Applicable to:
- Plesk for Linux
- Plesk for Windows
How does Plesk LDAP Auth extension work and for which of the following type of Plesk user accounts?
- Reseller accounts
- Customer accounts
- User accounts such as mail account
- Additional Administrator Accounts
Answer
Note: Currently, the LDAP Auth extension cannot be configured via CLI. Vote and comment on this feature request from our Official Plesk UserVoice channel as top-voted suggestions are likely to be included in future versions.
The extension allows to disable Plesk native authentication and enable LDAP authentication to Plesk. In other words, if there is an external LDAP server (a central database storing multiple combinations of usernames and passwords), it is possible to use one login/password pair to log into several Plesk servers that have the extension installed and configured to use the same LDAP server.
Note: The extension works as LDAP client and does not provide ability to manage login/password storage as a LDAP server.
Note: If LDAP needs a prefix or a suffix this should be checked on the LDAP directory.
Note: LDAP extension cannot be used for webmail.
In case if it is needed to use both Plesk native authentication and LDAP Auth methods, enable LDAP Auth settings only at Extensions > LDAP Auth as it is shown below:
No additional configuration from OS level is required before installing the LDAP Auth extension. The only requirement is that Plesk should have the user with the same name as the one on LDAP server. For example, LDAP server has user jdoe with password password. Then it is required to create the same user in Plesk, configure extension and disable Plesk native authentication. After that it will be possible to log into Plesk as jdoe with password password.
Note: The type of the user is not related specifically to account type.
For Windows it is required to specify domain name with ending slash DOMAIN\ in "Login prefix" or a suffix such as @example.com.
The following ports should be open from Plesk to Domain Controller:
- UDP Port 88 for Kerberos authentication
- UDP Port 389 for LDAP and TCP Port 636 for SSL LDAP to handle queries from client computers to the domain controllers
Comments
4 comments
Hi,
This is really interesting but I have only one question. What happens if the user changes his/her password though the PLESK interface? Then the passwords in LDAP and PLESK won't match and login will fail until these two are sync'd again. Right? Is there a way to prevent a user from changing his/her password through PLESK?
Thanks,
George
Hello George Labropoulos
An investigation is required to provide you a precise answer.
Do you have a possibility to submit a request for support?
Hello,
do I have to create first the users in Plesk and then switch to LDAP?
I followed the instuctions above, but it doesn't work.
Thanks,
Orlando
There are a few problems with this plugin and description.
1) DOMAIN\ is probably nice for a Windows domain, but for example jumpcloud has a ORG DN: o=<your id>,dc=jumpcloud,dc=com
I assume that is what needs to go here, but that is not clear from this article.
2) There is no way to test whether the configuration works. As a minimum, you would expect a user list to appear once it has been properly configured.
But when you disable the plesk login and it does not work, you can't log in anymore. If you don't disable the internal plesk authentication, there is no way telling which of the authentications have been used, because the users need to exist in both.
Please sign in to leave a comment.