LDAP Configuration for Active Directory

Hi all !

I’ve spent a few hours this week trying to find a working configuration for an Active Directory LDAP backend.

Basically, only these two configuration directives needs to differ from the documentation’s example ;

    user_id_attribute: "sAMAccountName"
    unique_member_attribute: "member"

This will allow users to login using their account name. No DOMAIN\user or user@DOMAIN.com required, simply user will work.

If you want to enable SSL;

      host: "dc01.domain.com"
      port: 3269
      ssl_enabled: true
      ssl_trust_all_certs: true

3269 is the Global Catalog LDAPS port. I prefer it over the non-GC port, 636, to avoid referrals. Use case may differ according to your own environment, especially if you have multiple domains within a forest.

ssl_trust_all_certs is necessary unless you prefer importing your Active Directory’s domain root CA into the java keystore.


Thank you for your guide !