Preface: These instructions work on FreeIPA/389 Directory Server. It should work on every LDAP solution but YMMV.
I had struggled for a few days with setting up Grocy to talk with my IPA server for authentication, and I finally figured it out.
First, let me show you my configuration:
// Either "Grocy\Middleware\DefaultAuthMiddleware", "Grocy\Middleware\ReverseProxyAuthMiddleware"
// or any class that implements Grocy\Middleware\AuthMiddleware
Setting('AUTH_CLASS', 'Grocy\Middleware\LdapAuthMiddleware');
// Options when using LdapAuthMiddleware
Setting('LDAP_ADDRESS', 'ldaps://example.com:636'); // Example value "ldap://vm-dc2019.local.berrnd.net"
Setting('LDAP_BASE_DN', 'dc=example,dc=com'); // Example value "DC=local,DC=berrnd,DC=net"
Setting('LDAP_BIND_DN', 'uid=svcacct_grocy,cn=users,cn=accounts,dc=example,dc=com'); // Example value "CN=grocy_bind_account,OU=service_accounts,DC=local,DC=berrnd,DC=net"
Setting('LDAP_BIND_PW', 'passw0rd'); // Password for the above account
Setting('LDAP_USER_FILTER', '(memberOf=cn=grocy-users,cn=groups,cn=accounts,dc=example,dc=com)'); // Example value "(OU=grocy_users)"
Setting('LDAP_UID_ATTR', 'uid'); // Windows AD: "sAMAccountName", OpenLDAP: "uid", GLAuth: "cn"
- It's not documented, but Grocy supports LDAP over TLS (the ldaps:// URI on port 636 in the config above).
- If you want to limit access to Grocy to certain POSIX groups, that filter works perfectly.
- Most importantly, if you are getting errors, make sure the php-ldap module is installed. That's what tripped me up.
(EL8/9/Fedora) # dnf install php-ldap
(Debian/Ubuntu) # apt-get install php-ldap
(Gentoo) I don't know lol
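To see what those settings actually drive, here is an added standalone PHP script (my own example, not Grocy's LdapAuthMiddleware code) that performs the same login sequence the config above implies: check that php-ldap is loaded, bind with the service account, search for the user under LDAP_USER_FILTER, then bind as the user to prove the password. The function names ldapAuthenticate() and buildUserFilter() and the $settings array are assumptions for this example; the values are the same example placeholders as in the config.

```php
<?php
// Added example, not Grocy's own code. Names below (ldapAuthenticate, buildUserFilter,
// $settings) are this script's assumptions, not Grocy internals.

// php-ldap is a separate package; without it every ldap_* call is undefined.
if (!extension_loaded('ldap')) {
    fwrite(STDERR, "php-ldap extension is not loaded (dnf/apt install php-ldap)\n");
    exit(1);
}

// Same example values as the Setting() calls above.
$settings = [
    'LDAP_ADDRESS'     => 'ldaps://example.com:636',
    'LDAP_BASE_DN'     => 'dc=example,dc=com',
    'LDAP_BIND_DN'     => 'uid=svcacct_grocy,cn=users,cn=accounts,dc=example,dc=com',
    'LDAP_BIND_PW'     => 'passw0rd',
    'LDAP_USER_FILTER' => '(memberOf=cn=grocy-users,cn=groups,cn=accounts,dc=example,dc=com)',
    'LDAP_UID_ATTR'    => 'uid',
];

/**
 * Build the search filter: the configured group filter AND-ed with the login name.
 * ldap_escape() with LDAP_ESCAPE_FILTER keeps special characters in a username
 * (e.g. "*" or ")") from widening the search, i.e. LDAP filter injection.
 */
function buildUserFilter(array $s, string $username): string
{
    $uid = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return sprintf('(&%s(%s=%s))', $s['LDAP_USER_FILTER'], $s['LDAP_UID_ATTR'], $uid);
}

/**
 * Returns the user's DN on success, or null when the user is not found, is not in
 * the allowed group, or supplies a wrong password.
 */
function ldapAuthenticate(array $s, string $username, string $password): ?string
{
    // An empty password must be rejected up front: many directories treat it as an
    // anonymous (unauthenticated) bind, which would "succeed" for any username.
    if ($password === '') {
        return null;
    }

    $ldap = ldap_connect($s['LDAP_ADDRESS']);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the service account so we are allowed to search.
    if (!@ldap_bind($ldap, $s['LDAP_BIND_DN'], $s['LDAP_BIND_PW'])) {
        error_log('service account bind failed: ' . ldap_error($ldap));
        return null;
    }

    // Step 2: look up the user, restricted by LDAP_USER_FILTER (group membership).
    $result = ldap_search($ldap, $s['LDAP_BASE_DN'], buildUserFilter($s, $username), ['dn']);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        return null; // unknown user, outside the group, or ambiguous match
    }
    $entry  = ldap_first_entry($ldap, $result);
    $userDn = ldap_get_dn($ldap, $entry);

    // Step 3: prove the password by binding as the user's own DN.
    if (!@ldap_bind($ldap, $userDn, $password)) {
        return null;
    }
    ldap_unbind($ldap);
    return $userDn;
}

// Usage: php ldap_check.php <username> <password>
if (PHP_SAPI === 'cli' && $argc === 3) {
    $dn = ldapAuthenticate($settings, $argv[1], $argv[2]);
    echo $dn === null ? "login rejected\n" : "login ok as $dn\n";
}
```

Running this from the command line on the Grocy host is a quick way to tell a missing php-ldap module (the script exits immediately) apart from a wrong bind DN or password (service account bind fails) or a user who is simply not in the grocy-users group (search returns zero entries).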
Hopefully this is of use to someone!
Also, don't forget: