Breached password detection is a critical component of secure applications.    Read the white paper

FusionAuth logo
FusionAuth logo
  • Features
    FusionAuth Reactor

    FusionAuth Reactor is a powerful suite of features developed to extend FusionAuth's core functionality.

    • Flexible Architecture   Flexible Architecture
    • Auth the Way You Want It   Auth the Way You Want It
    • Security & Compliance   Security & Compliance
    • Ultimate Password Control   Ultimate Password Control
    • Customizable User Experience   Customizable User Experience
    • Advanced Registration Forms   Advanced Registration Forms
    • Built for Devs   Built for Devs
    • User Management & Reporting   User Management & Reporting
    • Scalability   Scalability
    • Breached Password Detection   Breached Password Detection
    • Connectors   Connectors
    • FusionAuth Reactor   FusionAuth Reactor
  • Pricing
  • Docs
  • Downloads
  • Resources
    FusionAuth Resources
    • Upgrade from SaaS
    • Upgrade from Open Source
    • Upgrade from Home Grown
    • Blog   Blog
    • Forum   Forum
    • Community & Support   Community & Support
    • Customer & Partners   Customers & Partners
    • Video & Podcasts   Videos & Podcasts
    • Tech Guides   Getting Started
  • Expert Advice
    Expert Advice for Developers

    Learn everything you need to know about authentication, authorization, identity, and access management from our team of industry experts.

    • Authentication   Authentication
    • CIAM   CIAM
    • Identity Basics   Identity Basics
    • OAuth   OAuth
    • Security   Security
    • Tokens   Tokens
    • Dev Tools   Dev Tools
  • Account
Navigate to...
  • Welcome
  • Getting Started
  • 5-Minute Setup Guide
  • Reactor
  • Core Concepts
    • Overview
    • Users
    • Roles
    • Groups
    • Registrations
    • Applications
    • Tenants
    • Identity Providers
    • Authentication and Authorization
    • Integration Points
    • Roadmap
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cluster
    • Docker
    • Fast Path
    • Kickstart™
    • Homebrew
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Securing
    • Upgrading
  • APIs
    • Overview
    • Authentication
    • Errors
    • Actioning Users
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consent
    • Emails
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Identity Providers
      • Overview
      • Apple
      • Facebook
      • Google
      • HYPR
      • Twitter
      • OpenID Connect
      • SAML v2
      • External JWT
    • Integrations
    • JWT
    • Keys
    • Lambdas
    • Login
    • Passwordless
    • Registrations
    • Reports
    • System
    • Tenants
    • Themes
    • Two Factor
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • Webhooks
  • Client Libraries
    • Overview
    • Dart
    • Go
    • Java
    • JavaScript
    • .NET Core
    • Node
    • PHP
    • Python
    • Ruby
    • Typescript
  • Themes
    • Overview
    • Localization
    • Examples
  • Email & Templates
    • Overview
    • Configure Email
    • Email Templates
  • Events & Webhooks
    • Overview
    • Events
    • Writing a Webhook
    • Securing Webhooks
  • Example Apps
    • Overview
    • Go
    • Java
    • JavaScript
    • .NET Core
    • PHP
    • Python
    • Ruby
  • Lambdas
    • Overview
    • Apple Reconcile
    • External JWT Reconcile
    • Facebook Reconcile
    • Google Reconcile
    • HYPR Reconcile
    • JWT Populate
    • LDAP Connector Reconcile
    • OpenID Connect Reconcile
    • SAML v2 Populate
    • SAML v2 Reconcile
    • Twitter Reconcile
  • Identity Providers
    • Overview
    • Apple
    • Facebook
    • Google
    • HYPR
    • Twitter
    • OpenID Connect
      • Overview
      • Azure AD
      • Github
      • Discord
    • SAML v2
      • Overview
      • ADFS
    • External JWT
      • Overview
      • Example
  • Connectors
    • Overview
    • Generic Connector
    • LDAP Connector
    • FusionAuth Connector
  • Integrations
    • Overview
    • CleanSpeak
    • Kafka
    • Twilio
  • OpenID Connect & OAuth 2.0
    • Overview
    • Endpoints
    • Tokens
  • SAML v2 IdP
    • Overview
    • Google
    • Zendesk
  • Plugins
    • Writing a Plugin
    • Password Encryptors
  • Guides
    • Overview
    • Advanced Registration Forms
    • Breached Password Detection
    • Migration
    • Passwordless
    • Securing Your APIs
    • Silent Mode
  • Tutorials
    • Overview
    • Setup Wizard & First Login
    • Register/Login a User
    • Migrate Users
    • JSON Web Tokens
    • Authentication Tokens
    • Start and Stop FusionAuth
    • Switch Search Engines
    • User Account Lockout
    • Two Factor
  • Reference
    • CORS
    • Configuration
    • Data Types
    • Known Limitations
    • Password Encryptors
  • Release Notes
  • Troubleshooting

