LDAP Configuration for Active Directory


Hi all!

I’ve spent a few hours this week trying to find a working configuration for an Active Directory LDAP backend.

Basically, only these two configuration directives need to differ from the documentation's example:

    user_id_attribute: "sAMAccountName"
    unique_member_attribute: "member"

This will allow users to log in using their account name. No DOMAIN\user or [email protected] required; simply user will work.

If you want to enable SSL:

      host: "dc01.domain.com"
      port: 3269
      ssl_enabled: true
      ssl_trust_all_certs: true

3269 is the Global Catalog LDAPS port. I prefer it over the non-GC port, 636, to avoid referrals. Your use case may differ according to your own environment, especially if you have multiple domains within a forest.

ssl_trust_all_certs is necessary unless you prefer importing your Active Directory’s domain root CA into the java keystore.
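The keystore route the post mentions, written out as an added example (this is my own helper script, not part of the original post or of the product's documentation): it pulls the certificate chain the Global Catalog LDAPS endpoint presents with `openssl s_client -showcerts`, keeps the last certificate in that chain, and imports it into a Java truststore with `keytool` so that `ssl_trust_all_certs` can stay at `false`. The host, port, truststore path and password are placeholders, and the script assumes `openssl` and `keytool` are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Fetch the chain a domain
# controller presents on the GC LDAPS port, keep the topmost certificate the
# server sent, and import it into a Java truststore.
# Assumptions (placeholders): dc01.domain.com:3269, /path/to/truststore.jks,
# the truststore password, and that openssl + keytool are installed.

# Keep only the PEM certificate blocks from s_client output (or any PEM
# bundle on stdin); everything outside BEGIN/END CERTIFICATE is dropped.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{keep=1} keep{print} /-----END CERTIFICATE-----/{keep=0}'
}

# Count the certificates in a PEM bundle read from stdin.
count_certs() {
    grep -c -- '-----END CERTIFICATE-----'
}

# Emit only the last certificate of a bundle: when the DC sends its chain,
# that is the highest CA certificate it included.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}'
}

# fetch_chain <host> <port>: -showcerts prints the whole chain; redirecting
# stdin from /dev/null closes the session as soon as the handshake is done.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null | extract_pem_chain
}

# import_ca <pem file> <truststore> <storepass>: trust the CA certificate in
# the given truststore under a fixed alias.
import_ca() {
    keytool -importcert -noprompt -trustcacerts -alias ad-root-ca \
        -file "$1" -keystore "$2" -storepass "$3"
}

# Usage:
#   sh ad-ca.sh fetch dc01.domain.com 3269          -> writes ad-root-ca.pem
#   sh ad-ca.sh import /path/to/truststore.jks <pw> -> imports ad-root-ca.pem
case "${1:-}" in
    fetch)  fetch_chain "$2" "$3" | last_cert > ad-root-ca.pem ;;
    import) import_ca ad-root-ca.pem "$2" "$3" ;;
esac
```

Before importing, check how many certificates came back: if the count is 1, the DC sent only its own server certificate, and the file written is not a CA at all. In that case take the root CA certificate from the enterprise CA itself (for example by exporting it on the CA with `certutil -ca.cert`) rather than trusting the leaf, and point the application at the truststore that now holds it.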

(Ld57) #2

Thank you for your guide!