, the user must be a member of the Traccar users group (membership through nested groups counts as well) and must not be disabled. It is valid for Active Directory:
<entry key='ldap.searchFilter'>(&(sAMAccountName=:login)(memberOf:1.2.840.113556.1.4.1941:=CN=Traccar users,OU=Traccar,OU=Security,DC=domain,DC=local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))</entry>
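As an added example (not Traccar's own code), the following Python models the two-step login described above: :login is substituted into the configured ldap.searchFilter (or the idAttribute equality fallback) with the value escaped per the RFC 4515 filter rules, exactly one match is required, the found DN is then bound with the user's password, and admin status is derived from ldap.adminGroup membership. The in-memory directory and the search/bind stand-ins are constructed for illustration and are assumptions, not a real LDAP server.

```python
import re

# Constructed in-memory directory (DN -> attributes); a stand-in for a real LDAP server.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=test": {
        "sAMAccountName": "alice", "cn": "Alice", "mail": "alice@example.test",
        "memberOf": ["CN=Traccar users,OU=Traccar,DC=example,DC=test"], "password": "alice-pass"},
    "CN=bob,OU=Users,DC=example,DC=test": {
        "sAMAccountName": "bob", "cn": "Bob", "mail": "bob@example.test",
        "memberOf": ["CN=Traccar admins,OU=Traccar,DC=example,DC=test"], "password": "bob-pass"},
}

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515); backslash goes first."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, esc)
    return value

def build_filter(search_filter, id_attribute, login):
    """Substitute :login into ldap.searchFilter; without one, fall back to idAttribute equality."""
    template = search_filter or "(%s=:login)" % id_attribute
    return template.replace(":login", ldap_escape(login))

def search(filter_str):
    """Stand-in for the service-account search: handles only a single (attr=value) filter.
    An unescaped '*' acts as a wildcard; the escaped form '\\2a' matches a literal '*'."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        return []
    attr, pattern = m.groups()
    rx = ".*".join(re.escape(p.replace("\\2a", "*")) for p in pattern.split("*"))
    return [dn for dn, attrs in DIRECTORY.items() if re.fullmatch(rx, str(attrs.get(attr, "")))]

def bind(dn, password):
    """Stand-in for the second-step bind with the found DN and the user's password."""
    return dn in DIRECTORY and DIRECTORY[dn]["password"] == password

def authenticate(login, password, cfg):
    """Two-step login: lookup with the service account, then bind as the single hit.
    Returns the internal user representation, or None when login fails."""
    hits = search(build_filter(cfg.get("ldap.searchFilter"), cfg["ldap.idAttribute"], login))
    if len(hits) != 1:  # no user, or an ambiguous match: reject
        return None
    dn = hits[0]
    if not bind(dn, password):
        return None
    attrs = DIRECTORY[dn]
    return {"name": attrs[cfg["ldap.nameAttribute"]], "email": attrs[cfg["ldap.mailAttribute"]],
            "admin": cfg.get("ldap.adminGroup") in attrs.get("memberOf", [])}
```

A login of "*" is escaped to "\2a" and therefore matches nothing, whereas the same value substituted unescaped would match every entry and fail the exactly-one check instead.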