{"id":47214,"date":"2020-05-20T10:04:40","date_gmt":"2020-05-20T09:04:40","guid":{"rendered":"https:\/\/churchtools.academy\/help\/non-knowledgebase\/uncategorized\/ldap-service\/"},"modified":"2026-03-18T16:06:34","modified_gmt":"2026-03-18T15:06:34","password":"","slug":"ldap-service","status":"publish","type":"docs","link":"https:\/\/churchtools.academy\/en\/help\/system-settings\/ldap-login-systemsettings\/ldap-service\/","title":{"rendered":"LDAP service"},"content":{"rendered":"\n<p>The ChurchTools LDAP service works as an <a href=\"http:\/\/de.wikipedia.org\/wiki\/Lightweight_Directory_Access_Protocol\" target=\"_blank\" rel=\"noopener\">LDAP server<\/a> and makes all persons and groups available via LDAP access.<\/p>\n\n\n\n<p>Alternatively, ChurchTools can also authenticate users against an existing LDAP server. For more information, see <a href=\"https:\/\/churchtools.academy\/help\/verwaltung\/ldap\/0-ldap-integration\/\" data-type=\"docs\" data-id=\"7396\">LDAP integration<\/a>.<\/p>\n\n\n\n<p>Much software that manages user rights can use LDAP for authentication (checking for a valid user name and password) and authorization (which rights a user has). This means that access to other software can be controlled via ChurchTools. So there is only ONE password for everything!<\/p>\n\n\n\n<p>For example, you could configure a congregation&#8217;s firewall so that as soon as a person is added to the &#8220;Graphics&#8221; group in ChurchTools, the person can dial into the congregation via <a href=\"http:\/\/de.wikipedia.org\/wiki\/Virtual_Private_Network\" target=\"_blank\" rel=\"noopener\">VPN<\/a> and access the corresponding network drive.<\/p>\n\n\n\n<p>One integration that already works well is the connection with NextCloud: NextCloud pulls all groups via LDAP and also detects which groups I am in. A shared folder can then be created for each group, which is automatically available to me if I am in the technical team, for example.
<\/p>\n\n\n\n<p>For NextCloud see <span style=\"background-color: #f2f4f6\"><a href=\"https:\/\/churchtools.academy\/help\/verwaltung\/ldap\/0-anbindung-von-nextcloud-an-den-churchtools-login\/\" data-type=\"docs\" data-id=\"7247\">Connecting Nextcloud to the ChurchTools Login<\/a><\/span><\/p>\n\n\n\n<p>For OwnCloud see <span style=\"background-color: #f2f4f6\"><a href=\"https:\/\/churchtools.academy\/help\/verwaltung\/ldap\/0-einrichten-von-owncloud\/\" data-type=\"docs\" data-id=\"7326\">Setting up OwnCloud<\/a><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setup<\/h2>\n\n\n\n<p>The LDAP service can be booked directly in the ChurchTools license settings.<\/p>\n\n\n\n<p>The next step is to create a user with the following data and permissions in your ChurchTools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>E-mail: <a href=\"mailto:ldap@churchtools.de\">ldap@churchtools.de<\/a><\/strong><\/li>\n\n\n\n<li><strong>Permissions: <\/strong><em>Manage permissions (administer persons)<\/em><strong>, <\/strong><em>See &#8220;persons&#8221; (view)<\/em><strong>, <\/strong><em>See &#8220;Groups&#8221; (view)<\/em><\/li>\n<\/ul>\n\n\n\n<p>The <strong>Administer Persons<\/strong> right is mandatory for the LDAP user, as the LDAP service currently uses a special ChurchTools interface that retrieves _ALL_ persons and groups and is secured via the &#8220;Administer Persons&#8221; right. Therefore, the LDAP service currently does not work without this right.<\/p>\n\n\n\n<p>A <strong>password<\/strong> must be set for the user; this will later be the password for using the LDAP service. You must NOT tell us the password; it only has to be set, and you must log in once with this user and password (if necessary, confirm the confidentiality agreement).
<\/p>\n\n\n\n<p>When this is done, send a short message via https:\/\/contact.church.tools and we will set up the LDAP service for your ChurchTools.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Testing<\/h2>\n\n\n\n<p>Now the LDAP server can be tested, e.g. with the command:<\/p>\n\n\n\n<p><span class=\"s1\"><code>ldapsearch -H ldaps:\/\/ldap.church.tools:636 -x -w &lt;LDAP-Passwort&gt; -D cn=root,ou=users,o=&lt;subdomain&gt; -LLL -b ou=users,o=&lt;subdomain&gt;<\/code><\/span><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">This displays all persons in ChurchTools.<\/span><\/p>\n\n\n\n<p class=\"p1\">The ldapsearch options used:<\/p>\n\n\n\n<p class=\"p1\">-H: the server URI; for the LDAP service this is always <code><span class=\"s1\">ldaps:\/\/ldap.church.tools:636<\/span><\/code><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">-x: simple authentication (bind with user name and password)<\/span><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">-w: the LDAP password that was set for the user <a href=\"mailto:ldap@churchtools.de\">ldap@churchtools.de<\/a> (see &#8220;Setup&#8221; above). Note that -w places the password on the command line, where it is visible in the process list and shell history; ldapsearch also accepts -W, which prompts for the password instead.<\/span><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">-D: the bind DN (distinguished name), i.e. the user the LDAP query runs as. Always use <code>cn=root,ou=users,o=&lt;subdomain&gt;<\/code> here.<\/span><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">-LLL: suppress all comments in the ldapsearch output (can also be omitted)<\/span><\/p>\n\n\n\n<p class=\"p1\"><span class=\"s1\">-b: the base DN, i.e. the base of the search tree. Here you can search for persons (<code>-b ou=users,o=&lt;subdomain&gt;<\/code>), groups (<code>-b ou=groups,o=&lt;subdomain&gt;<\/code>), or both (<code>-b o=&lt;subdomain&gt;<\/code>). The ChurchTools subdomain name must always be used as <code>&lt;subdomain&gt;<\/code>, e.g. <code>o=ldaptest<\/code>.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Schema<\/h3>\n\n\n\n<p>The user name of the respective person is exposed as the CN (CDB_PERSON.CMSUSERID).
