
LDAP Authentication with Windows Active Directory

This document describes how to configure LDAP Authentication in Time Tracker against Windows Active Directory.

Change Authentication Parameters in config.php

To enable LDAP authentication, set the AUTH_MODULE value in the config.php file as follows:
define('AUTH_MODULE', 'ldap');

Also define the following authentication parameters in the same file:
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
  'server' => '',
  'type' => 'ad',
  'base_dn' => 'DC=example,DC=com',
  'default_domain' => 'example.com',
  'member_of' => array());
The parameters here are:

server - IP address or name of your domain controller. If you installed Time Tracker on the domain controller it could be localhost, or

type - type of LDAP server. Set it to ad for Active Directory.

base_dn - base distinguished name in the LDAP catalog. For example, if your domain is example.com, you can specify DC=example,DC=com.

default_domain - default domain name that Time Tracker appends to logins when they are specified without a domain part. Do not underestimate the importance of this parameter. For example, you may log in to Windows as johndoe, but your identifier for LDAP is really johndoe@example.com. Specify the domain name taken from your domain controller here.

member_of - comma-separated list of Windows groups; membership in these groups is required for a user to be authenticated. It can be empty.
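A preflight check for the parameters described above, as an added example that is not part of Time Tracker. The function names, the group TimeTrackerUsers and the memberOf value are assumptions made for illustration, and the group check assumes every group listed in member_of is required.

```php
<?php
// Added example; function names are hypothetical, not Time Tracker's API.
// Return warnings for an AUTH_MODULE_PARAMS-style array before going live.
function check_ldap_params(array $p): array {
    $warn = [];
    if (trim($p['server'] ?? '') === '') {
        $warn[] = 'server is empty';
    }
    if (($p['type'] ?? '') !== 'ad') {
        $warn[] = "type should be 'ad' for Active Directory";
    }
    // Join the DC= components of base_dn and compare with default_domain.
    preg_match_all('/(?:^|,)\s*DC=([^,]+)/i', $p['base_dn'] ?? '', $m);
    $fromDn = strtolower(implode('.', array_map('trim', $m[1])));
    if ($fromDn !== strtolower($p['default_domain'] ?? '')) {
        $warn[] = "base_dn domain '$fromDn' differs from default_domain (check both)";
    }
    if (!is_array($p['member_of'] ?? null)) {
        $warn[] = 'member_of must be an array';
    }
    return $warn;
}

// Identity sent to the domain controller; default_domain is appended if no '@'.
function bind_identity(string $login, string $defaultDomain): string {
    $login = trim($login);
    return strpos($login, '@') === false ? "$login@$defaultDomain" : $login;
}

// Groups from member_of that are absent from the user's memberOf DNs.
// Assumes every listed group is required and matches on CN, ignoring case.
function missing_groups(array $memberOfDns, array $required): array {
    $have = [];
    foreach ($memberOfDns as $dn) {
        if (preg_match('/^CN=((?:\\\\.|[^,])+)/i', $dn, $m)) {
            $have[] = strtolower($m[1]);
        }
    }
    return array_values(array_filter($required,
        fn($g) => !in_array(strtolower($g), $have, true)));
}

// Constructed sample values in the shape of the configuration on this page.
$params = ['server' => '', 'type' => 'ad', 'base_dn' => 'DC=mydomain,DC=com',
           'default_domain' => 'mydomain.com', 'member_of' => ['TimeTrackerUsers']];
$groups = ['CN=Domain Users,CN=Users,DC=mydomain,DC=com']; // constructed memberOf
print_r(check_ldap_params($params));
echo bind_identity('johndoe', $params['default_domain']), "\n";
print_r(missing_groups($groups, $params['member_of']));
```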

Enable php_ldap Extension

Enable the php_ldap extension in your php.ini. Usually, it is just a matter of un-commenting one line in php.ini so that it becomes:
Do not forget to restart your web server after changing php.ini.

How to Set Users with LDAP Authentication

It is very important to set Time Tracker users correctly for LDAP authentication.

IMPORTANT NOTE: logins for managers, co-managers, and users must be in the form username@domain.com in Time Tracker (not in Windows); otherwise users will not be able to log in to Time Tracker. The only exception is admin: the admin login is always just admin. If you already have a database of Time Tracker users, you need to change their logins accordingly.

  1. Create a domain account admin. Log in to your Time Tracker as admin. When LDAP authentication is used, only admin can create teams.
  2. If you need to create a new team, go to the Teams page in admin's interface and create a new team. Use the username@domain.com format for the manager login. Additionally, create a Windows domain account for the team manager if it does not exist. Without Windows domain accounts, users are not able to log in to Time Tracker.
  3. Log out as admin and log in to Time Tracker as the team manager. Create co-managers and regular users in a similar manner (in the format username@domain.com). Remember that all Time Tracker users must have domain accounts in Active Directory.

If you don't want to mess with the admin account, configure Time Tracker with db authentication first. Make sure that user logins are in the windowslogin@domain.com format. Once this is working, change the authentication parameters in Time Tracker config.php.

How to Debug

If you see a problem with LDAP authentication, enable debug output in the config.php file as follows:
define('AUTH_DEBUG', 1);
This will allow you to see some values being passed to the domain controller and hopefully troubleshoot the problem.

LDAP Configuration Example for Active Directory

Here is an example of configuration parameters and user names / logins for Windows Active Directory:
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
  'server' => 'localhost',
  'type' => 'ad',
  'base_dn' => 'DC=mydomain,DC=com',
  'default_domain' => 'mydomain.com',
  'member_of' => array());

Windows Logins - Example

These Windows logins are configured with Active Directory Users and Computers.

Corresponding Time Tracker Logins - Example

These logins are configured in Time Tracker for corresponding Windows login example entries above.

Time Tracker Install Guide