Active Directory Authentication Mini-HOWTO
Describes settings necessary to authenticate against Active Directory (or any other LDAP server which does not permit anonymous binds).
To configure OpenGroupware to authenticate against Active Directory, you need to:
- Create a user in AD that OGo can bind as in order to search. I have a cn=ldap_search,cn=Role Account,dc=example,dc=com that I created for this purpose. This is necessary because Active Directory does not permit anonymous binds, as far as I can tell.
- Adjust the LDAP defaults in OGo so that it binds as that DN and searches for sAMAccountName instead of uid. You probably also want to down-case the username, because the capitalization sometimes varies and you don't want OGo mixing them up and creating new accounts in the database when it differs. LDAPInitialBindSpecific causes it not to perform the anonymous bind (why it doesn't assume so from the presence of LDAPInitialBindDN, I know not). The quotes around the LDAPInitialBindDN and LSAuthLDAPServerRoot values are important because otherwise Defaults will interpret the = and mangle the settings. You can make sure everything is correct by running Defaults read.
Defaults write NSGlobalDomain LDAPInitialBindDN "cn=ldap_search,cn=Role Accounts,dc=example,dc=com"
Defaults write NSGlobalDomain LDAPInitialBindPW password
Defaults write NSGlobalDomain LDAPInitialBindSpecific YES
Defaults write NSGlobalDomain LDAPLoginAttributeName sAMAccountName
Defaults write NSGlobalDomain LSAuthLDAPServer directory_server
Defaults write NSGlobalDomain LSAuthLDAPServerRoot "dc=example,dc=com"
Defaults write NSGlobalDomain LSUseLowercaseLogin YES
- You probably also want to rename the admin login from root to something like ogoadmin. Create such a user in Active Directory, then connect to the database and run:
UPDATE person SET login='ogoadmin' WHERE login='root';
- Restart for the new defaults to take effect.
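As an added illustration of the second step, the following Python is not part of OGo or this HOWTO: it simulates the lookup OGo performs with the settings above (a search on sAMAccountName after the service-account bind, with LSUseLowercaseLogin on or off) against a constructed in-memory directory, and shows why mixed-case logins create duplicate person rows when lowercasing is off. The filter escaping helper, the directory contents and the person table are assumptions of the example, not OGo internals.

```python
# Added example, not OGo code: simulate what OGo does after binding as the
# service account: search the base DN for (sAMAccountName=<login>) and map
# the hit to a row in the OGo "person" table, which is keyed by login string.
# AD_USERS and the person_table passed in are constructed sample data.

AD_USERS = {  # constructed directory: sAMAccountName -> DN
    "JSmith": "cn=J Smith,cn=Users,dc=example,dc=com",
    "ogoadmin": "cn=OGo Admin,cn=Users,dc=example,dc=com",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so a login containing * ( ) \\ or NUL cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(login, attr="sAMAccountName"):
    """The filter sent when LDAPLoginAttributeName is sAMAccountName."""
    return "(%s=%s)" % (attr, escape_filter_value(login))


def ad_search(login):
    """Simulated AD lookup. AD matches sAMAccountName case-insensitively,
    so JSmith, jsmith and JSMITH all resolve to the same directory object.
    Returns (filter_sent, dn) with dn None when nothing matched."""
    flt = build_filter(login)
    for name, dn in AD_USERS.items():
        if name.lower() == login.lower():
            return flt, dn
    return flt, None


def ogo_login(login, person_table, lowercase=True):
    """Authenticate `login` and map it to a person row.
    `lowercase` mirrors LSUseLowercaseLogin; `person_table` stands in for
    the person table (login -> DN). Returns a dict with the filter that was
    sent, the person login used, and whether a new row was created, or
    None when the directory has no such user."""
    flt, dn = ad_search(login)
    if dn is None:
        return None
    key = login.lower() if lowercase else login
    created = key not in person_table
    if created:
        person_table[key] = dn  # an unknown login gets a fresh person row
    return {"filter": flt, "login": key, "created": created}
```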