Advanced LDAP

Provides advanced LDAP functions like LDAP group/space mapping.

User Mapping

You can assign users' group or Space memberships automatically using LDAP.

Mapping Options:

  • User LDAP group memberships (memberOf field, e.g. CN=xyz_space_access,OU=Groups,DC=example,DC=com)
  • Part of the user's base DN (e.g. OU=People,DC=example,DC=com)
  • Attribute values (e.g. street==Some Street or street=~Street)
  • LDAP Query

Note: If the option 'Fetch/Update Users Automatically' is activated, the mappings are updated automatically every hour and each time a user logs in.

Space Mapping

If the Advanced LDAP module is enabled and configured, the Space mapping can be configured in the respective Space under Space > Space Settings Dropdown > Members > LDAP.

Note: This LDAP mapping can only be configured by HumHub administrators. A Space Administrator does not have access to this setting for security reasons.

Group Mapping

A mapping based on user groups can be defined under Administration > Users > Groups > Select a group > LDAP.

Profile Images

You can also synchronize profile images from LDAP.

Modify your configuration file protected/config/common.php and add the following section:

<?php

return [
    'components' => [
        'authClientCollection' => [
            'clients' => [
                'ldap' => [
                    'class' => 'humhub\modules\advancedLdap\authclient\LdapAuth',
                    'profileImageAttribute' => 'thumbnailphoto'
                ]
            ]
        ]
    ]
];

In this example, it is assumed that the image is stored in the LDAP attribute thumbnailphoto. If a different attribute is used, the configuration must be adjusted accordingly.

Note: The attribute must be defined in lowercase, as any other naming convention will result in errors.

Multiple LDAP servers

If several different LDAP servers are used, the complete LDAP configuration must be organised via the configuration files.

Note: With the LDAP CLI tools, a clientId can always be passed as an additional parameter to define the desired LDAP connection.

When a user logs in, authentication against the specified LDAP sources is attempted one after the other.

<?php

return [
    'components' => [
        'authClientCollection' => [
            'clients' => [
                'ldapServer1' => [
                    'class' => 'humhub\modules\advancedLdap\authclient\LdapAuth',
                    'clientId' => 'ldapServer1',
                    'hostname' => 'ldap1.example.com',
                    'port' => 636,
                    #'useStartTls' => true,
                    'useSsl' => true,
                    'baseDn' => 'dc=company1,dc=com',
                    'bindUsername' => 'cn=admin,dc=company1,dc=com',
                    'bindPassword' => 'XXX',
                    'loginFilter' => '(uid=%s)',
                    'userFilter' => '(objectClass=posixAccount)',
                    'idAttribute' => 'uid',
                    'usernameAttribute' => 'uid',
                    'autoRefreshUsers' => true
                ],
                'ldapServer2' => [
                    'class' => \humhub\modules\ldap\authclient\LdapAuth::class,
                    'clientId' => 'ldapServer2',
                    'hostname' => 'ldap2.example.com',
                    'port' => 636,
                    'useSsl' => true,
                    'baseDn' => 'dc=company2,dc=com',
                    'bindUsername' => 'cn=admin,dc=company2,dc=com',
                    'bindPassword' => 'XXX',
                    'loginFilter' => '(uid=%s)',
                    'userFilter' => '(objectClass=posixAccount)',
                    'idAttribute' => 'uid',
                    'usernameAttribute' => 'uid',
                    'autoRefreshUsers' => true
                ],
            ]
        ]
    ]
];
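
A pre-deployment check for a file-based multi-server configuration like the one above, as an added example that is not part of the module or of HumHub. The function name lintLdapClients, the rules it applies and the sample array are assumptions of this example; the configuration keys are the ones shown above.

```php
<?php
// Added example; the rules are this example's own assumptions, not module checks.
function lintLdapClients(array $config): array
{
    $findings = $seenIds = [];
    $clients = $config['components']['authClientCollection']['clients'] ?? [];
    foreach ($clients as $key => $c) {
        $class = (string) ($c['class'] ?? '');
        // Skip non-LDAP clients and entries whose connection is configured elsewhere.
        if (!preg_match('/\\\\authclient\\\\LdapAuth$/', $class) || empty($c['hostname'])) {
            continue;
        }
        $ssl = !empty($c['useSsl']);
        $startTls = !empty($c['useStartTls']);
        if (!$ssl && !$startTls) {
            $findings[] = "$key: no useSsl/useStartTls, binds and logins are sent unencrypted";
        } elseif ($startTls && ($c['port'] ?? null) === 636) {
            $findings[] = "$key: useStartTls on port 636, which is the LDAPS port";
        }
        if (isset($c['loginFilter']) && strpos($c['loginFilter'], '%s') === false) {
            $findings[] = "$key: loginFilter has no %s placeholder for the login name";
        }
        if (isset($c['bindUsername']) && in_array($c['bindPassword'] ?? '', ['', 'XXX'], true)) {
            $findings[] = "$key: bindPassword is empty or still the XXX placeholder";
        }
        // The CLI tools select a connection by clientId, so it has to be unique.
        $id = $c['clientId'] ?? $key;
        if (isset($seenIds[$id])) {
            $findings[] = "$key: clientId '$id' is already used by {$seenIds[$id]}";
        }
        $seenIds[$id] = $key;
    }
    return $findings;
}

// Constructed sample with deliberate mistakes (not a real deployment).
$sample = ['components' => ['authClientCollection' => ['clients' => [
    'ldapServer1' => [
        'class' => 'humhub\modules\advancedLdap\authclient\LdapAuth',
        'clientId' => 'ldapServer1', 'hostname' => 'ldap1.example.com', 'port' => 389,
        'bindUsername' => 'cn=admin,dc=company1,dc=com', 'bindPassword' => 'XXX',
        'loginFilter' => '(uid=%s)',
    ],
    'ldapServer2' => [
        'class' => 'humhub\modules\advancedLdap\authclient\LdapAuth',
        'clientId' => 'ldapServer1', 'hostname' => 'ldap2.example.com', 'port' => 636,
        'useSsl' => true, 'bindUsername' => 'cn=admin,dc=company2,dc=com',
        'bindPassword' => 'XXX', 'loginFilter' => '(objectClass=posixAccount)',
    ],
]]]];
echo implode(PHP_EOL, lintLdapClients($sample)), PHP_EOL;
```

To check a real file, pass the array returned by `require 'protected/config/common.php'` instead of `$sample`.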

Module Information

Latest version release: 1.3.0 - August 27, 2025
Compatibility: HumHub 1.4 - 1.18