Denali/Mt. McKinley and Brown Bear Software logo
Calcium Documentation - LDAP Authentication
Horizontal Line

The LDAP Authentication option for Calcium allows users to login to Calcium using username/passwords stored in an LDAP database. Calcium will also use the LDAP directory for user enumeration, e.g. getting lists of users to display for permission setting screens.


This feature requires the Perl module Net::LDAP. This module is not usually part of standard Perl distributions, so you may need to install it on your server. There are installation instructions in the Net::LDAP FAQ. (Search for "Install".) You can always get it from the CPAN, or if you're using ActiveState Perl, use PPM and/or see their page at (Look for the "perl-ldap" package.)

More information on the Net::LDAP module is available at


First, you need to configure some settings. Go to the "System Administration" page, and click on the "LDAP Settings" link. You'll then see a form you can use to specify the server, port, Base DN, and other settings for your Directory. There's also an option to test the connection once you're saved your settings.

By default, the connection to the LDAP server is not encrypted. To use SSL, instead of something like, set the Host on the LDAP Settings page to:

Or, you can omit the trailing port and specify it in the Port setting. The important part is the leading ldaps://

Once your connection is working, users can enter their LDAP username and password at the standard Calcium login screen. With LDAP, usernames are always case-insensitive. (This is not true for Calcium's internal authentication.)

Finally, it's important to know that you can also define users directly in Calcium, and login using the Calcium password, bypassing LDAP. This is useful in case Calcium can't communicate with the LDAP server for some reason; e.g. the LDAP configuration was changed, and you need to change the settings on the Calcium LDAP settings page. To login using a Calcium internally-defined user, prepend the username on the login form with "internal ", so it's something like internal [username]. E.g. "internal jsmith"