
LDAP

Last Modified 2021-02-04 11:38 EST

TrueCommand can use an external LDAP authentication server to manage user login permissions.

Active Directory environments use an LDAP authentication server as part of the Active Directory specification, so the information here also applies to using an Active Directory instance to handle authentication.

LDAP Settings Object

Each LDAP server definition can provide several options to ensure

  • “server” (string, Required) : IP or DNS name of the LDAP server
  • “require_tls” (boolean, default: true) : Require a fully-verified TLS connection to the LDAP server before submitting user details. If false, a TLS connection is attempted and used when available, but the connection falls back to non-TLS if needed.
  • “user” (string, optional) : Username to try when validating the connection to the LDAP server (will use the account username by default)
    • WARNING: Do not provide this option when setting a system-wide LDAP authentication rule. It will overwrite the actual username being used to login. It is
  • “domain” (string, optional) : Domain settings for user authentication
    • Short form (“mycorp.com”): Use @ for the LDAP connection.
    • Long form (“cn=users,dc=mycorp,dc=com”) : Full list of domain settings needed for LDAP authentication.
      • NOTE: The “${USER}” string can be used in the long-form domain definition as a placeholder for the username. This will typically be needed when setting up a system-wide LDAP authentication rule.
  • “sasl_domain” (string, optional) : Specify the requested authorization ID for SASL bind.
    • Must be one of the following formats: “dn:” or “u:”
    • Setting this field automatically switches the connection method over to a SASL bind.
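The following is an added example, not TrueCommand's own code: it checks a settings object against the rules listed above and derives the identity that would be submitted to the LDAP server for a given login name. It assumes that the short-form domain produces “user@mycorp.com”, and the `system_wide` flag is an assumption of this example only, marking a system-wide authentication rule.

```python
# Added example (not TrueCommand's own code): validate an LDAP settings object
# as described above and derive the bind identity for a given login name.
# Assumptions: the short-form domain is taken to yield "user@mycorp.com", and
# "system_wide" is a flag of this example only (a system-wide authentication rule).
from string import Template


def resolve_ldap_bind(settings: dict, login_user: str, system_wide: bool = False) -> dict:
    """Return server, TLS requirement, bind identity, bind method and any warnings."""
    if not settings.get("server"):
        raise ValueError('"server" is required')
    warnings = []

    require_tls = settings.get("require_tls", True)   # default is true
    if require_tls is not True:
        warnings.append("require_tls=false allows a non-TLS fallback; user details may leak")

    user = settings.get("user")
    if system_wide and user:
        # The page warns against "user" on a system-wide rule: it replaces the real login name.
        warnings.append('"user" on a system-wide rule overrides the actual login username')
    bind_user = user or login_user

    domain = settings.get("domain", "")
    if "=" in domain:
        # Long form ("cn=users,dc=mycorp,dc=com"): ${USER} is the username placeholder.
        bind_id = Template(domain).safe_substitute(USER=bind_user)
        if system_wide and "${USER}" not in domain:
            warnings.append("long-form domain on a system-wide rule has no ${USER} placeholder")
    elif domain:
        bind_id = f"{bind_user}@{domain}"   # short form (assumed user@domain)
    else:
        bind_id = bind_user

    method = "simple"
    sasl = settings.get("sasl_domain")
    if sasl is not None:
        if not sasl.startswith(("dn:", "u:")):
            raise ValueError('"sasl_domain" must use the "dn:" or "u:" form')
        method = "sasl"   # setting sasl_domain switches the connection to a SASL bind

    return {"server": settings["server"], "require_tls": require_tls,
            "bind_id": bind_id, "method": method, "warnings": warnings}
```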

SSL/TLS Connection Info

If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before the LDAP server can be used by TrueCommand:

  • (Option 1) The custom certificate authority must be registered with TrueCommand via the ssl/ca_import API call.
  • (Option 2) The “require_tls” option can be disabled to allow non-TLS connections to the LDAP server. WARNING: This option can possibly leak user information and is not recommended.