Can you show us a screenshot of the settings that can be made in GLPI and what you've entered there so far?
Always keep the following three points in mind when configuring a third-party application for access to the UCS LDAP:
- There are actually two LDAP servers running, one provided by Samba 4 and the OpenLDAP one that the Univention Management Console & assorted tools use (with bidirectional data sync between them). The Samba 4 LDAP server is running on the standard LDAP ports 389 (unencrypted or via StartTLS) and 636 (encrypted) whereas the OpenLDAP server is running on ports 7389 (unencrypted or via StartTLS) and 7636 (encrypted).
- Both servers require authentication before they can be searched. For this you need a user account. We often create one named `ldapsearch` just for this purpose. The format of the user name used to bind depends on the LDAP server you're contacting: email@example.com should work with Samba 4 whereas you need the user name's LDAP DN for the OpenLDAP server (e.g.
- If you're using encryption, then it's quite possible that the connecting device won't like the certificate authority used by the UCS server. In such a case try importing the UCS CA certificate on the other device. The CA certificate can be downloaded from the UCS DC Master web site or copied via `scp` from the DC Master where it can be found in
- Group membership is usually easier to handle in Samba 4's LDAP server as there's an attribute for that stored in the user object called `memberOf` which can be used in LDAP filters. OpenLDAP on the other hand stores group membership in the group object, not in the user object, and that you cannot filter for; the application has to handle OpenLDAP group membership on its own.
…ok there are four important things to remember
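
The port, bind-format and group-membership differences described in the post, as an added example that is not part of the original post and is not GLPI or UCS code. The function names, host name and DNs are constructed, and the attribute names `sAMAccountName`, `uid` and `uniqueMember` are assumptions about the two directories; user input is escaped before it is placed in a filter.

```python
# Added example: settings a third-party app needs for each UCS LDAP server.
# Ports and bind styles come from the post; attribute names are assumptions.
BACKENDS = {
    "samba4":   {"ldap": 389,  "ldaps": 636,  "needs_dn": False},
    "openldap": {"ldap": 7389, "ldaps": 7636, "needs_dn": True},
}

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def connection_settings(backend, host, bind_identity, ldaps=True):
    """Return the URI and bind identity; on the plain port StartTLS is expected."""
    spec = BACKENDS[backend]
    looks_like_dn = "=" in bind_identity and "@" not in bind_identity
    if spec["needs_dn"] and not looks_like_dn:
        raise ValueError("the OpenLDAP server needs the bind user's LDAP DN")
    scheme = "ldaps" if ldaps else "ldap"
    return {"uri": "%s://%s:%d" % (scheme, host, spec[scheme]),
            "bind": bind_identity, "starttls": not ldaps}

def membership_filters(backend, username, user_dn, group_dn):
    """Return the search filters needed to test one user's group membership."""
    user = escape_filter_value(username)
    if backend == "samba4":
        # One search on the user object: memberOf can be filtered directly.
        return ["(&(sAMAccountName=%s)(memberOf=%s))"
                % (user, escape_filter_value(group_dn))]
    # OpenLDAP: membership is stored on the group, so the application resolves
    # the user first and then asks the group object whether it lists that DN.
    return ["(uid=%s)" % user,
            "(uniqueMember=%s)" % escape_filter_value(user_dn)]

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    user_dn = "uid=jdoe,dc=example,dc=com"
    group_dn = "cn=glpi-users,dc=example,dc=com"
    print(connection_settings("samba4", "ucs.example.com", "ldapsearch@example.com"))
    print(connection_settings("openldap", "ucs.example.com",
                              "uid=ldapsearch,dc=example,dc=com"))
    for backend in BACKENDS:
        print(backend, membership_filters(backend, "jdoe", user_dn, group_dn))
```

For the OpenLDAP case the second filter is meant to be run against the group entry itself, after the first search has returned the user's DN.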