Snipe-IT supports LDAP and Active Directory integration for user authentication and synchronization. This allows you to:
  • Authenticate users against your corporate directory
  • Automatically import user information
  • Keep user data synchronized
  • Leverage existing directory groups

Prerequisites

Before configuring LDAP, ensure you have:
  • LDAP/AD server hostname or IP address
  • LDAP bind user credentials (service account)
  • Base DN for your directory
  • Network connectivity from Snipe-IT to your LDAP server
  • PHP LDAP extension installed (php-ldap)

Configuration

1. Enable LDAP

Navigate to Admin > Settings > LDAP in the Snipe-IT interface.

2. Basic LDAP Settings

Step 1: Server Configuration

Configure your LDAP server connection:
  • LDAP Server: Hostname or IP (e.g., ldap.example.com or 192.168.1.10)
  • LDAP Port: Usually 389 for LDAP or 636 for LDAPS
  • LDAP Version: Typically 3
  • Base DN: Your directory base (e.g., dc=example,dc=com)

Step 2: Bind Credentials

Provide credentials for a service account with read access to your directory:
  • LDAP Bind Username: Full DN (e.g., cn=snipeit,ou=service,dc=example,dc=com)
  • LDAP Bind Password: Password for the bind user

Step 3: User Filter

Define which users to import:
  • LDAP Filter: Filter query (e.g., (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Environment Variables

You can also configure LDAP settings via environment variables in your .env file:
.env
# LDAP Server Configuration
LDAP_ENABLED=true
LDAP_SERVER=ldap.example.com
LDAP_PORT=389
LDAP_VERSION=3

# LDAP Bind Credentials
LDAP_UNAME="cn=snipeit,ou=service,dc=example,dc=com"
LDAP_PWORD="your_bind_password"

# LDAP Search Base
LDAP_BASEDN="dc=example,dc=com"

# LDAP User Filter
LDAP_FILTER="(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# LDAP Field Mappings
LDAP_USERNAME_FIELD=samaccountname
LDAP_FNAME_FIELD=givenname
LDAP_LNAME_FIELD=sn
LDAP_EMAIL=mail
LDAP_EMP_NUM=employeenumber
LDAP_PHONE_FIELD=telephonenumber
LDAP_JOBTITLE=title
LDAP_DEPT=department
LDAP_MANAGER=manager
LDAP_COUNTRY=c
LDAP_LOCATION=physicaldeliveryofficename

# LDAP Security Settings
LDAP_TLS=false
LDAP_SERVER_CERT_IGNORE=false

# LDAP Password Sync
LDAP_PW_SYNC=false

# Memory and Time Limits
LDAP_MEM_LIM=500M
LDAP_TIME_LIM=600

Field Mapping

Map LDAP attributes to Snipe-IT user fields:
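
| Snipe-IT Field  | Common AD Attribute        | Common LDAP Attribute |
|-----------------|----------------------------|-----------------------|
| Username        | samaccountname             | uid                   |
| First Name      | givenname                  | givenName             |
| Last Name       | sn                         | sn                    |
| Email           | mail                       | mail                  |
| Employee Number | employeenumber             | employeeNumber        |
| Phone           | telephonenumber            | telephoneNumber       |
| Job Title       | title                      | title                 |
| Department      | department                 | ou                    |
| Manager         | manager                    | manager               |
| Country         | c                          | c                     |
| Location        | physicaldeliveryofficename | l                     |
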
The exact attribute names may vary depending on your LDAP schema. Consult your directory administrator for the correct attribute names.

Active Directory Examples

Standard Active Directory Configuration

.env
LDAP_ENABLED=true
LDAP_SERVER=dc01.corp.example.com
LDAP_PORT=389
LDAP_VERSION=3
LDAP_BASEDN="dc=corp,dc=example,dc=com"
LDAP_UNAME="cn=Snipe-IT Service,ou=Service Accounts,dc=corp,dc=example,dc=com"
LDAP_PWORD="SecurePassword123!"
LDAP_USERNAME_FIELD=samaccountname
LDAP_FNAME_FIELD=givenname
LDAP_LNAME_FIELD=sn
LDAP_EMAIL=mail

# Only import enabled users
LDAP_FILTER="(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

Active Directory with LDAPS (Secure)

.env
LDAP_ENABLED=true
LDAP_SERVER=dc01.corp.example.com
LDAP_PORT=636
LDAP_VERSION=3
LDAP_TLS=true
LDAP_SERVER_CERT_IGNORE=false
LDAP_BASEDN="dc=corp,dc=example,dc=com"
LDAP_UNAME="cn=Snipe-IT Service,ou=Service Accounts,dc=corp,dc=example,dc=com"
LDAP_PWORD="SecurePassword123!"
LDAP_USERNAME_FIELD=samaccountname

Active Directory - Specific OU Only

.env
LDAP_ENABLED=true
LDAP_SERVER=dc01.corp.example.com
LDAP_PORT=389
LDAP_BASEDN="ou=Employees,dc=corp,dc=example,dc=com"
LDAP_FILTER="(&(objectClass=user)(memberOf=CN=IT Department,ou=Groups,dc=corp,dc=example,dc=com))"

OpenLDAP Examples

Standard OpenLDAP Configuration

.env
LDAP_ENABLED=true
LDAP_SERVER=ldap.example.com
LDAP_PORT=389
LDAP_VERSION=3
LDAP_BASEDN="dc=example,dc=com"
LDAP_UNAME="cn=admin,dc=example,dc=com"
LDAP_PWORD="admin_password"
LDAP_USERNAME_FIELD=uid
LDAP_FNAME_FIELD=givenName
LDAP_LNAME_FIELD=sn
LDAP_EMAIL=mail
LDAP_FILTER="(objectClass=inetOrgPerson)"

LDAP Authentication

When LDAP authentication is enabled, Snipe-IT will:
  1. Check if the username exists in the local database
  2. If found and LDAP is enabled, authenticate against LDAP
  3. If authentication succeeds, update the user’s information from LDAP
  4. If the user doesn’t exist locally, they must be imported via LDAP sync first

Authentication Filter

You can specify an additional authentication filter to restrict which LDAP users can log in:
.env
# Only allow users in specific group to authenticate
LDAP_AUTH_FILTER_QUERY="(memberOf=CN=Snipe-IT Users,ou=Groups,dc=corp,dc=example,dc=com)"

Importing Users

Manual Import via Web Interface

  1. Navigate to Admin > Users
  2. Click the LDAP Sync button
  3. Optionally select a default location for imported users
  4. Click Synchronize
  5. Review the import summary

Command Line Import

You can import users via the command line:
# Import all LDAP users
php artisan snipeit:ldap-sync

# Import users to a specific location
php artisan snipeit:ldap-sync --location_id=1

# Show JSON summary
php artisan snipeit:ldap-sync --json_summary

Scheduled LDAP Sync

To automatically sync users on a schedule, add a cron job:
crontab
# Sync LDAP users daily at 2 AM
0 2 * * * cd /path/to/snipe-it && php artisan snipeit:ldap-sync

Troubleshooting

Use the built-in LDAP test tool:
  1. Navigate to Admin > Settings > LDAP
  2. Click Test LDAP Connection
  3. Review the test results
You can also test via API:
curl -X GET https://your-snipe-it-instance.com/api/v1/settings/ldaptest \
  -H "Authorization: Bearer YOUR_API_TOKEN"
Cannot connect to LDAP server:
  • Verify network connectivity: telnet ldap.example.com 389
  • Check firewall rules
  • Ensure correct hostname/IP and port
  • Verify LDAP service is running
Certificate verification failed:
  • For testing only, temporarily set LDAP_SERVER_CERT_IGNORE=true; this turns off certificate verification, so set it back to false once the test is done
  • For production, install proper CA certificates
  • Verify certificate CN matches server hostname
Users cannot log in:
  • Verify users have been imported first (LDAP sync)
  • Check the authentication filter is not too restrictive
  • Verify bind user credentials are correct
  • Check that the user’s account is enabled in AD/LDAP
  • Review Snipe-IT logs: storage/logs/laravel.log
Wrong user information:
  • Verify field mappings match your LDAP schema
  • Re-run LDAP sync to update user data
No users imported:
  • Verify LDAP filter syntax
  • Check base DN is correct
  • Ensure bind user has read permissions
  • Review error messages in web interface or command output
Duplicate users:
  • Check if users exist with different usernames
  • Verify username field mapping is correct
  • Snipe-IT matches on username field

Security Best Practices

Use LDAPS

Always use LDAPS (port 636) in production to encrypt credentials in transit.

Dedicated Service Account

Create a dedicated LDAP service account with read-only permissions for Snipe-IT.

Restrict Base DN

Use the most specific base DN possible to limit the directory scope.

Filter Carefully

Use LDAP filters to import only necessary users and exclude disabled accounts.
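
The four practices above, applied as a check over a .env file; this is an added example, not part of Snipe-IT. The key names and defaults come from the .env listing on this page, while `parse_env`, `audit_ldap_env`, the sample files and the admin-style bind DN heuristic are assumptions made for illustration.

```python
def parse_env(text):
    """Parse KEY=value lines, skipping comments; values are unquoted and lower-cased."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'").lower()
    return env

def audit_ldap_env(text):
    """Return the keys whose values go against the practices listed on this page."""
    env, findings = parse_env(text), []
    if env.get("LDAP_ENABLED") != "true":
        return findings
    # Use LDAPS: anything but port 636 with LDAP_TLS=true leaves the bind password exposed.
    if env.get("LDAP_PORT", "389") != "636" or env.get("LDAP_TLS") != "true":
        findings.append("LDAP_PORT/LDAP_TLS")
    if env.get("LDAP_SERVER_CERT_IGNORE") == "true":  # server certificate not verified
        findings.append("LDAP_SERVER_CERT_IGNORE")
    # Dedicated service account (heuristic, an assumption): admin-style bind DN.
    if env.get("LDAP_UNAME", "").startswith(("cn=admin", "cn=manager")):
        findings.append("LDAP_UNAME")
    # Restrict base DN: only dc= components means the search starts at the directory root.
    rdns = [r.strip() for r in env.get("LDAP_BASEDN", "").split(",") if r.strip()]
    if rdns and all(r.startswith("dc=") for r in rdns):
        findings.append("LDAP_BASEDN")
    # Filter carefully: an AD user filter that does not exclude disabled accounts.
    flt = env.get("LDAP_FILTER", "")
    if "objectclass=user" in flt and "useraccountcontrol:1.2.840.113556.1.4.803:=2" not in flt:
        findings.append("LDAP_FILTER")
    return findings

# Constructed samples assembled from the example values on this page.
WEAK = """LDAP_ENABLED=true
LDAP_PORT=389
LDAP_SERVER_CERT_IGNORE=true
LDAP_BASEDN="dc=example,dc=com"
LDAP_UNAME="cn=admin,dc=example,dc=com"
LDAP_FILTER="(objectClass=user)"
"""
HARDENED = """LDAP_ENABLED=true
LDAP_PORT=636
LDAP_TLS=true
LDAP_BASEDN="ou=Employees,dc=corp,dc=example,dc=com"
LDAP_UNAME="cn=Snipe-IT Service,ou=Service Accounts,dc=corp,dc=example,dc=com"
LDAP_FILTER="(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
"""
```

`audit_ldap_env(WEAK)` reports all five keys and `audit_ldap_env(HARDENED)` reports none. The base DN check splits on commas and does not handle escaped commas inside a DN component.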

Advanced Configuration

Client TLS Certificates

If your LDAP server requires client certificates:
.env
LDAP_CLIENT_TLS_CERT=/path/to/client.crt
LDAP_CLIENT_TLS_KEY=/path/to/client.key

Default Group for LDAP Users

Assign imported LDAP users to a specific Snipe-IT group:
.env
LDAP_DEFAULT_GROUP=3

Password Synchronization

Allow LDAP users to change their Snipe-IT password (not recommended if using LDAP auth):
.env
LDAP_PW_SYNC=false
