LDAP and AD User Interface Examples

5min

The following examples can be used to set up the LDAP Active Directory and LDAP rfc2307bis.
Form Example
The following form examples are Active Directory and LDAP rfc2307bis. 
Active Directory
Text

const PROVIDER_CONFIG = {
  name:              'openldap',
  type:              'ldap2307bis',
 
  host:              'ldap.example.com',
  port:              389,
  tls:               false,
  bindDN:            'cn=system,dc=example,dc=com',
  bindDNPassword:    'password',
 
  userSearchBaseDN:  'ou=People,dc=example,dc=com',
  userSearchScope:   'sub',
  userFilter:        '(objectClass=posixAccount)',
  userAttrID:        'uidNumber',
  userAttrUsername:  'uid',
  userAttrFirstName: 'givenName',
  userAttrLastName:  'sn',
 
  groupSearchBaseDN: 'ou=Groups,dc=example,dc=com',
  groupSearchScope:  'sub',
  groupFilter:       '(objectClass=posixGroup)',
  groupAttrName:     'cn',
  groupAttrUser:     'dn',
  groupAttrType:     'member'
};

const PROVIDER_CONFIG = {
  name:              'openldap',
  type:              'ldap2307bis',
 
  host:              'ldap.example.com',
  port:              389,
  tls:               false,
  bindDN:            'cn=system,dc=example,dc=com',
  bindDNPassword:    'password',
 
  userSearchBaseDN:  'ou=People,dc=example,dc=com',
  userSearchScope:   'sub',
  userFilter:        '(objectClass=posixAccount)',
  userAttrID:        'uidNumber',
  userAttrUsername:  'uid',
  userAttrFirstName: 'givenName',
  userAttrLastName:  'sn',
 
  groupSearchBaseDN: 'ou=Groups,dc=example,dc=com',
  groupSearchScope:  'sub',
  groupFilter:       '(objectClass=posixGroup)',
  groupAttrName:     'cn',
  groupAttrUser:     'dn',
  groupAttrType:     'member'
};
﻿
LDAP rfc2307bis
﻿
Text

const PROVIDER_CONFIG = {
  name:              'openldap',
  type:              'ldap2307bis',
 
  host:              'ldap.example.com',
  port:              389,
  tls:               false,
  bindDN:            'cn=system,dc=example,dc=com',
  bindDNPassword:    'password',
 
  userSearchBaseDN:  'ou=People,dc=example,dc=com',
  userSearchScope:   'sub',
  userFilter:        '(objectClass=posixAccount)',
  userAttrID:        'uidNumber',
  userAttrUsername:  'uid',
  userAttrFirstName: 'givenName',
  userAttrLastName:  'sn',
 
  groupSearchBaseDN: 'ou=Groups,dc=example,dc=com',
  groupSearchScope:  'sub',
  groupFilter:       '(objectClass=posixGroup)',
  groupAttrName:     'cn',
  groupAttrUser:     'dn',
  groupAttrType:     'member'
};

const PROVIDER_CONFIG = {
  name:              'openldap',
  type:              'ldap2307bis',
 
  host:              'ldap.example.com',
  port:              389,
  tls:               false,
  bindDN:            'cn=system,dc=example,dc=com',
  bindDNPassword:    'password',
 
  userSearchBaseDN:  'ou=People,dc=example,dc=com',
  userSearchScope:   'sub',
  userFilter:        '(objectClass=posixAccount)',
  userAttrID:        'uidNumber',
  userAttrUsername:  'uid',
  userAttrFirstName: 'givenName',
  userAttrLastName:  'sn',
 
  groupSearchBaseDN: 'ou=Groups,dc=example,dc=com',
  groupSearchScope:  'sub',
  groupFilter:       '(objectClass=posixGroup)',
  groupAttrName:     'cn',
  groupAttrUser:     'dn',
  groupAttrType:     'member'
};
﻿
More examples for Active Directory filter can be found at Active Directory. 
Field Definitions
Definition
Description
Name
Name of this connector.
Type
The connector type. Only the Generic type is currently supported.
Connection
These fields are attributes of the server connection.
Host
Domain name or IP address of the LDAP host.
Port
The LDAP port. 
Use TLS
Enable or disable LAPS protocol for a secure connection. TLS settings should match the port. LDAP servers use port 389 for LDAP protocol and port 636 for LDAPS protocol. The connection fails if port 389 is specified and the Use TLS option is enabled.



