LDAP host name
LDAP server host name
**Notes**
1. Do NOT append your port (e.g. ``:389``, ``:636``, etc.) to the host name. Use **LDAP port number** (see below) instead.
2. Do NOT prepend ``ldap://`` to the host name.
LDAP port number
LDAP server port number, e.g. ``389`` or ``636``.
LDAP encryption
LDAP server encryption, supported values are: ``none``, ``ssl``, or ``tls``.
LDAP protocol version
LDAP protocol version, default is ``3``.
LDAP referrals
Specifies whether to automatically follow referrals returned by the LDAP server, default is ``false``.
LDAP base dn
Required. For LDAP user provider. The base DN for the directory, e.g. ``dc=companyA,dc=com``. This is equivalent to the ``$base`` parameter for [ldap_search()](https://www.php.net/manual/en/function.ldap-search.php).
LDAP search dn
For LDAP user provider. This is your read-only user's DN, which will be used to authenticate against the LDAP server to fetch the user's information.
This user is only used to retrieve data. It's a static user defined by its username and password. If you don't use **LDAP query string** (see below), you can leave this setting empty. Otherwise, this setting must be configured.
LDAP search password
For LDAP user provider. This is your read-only user's password, which will be used to authenticate against the LDAP server to fetch the user's information. This user is only used to retrieve data. It's a static user defined by its username and password. If you don't use **LDAP query string** (see below), you can leave this setting empty. Otherwise, this setting must be configured.
LDAP default roles (array)
For LDAP user provider. This is the default role you wish to give to a user fetched from the LDAP server. If you do not configure this key, your users won't have any roles and will not be considered fully authenticated. You should provide at least one role. Default is ``["PUBLIC_ACCESS"]``.
LDAP uid key
For LDAP user provider. This is the entry's key to use as its UID. Depends on your LDAP server implementation. Commonly used values are: ``sAMAccountName``, ``userPrincipalName``, or ``uid``. If you leave this setting empty, the default UID key ``sAMAccountName`` is used. This setting is for use with **LDAP filter** (see below).
LDAP extra fields (array)
For LDAP user provider. Defines the custom fields to pull from the LDAP server to the ``LdapUser`` object, e.g. ``["memberOf"]``. Default is ``null``. If any field does not exist, an ``InvalidArgumentException`` will be thrown. This is equivalent to the ``$attributes`` parameter for [ldap_search()](https://www.php.net/manual/en/function.ldap-search.php).
LDAP filter
For LDAP user provider. This setting lets you configure which LDAP query will be used. Default is ``null``.
The ``{uid_key}`` string will be replaced by the value of the ``uid_key`` configuration value (by default, ``sAMAccountName``), and the ``{user_identifier}`` string will be replaced by the user identifier you are trying to load.
For example, with a ``uid_key`` of ``uid``, and if you are trying to load the user ``fabpot``, the final string will be: ``(uid=fabpot)``.
If this setting is empty, the default filter ``({uid_key}={user_identifier})`` is used. If your LDAP server uses a different filter, this setting is required.
To prevent LDAP injection, the username will be escaped.
The syntax for the filter key is defined by [RFC4515](https://datatracker.ietf.org/doc/rfc4515/).
This is equivalent to the ``$filter`` parameter for [ldap_search()](https://www.php.net/manual/en/function.ldap-search.php).
LDAP dn string
For LDAP Authentication. This setting defines the form of the string used to compose the DN of the user, from the username.
The ``{user_identifier}`` string is replaced by the username entered by the user on the login page. Default is ``{user_identifier}``.
For example, if your users have DN strings in the form ``uid=einstein,dc=example,dc=com``, then this setting will be ``uid={user_identifier},dc=example,dc=com``.
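The placeholder substitution described for **LDAP filter** and **LDAP dn string**, shown as an added example that is not the application's own code. The function names and sample inputs are hypothetical, and escaping the identifier for DN context is this example's assumption (the page states escaping only for the filter); it requires PHP's ``ldap`` extension for ``ldap_escape()``.

```php
<?php
declare(strict_types=1);

// Added example, not the application's code. Requires PHP's ldap extension.
// Function names and sample inputs are hypothetical.

/** Expand the "LDAP filter" template; the identifier is escaped for filter context. */
function buildUserFilter(?string $filter, ?string $uidKey, string $userIdentifier): string
{
    // Defaults as documented on this page for empty settings.
    $filter = ($filter === null || $filter === '') ? '({uid_key}={user_identifier})' : $filter;
    $uidKey = ($uidKey === null || $uidKey === '') ? 'sAMAccountName' : $uidKey;

    // RFC 4515 filter context: "*", "(", ")", "\" and NUL become \XX hex escapes.
    $escaped = ldap_escape($userIdentifier, '', LDAP_ESCAPE_FILTER);

    return str_replace(['{uid_key}', '{user_identifier}'], [$uidKey, $escaped], $filter);
}

/** Expand the "LDAP dn string" template (assumption: escaped for DN context). */
function buildBindDn(string $dnString, string $userIdentifier): string
{
    // DN context has a different set of special characters (for example "," and "=").
    $escaped = ldap_escape($userIdentifier, '', LDAP_ESCAPE_DN);

    return str_replace('{user_identifier}', $escaped, $dnString);
}

// Constructed login-form inputs: one plain, three containing LDAP special characters.
$samples = ['fabpot', 'fab*', 'j(ops)', 'doe, jane'];

foreach ($samples as $input) {
    printf("input:  %s\n", $input);
    printf("filter: %s\n", buildUserFilter(null, 'uid', $input));
    printf("dn:     %s\n\n", buildBindDn('uid={user_identifier},dc=example,dc=com', $input));
}

// Empty uid key falls back to sAMAccountName; the template adds a group clause.
echo buildUserFilter(
    '(&({uid_key}={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))',
    null,
    'fab*'
), "\n";
```

The same identifier is escaped differently in the two outputs, which is why a value escaped for a filter must not be reused when composing a DN.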
LDAP query string
For LDAP Authentication. This (optional) setting makes the user provider search for a user and then use the found DN for the bind process. Default is ``null``.
**Note** This setting is only necessary if the user's DN cannot be derived statically using the **dn string** config option.
The value of this option must be a valid search string, e.g. ``uid={user_identifier}``, or ``(&(uid={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))``, etc. The placeholder value will be replaced by the actual user identifier.
Using this option without using a **search dn** (see above) and a **search password** (see above) is not supported.
When this option is used, **query string** will search in the DN specified by **dn string**, and the DN resulting from the **query string** search will be used to authenticate the user with their password. (Otherwise, the **dn string** will be used as the DN to authenticate the user.)
For example, if your users have the following two DNs: ``dc=companyA,dc=example,dc=com`` and ``dc=companyB,dc=example,dc=com``, then **dn string** should be ``dc=example,dc=com``, but the usernames must be unique across both DNs, as the authentication provider won't be able to select the correct user for the bind process if more than one is found.
LDAP options (array)
Array of options, for use with ``ldap_set_option``, e.g. ``[LDAP_OPT_XXX => "xxx"]``. By default the ``LDAP_OPT_PROTOCOL_VERSION`` and ``LDAP_OPT_REFERRALS`` are already set (see **protocol version** and **referrals** above).