Grocy - How To Configure LDAP-based Authentication

Preface: These instructions work on FreeIPA/389 Directory Server. They should work on every LDAP solution, but YMMV.

I had struggled for a few days with setting up Grocy to talk with my IPA server for authentication, and I finally figured it out.

First, let me show you my configuration:

// Either "Grocy\Middleware\DefaultAuthMiddleware", "Grocy\Middleware\ReverseProxyAuthMiddleware"
// or any class that implements Grocy\Middleware\AuthMiddleware
Setting('AUTH_CLASS', 'Grocy\Middleware\LdapAuthMiddleware');

// Options when using LdapAuthMiddleware
Setting('LDAP_ADDRESS', 'ldaps://'); // Example value "ldap://"
Setting('LDAP_BASE_DN', 'dc=example,dc=com'); // Example value "DC=local,DC=berrnd,DC=net"
Setting('LDAP_BIND_DN', 'uid=svcacct_grocy,cn=users,cn=accounts,dc=example,dc=com'); // Example value "CN=grocy_bind_account,OU=service_accounts,DC=local,DC=berrnd,DC=net"
Setting('LDAP_BIND_PW', 'passw0rd'); // Password for the above account
Setting('LDAP_USER_FILTER', '(memberOf=cn=grocy-users,cn=groups,cn=accounts,dc=example,dc=com)'); // Example value "(OU=grocy_users)"
Setting('LDAP_UID_ATTR', 'uid'); // Windows AD: "sAMAccountName", OpenLDAP: "uid", GLAuth: "cn"

  1. It's not documented, but Grocy supports LDAP over TLS (note the ldaps:// scheme in LDAP_ADDRESS above).
  2. If you want to limit access to Grocy to certain POSIX groups, the memberOf filter in LDAP_USER_FILTER above works perfectly.
  3. Most importantly, if you are getting errors, make sure the php-ldap module is installed. That's what tripped me up.
(EL8/9/Fedora) # dnf install php-ldap
(Debian/Ubuntu) # apt-get install php-ldap
(Gentoo) I don't know lol
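
An added example, not part of the original post and not Grocy's own code: a stand-alone PHP CLI check that exercises the settings above outside Grocy (extension loaded, service-account bind, filter match for one login name). The host name, the test login name, the LDAP_BIND_PW environment variable and the way the uid attribute and user filter are combined into one search filter are assumptions.

```php
<?php
// Added diagnostic, not Grocy code. Values are constructed placeholders;
// copy the real ones from your Grocy config.php.
$address    = 'ldaps://ldap.example.com'; // placeholder host (assumption)
$baseDn     = 'dc=example,dc=com';
$bindDn     = 'uid=svcacct_grocy,cn=users,cn=accounts,dc=example,dc=com';
$bindPw     = getenv('LDAP_BIND_PW') ?: ''; // read from env, not hard-coded
$userFilter = '(memberOf=cn=grocy-users,cn=groups,cn=accounts,dc=example,dc=com)';
$uidAttr    = 'uid';
$testUser   = $argv[1] ?? 'someuser';     // login name to look up (assumption)

function fail(string $msg): void { fwrite(STDERR, "FAIL: $msg\n"); exit(1); }

// 1. The failure mode from the post: the PHP LDAP extension is missing.
if (!extension_loaded('ldap')) {
    fail('php-ldap is not loaded in this PHP');
}
// 2. An empty password turns the bind into an anonymous one, which can "succeed".
if ($bindPw === '') { fail('LDAP_BIND_PW is empty, refusing anonymous bind'); }
// 3. This script never starts TLS itself, so anything but ldaps:// is cleartext.
if (stripos($address, 'ldaps://') !== 0) {
    fwrite(STDERR, "WARN: $address is not ldaps://, bind password is sent in clear\n");
}
$conn = ldap_connect($address);
if ($conn === false) { fail("could not parse LDAP URI $address"); }
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// 4. Bind as the service account (LDAP_BIND_DN / LDAP_BIND_PW).
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    fail('service bind failed: ' . ldap_error($conn));
}
// 5. Search with the uid attribute AND the group filter combined (assumed
//    combination). ldap_escape() stops characters such as * ( ) \ in the
//    login name from changing the meaning of the filter.
$filter = sprintf('(&(%s=%s)%s)', $uidAttr,
    ldap_escape($testUser, '', LDAP_ESCAPE_FILTER), $userFilter);
$result = ldap_search($conn, $baseDn, $filter, [$uidAttr]);
if ($result === false) { fail('search failed: ' . ldap_error($conn)); }
$entries = ldap_get_entries($conn, $result);
ldap_unbind($conn);

if ($entries['count'] !== 1) {
    fail("filter $filter matched {$entries['count']} entries, expected exactly 1");
}
echo "OK: {$entries[0]['dn']} passes the filter\n";
```

The CLI and the web server's PHP can load different extension sets, so a pass here still needs php-ldap enabled for the PHP that serves Grocy.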

Hopefully this is of use to someone!

Also, don't forget: