The ChurchTools LDAP service works as an LDAP server and makes all persons and groups available via LDAP access.
Alternatively, ChurchTools can also authenticate users against an existing LDAP server. For more information, see LDAP integration.
Many applications with their own user and permission management can use LDAP for authentication (checking that a user name and password are valid) and authorization (which rights the user has). This means that access to further software can be controlled via ChurchTools. So there is only ONE password for everything!
For example, you could configure a congregation’s firewall so that as soon as a person receives the “Graphics” group in ChurchTools, the person can dial into the congregation via VPN and access the corresponding network drive.
The connection with NextCloud already works well: NextCloud pulls all groups via LDAP and also detects when a user is a member of a group. A shared folder can then be created for each group, for example, which is automatically available to every member of that group (e.g. everyone in the technical team).
For NextCloud see Connecting Nextcloud to the ChurchTools Login
For OwnCloud see Setting up OwnCloud
Setup #
The LDAP service can be booked directly in the ChurchTools license settings.
The next step is to create a user with the following data and permissions in your ChurchTools:
- E-mail: ldap@churchtools.de
- Permissions: Manage permissions (administer persons), See “persons” (view), See “Groups” (view)
The Administer Persons right is mandatory for the LDAP user, as the LDAP service currently uses a special ChurchTools interface that retrieves _ALL_ persons and groups and is secured via the “Administer Persons” right. Therefore, the LDAP service currently does not work without this right.
A password must be set for the user; this will later be the password for using the LDAP service. You must NOT tell us the password; it only needs to be set, and you must log in once with this user and password (confirming the confidentiality agreement if prompted).
When this is done, send a short message via https://contact.church.tools and we will set up the LDAP service for your ChurchTools.
Testing #
Now the LDAP server can be tested, e.g. with the command:
ldapsearch -H ldaps://ldap.church.tools:636 -x -w <LDAP-Passwort> -D cn=root,ou=users,o=<subdomain> -LLL -b ou=users,o=<subdomain>
This displays all persons in ChurchTools.
Options from ldapsearch:
-H: Host name; for the LDAP service this is always ldaps://ldap.church.tools:636
-x: Authentication with password (simple authentication)
-w: the LDAP password that was set for the user ldap@churchtools.de (see “Setup” above)
-D: the user via which the LDAP query is to run. Always use cn=root,ou=users,o=<subdomain> as the DN (distinguished name) here
-LLL: suppress all comments in the output of ldapsearch (can also be omitted)
-b: the base DN, i.e. the base of the search tree. Here you can either search for persons (-b ou=users,o=<subdomain>), groups (-b ou=groups,o=<subdomain>), or both (-b o=<subdomain>). The ChurchTools subdomain name must always be used as <subdomain>, e.g. o=ldaptest.
Scheme #
The user name of the respective person is read out as the CN (CDB_PERSON.CMSUSERID).
The tree for users is then: cn=<cmsuserid>, ou=users, o=<subdomain>
dn: cn=mustermax,ou=users,o=ldaptest, attributes: {
cn: mustermax,
displayname: Max Mustermann,
id: 42,
uid: mustermax,
nsuniqueid: u42,
givenname: Max,
street: Mustergasse 1,
telephoneNumber: 0123456789,
postalCode: 12345,
l: Musterstadt,
sn: Mustermann,
email: mustermax@gmail.com,
mail: mustermax@gmail.com,
objectclass: CTPerson }
The tree for groups: cn=<group name>, ou=groups, o=<subdomain>
dn: cn=technical team,ou=groups,o=ldaptest, attributes: {
cn: technical team,
displayname: technical team,
nsuniqueid: g17,
objectclass: 'CTGroup' + 'group type', e.g. 'CTGroupService',
uniquemember: members[IDs] // Array of DNs }
As can be seen, the group membership is also indicated by the “uniquemember” attribute.
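The following Python script is an added example (not part of the ChurchTools documentation or the ChurchTools project) that ties the "Testing" and "Scheme" sections together: it builds the bind and base DNs used with ldapsearch, parses the LDIF that ldapsearch -LLL prints, and resolves group membership by following the uniquemember DNs back to CTPerson entries, which is exactly the lookup an application such as NextCloud or a VPN gateway performs before granting access. The LDIF text, the second user "mueller", and the stale member "nobody" are constructed sample data; the parser also handles the two LDIF details real output contains (base64-encoded values marked with "::", used for non-ASCII names such as umlauts, and folded continuation lines starting with a space).

```python
"""Parse ldapsearch LDIF output from the ChurchTools LDAP service and
resolve group membership via the uniquemember attribute.

Added example, not ChurchTools code. Sample LDIF below is constructed
to match the scheme described on the page; names and IDs are made up.
"""
import base64
from collections import defaultdict


def bind_dn(subdomain):
    """DN for ldapsearch -D (cn=root,ou=users,o=<subdomain>)."""
    return f"cn=root,ou=users,o={subdomain}"


def base_dn(subdomain, scope="both"):
    """Base DN for ldapsearch -b: 'users', 'groups' or 'both'."""
    if scope == "users":
        return f"ou=users,o={subdomain}"
    if scope == "groups":
        return f"ou=groups,o={subdomain}"
    if scope == "both":
        return f"o={subdomain}"
    raise ValueError(f"unknown scope {scope!r}")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Attribute names are lower-cased, entries are separated by blank
    lines, a leading space continues the previous line, and 'attr:: v'
    carries a base64-encoded UTF-8 value.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            attr, _, value = line.partition(":")
            value = value.strip()
        current[attr.strip().lower()].append(value)
    return entries


def normalize_dn(dn):
    """Comparison key: DNs are case-insensitive and ignore spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_members(entries):
    """Map group cn -> set of member user cns by following uniquemember DNs.

    DNs that do not resolve to a known CTPerson are ignored rather than
    granted access (a stale member must never match anyone).
    """
    users_by_dn = {}
    for e in entries:
        if "ctperson" in (v.lower() for v in e.get("objectclass", [])):
            users_by_dn[normalize_dn(e["dn"][0])] = e["cn"][0]
    members = {}
    for e in entries:
        if "ctgroup" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        members[e["cn"][0]] = {
            users_by_dn[normalize_dn(m)]
            for m in e.get("uniquemember", [])
            if normalize_dn(m) in users_by_dn
        }
    return members


def is_member(entries, user_cn, group_cn):
    """Authorization check: is user_cn listed as uniquemember of group_cn?"""
    return user_cn in group_members(entries).get(group_cn, set())


# Constructed sample of what `ldapsearch ... -LLL -b o=ldaptest` could print.
SAMPLE_LDIF = """\
dn: cn=mustermax,ou=users,o=ldaptest
cn: mustermax
displayname:: TWF4IE11c3Rlcm1hbm4=
uid: mustermax
nsuniqueid: u42
givenname: Max
sn: Mustermann
mail: mustermax@gmail.com
objectclass: CTPerson

dn: cn=mueller,ou=users,o=ldaptest
cn: mueller
displayname:: RXJpa2EgTcO8bGxlcg==
uid: mueller
nsuniqueid: u43
objectclass: CTPerson

dn: cn=technical team,ou=groups,o=ldaptest
cn: technical team
displayname: technical team
nsuniqueid: g17
objectclass: CTGroup
objectclass: CTGroupService
uniquemember: cn=mustermax,ou=users,o=ldaptest
uniquemember: CN=Mueller,OU=users,O=ldaptest
uniquemember: cn=nobody,ou=users,
 o=ldaptest
"""

if __name__ == "__main__":
    print("query persons with:", f"ldapsearch ... -D {bind_dn('ldaptest')} -b {base_dn('ldaptest', 'users')}")
    print(group_members(parse_ldif(SAMPLE_LDIF)))
```

Run it with `python3 ctldap_members.py` (any file name works) to see the resolved membership; feeding the script real `ldapsearch -LLL` output instead of SAMPLE_LDIF needs no changes, since the parser only relies on the attributes the page lists. Matching members through normalize_dn matters in practice: the DN in uniquemember may differ in case or spacing from the person's own dn, and a naive string comparison would silently deny access.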