PHP Setup
Before we can begin setting up Booked, ensure LDAP support for PHP has been installed and configured.
If connecting to Active Directory over LDAPS, ensure that SSL support for PHP has been installed and configured.
Booked Configuration
First, log into Booked as an administrator. Then open Application Configuration and choose Authentication-ActiveDirectory from the drop down at the top. We’ll go through each setting here.
After updating your Active Directory settings, return to Application Configuration, choose config.php from the drop down at the top, and change your authentication plugin option to Active Directory.
Booked uses adLDAP for Active Directory connectivity, which has a much more detailed explanation of each setting.
domain.controllers is your Active Directory domain controller name or IP. You can provide a comma separated list if you have fallback servers.
port is the port to connect to the LDAP server over. The default is 389, but 636 is often used for ldaps connections.
username is the username to bind with if your Active Directory does not allow anonymous binding.
password is the password to bind with if your Active Directory does not allow anonymous binding.
basedn is simply the base dn for your domain. It is often the same as your account suffix, but broken up and prefixed with
version is the version of LDAP being used. You’ll probably never have to change this from the default of 3.
use.ssl is whether or not to use SSL for connections. This requires changing your port and often prefixing domain controllers with ldaps://
account.suffix is the full account suffix for your domain, for example @mydomain.local.
database.auth.when.ldap.user.not.found tells Booked to store the user’s password to be used for authentication in the event that LDAP is not accessible.
attribute.mapping is the list of name value pairs to use to map LDAP values to Booked. The left side of the equals sign is the name of the attribute in Booked and cannot change. The right side is the name of your LDAP attribute.
use.sso is whether or not to attempt to authenticate the user without prompting them. This typically only works within the network.
required.groups is the comma separated list of Active Directory groups that a user must be part of in order to gain access to Booked.
sync.groups tells Booked whether or not to synchronize group membership. It’s important to note that groups themselves will never be created or removed from Booked. For any group membership that you want to sync, you must create a group in Booked with the exact name as it appears in Active Directory. For example, if the user is part of the students group in LDAP, there must be a students group in Booked.
prevent.clean.username controls whether or not to strip the domain name off when authenticating, if you require users to provide it when logging in.
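The settings above interact: use.ssl, port and the ldaps:// prefix have to agree, and a bind password only makes sense on a protected connection. The following check is an added example, not code from Booked or adLDAP; the function name lintActiveDirectorySettings, the array layout and the sample values are assumptions, and only the setting names come from this page.

```php
<?php
// Added example, not part of Booked. Checks a settings array (keys named as on
// this page) for combinations that contradict the LDAPS guidance above.
// Assumed: values are strings, as typed into the configuration form.
function lintActiveDirectorySettings(array $s): array
{
    $findings = [];
    $ssl  = filter_var($s['use.ssl'] ?? 'false', FILTER_VALIDATE_BOOLEAN);
    $port = (int)($s['port'] ?? 389);
    $controllers = array_filter(array_map('trim', explode(',', $s['domain.controllers'] ?? '')));
    if (!extension_loaded('ldap')) {
        $findings[] = 'PHP ldap extension is not loaded';
    }
    if ($ssl && !extension_loaded('openssl')) {
        $findings[] = 'use.ssl is on but the PHP openssl extension is not loaded';
    }
    if ($ssl && $port === 389) {
        $findings[] = 'use.ssl is on but port is still 389; 636 is the usual ldaps port';
    }
    if (!$ssl && $port === 636) {
        $findings[] = 'port is 636 but use.ssl is off';
    }
    foreach ($controllers as $dc) {
        $hasPrefix = stripos($dc, 'ldaps://') === 0;
        if ($ssl && !$hasPrefix) {
            $findings[] = "use.ssl is on but $dc has no ldaps:// prefix";
        } elseif (!$ssl && $hasPrefix) {
            $findings[] = "$dc uses ldaps:// but use.ssl is off";
        }
    }
    if (!$ssl && ($s['password'] ?? '') !== '') {
        $findings[] = 'bind password is set but use.ssl is off; the bind is not protected by SSL';
    }
    // Assumption: an empty required.groups means no group restriction is applied.
    if (trim($s['required.groups'] ?? '') === '') {
        $findings[] = 'required.groups is empty; access is not limited to specific AD groups';
    }
    return $findings;
}

// Constructed sample values, not taken from a real deployment.
$sample = [
    'domain.controllers' => 'dc1.mydomain.local,ldaps://dc2.mydomain.local',
    'port' => '389', 'use.ssl' => 'true',
    'username' => 'svc-booked', 'password' => 'example-only', 'required.groups' => '',
];
foreach (lintActiveDirectorySettings($sample) as $finding) {
    echo "- $finding\n";
}
```

Run it with the PHP binary your web server uses, so the extension checks reflect the same PHP build that serves Booked.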