Configure LDAP authentication

You can add users using LDAP authentication.

Note: users can belong both to root domain and to subdomains. If you need to add users from subdomains, use Global Catalog.

To connect to the LDAP server:

  1. Click on in the left upper corner of the page;
  2. Select LDAP;
  3. Turn on LDAP connection;
  4. Fill all the required fields:

    • LDAP Protocol - connection method (plain ldap or secure ldaps);
    • LDAP Port - port number of the server (the common value of this field is 389);

    Note: when you add users from subdomains, use Global Catalog ports – 3268 or 3269.

  • LDAP Host - IP address of the server;
  • Base DN – catalog, in which search of users is performed. You should fill in this field with one or several attributes in LDAP syntax, f.e. DC=host,DC=test,DC=domain;
  • Administrator Login - LDAP user with the right to view the content of the Base DN branch. It is recommended to use userPrincipalName format (e.g. t.adm@test.domain), but you can also use distinguished name;
  • Administrator Password - LDAP user password;
  • User filter – defines objects attribute values that will be identified as users. Attribute values must be added according to the LDAP syntax, f.e.:

    • (objectClass=*) – the search will be done through all the available entries;
    • (&(objectClass=user)(loginAttr=login)) – the search will be done through the objects with corresponding attribute values;

      Note: in most cases, the right User filter's value is (objectClass=user), but if your LDAP server is not standard, try other variants.

      • Login attribute – attribute that will be used for users' authentication.
      • sAMAccountName – corresponds with the login format like t.adm;
      • userPrincipalName – corresponds with the login format like t.adm@test.domain;

      Note: if you want to connect only to subdomain, use login in the userPrincipalName format (e.g. t.adm @test.domain).

      • First Name attribute – attribute name that contains first username;
      • Last Name attribute – attribute name that contains last usernames;
      • E-mail attribute – attribute name that contains user e-mails;
  1. Click Test connection, to check the connection to the LDAP server. If settings are correct, you will see Connection established:

    • Click i to view all available users:

  2. Click Save. User will appear on Users tab after the first login to the platform.

    Note: after saving LDAP settings, you will not be able to add local users to the Platform.

Known LDAP Issues

  • Only simple authentication is available, gss-api is not available.
  • Unprocessed Continuation Reference(s) error can occur when system addresses to the domain with subdomains and without Global Catalog role (e.g., to the port number 389 with values DC=test,DC=domain in Base DN field). To solve this error, you should indicate more specific value in the field Base DN, e.g. CN=users,DC=test,DC=domain.

See also