Clone this wiki locally
Configuring Ampache for LDAP authentication
Enable LDAP as an authentication method
You first need to add LDAP to the authentication methods of your Ampache instance:
auth_methods = "ldap"
The above example does not include MySQL authentication support. Ampache can have multiple authentication methods at the same time. It will try them in the order they are listed until a match is found. If you would like it to try LDAP first, and then fall back on MySQL simply set
auth_methods as follows:
auth_methods = "ldap,mysql"
Enable the automatic user creation
As with all others login extension methods, you need to set the
auto_create and the
auto_create variable allows Ampache to create new users when they manage to connect using a login extension method (here, LDAP). This variable MUST be set to
true, otherwise your users wont be able to connect to Ampache.
auto_user variable states what status one will obtain by connecting with a login extension method. The default is "guest". The other possible values are "user" and "admin".
Configure Ampache's LDAP client
You now need to set the
ldap_* variables that will define the behaviour of Ampache against your LDAP server.
You MUST set the following variables:
ldap_search_dn: The DN in which the users will be searched for (usually something like
ldap_objectclass: The objectClass common to all users. In OpenLDAP, this is usually
posixAccount; In Microsoft Active Directory,
ldap_filter: The filter that will be used when searching for the user. The
%vstring will be replaced by the username. For OpenLDAP, try
(uid=%v). For Microsoft Active Directory, try
If you want Ampache to use a specific username/password combination instead of the anonymous login, you'll have to set the
ldap_password variables. Be carefull:
ldap_username takes a DN.
If you want all your users to be in a specific group, you can provide the
ldap_require_group variable that takes a group DN. Ampache will search for the username in the list of the members of this group. By default, this list is in attribute
member, but it's not always the case (it might be
memberuid for instance). If you need to change this attribute name, change the
If you want Ampache to automatically fetch the user's name and/or e-mail from your LDAP server, fill the
ldap_name_field can reconstruct a name. If you have for instance the first names of your users in a
givenName field, and their family name in a
sn field, you can set
By default, the LDAP protocol version used is 3. You can customize this behaviour with the
If your server can use StartTLS, you may want Ampache to use it. In that case, set the
ldap_start_tls variable to
TIPs and Gotchas
My users can't connect, how can I know what's happening?
Enable Ampache's logging (debug mode). Look in the logs for the lines containing
cat ampache.XXXXX.log | grep '(LDAP)'
When logging on, I get the message "undefined function ldap_connect()"
Make sure PHP's LDAP libraries are installed and accessible (Debian/Ubuntu:
sudo apt-get install php5-ldap).
Once the libraries are installed, you may need to restart Apache if it is already running. (Debian/Ubuntu:
sudo service apache2 restart).
- Specifying an
ldap_objectclassvalue other than
"*"may cause authentication to fail. Check this value if you are getting authentication failure messages from the login page.