This works with every LDAP v2 or v3 server, including <ahref="../../documentation/1.9/authad.html"class="wikilink1"title="documentation:1.9:authad">Active Directory</a>.
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> is compatible with <ahref="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"class="urlextern"title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"rel="nofollow">LDAP password policy</a>:
<liclass="level1"><divclass="li"> LDAP server can check password strength, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will display correct errors (password too short, password in history, etc.)</div>
<liclass="level1"><divclass="li"> LDAP sever can block brute-force attacks, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> will display that account is locked</div>
<liclass="level1"><divclass="li"> LDAP server can force password change on first connection, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening <abbrtitle="Single Sign On">SSO</abbr> session</div>
In Manager, go in <code>General Parameters</code>><code>Authentication modules</code> and choose LDAP for authentication, users and/or password modules.
For <ahref="../../documentation/1.9/authad.html"class="wikilink1"title="documentation:1.9:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
<liclass="level1"><divclass="li"> decreased (-1) if the portal autocompletion is allowed (see <ahref="../../documentation/1.9/portalcustom.html"class="wikilink1"title="documentation:1.9:portalcustom">portal customization</a>)</div>
List of attributes to query to fill user session. See also <ahref="../../documentation/1.9/exportedvars.html"class="wikilink1"title="documentation:1.9:exportedvars">exported variables configuration</a>.
<liclass="level1"><divclass="li"><strong>Server host</strong>: LDAP server hostname or <abbrtitle="Uniform Resource Identifier">URI</abbr> (by default: localhost). Accept some specificities:</div>
<liclass="level2"><divclass="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<liclass="level2"><divclass="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
</li>
<liclass="level2"><divclass="li"> If you use TLS, you can set any of the <ahref="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"class="urlextern"title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"rel="nofollow">Net::LDAP</a> start_tls() sub like <code>ldap+tls://server/verify=none&capath=/etc/ssl</code>. You can also use caFile and caPath parameters.</div>
<liclass="level1"><divclass="li"><strong>Server port</strong>: TCP port used by LDAP server. Can be overridden by an LDAP <abbrtitle="Uniform Resource Identifier">URI</abbr> in server host.</div>
<liclass="level1"><divclass="li"><strong>Account</strong>: <abbrtitle="Distinguished Name">DN</abbr> used to connect to LDAP server. By default, anonymous bind is used.</div>
<liclass="level1"><divclass="li"><strong>Authentication filter</strong>: Filter to find user from its login (default: <code>(&(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<liclass="level1"><divclass="li"><strong>Mail filter</strong>: Filter to find user from its mail (default: <code>(&(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
<liclass="level1"><divclass="li"><strong>Search base</strong>: <abbrtitle="Distinguished Name">DN</abbr> of groups branch. If no value, disable group searching.</div>
<liclass="level1"><divclass="li"><strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<liclass="level1"><divclass="li"><strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<liclass="level1"><divclass="li"><strong>User source attribute</strong>: name of the attribute in users entries used in the link (default: dn).</div>
</li>
<liclass="level1"><divclass="li"><strong>Searched attributes</strong>: name(s) of the attribute storing the name of the group, spaces separated (default: cn).</div>
</li>
<liclass="level1"><divclass="li"><strong>Recursive</strong>: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user's groups.</div>
</li>
<liclass="level1"><divclass="li"><strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
<liclass="level1"><divclass="li"><strong>Password policy control</strong>: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)</div>
<liclass="level1"><divclass="li"><strong>Password modify extended operation</strong>: enable to use the LDAP extended operation <code>password modify</code> instead of standard modify operation.</div>
<liclass="level1"><divclass="li"><strong>Change as user</strong>: enable to perform password modification with credentials of connected user. This requires to request user old password (see <ahref="../../documentation/1.9/portalcustom.html"class="wikilink1"title="documentation:1.9:portalcustom">portal customization</a>).</div>
<liclass="level1"><divclass="li"><strong>LDAP password encoding</strong>: can allow to manage old LDAP servers using specific encoding for passwords (default: utf-8).</div>
<liclass="level1"><divclass="li"><strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when <ahref="../../documentation/1.9/resetpassword.html"class="wikilink1"title="documentation:1.9:resetpassword">password was reset by mail</a> and the user choose to generate the password (default: enabled).</div>