LDAP Authentication Type Configuration

We have provided several configuration settings with the intention of making this package flexible and performant in many different environments. These settings are available from the ec_ldap authentication type page, found by clicking on the authentication type at index.php/dashboard/system/registration/authentication.

Sync Settings

Queue Batch Size - When running our user sync or remove jobs, you may need to adjust the number of users that sync per request to prevent PHP timeout errors, or to maximize performance. Setting this number higher will result in faster sync times, but is more likely to cause errors if the request runs too long.

Delete LDAP User Action - This setting determines what happens when a user is perceived to have been deleted from the LDAP directory.

  • Do Nothing - No action is taken on the concrete5 user account
  • Deactivate User - The concrete5 user that this account is linked to will be deactivated if there are no other LDAP accounts linked to it
  • Delete User - The concrete5 user that this account is linked to will be deleted if there are no other LDAP accounts linked to it

Delete Timer Minutes - When the check is run to determine if a user has been deleted, in order to limit the number of users checked we only check users who haven't been synced in the last X minutes. This setting lets you choose how long that period is. Generally, it is a good idea to run your sync job just prior to your remove job if you are syncing all users. If you are not syncing all users via the sync job, or have a small number of users, this setting is far less valuable. To always check all users for deletion, simply set this setting to 0.

Link a concrete5 and LDAP user if the email matches - Pretty much what it says. When we attempt to sync LDAP and concrete5 users, normally we check if a link exists and if not we attempt to create it. When this method is enabled, we first check if a user is already linked; if not, we then check if a concrete5 user exists with the same email address and, if it does, we link it. Note: This could be a security risk if you do not have email verification enabled, as it could allow someone else to create a concrete5 account ahead of time which is then synced to an LDAP account. Use with caution.
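The linking decision described above, as an added model written for this page (not the package's own code): `SiteUser`, `LdapEntry`, `Directory` and `link_ldap_user` are assumed names, and the `email_validated` flag stands in for concrete5's email verification. It shows why an unverified pre-registered account is the risk the note warns about, and how requiring a verified address closes it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the "link if the email matches" rule; not the package's API.

@dataclass
class SiteUser:
    user_id: int
    email: str
    email_validated: bool  # stands in for concrete5 email verification (assumed)

@dataclass
class LdapEntry:
    dn: str
    mail: str

@dataclass
class Directory:
    users: list
    links: dict = field(default_factory=dict)  # LDAP dn -> site user_id

def link_ldap_user(d: Directory, entry: LdapEntry, link_by_email: bool,
                   require_verified_email: bool) -> Optional[int]:
    """Return the site user_id the entry is linked to, or None (= create new).

    An existing link always wins. Otherwise, with link_by_email on, match the
    address case-insensitively; with require_verified_email on, refuse to link
    to an account whose address was never verified.
    """
    if entry.dn in d.links:
        return d.links[entry.dn]
    if not link_by_email:
        return None
    for u in d.users:
        if u.email.lower() == entry.mail.lower():
            if require_verified_email and not u.email_validated:
                return None  # unverified: do not trust the address match
            d.links[entry.dn] = u.user_id
            return u.user_id
    return None

def demo() -> dict:
    """Constructed scenario: a site account was registered with Alice's address
    before the first LDAP sync ran, and its email was never verified."""
    entry = LdapEntry("uid=alice,ou=people,dc=example,dc=com", "alice@example.com")
    cases = [("email_link_off", False, False), ("email_link_on", True, False),
             ("email_link_on_verified_only", True, True)]
    results = {}
    for name, by_email, verified_only in cases:
        d = Directory(users=[SiteUser(7, "Alice@example.com", False)])
        results[name] = link_ldap_user(d, entry, by_email, verified_only)
    return results
```

With email linking on and no verification, the LDAP identity is attached to the pre-registered account (user 7); with verification required, the sync falls through to creating a fresh account instead.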

Only allow LDAP users to log in with LDAP authentication - When this setting is enabled, any account that is linked to an LDAP account will be prevented from logging in using any authentication type other than its LDAP account. This is useful if you want to prevent LDAP users from logging in with another authentication type to circumvent LDAP security.

Automatic Directory Selection - When this setting is enabled and a user attempts to log in, that user's username and password will be tried against each directory that has been set up. Note: This can cause account lockouts if the same username exists in several directories with different passwords, since each failed attempt counts against the account in that directory.

Network Settings

LDAP Network Timeout - This is the duration in seconds that we wait for an LDAP server to respond when connecting before trying the next server in the list. If you have high-latency LDAP servers you may need to raise this setting, but doing so may cause longer delays in logging in when one or more LDAP servers are unavailable.

LDAP Time Limit - The maximum number of seconds an ldap query can take to run before timing out. Note: The actual time limit for operations is also bounded by the server's configured maximum time. The lesser of these two settings is the actual time limit.

LDAP Cache TTL - The number of seconds to cache LDAP objects. In this package we cache User and Group LDAP queries in certain situations. This helps to reduce the load on your LDAP servers when running the sync job, and additionally helps performance in environments that leverage nested groups. We recommend setting this value slightly longer than the time it takes for your environment's user sync job to run (after all users have been synced the first time). If you wish to disable the LDAP cache, simply set this value to 0.

Debug Settings

Log Level - This is the minimum log level that gets logged to the concrete5 logger in the "ec_ldap" channel. Normally you should leave this at WARNING. If you are having problems or unexpected behavior, you should review the log and, if necessary, change this to a more verbose setting. Note that this setting is ignored and "DEBUG" is used for concrete5 versions prior to 5.7.5. When this setting is set to DEBUG, verbose LDAP output will also be written to your system stderr log in addition to the concrete5 logs.