Active Directory and LDAP Configuration
(Some fields are new in version 4.2.)
To prevent LDAP injection attacks, usernames are strictly sanitized. Permitted characters: alphanumerics, underscore (_), period (.), plus (+), and minus (-).
The hostname for your Active Directory or LDAP server. This field supports values such as
For TLS operation (strongly advised), preface the hostname with ldaps://. Example for insecure LDAP:
A non-administrative user used to check the disabled or locked-out status of other users. Only read-only (or self-only, standard user) privileges are needed. This field autodetects usernames in the following formats:
- email: firstname.lastname@example.org
- a single username in the base DN: username
- LDAP distinguished name (DN) such as: CN=username, DC=corp, DC=example, DC=com
Note: If this field is set incorrectly, Userify will be unable to lock out, delete, or disable accounts when these actions occur in Active Directory.
This should be a standard user account, since most Active Directory configurations allow users to browse other user accounts read-only. Configure the account so that it is never disabled and never requires password changes.
Note: LDAP servers have no standard way of representing disabled or locked-out users, so detection of disabled or locked-out accounts is currently supported only on Active Directory.
The password for the non-admin user specified in ldap_email. A long, highly random password is recommended. All characters are permitted.
LDAP Base DN
For Active Directory, provide the domain name/realm (i.e. corp.example.com) that users exist in. For more control, or for plain LDAP installations, use a full LDAP Base DN.
As with LDAP User, if commas are detected this value is treated as a raw base DN; otherwise, when a simple username is provided, it is appended to that username to create a fully qualified AD username (i.e. email@example.com).
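The username charset rule, the three autodetected user formats, and the Base DN handling described above, as an added example that is not Userify's own code: it rejects anything outside the permitted characters instead of escaping it, classifies the user value by comma or @, and combines a bare username with the Base DN field. The local-part check for e-mail values and the "search" return shape for a raw base DN are assumptions of this example.

```python
import re

# Permitted username characters per the page: alphanumerics, _ . + -
# Everything else (',', '=', '*', '(', ')', '\\', NUL, ...) is rejected
# outright, so a username can never be read as DN or filter syntax.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.+-]+")


def is_permitted_username(username: str) -> bool:
    """True if every character of username is in the permitted set."""
    return bool(_USERNAME_RE.fullmatch(username))


def sanitize_username(username: str) -> str:
    """Return username unchanged if it passes the charset check, else raise."""
    if not is_permitted_username(username):
        raise ValueError(f"rejected username {username!r}: only [A-Za-z0-9_.+-] allowed")
    return username


def detect_user_format(value: str) -> str:
    """Classify a lookup-user value as 'dn', 'email' or 'username'.

    A comma marks a distinguished name (used verbatim, so it must come from
    trusted configuration, never from end-user input); an '@' marks an
    e-mail address, whose local part is charset-checked here (an assumption
    of this example); anything else is a bare username and must pass the check.
    """
    if "," in value:
        return "dn"               # e.g. CN=username, DC=corp, DC=example, DC=com
    if "@" in value:
        sanitize_username(value.split("@", 1)[0])
        return "email"            # e.g. firstname.lastname@example.org
    sanitize_username(value)
    return "username"


def resolve_lookup(user: str, base: str) -> dict:
    """Combine the user value with the Base DN field as the page describes.

    E-mail addresses and DNs are bound directly. A bare username is joined to
    a domain/realm base (no comma) to form a UPN; with a raw base DN (commas)
    it must be searched for under that base (this return shape is assumed).
    """
    fmt = detect_user_format(user)
    if fmt in ("dn", "email"):
        return {"mode": "bind", "identity": user}
    if "," in base:
        return {"mode": "search", "base": base, "username": user}
    return {"mode": "bind", "identity": f"{user}@{base}"}
```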