LDAP Connector
How to configure your LDAP Connector for fetching users and groups
Below is a step-by-step guide on how to configure the Lumos LDAP connector. Each setting is explained in detail, alongside recommended values and examples to help you get started quickly.
1. Enter Authentication Details
These settings determine how the Lumos connector will authenticate to your LDAP directory.
Bind DN
Description: The distinguished name (DN), or equivalent login name, of your LDAP service account.
Guidelines:
- Ensure the account has the necessary permissions to read user and group objects in LDAP.
Example:
[email protected]
Password
Description: The password for your Bind DN service account.
Guidelines:
- Store this securely.
- If your organization employs password vaults or credential managers, use them to keep this password safe.
2. Host
Description: The hostname (FQDN) or IP address of your LDAP server.
Guidelines:
- Use an FQDN (e.g., example.com) wherever possible; IP addresses (e.g., 192.168.127.12) are acceptable but less flexible.
- Ensure the name or IP address is reachable from the machine hosting the connector.
3. Base DN
Description: The base (or root) distinguished name for your directory. This is where the connector starts searching for objects.
Guidelines:
- Often corresponds to your domain components (e.g., dc=example,dc=com).
- For multi-domain environments, verify you are targeting the correct domain.
Example:
dc=example,dc=com
4. Port
Description: The port number on which your LDAP server (e.g., Active Directory) listens for LDAP/LDAPS requests.
Guidelines:
- Default LDAP port is 389.
- Default LDAPS (SSL) port is 636.
5. Protocol
Description: Determines whether to connect using plain LDAP or encrypted LDAPS.
Options:
- LDAP: Does not encrypt traffic.
- LDAPS: Encrypts traffic, including user credentials.
Guidelines:
- Use LDAPS wherever possible to ensure security.
- If you must use LDAP, ensure you have network-level encryption (e.g., VPN or TLS encapsulation) in place.
6. Validate Certificate
Description: Determines whether the server certificate is validated when using LDAPS.
Guidelines:
- If enabled, the certificate must be trusted by the local machine running the connector (requires root CA or intermediate CA in the trusted store).
- Only applies when Protocol is set to LDAPS.
Example:
- On (recommended for production)
- Off (use with caution, typically for testing environments)
7. Users Search Base DN (optional)
Description: The subtree in your directory where Lumos will begin searching for user objects.
Guidelines:
- If not provided, the search base defaults to the Base DN.
- Commonly set to a specific OU to limit searches to a smaller portion of the directory for efficiency.
Example:
OU=Users,DC=example,DC=com
8. Users Search Filter (optional)
Description: An additional LDAP filter applied to user queries.
Guidelines:
- Useful for excluding certain object classes or focusing on specific users.
- Must be in valid LDAP query syntax.
Example:
- Include only person objects: (objectCategory=person)
9. Groups Search Base DN (optional)
Description: The subtree in your directory where Lumos will begin searching for group objects.
Guidelines:
- If not provided, defaults to the Base DN.
- Commonly set to an OU containing your security or distribution groups.
Example:
OU=Groups,DC=example,DC=com
10. Groups Search Filter (optional)
Description: An additional LDAP filter applied to group queries.
Guidelines:
- Useful for narrowing down the scope to specific types of groups.
- Must be in valid LDAP query syntax.
Example:
- Include only POSIX groups: (objectClass=posixGroup)
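As an added example (not Lumos connector code), the Python below models the settings described above and checks them before deployment: it fills in the documented defaults (port from protocol, search bases from the Base DN), rejects malformed search filters, and warns when plain LDAP is chosen or certificate validation is off. LdapConfig, check_config and the default object filters that the optional filters are ANDed with are assumptions for illustration, not the connector's internals.

```python
# Added example, not Lumos connector code: LdapConfig, check_config and the
# default object filters below are assumptions used for illustration only.
from dataclasses import dataclass
@dataclass
class LdapConfig:
    host: str                          # FQDN or IP address of the LDAP server
    base_dn: str                       # e.g. dc=example,dc=com
    protocol: str = "LDAPS"            # "LDAP" or "LDAPS"
    port: int = 0                      # 0 -> default port for the protocol
    validate_certificate: bool = True  # only meaningful for LDAPS
    users_search_base_dn: str = ""     # "" -> falls back to base_dn
    users_search_filter: str = ""      # "" -> no extra filter
    groups_search_base_dn: str = ""
    groups_search_filter: str = ""

def valid_filter(f: str) -> bool:
    """Minimal LDAP filter syntax check: wrapped in parentheses and balanced."""
    if len(f) < 3 or f[0] != "(" or f[-1] != ")":
        return False
    depth = 0
    for ch in f:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def and_filter(base: str, extra: str) -> str:
    return f"(&{base}{extra})" if extra else base  # AND base with optional extra

def check_config(cfg: LdapConfig) -> tuple:
    """Return (effective settings, warnings); raise ValueError on hard errors."""
    proto = cfg.protocol.upper()
    port = cfg.port or {"LDAPS": 636, "LDAP": 389}[proto]  # KeyError if unknown
    warnings = []
    if proto == "LDAP":
        warnings.append("plain LDAP: the bind password crosses the network unencrypted")
    elif not cfg.validate_certificate:
        warnings.append("LDAPS without certificate validation: any server cert is accepted")
    for name, f in (("users", cfg.users_search_filter), ("groups", cfg.groups_search_filter)):
        if f and not valid_filter(f):
            raise ValueError(f"{name} search filter {f!r} is not valid LDAP filter syntax")
    settings = {
        "url": f"{proto.lower()}://{cfg.host}:{port}",
        "users_base": cfg.users_search_base_dn or cfg.base_dn,
        "groups_base": cfg.groups_search_base_dn or cfg.base_dn,
        # assumed default object filters; the page documents only the extra filter
        "users_filter": and_filter("(objectClass=person)", cfg.users_search_filter),
        "groups_filter": and_filter("(objectClass=group)", cfg.groups_search_filter),
    }
    return settings, warnings
```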
Troubleshooting Tips
Authentication Failures
- Verify the Bind DN and Password are correct.
- Confirm the service account is not locked or disabled.
Connection Errors
- Check that you can reach the Host (FQDN or IP address) from the connector server (DNS resolution, firewall rules, etc.).
- For LDAPS, confirm the port is open (e.g., 636) and the certificate is trusted.
Incorrect or Empty Search Results
- Validate that your Base DN and Search Base DNs are correct.
- Temporarily remove or simplify your Search Filters to verify that objects appear.
- Make sure the service account has permission to read objects in the specified OUs.
Certificate Validation
- If Validate Certificate is On, ensure the certificate chain is trusted by the machine running the connector.
If you continue to experience issues, consult your LDAP connector logs for troubleshooting.
Conclusion
Configuring the Lumos LDAP connector involves specifying the fundamental connection details (e.g., credentials, domain, port, protocol) and refining your searches (e.g., base DNs, filters) to accurately scope the user and group data in your environment. By following the detailed instructions above and using the provided examples, you should be able to set up the connector successfully and start synchronizing objects into Lumos.