Active Directory and LDAP Configuration
To prevent LDAP injection attacks, usernames are strictly sanitized against an allowlist. Permitted characters: alphanumerics, underscore (_), period (.), plus (+), and minus (-); any other character is rejected rather than escaped. You can override these allowed characters in
The hostname for your Active Directory or LDAP server. This field supports values such as
For TLS operation (strongly advised), prefix the hostname with ldaps://. Example for insecure LDAP:
A non-administrative user used to check the disabled or locked-out status of other users. Only read-only (or self-only, standard user) privileges are needed. This field autodetects usernames in the following formats:
- email: email@example.com
- a single username in the base DN: username
- LDAP distinguished name (DN) such as: CN=username, DC=corp, DC=example, DC=com
Note: If this field is set incorrectly, Userify will be unable to lock out, delete, or disable accounts when these actions occur in Active Directory.
This user should be an ordinary standard user account, since most Active Directory configurations allow users to read other user accounts. Set this account to never expire and never require password changes, so that the lookup itself does not stop working.
Note: LDAP servers have no standard way of representing disabled or locked-out users, so detection of disabled or locked-out users is currently only performed against Active Directory.
The password for the non-admin user specified in ldap_email. A long, highly random password is recommended. All characters are permitted.
LDAP Base DN
For Active Directory, provide the domain name/realm (i.e.
that users exist in. For more control or LDAP installations, use a full LDAP
As with LDAP User, if commas are detected, the value is treated as a raw base DN; otherwise, it is appended to usernames to create fully distinguished AD
firstname.lastname@example.org) if a simple username is provided.
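The username allowlist, the user-field and base-DN autodetection, and the Active Directory-only disabled/locked-out check described above, as an added example in Python (this is illustrative code written for this page, not Userify's own implementation). It assumes the bind-name composition shown (username@domain when the base is a domain, and an RDN of CN in front of a raw base DN), the RFC 4515 filter escapes, and the documented meaning of the Active Directory userAccountControl ACCOUNTDISABLE bit (0x2) and lockoutTime attribute; the function names and the sample directory entries are constructed for this example.

```python
"""Added example (not Userify's code): username allowlisting, user/base-DN format
detection, LDAP filter escaping, and AD disabled/locked-out decoding. Names such as
bind_identity() and rdn_attr are this example's own; the userAccountControl and
lockoutTime semantics are the documented Microsoft attribute meanings."""
import re
from typing import Dict

# Allowlist exactly as the page describes: alphanumerics, underscore, period, plus, minus.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.+-]+")

# Microsoft userAccountControl bit for ACCOUNTDISABLE (assumed constant, see lead-in).
UAC_ACCOUNTDISABLE = 0x0002

# RFC 4515 escapes for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def sanitize_username(username: str) -> str:
    """Reject any username containing a character outside the allowlist."""
    if not USERNAME_ALLOWED.fullmatch(username):
        raise ValueError(f"username contains disallowed characters: {username!r}")
    return username


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (defence in depth behind the allowlist)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def detect_user_format(value: str) -> str:
    """Classify the LDAP user field as the page describes: 'dn', 'email' or 'username'."""
    if "=" in value and "," in value:   # e.g. CN=username, DC=corp, DC=example, DC=com
        return "dn"
    if "@" in value:                    # e.g. email@example.com
        return "email"
    return "username"                   # a single username in the base DN


def classify_base(base: str) -> str:
    """A value containing commas is a raw base DN; otherwise it is an AD domain/realm."""
    return "dn" if "," in base else "domain"


def bind_identity(user: str, base: str, rdn_attr: str = "CN") -> str:
    """Build the name used to bind as the lookup user.

    Emails and DNs are used as given. A simple username is sanitized and then
    combined with the base: appended to a domain as user@domain, or (assumption
    made by this example) prefixed as an RDN in front of a raw base DN.
    """
    kind = detect_user_format(user)
    if kind in ("dn", "email"):
        return user
    user = sanitize_username(user)
    if classify_base(base) == "domain":
        return f"{user}@{base}"
    return f"{rdn_attr}={user},{base}"


def search_filter(username: str, attr: str = "sAMAccountName") -> str:
    """Filter for looking up one account; the value is allowlisted and then escaped."""
    return f"({attr}={escape_filter_value(sanitize_username(username))})"


def ad_account_state(entry: Dict[str, str]) -> Dict[str, bool]:
    """Decode AD disabled/locked-out status from a directory entry.

    'disabled' is the ACCOUNTDISABLE bit of userAccountControl. 'locked' is a
    non-zero lockoutTime; AD does not reset lockoutTime when the lockout duration
    expires, so a non-zero value can be stale unless compared against the domain
    lockoutDuration. Generic LDAP servers expose neither attribute, which is why
    this check is AD-only.
    """
    uac = int(entry.get("userAccountControl", "0"))
    lockout = int(entry.get("lockoutTime", "0"))
    return {"disabled": bool(uac & UAC_ACCOUNTDISABLE), "locked": lockout != 0}


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "jdoe":   {"userAccountControl": "512", "lockoutTime": "0"},                    # normal account
    "asmith": {"userAccountControl": "514", "lockoutTime": "0"},                    # 512 | 0x2: disabled
    "bjones": {"userAccountControl": "512", "lockoutTime": "133500000000000000"},   # locked out
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, bind_identity(name, "corp.example.com"), ad_account_state(entry))
    try:
        search_filter("admin)(|(objectClass=*")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist does the real work: an injection attempt such as `admin)(|(objectClass=*` never reaches the filter because it is rejected outright. The RFC 4515 escaping is kept as a second layer for the case where the allowlist is later widened by configuration.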