Active Directory and LDAP Configuration



To prevent LDAP injection attacks, usernames are strictly sanitized before they are used in any LDAP query. Permitted characters by default: alphanumerics, underscore (_), period (.), plus (+), and minus (-). You can override this allowed set in base_config.cfg, but widening it to include LDAP filter metacharacters such as *, (, ), or \ reintroduces the injection risk the allow-list exists to remove.
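The allow-list check described above, written out as an added example (this is not Userify's own code). The default set is the one the page lists; the `allowed` parameter stands in for the base_config.cfg override. The `sAMAccountName` filter attribute is an assumption used only to show why the check matters: the page does not say which attribute Userify queries.

```python
import re

# Default permitted characters from the page: alphanumerics, '_', '.', '+', '-'.
# The page says this set can be overridden in base_config.cfg; here it is a parameter.
DEFAULT_ALLOWED = r"A-Za-z0-9_.+\-"


def is_valid_username(username: str, allowed: str = DEFAULT_ALLOWED) -> bool:
    """True only if the username is non-empty and every character is in the allow-list.

    fullmatch() is used rather than match()/search() so a trailing metacharacter
    (e.g. 'joe*') cannot slip through.
    """
    if not username:
        return False
    return re.fullmatch(f"[{allowed}]+", username) is not None


def build_user_filter(username: str, attribute: str = "sAMAccountName") -> str:
    """Build an LDAP search filter for one user, refusing anything outside the allow-list.

    The attribute name is an assumption for illustration only.
    """
    if not is_valid_username(username):
        raise ValueError(f"username rejected by allow-list: {username!r}")
    return f"({attribute}={username})"


def demo_injection_attempt() -> dict:
    """Contrast naive string formatting with the allow-list check.

    The hostile value is constructed for this example. Unchecked, it turns a
    lookup for one account into a filter that matches every object.
    """
    hostile = "*)(objectClass=*"
    unchecked_filter = f"(sAMAccountName={hostile})"  # what naive formatting would send
    try:
        build_user_filter(hostile)
        accepted = True
    except ValueError:
        accepted = False
    return {"unchecked_filter": unchecked_filter, "accepted": accepted}


if __name__ == "__main__":
    print(build_user_filter("joe.smith+1"))
    print(demo_injection_attempt())
```

Because the check is an allow-list rather than an escape routine, an overridden set that adds `@` (for UPN-style names) still blocks `*`, `(` and `)`, but an override that adds those characters themselves would need a proper RFC 4515 escape step instead.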

LDAP Host

The hostname for your Active Directory or LDAP server. This field supports values such as 10.11.12.13, ad.corp.example.com, and ldaps://ad.corp.example.com[:636] (the port is optional).

For TLS operation (strongly advised), prefix the hostname with ldaps://; the default LDAPS port is 636. Plaintext LDAP is written as ldap://hostname:389 and sends the bind password across the network unencrypted.

LDAP User

A non-administrative user whose credentials are used to check the disabled or locked-out status of other users. Only read-only (standard user) privileges are needed. This field autodetects usernames in the following formats:

  • email: username@corp.example.com
  • a single username in the base DN: username
  • LDAP distinguished name (DN) such as: CN=username, DC=corp, DC=example, DC=com

Note: If this field is set incorrectly, Userify will be unable to detect account changes in Active Directory and therefore cannot lock out, delete, or disable the corresponding accounts when these actions occur there.

This user should be just a standard user account, since most Active Directory configurations allow standard users to read other user accounts. Set this account to never expire and to not require password changes, so that status checks do not silently stop working.

Note: There is no LDAP standard for representing disabled or locked-out users, so detection of disabled or locked-out users is currently only performed against Active Directory.

LDAP Password

The password for the non-admin user specified in LDAP User (the ldap_email setting). A long, highly random password is recommended. All characters are permitted.

LDAP Base DN

For Active Directory, provide the domain name/realm (i.e. corp.example.com) that users exist in. For more control, or for non-AD LDAP installations, use a full LDAP Base DN.

As with LDAP User, if commas are detected this value is treated as a raw base DN; otherwise, when a simple username is provided, it is appended to that username to form a fully qualified AD user principal name (i.e. joe@corp.example.com).
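The field parsing described under LDAP Host, LDAP User and LDAP Base DN, as an added example (not Userify's own code). Two behaviours are assumptions of this example rather than statements from the page: a bare host with no scheme is treated as plaintext ldap:// on port 389 so that the TLS warning fires, and a bare username combined with a raw (comma-containing) Base DN is prefixed with a CN= RDN.

```python
from urllib.parse import urlsplit


def parse_ldap_host(value: str) -> dict:
    """Parse the LDAP Host field: '10.11.12.13', 'ad.corp.example.com',
    'ldaps://ad.corp.example.com[:636]' or 'ldap://hostname:389'.

    Assumption: a value with no scheme is treated as plaintext ldap:// on 389.
    """
    v = value.strip()
    if "://" not in v:
        v = "ldap://" + v
    parts = urlsplit(v)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme}")
    port = parts.port or (636 if scheme == "ldaps" else 389)
    return {"scheme": scheme, "host": parts.hostname, "port": port, "tls": scheme == "ldaps"}


def config_warnings(host_field: str) -> list:
    """Return the configuration warnings a practitioner would want before go-live."""
    warnings = []
    if not parse_ldap_host(host_field)["tls"]:
        warnings.append("LDAP Host is not ldaps://: the LDAP Password will cross the network in clear text")
    return warnings


def classify_identity(value: str) -> str:
    """Classify an LDAP User or Base DN value the way the page describes:
    commas mean a raw DN, '@' means an email/UPN, anything else is a simple name or realm."""
    v = value.strip()
    if "," in v:
        return "dn"
    if "@" in v:
        return "email"
    return "simple"


def resolve_bind_name(ldap_user: str, base_dn: str) -> str:
    """Compose the name used to bind from the LDAP User and LDAP Base DN fields.

    A DN or email is already fully qualified and is used as-is. A simple username
    is joined to the Base DN: 'joe' + 'corp.example.com' -> 'joe@corp.example.com'.
    Assumption: with a raw Base DN the example builds 'CN=joe,<base dn>'; the page
    does not specify that case.
    """
    user = ldap_user.strip()
    if classify_identity(user) in ("dn", "email"):
        return user
    base = base_dn.strip()
    if classify_identity(base) == "dn":
        return f"CN={user},{base}"
    return f"{user}@{base}"


if __name__ == "__main__":
    print(parse_ldap_host("ldaps://ad.corp.example.com"))
    print(config_warnings("ldap://hostname:389"))
    print(resolve_bind_name("joe", "corp.example.com"))
```

Running `config_warnings` against the configured host before the first bind is the cheapest check here: the bind account is deliberately low-privilege, but its password is still a valid domain credential and should never travel over plaintext LDAP.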
