Active Directory and LDAP Configuration

(Some fields are new in version 4.2.)

To prevent LDAP injection attacks, usernames are strictly sanitized. Permitted characters: alphanumerics, underscore(_), period(.), plus(+), and minus(-).

LDAP Host

The hostname for your Active Directory or LDAP server. This field supports values such as 10.11.12.13, ad.corp.example.com, and ldaps://ad.corp.example.com [:636].

For TLS operation (strongly advised), preface the hostname with ldaps://. Example for insecure LDAP: ldap://hostname:389.

LDAP User

A non-administrative user to check disabled or locked out status on other users. Only read-only (or self-only, standard user) privileges are needed. This field autodetects usernames in the following formats:

  • email: username@corp.example.com
  • a single username in the base DN: username
  • LDAP distinguished name (DN) such as: CN=username, DC=corp, DC=example, DC=com

Note: If this field is set incorrectly, Userify will be unable to lock out, delete, or disable accounts when these actions occur in Active Directory.

This user should be just a standard user account, since most Active Directory configurations allow users to browse other user accounts as read-only. Set this account to never disable or need password changes.

Note: LDAP servers currently do not have a standard for disabled/locked out users, so detection of disabled or locked-out users currently is only utilized on Active Directory.

LDAP Password

The password for the non-admin user specified in ldap_email. A long, highly random password is recommended. All characters are permitted.

LDAP Base DN

For Active Directory, provide the domain name/realm (ie corp.example.com) that users exist in. For more control or LDAP installations, use a full LDAP Base DN.

As with LDAP User, if commas are detected, this is treated as a raw base DN; otherwise, it is appended to usernames to create fully distinguished AD usernames (ie joe@corp.example.com) if a simple username is provided.