Active Directory and LDAP Configuration

(Some fields are new in version 4.2.)

To prevent LDAP injection attacks, usernames are strictly sanitized. Permitted characters: alphanumerics, underscore(_), period(.), plus(+), and minus(-).


The hostname for your Active Directory or LDAP server. This field supports values such as,, and ldaps:// [:636].

For TLS operation (strongly advised), preface the hostname with ldaps://. Example for insecure LDAP: ldap://hostname:389.


A non-administrative user to check disabled or locked out status on other users. Only read-only (or self-only, standard user) privileges are needed. This field autodetects usernames in the following formats:

  • email:
  • a single username in the base DN: username
  • LDAP distinguished name (DN) such as: CN=username, DC=corp, DC=example, DC=com

Note: If this field is set incorrectly, Userify will be unable to lock out, delete, or disable accounts when these actions occur in Active Directory.

This user should be just a standard user account, since most Active Directory configurations allow users to browse other user accounts as read-only. Set this account to never disable or need password changes.

Note: LDAP servers currently do not have a standard for disabled/locked out users, so detection of disabled or locked-out users currently is only utilized on Active Directory.

LDAP Password

The password for the non-admin user specified in ldap_email. A long, highly random password is recommended. All characters are permitted.


For Active Directory, provide the domain name/realm (ie that users exist in. For more control or LDAP installations, use a full LDAP Base DN.

As with LDAP User, if commas are detected, this is treated as a raw base DN; otherwise, it is appended to usernames to create fully distinguished AD usernames (ie if a simple username is provided.