Bind DN
Account used to connect to the LDAP server (only requires read and browse permissions). The distinguished name of the account used for accessing LDAP server. An anonymous connect is used of Bind DN is not specified.
CA Certificate Chain
Trusted root certificate chain (only required if private CA is used by the server). 
The CA Certificate Chain file is only available if the Use TLS option is selected.
The CA Certificate Chain field can be left blank if the server certificate is issued by a public CA.
Private root certificates can be added to the trusted store using System > Certificates. In this case, the CA Certificate Chain field can be left blank.
Bind DN Password
Password for Bind DN
Users
These attributes are used to find user accounts in the LDAP server.
User Search Base DN
Distinguished name of the entity where search for users starts
.
Search Scope
The Search Scope is an option. sub, one or base indicate the search scope (sub is the default).
sub is used to indicate searching of all entries at all levels under and including the specified base DN.
one is used to indicate searching all entries on level under the base DN. This does not include the base DN and any entries under that one level under the base DN.
base is used to indicate searching only the entry being returned. It must meet the search filter criteria.
User Search Filter
The LDAP filter used to identify user accounts.
Attribute for Unique User ID
LDAP attribute to uniquely identify a user. The typical value is uidNumber for rfc2307 and object GUID for AD
.
Attribute for Username
An LDAP attribute containing the username for logging in. It is usually uid for sAMAccountName for AD
.
Attribute for First Name
An LDAP attribute that contains the first name of the user. The default value is givenName.
Attribute for Last Name
An LDAP attribute contains the last name of the user. The default value is sn
.
Groups
These attributes are used to find groups in the LDAP server. User roles are derived from group names. For example, administrator is matched against Litmus Edge user roles.
Group Search Base DN
The distinguished name of the entity where search for group starts.
Group Search Filter
The LDAP filter used to identify user groups
.
Group Name Attribute
The attribute name containing the group name (usually cn)
.
Group Membership Attribute
The attribute name that contains the list of group members (usually member)
. 
The most common group membership scheme is when the group object contains multiple member attributes that contain the DN name of the member account.

However, there is an old rfc2703 standard that uses the reverse mechanism when the user object contains a list of group names.

The old rfc2703 standard is not supported by the Generic connector.

Member value type
The type of the member value (values are dnor uid). This attribute is case sensitive.
Test
These values are used for testing connectivity.

UserID
The userid. 
Password
The password.
Test Failure
If the test fails, you should receive a detailed message about the reason for failure. Here is a list of a few possible failure reasons:
Unable to connect to the server: Wrong address/DNS name or port of the of the LDAP host.
Protocol mismatch: Connecting with TLS to the port that doesn't support authentication.
Certificate validation failure: Missing or invalid rootCA.
User not found: Indicates broad range of possible problems like invalid search path, invalid filter, or invalid attributes for username or userid.
User attribute not found: When one of the user attributes is either missing or empty.
Group not found: If search path, scope, or filter are invalid.
Group attribute not found: If any of the group attributes is empty or missing.
Authentication failure: If authentication fails, this usually means invalid username or password.
Authorization failure: Means that returned set of scopes does not match those of the requested role.
Note: The Save button is only available if the test is successfully completed.
﻿

Definition	Description
Name	Name of this connector.
Type	The connector type. Only the Generic type is currently supported.
Connection	These fields are attributes of the server connection.
Host	Domain name or IP address of the LDAP host.
Port	The LDAP port.
Use TLS	Enable or disable LAPS protocol for a secure connection. TLS settings should match the port. LDAP servers use port 389 for LDAP protocol and port 636 for LDAPS protocol. The connection fails if port 389 is specified and the Use TLS option is enabled.
Bind DN	Account used to connect to the LDAP server (only requires read and browse permissions). The distinguished name of the account used for accessing LDAP server. An anonymous connect is used of Bind DN is not specified.
CA Certificate Chain	Trusted root certificate chain (only required if private CA is used by the server). The CA Certificate Chain file is only available if the Use TLS option is selected. The CA Certificate Chain field can be left blank if the server certificate is issued by a public CA. Private root certificates can be added to the trusted store using System > Certificates. In this case, the CA Certificate Chain field can be left blank.
Bind DN Password	Password for Bind DN
Users	These attributes are used to find user accounts in the LDAP server.
User Search Base DN	Distinguished name of the entity where search for users starts .
Search Scope	The Search Scope is an option. sub, one or base indicate the search scope (sub is the default). sub is used to indicate searching of all entries at all levels under and including the specified base DN. one is used to indicate searching all entries on level under the base DN. This does not include the base DN and any entries under that one level under the base DN. base is used to indicate searching only the entry being returned. It must meet the search filter criteria.
User Search Filter	The LDAP filter used to identify user accounts.
Attribute for Unique User ID	LDAP attribute to uniquely identify a user. The typical value is uidNumber for rfc2307 and object GUID for AD .
Attribute for Username	An LDAP attribute containing the username for logging in. It is usually uid for sAMAccountName for AD .
Attribute for First Name	An LDAP attribute that contains the first name of the user. The default value is givenName.
Attribute for Last Name	An LDAP attribute contains the last name of the user. The default value is sn .
Groups	These attributes are used to find groups in the LDAP server. User roles are derived from group names. For example, administrator is matched against Litmus Edge user roles.
Group Search Base DN	The distinguished name of the entity where search for group starts.
Group Search Filter	The LDAP filter used to identify user groups .
Group Name Attribute	The attribute name containing the group name (usually cn) .
Group Membership Attribute	The attribute name that contains the list of group members (usually member) . The most common group membership scheme is when the group object contains multiple member attributes that contain the DN name of the member account. However, there is an old rfc2703 standard that uses the reverse mechanism when the user object contains a list of group names. The old rfc2703 standard is not supported by the Generic connector.
Member value type	The type of the member value (values are dnor uid). This attribute is case sensitive.
Test	These values are used for testing connectivity.
UserID	The userid.
Password	The password.

Updated 23 Sep 2024

Find LDAP Distinguished Names (DN)

Manage the Password Policy