
Configuring LDAP authentication

An LDAP user is automatically created as a result of a successful LDAP authentication login. The user/password combination must be valid for the LDAP authentication connection definitions and query rules.

Before you begin

  • You have been assigned a global role with the Security Administration capability.
  • You have already created a user.

Procedure

  1. Go to MANAGE > Users.
  2. In the Authentication field of the toolbar, select LDAP from the drop-down list.
  3. Click the Configure authentication icon next to the drop-down list.
  4. In the Connection tab, select the type of LDAP system.
    If you select Custom, specify more information in the Attribute Mappings tab.
    Note: With Windows Active Directory, it is generally best to use the UPN (User Principal Name) format (for example, USER@FQDN) instead of the Windows domain-style format (DOMAIN\USERNAME, for example corp\mc25438). If the Active Directory is configured as a forest, it is mandatory to use the UPN and to switch from the default port to the global catalog port as well.
  5. Fill in the connection information such as the URL or domain name, username, matching password and the session timeout.
    You must have sufficient privileges to query the needed LDAP users and groups.

    If LDAP authentication is slow, the time is usually spent retrieving data from the LDAP server. This is often the case when you use Microsoft Active Directory on the default port 389. It is recommended to switch to the global catalog on port 3268 (generally the same URL with a different port).

  6. In the Attribute Mappings tab, enter the mapping information for the LDAP user attributes.
  7. Go to the Group Assignment tab to assign groups automatically based on the LDAP security model.
    • Click Add then enter a name for the query and define the group to be associated with the users in the query.
    • To assign groups by group name, click the Browse icon in the Group entry, enter a group name in the LDAP system and select the Distinguished Name for that group.
    • To specify a search filter and include individual users, specify a search root such as CN=company,CN=Users,DC=company,DC=local, then click the Browse icon in the search filter entry and select users in that filter.
    • To specify a search filter and exclude individual users, specify a search root such as CN=company,CN=Users,DC=company,DC=local, then use the following syntax (&(!(sAMAccountName=username1))(!(sAMAccountName=username))) and click OK.

    When you create the first LDAP query for group assignment, you switch from native, manually managed group assignment to LDAP-driven, automatic group assignment for all LDAP users. Any LDAP user loses any previous native group assignment at the next login.

    When you delete the last LDAP query for group assignment, you switch from LDAP-driven group assignment back to native group assignment. Any LDAP user is associated with the Guest group until the users are manually assigned to other groups.

  8. Click Test and save your changes.
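The exclusion filter syntax from step 7 builds a filter directly from usernames. The following is an added example, not part of this documentation or the product: it generates that filter with RFC 4515 escaping so that a username containing characters such as "(", ")" or "*" cannot change the filter's meaning, and it sanity-checks the result before you paste it into the search filter entry. The function names are the example's own.

```python
# Added example (not product code): build the exclusion filter shown in
# step 7, e.g. (&(!(sAMAccountName=username1))(!(sAMAccountName=username))),
# with LDAP filter escaping applied to every username.

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def exclusion_filter(usernames, attribute="sAMAccountName") -> str:
    """AND of NOT-equals clauses: matches every entry except the listed accounts."""
    if not usernames:
        raise ValueError("at least one username is required")
    clauses = "".join(
        f"(!({attribute}={escape_filter_value(name)}))" for name in usernames
    )
    return f"(&{clauses})"


def is_balanced(filter_str: str) -> bool:
    """Cheap check before saving: parentheses balance and nothing sits outside them."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_str.startswith("(") and filter_str.endswith(")")


if __name__ == "__main__":
    # Constructed sample usernames, including one with filter metacharacters.
    for names in (["username1", "username"], ["a)(b", "ops*"]):
        f = exclusion_filter(names)
        print(f, "balanced" if is_balanced(f) else "BROKEN")
```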
