LDAP for Accounts
LDAP authentication enables UDMG to integrate with your existing enterprise identity systems, such as Microsoft Active Directory or OpenLDAP. You can configure LDAP authentication for Accounts independently from Users, and each can connect to a different directory provider if needed.
Once configured, Accounts authenticate using their LDAP credentials, reducing administrative overhead, ensuring consistent access policies, and enhancing overall security.
Before You Begin
LDAP Sync
Accounts are automatically synchronized with the LDAP server every day at midnight by default.
You can also trigger a Sync manually via the Sync LDAP button (next to the Test LDAP button).
During an LDAP Sync, UDMG compares the LDAP users returned from the LDAP server with the Accounts in the UDMG database.
If an LDAP user does not have a corresponding Account, a new Account record is automatically created in UDMG.
This diagram describes the process of synchronizing LDAP users with Accounts. It covers checking for existing Accounts, creating new Accounts, and updating Account information.
```mermaid
%%{init: {'theme': 'default', 'themeVariables': { 'fontSize': '18px' }}}%%
flowchart
classDef highlighted fill:#d4e8ff,stroke:#1890ff,stroke-width:3px,color:#000
ProcessAccount["Process Account"] --> CheckAccountExistsInDB{{"Account exists in database?"}}
CheckAccountExistsInDB -->|Yes| CheckIsLDAPAccount{{"Is **Login Method** LDAP?"}}
CheckIsLDAPAccount -->|No| SkipAccountProcessing["Skip non-LDAP Account"]
CheckIsLDAPAccount -->|Yes| NoChangesNeeded["No changes needed for existing LDAP Account"]
CheckAccountExistsInDB -->|No| CheckLDAPGroups["Check LDAP user groups against UDMG Account Groups"]
CheckLDAPGroups --> FindMatchingGroups["Find matching Account Groups in the system"]
FindMatchingGroups --> GroupsFound{{"Any matching Account Groups found?"}}
GroupsFound -->|No| SkipNoMatchingGroups["Skip Account creation. No matching Account Groups"]
GroupsFound -->|Yes| CreateNewAccount["Create new Account:
- **Name** from LDAP username
- **Login Method** = LDAP
- **Enabled** = true
- **Source** = LDAP server URL
- **Description** = 'LDAP synchronized account'"]
CreateNewAccount --> AssignGroupsToAccount["For each matching group:
- Create Account Group access record"]
SkipAccountProcessing --> AccountComplete["Account processing complete"]
NoChangesNeeded --> AccountComplete
SkipNoMatchingGroups --> AccountComplete
AssignGroupsToAccount --> AccountComplete
```
Sync Result
After the Sync completes, a popup displays the sync status and the number of LDAP users synced. Four metrics are given:
| Name | Description |
|---|---|
| Processed | Number of Accounts synced. |
| Skipped | Number of LDAP users whose corresponding Account did not require creation or updates. |
| Failed | Number of LDAP users that failed to sync (due to some system failure). |
| Total | Total number of LDAP users returned by the LDAP server. |
These metrics only count Accounts with Login Method = LDAP.
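The following Python program is an added example, not UDMG's own code: it walks the sync flowchart above over a constructed set of directory users and a constructed in-memory account store, and returns the four metrics of the Sync Result popup. The data classes, the `AccountStore` stand-in, the LDAP URL and the user and group names are all assumptions made for the example; so is the counting rule (Processed = accounts created, Skipped = users that needed no creation, Failed = creation errors, Total = users returned by the server). The `demo()` function also deletes one provisioned account locally and syncs again, which shows why a local delete alone does not revoke access.

```python
from dataclasses import dataclass, field


# Constructed sample data and a constructed in-memory store; UDMG's real
# sync code and database are not shown on this page, so the structure below
# is an assumption that follows the documented flowchart step by step.

@dataclass
class LdapUser:
    username: str          # value of the configured User ID Attribute
    groups: list           # group names taken from the directory entry


@dataclass
class Account:
    name: str
    login_method: str      # "LDAP" or "LOCAL"
    enabled: bool = True
    source: str = ""       # LDAP server URL for synchronized accounts
    description: str = ""
    groups: list = field(default_factory=list)


class AccountStore:
    """Minimal stand-in for the UDMG account database (constructed)."""

    def __init__(self, accounts, account_groups, fail_on=()):
        self.accounts = {a.name: a for a in accounts}
        self.account_groups = set(account_groups)  # UDMG Account Groups
        self.fail_on = set(fail_on)                 # names whose insert fails (test hook)

    def get(self, name):
        return self.accounts.get(name)

    def create(self, account):
        if account.name in self.fail_on:
            raise RuntimeError(f"simulated database failure for {account.name}")
        self.accounts[account.name] = account

    def delete(self, name):
        self.accounts.pop(name, None)


def sync_ldap_accounts(ldap_users, store, ldap_url):
    """Walk the flowchart once and return the four metrics of the sync popup."""
    metrics = {"Processed": 0, "Skipped": 0, "Failed": 0, "Total": len(ldap_users)}
    for user in ldap_users:
        existing = store.get(user.username)
        if existing is not None:
            # Existing LDAP account: nothing to change. Existing non-LDAP account:
            # left untouched, so a directory entry can never take over a local account.
            metrics["Skipped"] += 1
            continue
        matching = [g for g in user.groups if g in store.account_groups]
        if not matching:
            # No Account Group matches: the user is not provisioned at all.
            metrics["Skipped"] += 1
            continue
        try:
            store.create(Account(
                name=user.username,
                login_method="LDAP",
                enabled=True,
                source=ldap_url,
                description="LDAP synchronized account",
                groups=matching,  # one Account Group access record per match
            ))
            metrics["Processed"] += 1
        except RuntimeError:
            metrics["Failed"] += 1
    return metrics


# Constructed directory result and existing accounts.
LDAP_URL = "ldaps://ldap.example.com:636"
LDAP_USERS = [
    LdapUser("alice", ["transfer-operators"]),
    LdapUser("bob", ["finance"]),                  # no matching Account Group
    LdapUser("carol", ["transfer-operators"]),     # already an LDAP account
    LdapUser("admin", ["transfer-operators"]),     # collides with a local admin
    LdapUser("dave", ["transfer-operators", "auditors"]),
]


def build_store(fail_on=("dave",)):
    return AccountStore(
        accounts=[
            Account("carol", "LDAP", source=LDAP_URL, groups=["transfer-operators"]),
            Account("admin", "LOCAL"),
        ],
        account_groups=["transfer-operators", "auditors"],
        fail_on=fail_on,
    )


def demo():
    """Run a sync, delete one provisioned account locally, and sync again."""
    store = build_store()
    first = sync_ldap_accounts(LDAP_USERS, store, LDAP_URL)
    store.delete("alice")  # local delete only; the directory entry still exists
    second = sync_ldap_accounts(LDAP_USERS, store, LDAP_URL)
    return first, second, store


if __name__ == "__main__":
    first, second, store = demo()
    print("first sync:", first)
    print("second sync:", second)
    print("admin login method:", store.get("admin").login_method)
```

Two points in the run are worth checking in your own environment: a local account with the same name as a directory user keeps its local login method, and an account deleted only in UDMG is recreated by the next Sync with the same Account Group access records.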
LDAP Sync Interval
You can configure the Sync interval for Accounts in the ldap block in the Configuration File.
```
ldap {
  ldap_account_sync_interval = "24h"
}
```
For more information on the ldap.ldap_account_sync_interval field, see Configuration File.
LDAP Configuration
LDAP is configured at the Domain level, meaning it can only be used to authenticate Accounts within the specific Domain. If you want to use the same LDAP provider across multiple Domains, it must be configured separately in each Domain.
To configure LDAP settings for Accounts in your Domain, follow these steps:
- From the Sidebar, click General > Settings.
- Click Account LDAP Authentication.
- Click Edit.
- Fill out the fields for the new LDAP settings using the Field Descriptions table as a guide.
- Click Update.
Only Admins can configure LDAP authentication.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| LDAP Host | The host and optional port of the LDAP server (e.g., ldap.example.com:389). | If the port is not supplied, it is inferred from the TLS configuration. | Yes |
| Description | Optional description for this LDAP configuration. | | No |
| Use SSL/TLS Connection | A toggle switch to enable or disable SSL/TLS. If SSL/TLS is enabled, the server certificate is verified against the root certificates installed on the system. | Default value: Enabled. | Yes |
| Bind DN | The distinguished name (DN) of the user account used to bind to the LDAP server. The connector uses this DN to search for Accounts. | | Yes |
| Base DN | The Base DN from where to start the LDAP user search. For example, dc=udmg,dc=local. | | Yes |
| User ID Attribute | The LDAP attribute whose value is used as the Account Name. | | Yes |
| User Filter | The LDAP filter applied when searching the directory for LDAP user entries (e.g., (objectClass=person)). If the field contains an * ((objectClass=*)), then both LDAP user and LDAP group entries are pulled into UDMG. | | Yes |
| Bind Credentials | The Credential containing the password for the Bind DN. The connector uses these Credentials to search for Accounts. | Must reference an already created Username and Password. | Yes |
| UDMG to LDAP Attribute Mapping | Map LDAP attributes to Account fields by entering the exact attribute name from your LDAP provider for the Description field. | | No |
LDAP Test
After configuring an LDAP provider, you can test the connection from UDMG to the LDAP server.
Click the Test LDAP button above the LDAP configuration details.
A popup indicates whether the system was able to connect successfully. If the connection was successful, the popup displays the number of LDAP users retrieved that match the User Filter.
Testing the LDAP connection does not synchronize the LDAP server with UDMG. The test simply reports the status of the connection.
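The User Filter row of the Field Descriptions table and the count reported by Test LDAP both depend on which directory entries the filter matches. The Python below is an added example, not part of UDMG or of the page: it implements a small evaluator for the RFC 4515 filter syntax (equality, presence with `*`, and the `&`, `|`, `!` operators) and applies a filter to a constructed directory of two person entries and two groupOfNames entries, so you can see how `(objectClass=person)` and `(objectClass=*)` differ in what they would pull into UDMG. The directory contents, names and DNs are constructed for the example.

```python
# Minimal RFC 4515 filter parser and matcher (added example, not UDMG code).
# Supports (attr=value), presence (attr=*), and the &, |, ! operators.


def parse_filter(text):
    """Parse a filter string into a tree of ('=', attr, value) or (op, [children])."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            expect(")")
            return (op, children)
        end = text.index(")", pos)          # raises ValueError if unterminated
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed filter item at offset {pos}")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry: {attr_lowercase: [values]}."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        values = entry.get(attr, [])
        if value == "*":                     # presence filter
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    raise ValueError(f"unknown operator {op!r}")


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


# Constructed directory: two person entries and two group entries.
DIRECTORY = [
    {"dn": ["uid=alice,ou=people,dc=udmg,dc=local"],
     "objectclass": ["person", "inetOrgPerson"], "uid": ["alice"],
     "memberof": ["cn=transfer-operators,ou=groups,dc=udmg,dc=local"]},
    {"dn": ["uid=bob,ou=people,dc=udmg,dc=local"],
     "objectclass": ["person", "inetOrgPerson"], "uid": ["bob"],
     "memberof": ["cn=finance,ou=groups,dc=udmg,dc=local"]},
    {"dn": ["cn=transfer-operators,ou=groups,dc=udmg,dc=local"],
     "objectclass": ["groupOfNames"], "cn": ["transfer-operators"],
     "member": ["uid=alice,ou=people,dc=udmg,dc=local"]},
    {"dn": ["cn=finance,ou=groups,dc=udmg,dc=local"],
     "objectclass": ["groupOfNames"], "cn": ["finance"],
     "member": ["uid=bob,ou=people,dc=udmg,dc=local"]},
]


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of entries matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for f in ["(objectClass=person)", "(objectClass=*)",
              "(&(objectClass=person)(memberOf=cn=transfer-operators,ou=groups,dc=udmg,dc=local))"]:
        print(f, "->", len(search(f)), "entries")
```

Running the script reports 2 entries for `(objectClass=person)` but 4 for `(objectClass=*)`: the two extra hits are the group entries, which is exactly what the table warns will be pulled into UDMG with a wildcard filter. Comparing such a count with what Test LDAP reports is a quick way to confirm the configured filter is as narrow as intended.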
Managing an LDAP Configuration
Viewing LDAP Configuration Details
To view the details of an LDAP configuration, follow these steps:
- From the Sidebar, click General > Settings.
- Click the Account LDAP Authentication card.
LDAP Configuration Metadata
LDAP configuration details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this LDAP configuration. |
| Version | Version number of the latest revision of this LDAP configuration. |
| Created | Date and time this LDAP configuration was created. |
| Updated | Date and time this LDAP configuration was last updated. |
Editing LDAP Configuration Details
To edit the details of an LDAP configuration, follow these steps:
- From the Sidebar, click General > Settings.
- Click the Account LDAP Authentication card.
- Click Edit.
- Edit details for the LDAP settings, using the Field Descriptions table as a guide.
- Click Update.
Deleting an LDAP Configuration
Deleting an LDAP configuration is straightforward; however, you must plan what to do with any orphaned Accounts that have already been provisioned. Those options include:
| Option | When to Choose | Result |
|---|---|---|
| Delete the Accounts | No plans to migrate to a new configuration, or don't want to preserve the records. | Accounts are removed from UDMG; if they authenticate later via an active LDAP configuration, they will be re-provisioned. |
| Retain as orphaned | You need the records for auditing but do not want Accounts to log in. | Accounts remain visible but cannot authenticate; even with a new LDAP configuration, their usernames remain tied to the deprecated LDAP configuration. |
To delete an LDAP configuration, follow these steps:
- From the Sidebar, click General > Settings.
- Click the Account LDAP Authentication card.
- Click the Delete button above the LDAP configuration details.
- You will be asked to confirm the deletion. Click Continue.
Deleting an LDAP configuration blocks new login attempts for associated Accounts. Existing Account sessions remain active until they expire or the user logs out.
Managing LDAP-Provisioned Accounts
Editing LDAP-Provisioned Accounts
To edit the details of an LDAP-provisioned Account, follow these steps:
- From the Sidebar, click Configuration > Accounts.
- Click the Name of the Account you want to edit.
- Click the Edit button above the Account details.
- Only the Require Two-factor Authentication (TOTP) setting is editable.
- Click Update.
Deleting LDAP-Provisioned Accounts
To delete an LDAP-provisioned Account, follow these steps:
- From the Sidebar, click Configuration > Accounts.
- Click the Name of the Account you want to delete.
- Click the Delete button above the details.
- You will be asked to confirm the deletion. Click Continue.
Deleting an LDAP-provisioned Account only removes the local record; the Account reappears after the next LDAP Sync if the user still exists in LDAP and matches the sync criteria. To permanently revoke access, remove the corresponding LDAP user from LDAP first, then optionally delete the Account from the Accounts page.