<\/p>\n\n\n\n<p>The tree for users is then: <code>cn=&lt;cmsuserid&gt;, ou=users, o=&lt;subdomain&gt;<\/code><\/p>\n\n\n\n<p><code>dn: cn=mustermax,ou=users,o=ldaptest, <\/code><br><code>attributes: {<\/code><br>    <code>cn: mustermax,<\/code><br>    <code>displayname: Max Mustermann,<\/code><br>    <code>id: 42,<\/code><br>    <code>uid: mustermax,<\/code><br>    <code>nsuniqueid: u42,<\/code><br>    <code>givenname: Max,<\/code><br>    <code>street: Mustergasse 1,<\/code><br>    <code>telephoneNumber: 0123456789,<\/code><br>    <code>postalCode: 12345,<\/code><br>   <code>l: Musterstadt,<\/code><br>   <code>sn: Mustermann,<\/code><br>   <code>email: mustermax@gmail.com,<\/code><br>   <code>mail: mustermax@gmail.com,<\/code><br>   <code>objectclass: CTPerson <\/code><br><code>}<\/code><\/p>\n\n\n\n<p>The tree for groups: <code>cn=&lt;group name&gt;, ou=groups, o=&lt;subdomain&gt;<\/code><\/p>\n\n\n\n<p><code>dn: cn=technical team,ou=groups,o=ldaptest, <\/code><br><code>attributes: {<\/code><br><code>cn: technical team,<\/code><br><code>displayname: technical team,<\/code><br><code>nsuniqueid: g17,<\/code><br><code>objectclass: 'CTGroup'+'group type', e.g. 
'CTGroupService'<\/code><br><code>uniquemember: members[IDs] \/\/ Array of dns <\/code><br><code>}<\/code><\/p>\n\n\n\n<p>As can be seen, the group membership is also indicated by the &#8220;uniquemember&#8221; attribute.<\/p>\n\n\n\n<aside class=\"wp-block-group ct-artikel-zum-weiterlesen has-background is-layout-constrained wp-container-core-group-is-layout-89fd719a wp-block-group-is-layout-constrained\" style=\"border-radius:8px;background-color:#f9fafb;margin-top:24px;margin-bottom:24px;padding-top:32px;padding-right:24px;padding-bottom:32px;padding-left:24px\">\n<h2 class=\"wp-block-heading has-medium-font-size\">Read more<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/churchtools.academy\/en\/help\/system-settings\/ldap-login-systemsettings\/ldap-integration\/\" data-type=\"docs\" data-id=\"7396\" target=\"_blank\" rel=\"noreferrer noopener\">LDAP Integration<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/churchtools.academy\/en\/help\/system-settings\/ldap-login-systemsettings\/overview-ldap\/\" data-type=\"docs\" data-id=\"7394\" target=\"_blank\" rel=\"noreferrer noopener\">Overview LDAP<\/a><\/li>\n<\/ul>\n<\/aside>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The ChurchTools LDAP service works as an LDAP server and makes all persons and groups available via LDAP access. Alternatively, ChurchTools can also authenticate users against an existing LDAP server. For more information, see LDAP integration. Many software with user rights etc. 
can use LDAP for authentication (check for valid user name and password) and [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"doc_category":[475,475],"doc_tag":[653],"knowledge_base":[425],"class_list":{"0":"post-47214","1":"docs","2":"type-docs","3":"status-publish","4":"hentry","5":"doc_category-ldap-login-systemsettings","7":"doc_tag-content-outdated-en","8":"knowledge_base-system-settings"},"pp_statuses_selecting_workflow":false,"pp_workflow_action":"current","pp_status_selection":"publish","acf":[],"year_month":"2026-04","word_count":661,"total_views":"404","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Hans-Helge B\u00fcrger","author_nicename":"hhbuerger","author_url":"https:\/\/churchtools.academy\/en\/author\/hhbuerger\/"},"doc_category_info":[{"term_name":"LDAP","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/ldap-login-systemsettings\/"},{"term_name":"LDAP","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/ldap-login-systemsettings\/"}],"doc_tag_info":[{"term_name":"Content outdated","term_url":"https:\/\/churchtools.academy\/en\/docs-tag\/content-outdated-en\/"}],"knowledge_base_info":[{"term_name":"System 
Settings","term_url":"https:\/\/churchtools.academy\/en\/help\/system-settings\/","term_slug":"system-settings"}],"knowledge_base_slug":["system-settings"],"_links":{"self":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/47214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/comments?post=47214"}],"version-history":[{"count":287,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/47214\/revisions"}],"predecessor-version":[{"id":50190,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/docs\/47214\/revisions\/50190"}],"wp:attachment":[{"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/media?parent=47214"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_category?post=47214"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/doc_tag?post=47214"},{"taxonomy":"knowledge_base","embeddable":true,"href":"https:\/\/churchtools.academy\/en\/wp-json\/wp\/v2\/knowledge_base?post=47214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}