We will describe how to configure the JPD to work with Active Directory using an example.
Consider an Active Directory server that must support the following conditions:
Users are located in two geographically separated sites. Some are in the US (designated as "us"), while others are in Israel (designated as "il").
Each site defines users and groups in different places in the Active Directory tree as displayed below.
To configure Active Directory authentication, in the Admin module, go to Authentication Providers | LDAP and click New.
The following table describes the configuration parameters.
The unique ID of the Active Directory setting.
When set, these settings are enabled.
Location of the Active Directory server LDAP access point in the following format:
The URL may include the base DN used to search for and/or authenticate users. If not specified, the Search Base field is required.
Auto Create System Users
When set, the JPD will automatically create new users for those who have logged in using Active Directory. Any newly created users will be associated with the default groups.
Allow Created Users Access to Profile Page
When set, users created automatically will have access to their profile page and perform actions such as generating an API key.
User DN Pattern
A DN pattern is used to log users directly in tot he LDAP database.
For Active Directory, we recommend leaving this field blank since this only works if anonymous binding is allowed and a direct user DN can be used, which is not the default case in Active Directory.
An attribute that can be used to map a user's email to a user created automatically by JPD.
This corresponds to the mail field in Active Directory.
A filter expression is used to search for the user DN that is used in Active Directory authentication.
This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. In this case, the
For Active Directory, the corresponding field should be
The Context name in which to search relative to the base DN in the Active Directory URL. This parameter is optional, but if possible, we highly recommend that you set it to prevent long searches on the Active Directory tree. Leaving this field blank will significantly slow down the Active Directory integration.
The configuration in the example below indicates that the search should only be performed under "frogs/il" or "frogs/us". This improves search performance since the JPD will not search outside the scope of the "frogs" entry.
The full DN of a user with permissions that allow querying the Active Directory server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.
The password of the user binding to the Active Directory server when using "search" authentication.
Search Sub Tree
When set, enables deep search through the sub-tree of the Active Directory URL + Search Base. True by default.