ftrack can be synchronised with LDAP and Active Directory. All users found in LDAP or AD will be created or updated in ftrack and are instantly available for scheduling and planning.
When a user tries to login to ftrack, it will be detected as a LDAP/AD user and credentials are verified against the external server instead. This way there is no need for users to have a separate password for ftrack.
During synchronization ftrack will automatically activate new users and disable users that are no longer found.
ftrack will only accept users with all the required attributes:
When configuring ftrack to use LDAP for authentication it is good practice to keep at least one regular ftrack user that can login even if the LDAP service fail or is misconfigured.
LDAP/AD can be configured from the LDAP Settings page in Settings.
Explanation of the parameters:
Base DN - The point in LDAP structure, where we start searching for users, example: ou=Company,o=Org
url - The URL pointing to the LDAP host, example: ldap(s)://ldaphost.org.com
In case ldaps is used, please make sure to use a certificate from trusted CA.
Account - The account used for the connection against the LDAP host, example: uid=ftrackbind,ou=users,ou=Company,o=Org
Password - The password for the account.
Filter - The filter used in the search for user accounts in LDAP. Example: (&(uid=*)(businessCategory=ftrack)) where we will search for (any) uid and the value "ftrack" must be set on attribute businessCategory for account to be created.
Note: The filter is used for the synchronisation of accounts, not the login. Make sure to synchronise accounts accordingly, to make sure that only valid accounts are enabled. Synchronisation can be made manually on "Users and Groups" page, or using the API.
Login attribute - LDAP attribute used for login, example: uid or sAMAccountName.
First name attribute/Last name Attribute/Mail attribute - Normally set to givenName, sn and mail.
When LDAP is enabled, a Sync menu will appear in the Users and Groups page in Settings.
Activate existing users - Turn this on to enable inactive users in ftrack if they appear in LDAP again. This is useful if you only want to enable/disable users in LDAP and have ftrack do the same automatically when syncing.
For ftrack to be able to talk to the LDAP server it has to accept a simple bind.
The type of a user can be changed from "ftrack" to "ldap" to change how the user authenticates. It is important that the user name in ftrack matches the username in LDAP.