LDAP Configuration Guide for OpenID and Active Directory Integration

This guide provides a step-by-step overview to help configure LDAP for syncing users, groups, and roles from Active Directory with OpenID. With this setup, users can authenticate using their Active Directory credentials, and roles will be mapped automatically based on group memberships.


Table of Contents

  Overview
  1. General Configuration Settings
  2. Connection and Authentication Settings
  3. LDAP Searching and Updating
  4. Group to Role Mapping
  5. Synchronization Settings
  6. Testing the Configuration
  Troubleshooting Tips

Overview

Integrating LDAP with OpenID enables seamless authentication and authorization by importing users and roles from Active Directory (AD). Once the configuration described in this guide is in place:

  • Users from Active Directory log in with their existing AD credentials.
  • Roles are assigned automatically based on LDAP group memberships.
  • The system syncs users and roles periodically to reflect any changes in AD.

1. General Configuration Settings

Set up the primary configuration for your LDAP provider.

Field             Sample value        Description
UI display name   ldap                Name for identifying this LDAP configuration.
Vendor            Active Directory    Select Active Directory from the vendor options.

2. Connection and Authentication Settings

These settings define how OpenID connects and authenticates with your Active Directory server.

Field                           Sample value                                  Description
Connection URL                  ldap://192.168.1.100:389                      Protocol, IP or hostname, and port of your AD server.
Enable StartTLS                 Off                                           Enable if your AD requires StartTLS.
Use Truststore SPI              Always                                        Configures OpenID to use the truststore for TLS connections.
Connection pooling              Off                                           Use only if multiple concurrent requests are expected.
Connection timeout (optional)   Leave blank                                   Timeout for LDAP connections (in milliseconds).
Bind type                       Simple                                        Use Simple for straightforward authentication.
Bind DN                         CN=service_user,CN=Users,DC=example,DC=com    Distinguished Name of the account used to bind to AD.
Bind credentials                Password123                                   Password of the bind account (keep this secure).

Explanation:
- Connection URL: Use the correct protocol and port (ldap:// on port 389 for plain LDAP, ldaps:// on port 636 for LDAP over TLS). A plain ldap:// connection without StartTLS sends the bind password and all directory data unencrypted, so prefer ldaps:// or enable StartTLS wherever the AD server supports it.
- Bind DN: The service account used to query Active Directory. A read-only account is sufficient because Edit mode is READ_ONLY.
- Bind credentials: The service account's password.

Testing:
- Click Test connection to verify the server connection.
- Use Test authentication to confirm that the bind credentials are valid.


3. LDAP Searching and Updating

Configure how OpenID will search for users and groups.

Field                     Sample value                          Description
Edit mode                 READ_ONLY                             Prevents changes to LDAP data from OpenID.
Users DN                  CN=Users,DC=example,DC=com            Base DN where users are located.
Username LDAP attribute   sAMAccountName                        Maps to the user's username in AD.
RDN LDAP attribute        cn                                    Relative DN attribute (usually cn).
UUID LDAP attribute       objectGUID                            Unique identifier for each LDAP entry.
User object classes       person, organizationalPerson, user    Object classes an entry must have to be imported.
User LDAP filter          (objectClass=user)                    Additional filter to retrieve only user objects.
Search scope              Subtree                               Searches the entire subtree below the base DN.
Pagination                Off                                   Enable if dealing with a large number of users.

4. Group to Role Mapping

This section allows you to map LDAP groups to OpenID roles.

Field                            Sample value                       Description
Name                             LDAP Group to Roles                Name for identifying this mapping.
Mapper type                      group-ldap-mapper                  Select the appropriate mapper type.
LDAP Groups DN                   OU=Groups,DC=example,DC=com        Base DN where groups are located.
Group Name LDAP Attribute        cn                                 Attribute to use for the group name.
Group Object Classes             group                              Defines the group object type.
Membership LDAP Attribute        memberOf                           Attribute that stores the group memberships.
Membership Attribute Type        DN                                 Defines how the memberships are stored.
Membership User LDAP Attribute   cn                                 Attribute used to reference users.
Mode                             IMPORT                             Select IMPORT to bring in groups during sync.
User Groups Retrieve Strategy    LOAD_GROUPS_BY_MEMBER_ATTRIBUTE    Strategy to retrieve groups based on membership.
Mapped Group Attributes          (Leave blank)                      Optional: map additional attributes if needed.
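To make the effect of sections 3 and 4 concrete, the following added example (not the guide's or the product's own code) simulates the user import and the group-to-role mapping in plain Python over a small constructed set of AD-style entries. The entry DNs and attribute values are made up, DNs are assumed to contain no escaped commas, and the Users DN, Groups DN, object classes and attribute names are the sample values from the tables above.

```python
# Added example (not the guide's code): simulates the user import of section 3 and the
# group-to-role mapping of section 4 over a constructed directory; standard library only.
USERS_DN = "CN=Users,DC=example,DC=com"                     # Users DN (subtree scope)
GROUPS_DN = "OU=Groups,DC=example,DC=com"                   # LDAP Groups DN
# User object classes; the extra filter (objectClass=user) adds no further restriction.
USER_OBJECT_CLASSES = {"person", "organizationalperson", "user"}
DIRECTORY = {  # constructed sample entries: DN -> attributes (no escaped commas assumed)
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "alice",
        "memberOf": ["CN=admins,OU=Groups,DC=example,DC=com",
                     "CN=developers,OU=Groups,DC=example,DC=com",
                     "CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
    "CN=printer1,CN=Users,DC=example,DC=com": {
        "objectClass": ["top", "computer"],                 # not a user object
        "sAMAccountName": "printer1$",
        "memberOf": ["CN=admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,OU=Contractors,DC=example,DC=com": {            # outside the Users DN
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "bob",
        "memberOf": ["CN=admins,OU=Groups,DC=example,DC=com"],
    },
}

def is_under(dn, base_dn):
    """Subtree scope: the entry's DN ends with the base DN (DNs compare case-insensitively)."""
    return dn.lower().endswith("," + base_dn.lower())

def rdn_value(dn, attr):
    first_attr, _, value = dn.split(",", 1)[0].partition("=")  # leading RDN only
    return value if first_attr.strip().lower() == attr.lower() else None

def import_users(directory):
    """Keep entries under the Users DN that carry all required user object classes."""
    users = {}
    for dn, attrs in directory.items():
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if is_under(dn, USERS_DN) and USER_OBJECT_CLASSES <= classes:
            users[attrs["sAMAccountName"]] = attrs
    return users

def map_roles(user_attrs):
    """memberOf DNs below the Groups DN become roles named by cn; others are ignored."""
    names = (rdn_value(g, "cn") for g in user_attrs.get("memberOf", []) if is_under(g, GROUPS_DN))
    return sorted(n for n in names if n)

def sync(directory):
    return {name: map_roles(attrs) for name, attrs in import_users(directory).items()}
```

Running sync(DIRECTORY) imports only alice with the roles admins and developers: the computer object fails the object-class check, bob sits outside the Users DN subtree, and Domain Users is skipped because it lives outside the Groups DN that the mapper searches.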

5. Synchronization Settings

Control how often OpenID synchronizes with LDAP.

Field                         Sample value    Description
Import users                  On              Enable to import users from LDAP.
Sync Registrations            On              Sync user registrations automatically.
Batch size                    100             Number of records processed per batch.
Periodic full sync            On              Enable regular full synchronization.
Full sync period              10              Sync interval (in minutes).
Periodic changed users sync   Off             Enable if you want to sync only changes.

6. Testing the Configuration

Once all the settings are configured, follow these steps to test the setup:

  1. Test LDAP connection:
     • Go to Connection Settings and click Test connection.
     • If successful, you should see a confirmation message indicating the connection was established.

  2. Test authentication:
     • In the Connection Settings, use the Test authentication button to verify that the bind credentials are correct.

  3. Sync users and groups:
     • Go to the User Federation section in OpenID.
     • Click Synchronize all users to import users and their group memberships.
     • Ensure the users and groups appear in the Users section of OpenID.

Troubleshooting Tips

  • Failed connection:
     • Ensure the Connection URL is correct and the LDAP server is accessible.
     • Check firewall settings if the server is not reachable.

  • Invalid credentials:
     • Double-check the Bind DN and password. Ensure the service account has the necessary read permissions.

  • Users not imported:
     • Verify the Users DN and LDAP filter settings.
     • Ensure the objectClass matches the types of objects you're trying to import.

  • Groups not assigned:
     • Confirm that the Group Name LDAP Attribute and Membership LDAP Attribute are correct.
     • Run a full sync to ensure all groups are imported.

By following this guide, you can set up and configure LDAP integration with OpenID for seamless authentication and authorization. This setup will ensure that users and their roles are synchronized and that group memberships are correctly mapped to roles in OpenID.