Managing Users via Directory Service (LDAP/AD)

ftrack can be synchronized with LDAP and Active Directory. All users found in LDAP or AD will be created or updated in ftrack and are instantly available for scheduling and planning.

When a user tries to log in to ftrack, the account is detected as an LDAP/AD user and the credentials are verified against the external server instead. This way, users do not need a separate password for ftrack.

During synchronization, ftrack will automatically activate new users and disable users that are no longer found.

Please note: ftrack will only accept users with all the required attributes:
  • login
  • first/last name
  • email address

When configuring ftrack to use LDAP for authentication, it is good practice to keep at least one regular ftrack user that can log in even if the LDAP service fails or is misconfigured.

  • LDAP/AD can be configured from the LDAP settings page, which is located under System settings > Resources > LDAP settings.

Explanation of the parameters:

  • Enable LDAP - Use the checkbox to enable/disable LDAP

When LDAP is enabled, a Sync menu will appear in the Resources > Users and Groups page in System settings.

  • Base DN - The point in LDAP structure, where we start searching for users, for example: ou=Company,o=Org
  • url - The URL pointing to the LDAP host, for example: ldap(s)://ldaphost.org.com
    If ldaps is used, please make sure to use a certificate from a trusted CA.
  • Account - The account used for the connection against the LDAP host, for example: uid=ftrackbind,ou=users,ou=Company,o=Org
  • Password - The password for the account.
  • Filter - The filter used in the search for user accounts in LDAP. Example: (&(uid=*)(businessCategory=ftrack)), which matches any uid and requires the value "ftrack" to be set on the attribute businessCategory for the account to be created.

Please note: The filter is used for the synchronization of accounts, not the login. Make sure to synchronize accounts accordingly so that only valid accounts are enabled. Synchronization can be run manually on the "Users and Groups" page, or using the API.

  • Login attribute - LDAP attribute used for login, for example: uid or sAMAccountName.
  • First name attribute/Last name attribute/Mail attribute - Normally set to givenName, sn, and mail.
  • Activate existing users - Turn this on to enable inactive users in ftrack if they appear in LDAP again. This is useful if you only want to enable/disable users in LDAP and have ftrack do the same automatically when syncing.
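
A pre-sync check for the required attributes listed earlier, as an added example that is not ftrack's own code: it parses LDIF text (such as saved ldapsearch output for your Base DN and Filter) and lists the entries that lack a login, name or email value. The attribute names follow this article's examples; parse_ldif, audit and the sample entries are constructed for illustration.

```python
import base64

# Attribute names are the article's examples; match them to your LDAP settings.
REQUIRED = {"login": "uid", "first name": "givenName",
            "last name": "sn", "email": "mail"}

# Constructed sample, shaped like ldapsearch LDIF output.
SAMPLE = """\
dn: uid=alice,ou=users,ou=Company,o=Org
uid: alice
givenName: Alice
sn: Example
mail: alice@example.
 com

dn: uid=bob,ou=users,ou=Company,o=Org
uid: bob
givenName:: Qm9i
sn:

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries, current = [], {}
    # Unfold continuation lines (newline + one space); trailing "" flushes the last entry.
    for line in text.replace("\r\n", "\n").replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def audit(entries, required=REQUIRED):
    """Map each DN to the required fields it lacks; complete entries are omitted."""
    problems = {}
    for e in (e for e in entries if "dn" in e):   # skip ldapsearch's result block
        missing = [f for f, attr in required.items() if not any(e.get(attr.lower(), []))]
        if missing:
            problems[e["dn"][0]] = missing
    return problems
```

An attribute that is present but empty is counted as missing, which is why the constructed bob entry is reported for both last name and email.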

 

The type of a user can be changed from "ftrack" to "ldap" to change how the user authenticates. It is important that the username in ftrack matches the username in LDAP.

Please note: For ftrack to be able to talk to the LDAP server, it has to accept a simple bind.