LDAP server
Casdoor can act as a simple LDAP server for systems (e.g. Nexus) that use LDAP for authentication. It supports bind and search with Simple Authentication.
Port
The LDAP server listens on port 389 by default. Change it via ldapServerPort in conf/app.conf.
Behavior
- User entries follow the posixAccount style.
- Bind: The server parses cn (username) and ou (organization); dc is ignored. It verifies the user with Casdoor and grants access for subsequent operations.
- Search: The server checks that the client has permission (from the bind) and returns results accordingly.
Only Simple Authentication is supported.
Bind
Use a DN in this form: cn=<username>,ou=<organization>,dc=example,dc=com.
Example: cn=admin,ou=built-in,dc=example,dc=com. Set the admin’s DN to this format, then bind with that DN and the user’s password. On success, the client is authorized for search.
Search
After a successful bind:
- One user (e.g. Alice in built-in): Base DN ou=built-in,dc=example,dc=com, filter cn=Alice.
- All users in an org (e.g. built-in): Base DN ou=built-in,dc=example,dc=com, filter cn=*.
- All users in all orgs (if permitted): Base DN ou=*,dc=example,dc=com, filter cn=*.
- Users in a group: Use a filter such as (memberOf=organization_name/group_name).
User attributes
| Attribute | Description | Source |
|---|---|---|
| cn | Common name | User name |
| uid | User ID | User id |
| homeDirectory | Home directory | /home/{username} |
| mail | User email | User email |
| mobile | Phone | User phone |
| sn | Surname | User last name |
| givenName | Given name | User first name |
| memberOf | Groups | User’s groups |
| loginShell | Login shell | user.Properties["loginShell"], defaults to /bin/bash |
| gecos | GECOS (full name) | user.DisplayName, falls back to user.Name |
| sshPublicKey | SSH public key | user.Properties["sshPublicKey"], omitted if empty |
All entries also carry objectClass: posixAccount, which is required by PAM and NSS for Linux authentication.
Linux machine login
Casdoor’s LDAP server exposes posixAccount-compatible entries, so Linux hosts can authenticate users directly against Casdoor via standard tools such as sssd, nss-ldap, or pam_ldap.
To configure per-user values for loginShell and sshPublicKey, set them in the user’s Properties field (key-value map):
```json
{
  "loginShell": "/bin/zsh",
  "sshPublicKey": "ssh-ed25519 AAAA..."
}
```
If loginShell is not set, /bin/bash is used. If sshPublicKey is absent, the attribute is omitted from the LDAP entry entirely.
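The following Python example is an added illustration of the bind-DN rules from the Bind section and of the attribute mapping in the table above; it is not Casdoor's own code. The user record's field names (name, id, email, phone, lastName, firstName, displayName, groups, properties) are assumed, and the memberOf values are assumed to arrive already in the organization_name/group_name form the memberOf filter uses.

```python
"""Added illustration of Casdoor's documented bind-DN parsing and posixAccount
mapping; not Casdoor's implementation. Input field names are assumed."""
DEFAULT_LOGIN_SHELL = "/bin/bash"

def parse_bind_dn(dn: str) -> tuple[str, str]:
    """Return (username, organization) from cn=<user>,ou=<org>,dc=...;
    cn and ou are used, dc is ignored. Assumes no escaped commas."""
    parts: dict[str, str] = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr = attr.lower()
        if attr == "dc":
            continue  # dc components are ignored by the server
        if attr not in ("cn", "ou") or attr in parts:
            raise ValueError(f"unexpected or repeated attribute: {attr}")
        parts[attr] = value
    if set(parts) != {"cn", "ou"}:
        raise ValueError("bind DN needs exactly one cn and one ou")
    return parts["cn"], parts["ou"]

def posix_account_entry(user: dict, org: str, dc: str = "dc=example,dc=com") -> dict:
    """Map a user record onto the table's attributes with the documented defaults."""
    props = user.get("properties") or {}
    name = user["name"]
    entry = {
        "dn": f"cn={name},ou={org},{dc}",
        "objectClass": ["posixAccount"],  # required by PAM/NSS
        "cn": name,
        "uid": user.get("id", ""),
        "homeDirectory": f"/home/{name}",
        "mail": user.get("email", ""),
        "mobile": user.get("phone", ""),
        "sn": user.get("lastName", ""),
        "givenName": user.get("firstName", ""),
        # assumed to already be in organization_name/group_name form
        "memberOf": list(user.get("groups", [])),
        "loginShell": props.get("loginShell") or DEFAULT_LOGIN_SHELL,
        "gecos": user.get("displayName") or name,  # falls back to the user name
    }
    ssh_key = props.get("sshPublicKey")
    if ssh_key:  # omitted entirely when empty, never emitted as a blank value
        entry["sshPublicKey"] = ssh_key
    return entry
```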
RFC-style features
Root DSE (baseDN="")
- namingContexts:
ldapsearch -x -H ldap://<casdoor-host>:389 -D "cn=admin,ou=built-in" -w <passwd> -b "" -s base "(objectClass=*)" namingContexts returns the visible organization DNs.
- subschemaSubentry:
ldapsearch -x -H ldap://<casdoor-host>:389 -D "cn=admin,ou=built-in" -w <passwd> -b "" -s base "(objectClass=*)" subschemaSubentry returns subschemaSubentry: cn=Subschema.
Schema
Query objectClasses: ldapsearch -x -H ldap://<casdoor-host>:389 -D "cn=admin,ou=built-in" -w <passwd> -b "cn=Subschema" -s base "(objectClass=*)" objectClasses — returns posixAccount and posixGroup definitions.
POSIX filters
- (objectClass=posixAccount): user list.
- (objectClass=posixGroup): group list for an org (e.g. -b "ou=<org>" "(objectClass=posixGroup)").
(objectClass=posixGroup) does not support combined filters like (&(objectClass=posixGroup)(cn=<group>)). Use memberOf to find members of a group.