Configure LDAP/Active Directory groups
In addition to being an authentication method, the LDAP/Active Directory integration can optionally be used to retrieve additional attributes about the authenticating accounts: first name, last name, email address and group membership.
DCT only supports retrieving groups that are exposed as an attribute of the LDAP/Active Directory user record. DCT cannot fetch group membership from the group records themselves in LDAP/Active Directory, and therefore does not support nested groups.
Group memberships are retrieved at authentication time, using the account's own credentials. DCT does not need the credentials of an LDAP/Active Directory administrator, but it can only retrieve group memberships if LDAP/Active Directory users have the right to read the corresponding attribute.
This is enabled by setting the following additional arguments on the domain object of the API request.
Argument | Description |
search_base | The context name (DN) in which to search. Being specific makes LDAP searches faster. To construct the search_base DN for your LDAP/Active Directory server, use an LDAP browser to navigate to a user, then build the search_base DN in reverse order from the user up the folder hierarchy. For example, if a user DN is CN=some-user-id,CN=Users,DC=mycompany,DC=co, the corresponding search base might be CN=Users,DC=mycompany,DC=co. |
email_attr | Name of the attribute in the LDAP/Active Directory server containing email addresses. Example: mail |
last_name_attr | Name of the attribute in the LDAP/Active Directory server containing last names. Example: sn |
first_name_attr | Name of the attribute in the LDAP/Active Directory server containing first names. Example: givenName |
group_attr | Name of the attribute in the LDAP/Active Directory server containing group membership(s). This can be a multi-valued attribute. Example: memberOf |
search_attr | Name of the attribute in the LDAP/Active Directory server whose value corresponds to the username provided in DCT login requests. For Active Directory, this is usually sAMAccountName. Example: if the search base is CN=Users,DC=mycompany,DC=co and the search_attr is principalName, DCT will search the CN=Users,DC=mycompany,DC=co sub tree for a record whose principalName matches the username provided in the login request. |
object_class_attr | Restricts the search to records with an objectClass matching this value. Example: person |
Active Directory example
The following request enables LDAP authentication over SSL with an Active Directory server at address activedirectory.mycompany.co, using the mycompany.co domain, and configures the optional attributes to retrieve first name, last name, email address and group membership from the Users sub tree.
curl --location --request PUT 'https://<hostname>/v2/management/ldap-config' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: apk <your API key>' \
  --data-raw '{
    "enabled": true,
    "auto_create_users": true,
    "hostname": "activedirectory.mycompany.co",
    "enable_ssl": true,
    "port": 636,
    "domains": [{
      "msad_domain_name": "mycompany.co",
      "search_base": "CN=Users,DC=mycompany,DC=co",
      "email_attr": "mail",
      "first_name_attr": "givenName",
      "last_name_attr": "sn",
      "group_attr": "memberOf",
      "object_class_attr": "person",
      "search_attr": "sAMAccountName"
    }]
  }'
With the above config, when a user logs in with username John, DCT will:
1. Authenticate with the Active Directory server using the user principal name john@mycompany.co and the supplied password.
2. Search the CN=Users,DC=mycompany,DC=co sub tree for a record with objectClass=person and sAMAccountName=john.
3. Create or update a DCT Account record with the attributes extracted from that Active Directory record.
4. For each group membership found in the memberOf attribute of that record, create an account tag with key login_groups and the group name as value. These tags are protected (i.e. they cannot be modified within DCT) and can therefore be used safely to control access group membership.
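The login flow above, modelled in Python as an added example (this is not DCT's own code): it derives the bind UPN and the search filter from the domain object, checks a constructed sample record against the filter and search_base, and turns memberOf values into login_groups tags. The directory record is constructed, the RFC 4515 filter escaping is the check a practitioner would want whenever a submitted username is placed into a search filter, and using the CN of each memberOf DN as the tag value is an assumption about how DCT names the tags.

```python
import re
DOMAIN_CONFIG = {  # the domain object from the example request above
    "msad_domain_name": "mycompany.co",
    "search_base": "CN=Users,DC=mycompany,DC=co",
    "email_attr": "mail",
    "first_name_attr": "givenName",
    "last_name_attr": "sn",
    "group_attr": "memberOf",
    "object_class_attr": "person",
    "search_attr": "sAMAccountName",
}
SAMPLE_ENTRY = {  # constructed sample of the record the search would return
    "dn": "CN=John Doe,CN=Users,DC=mycompany,DC=co",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["john"],
    "givenName": ["John"],
    "sn": ["Doe"],
    "mail": ["john@mycompany.co"],
    "memberOf": ["CN=dct-admins,OU=Groups,DC=mycompany,DC=co",
                 "CN=db-readers,OU=Groups,DC=mycompany,DC=co"],
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
def escape_filter_value(value):
    """RFC 4515 escaping, so a submitted username cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def login_upn(cfg, username):
    """Step 1: the user principal name used for the bind (lower-cased as in the text)."""
    return f"{username.lower()}@{cfg['msad_domain_name']}"

def search_filter(cfg, username):
    """Step 2: filter applied under search_base; object_class_attr is the objectClass value."""
    return (f"(&(objectClass={escape_filter_value(cfg['object_class_attr'])})"
            f"({cfg['search_attr']}={escape_filter_value(username.lower())}))")

def matches_entry(cfg, entry, username):
    """Check a returned record against the filter and the search_base sub tree."""
    under_base = entry["dn"].lower().endswith("," + cfg["search_base"].lower())
    right_class = cfg["object_class_attr"] in entry.get("objectClass", [])
    names = [v.lower() for v in entry.get(cfg["search_attr"], [])]
    return under_base and right_class and username.lower() in names

def account_from_entry(cfg, entry):
    """Steps 3 and 4: account attributes plus one login_groups tag per group value."""
    first = lambda key: (entry.get(cfg[key]) or [None])[0]  # attributes are multi-valued
    tags = [{"key": "login_groups", "value": re.sub(r"^CN=([^,]+).*$", r"\1", dn, flags=re.I)}
            for dn in entry.get(cfg["group_attr"], [])]  # tag value = group CN (assumption)
    return {"first_name": first("first_name_attr"), "last_name": first("last_name_attr"),
            "email": first("email_attr"), "tags": tags}
```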
As explained above, the ldap-config/validate API endpoint can be used to check that each of the configured attribute names corresponds to an actual LDAP/Active Directory attribute.