Set up LDAP user authentication

Administration permission required: Configuration

Phocas authentication is the default security model, with users and passwords stored in the Phocas system. However, you can configure LDAP (Lightweight Directory Access Protocol) authentication as the user authentication mechanism. This method only authenticates a user's username and password; permissions are stored in Phocas.

Access LDAP configuration

Click the Phocas menu button > Administration > Configuration, then click the LDAP button in the top right corner.

Configure the LDAP

The following configuration options are available in the LDAP window:

Connection String - String to store the server, port, domain and, where required, the organization unit where the users are stored.

  • To create the LDAP URL, you need to know the server, port and domain, and possibly the organization unit, where:

    • The server is usually the Active Directory (AD) server. 

    • The default LDAP port is 636.

    • The domain is split at each period and each part is added as a DC element. Larger companies might split users into organization units (where the users are stored); however, omitting the OU should allow any user of the domain to authenticate.

  • The LDAP, OU and DC must be capitalized.

  • Syntax: LDAP://[server]:[port]/OU=[organisation unit],DC=[domain],DC=[domain]

  • Examples:
    LDAP://ldap.phocas.com.au:636/DC=phocas,DC=com,DC=au
    LDAP://dc.company.com:587/OU=users,DC=company,DC=com
    LDAP://HostName[:PortNumber]/CN=Smith,Jeff,CN=users,DC=fabrikam,DC=com

See a detailed explanation of the LDAP URL (this will take you to an external site).

See a brief explanation of the LDAP URL (this will take you to an external site).
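As an added example (not Phocas code), the following Python assembles a connection string in the syntax above from its parts and checks an existing string against the rules on this page (upper-case LDAP, OU and DC, a numeric port, at least one DC element); build_ldap_url and check_ldap_url are hypothetical helper names.

```python
import re
from typing import Optional

# Hypothetical helpers, not part of Phocas. They implement the connection
# string rules from this page: LDAP://[server]:[port]/OU=[ou],DC=[label],...
_URL_RE = re.compile(
    r"^(?P<scheme>ldap)://(?P<host>[^:/]+)(?::(?P<port>[^/]*))?/(?P<dn>.*)$",
    re.IGNORECASE,
)


def build_ldap_url(server: str, domain: str, port: int = 636, ou: Optional[str] = None) -> str:
    """Build the connection string from its parts.

    The domain is split at each period and every label becomes a DC= element;
    the OU= element is only included when an organization unit is supplied.
    """
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label, e.g. company.com")
    rdns = ([f"OU={ou}"] if ou else []) + [f"DC={label}" for label in labels]
    return f"LDAP://{server}:{port}/{','.join(rdns)}"


def check_ldap_url(url: str) -> list[str]:
    """Return the problems found in a connection string (empty list = OK)."""
    problems: list[str] = []
    m = _URL_RE.match(url.strip())
    if not m:
        return ["not in the form LDAP://[server]:[port]/OU=...,DC=..."]
    if m["scheme"] != "LDAP":
        problems.append("scheme must be written in upper case: LDAP://")
    if m["port"] is not None and not m["port"].isdigit():
        problems.append(f"port {m['port']!r} is not a number")
    keys = []
    for rdn in m["dn"].split(","):
        key, sep, value = rdn.partition("=")
        if not sep or not value:
            problems.append(f"malformed element {rdn!r}")
            continue
        keys.append(key)
        # The page requires OU and DC to be capitalised.
        if key.upper() in ("OU", "DC") and key != key.upper():
            problems.append(f"{key}= must be capitalised as {key.upper()}=")
    if "DC" not in [k.upper() for k in keys]:
        problems.append("no DC= elements: the domain is missing")
    return problems
```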

Username

Username to connect to the LDAP server.

Group

LDAP Users can be a member of one or more LDAP Groups.

  • A group name can be entered to limit the number of LDAP usernames retrieved.

  • Alternatively, a valid LDAP filter can be entered, beginning with a left bracket '('.

  • If an LDAP filter is not entered, the following filter will automatically be applied to limit the number of usernames retrieved: (objectClass=user)(objectCategory=person).

  • Groups can be used with or without LDAP organizational units (OUs).

Domain - Should be left blank, as it is added to LDAP usernames at login.

Test the LDAP configuration

Click the Test button in the bottom left corner of the LDAP window to test the current LDAP configuration.

If the connection is successful, a list of retrieved usernames displays.

If the connection is unsuccessful, a Connection Failed message displays, with an explanation of the problem.

Deal with server changes

From time to time, server changes might affect LDAP access. This can easily be addressed by updating the IP addresses allowed through your firewall; the current addresses can be obtained from your Phocas Support Team.

Combine LDAP and non-LDAP users

When LDAP is enabled, all new users are assumed to be LDAP accounts, but the system does allow a mixed approach.  

In the user maintenance form, there is a checkbox under the Username box which is selected for new users by default. If you deselect this checkbox, the user will be authenticated by Phocas instead.