Applies to: Userify Enterprise when configured with Active Directory and LDAP
To prevent LDAP injection attacks, usernames are strictly sanitized. Permitted characters: alphanumerics, underscore (_), period (.), plus (+), and minus (-).
The hostname for your Active Directory or LDAP server. This field supports values such as 10.11.12.13, ad.corp.example.com, and ldaps://ad.corp.example.com[:636].
For TLS operation (strongly advised), preface the hostname with ldaps://. Example for insecure LDAP: ldap://hostname:389.
We recommend that you do not expose your Active Directory or LDAP server to the Internet.
There are many ways to protect your AD/LDAP server, such as colocating them within the same VPC, restricting access to your LDAP/AD server by IP address (allowing your Userify server), or deploying an SSH tunnel or VPN for the LDAP communications.
Note: unlike LDAP/AD, Userify is hardened and designed to be accessible via port 80/443 to the Internet. All communication with Userify must be over port 443 (HTTPS), and you can optionally place a WAF in front of it for additional control over CSP, X-Frame headers, etc.
A non-administrative user used to check the disabled or locked-out status of other users. Only read-only (or self-only, standard user) privileges are needed. This field autodetects usernames in the following formats:
Note: If this field is set incorrectly, Userify will be unable to lock out, delete, or disable accounts when these actions occur in Active Directory.
This should be a standard user account, since most Active Directory configurations allow users to browse other user accounts read-only. Configure the account so that it never expires or becomes disabled and is not required to change its password.
Note: disabled and locked-out status is not standardized in LDAP, so the disabled/locked-out features are only available with Active Directory.
The password for the non-admin user specified in ldap_email. A long, highly random password is recommended. All characters are permitted.
For Active Directory, provide the domain name/realm (i.e. corp.example.com) that users exist in. For more control, or for LDAP installations, use a full LDAP Base DN.
As with LDAP User, if commas are detected, this is treated as a raw base DN; otherwise, it is appended to usernames to create fully distinguished AD usernames (i.e. [email protected]) if a simple username is provided.
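As an added illustration (not Userify's own code), the username allowlist from the "Permitted characters" rule above and the comma rule for the domain/base DN field, written as a small Python check. The function names, the sample usernames, and the way a raw base DN is combined with the username (the page does not say) are assumptions made for this example.

```python
import re

# Character allowlist taken from the page: alphanumerics, underscore, period, plus, minus.
# Every LDAP filter metacharacter (* ( ) \ NUL) and DN separator (, = @) lies outside it,
# so a username that passes cannot change the structure of a filter or DN it is placed in.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.+-]+")


def validate_username(username: str) -> bool:
    """Return True only when the username consists solely of permitted characters."""
    return bool(USERNAME_RE.fullmatch(username))


def build_bind_name(username: str, domain_field: str) -> str:
    """Hypothetical helper applying the page's comma rule to the domain/base DN field.

    A comma in the configured value means it is a raw base DN; the page does not say how
    the username is then combined with it, so this helper (assumption) returns the
    username unchanged and leaves the base DN to the directory search. Without commas the
    value is appended to the username to form an AD user principal name (user@domain).
    """
    if not validate_username(username):
        raise ValueError(f"username rejected by sanitizer: {username!r}")
    if "," in domain_field:
        return username
    return f"{username}@{domain_field}"


def check_samples() -> dict:
    """Run constructed sample usernames (not from the page) through the sanitizer.

    Returns a mapping of sample -> True when the sanitizer's verdict matches expectation.
    """
    samples = {
        "j.doe+ops": True,                # all characters permitted
        "first_last-2": True,
        "jdoe@corp.example.com": False,   # '@' not permitted: the domain is appended by Userify
        "jdoe)(objectClass=*": False,     # filter metacharacters rejected
        "cn=jdoe,dc=corp": False,         # DN separators rejected
        "": False,                        # empty username rejected
    }
    return {name: validate_username(name) == expected for name, expected in samples.items()}
```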