LDAP Connector

Overview

LDAP Connectors allow you to authenticate users against or migrate them from an LDAP server accessible to FusionAuth.

  • Configuration

  • Using the LDAP Connector

  • Connecting to Active Directory

Configuration

The LDAP Connector creation screen.

Form Fields

Id Optional

An optional UUID. When this value is omitted a unique Id will be generated automatically.

Name Required

A unique name to identify the Connector. This name is for display purposes only and it can be modified later if desired.

LDAP URL Required

The URL used to connect to the LDAP service.

Security method Optional default is None

The desired security method used to connect to LDAP. The default value of None is unencrypted which is not recommended unless you use an alternative method of securing your connection, such as a VPN.

Connect timeout Required default is 1000

The connect timeout in milliseconds used when making the request to LDAP.

Read timeout Required default is 2000

The read timeout in milliseconds used when making the request to LDAP.

Reconcile lambda Required

The lambda used to reconcile the user from LDAP to FusionAuth.

Navigate to Customizations → Lambdas to create this lambda.

Debug enabled Optional default is false

Enable debug to create an event log to assist you in debugging integration errors.

The LDAP Connector creation screen.

Form Fields

Base structure Required

The base structure is the directory to use in order to search for users.

For example, to search the entire directory, you’d use a base structure of DC=piedpiper,DC=com. If you want to search against only engineering, add the organization: OU=engineering,DC=piedpiper,DC=com.

System account DN Required

The distinguished name of an entry which has read access to the directory.

For example: CN=ReadOnlyFusionAuthUser,OU=engineering,DC=piedpiper,DC=com.

System account password Required

The password of the System Account DN.

Login identifier attribute Required

The value that the user would enter for their username on a login screen.

For example: uid or userPrincipalName

Identifying attribute Required

The entry attribute name which is the first component of the distinguished name of entries in the directory.

For example: cn

Requested attributes Required

The list of requested directory attributes to be returned. These will be passed to the lambda to be converted into FusionAuth user attributes. These must be added one at a time.

For example: cn givenName sn userPrincipalName mail

Using the LDAP Connector

Once you have completed configuration of the LDAP connector, you will need to instruct a tenant to use this connector.

  • Ensure your LDAP server is accessible to the FusionAuth instance. This may entail setting up a VPN, locating FusionAuth in the correct network, or configuring a firewall to allow access.

  • Determine which LDAP user FusionAuth will connect as.

  • Create an LDAP reconcile Lambda to map the directory attributes to FusionAuth user attributes.

  • Configure the Connector in Settings → Connectors. At a minimum, configure

    • The LDAP URL and connection security

    • The previously created lambda

    • LDAP directory settings

  • Add the Connector Policy in Tenants → Your Tenant → Connectors to configure to which domains the connector applies.

Connecting to Active Directory

User data stored in Microsoft Active Directory is accessible via LDAP. If you’d like to federate and allow some of your users to authenticate against Active Directory, use the LDAP Connector.

Here’s a video walking through such a configuration of FusionAuth and Microsoft Active Directory:

Related Posts

  • How to migrate your legacy user data to a centralized auth system
  • Authenticating with AWS Managed Microsoft Active Directory and LDAP

Quick Links

  • Download
  • Pricing
  • Enterprise Sales FAQ
  • Contact Us
  • Jobs (come work with us)
  • My Account

Resources

  • Docs
  • Blog
  • Community & Support
  • Upgrade from SaaS
  • Upgrade from Homegrown
  • Upgrade from Open Source

Everything Else

  • Privacy Policy
  • Product Privacy Policy
  • License
  • License FAQ
  • Security (contact, bug bounty, etc)
  • Technical Support

Connect with Us

logo
Subscribe for Updates
We only send dev friendly newsletters. No marketing fluff!
© 2020 FusionAuth