LDAP Connectors allow you to authenticate users against or migrate them from an LDAP server accessible to FusionAuth.
- Id Optional
An optional UUID. When this value is omitted a unique Id will be generated automatically.
- Name Required
A unique name to identify the Connector. This name is for display purposes only and it can be modified later if desired.
- LDAP URL Required
The URL used to connect to the LDAP service.
- Security method Optional default is
The desired security method used to connect to LDAP. The default value of
Noneis unencrypted which is not recommended unless you use an alternative method of securing your connection, such as a VPN.
- Connect timeout Required default is
The connect timeout in milliseconds used when making the request to LDAP.
- Read timeout Required default is
The read timeout in milliseconds used when making the request to LDAP.
- Reconcile lambda Required
The lambda used to reconcile the user from LDAP to FusionAuth.
Navigate toto create this lambda.
- Debug enabled Optional default is
Enable debug to create an event log to assist you in debugging integration errors.
- Base structure Required
The base structure is the directory to use in order to search for users.
For example, to search the entire directory, you’d use a base structure of
DC=piedpiper,DC=com. If you want to search against only engineering, add the organization:
- System account DN Required
The distinguished name of an entry which has read access to the directory.
- System account password Required
The password of the System Account DN.
- Login identifier attribute Required
The value that the user would enter for their username on a login screen.
- Identifying attribute Required
The entry attribute name which is the first component of the distinguished name of entries in the directory.
- Requested attributes Required
The list of requested directory attributes to be returned. These will be passed to the lambda to be converted into FusionAuth user attributes. These must be added one at a time.
Using the LDAP Connector
Once you have completed configuration of the LDAP connector, you will need to instruct a tenant to use this connector.
Ensure your LDAP server is accessible to the FusionAuth instance. This may entail setting up a VPN, locating FusionAuth in the correct network, or configuring a firewall to allow access.
Determine which LDAP user FusionAuth will connect as.
Create an LDAP reconcile Lambda to map the directory attributes to FusionAuth user attributes.
Configure the Connector in. At a minimum, configure
The LDAP URL and connection security
The previously created lambda
LDAP directory settings
Add the Connector Policy into configure to which domains the connector applies.
Connecting to Active Directory
User data stored in Microsoft Active Directory is accessible via LDAP. If you’d like to federate and allow some of your users to authenticate against Active Directory, use the LDAP Connector.
Here’s a video walking through such a configuration of FusionAuth and Microsoft Active Directory:
How helpful was this page?