Settings table

List with description of settings for LDAP found in settings page.

Field

Description

Default

URL

URL that points to your LDAP server.

Empty

Bind Username

Bind DN used for authentication.

cn=admin,dc=example,dc=org

Bind Password

Password used for authentication.

Empty

Member Attribute

Naming attribute for group membership.

memberOf

Username Attribute

Naming attribute for users.

User Search Base

Relative Distinguished Name (RDN) of your user entries.

ou=users,dc=example,dc=org

User Object Class

Object class used for user entries.

inetOrgPerson

Additional User Object Classes

Auxiliary classes for user entries

simpleSecurityObject, sambaSamAccount

Groupname Attribute

Naming attribute for groups.

Group Object Class

Object class used for group entries.

groupOfUniqueNames

Group Member Attribute

Naming attribute for group membership.

uniqueMember

Group Search Base

Relative Distinguished Name (RDN) of your group entries.

ou=groups,dc=example,dc=org

User RDN attribute

The attribute which is a part of the user's DN (the leftmost component of the DN).

Empty, defaults to the username attribute

Limit synchronization to these groups

Limits all LDAP actions only to users belonging to one of the specified groups, both ways. Values should be provided as a list separated by commas.

Empty

Settings in depth

There are a few settings that may be not so obvious:

Additional User Object Classes: User object classes that will be assigned to a user and will also define assigned attributes. For example, simpleSecurityObject will make users posses the userPasswordattribute.
User Object Class: The structural class of your users. Just like the additional user object classes it will define the added attributes but also will be used during user search. Defguard will only consider entries with this class as users.

Changing the RDN attribute may cause your users to be re-added to Defguard, causing potential loss of Defguard-specific user data, e.g. their device information.

User RDN attribute: The attribute used in your user's DN. It will be used to link users between LDAP and Defguard. Depending on your setup, it may be different than the attribute used for usernames. If left empty, your username attribute will be used instead. For example: Given a user DN of cn=user1,cn=users,dc=ad,dc=example,dc=com you would set the RDN attribute to cn.
Username attribute: The username attribute which will be used to set the username of a Defguard user. The following restrictions apply:
- Only alphanumeric characters except for ., - or _
- At least 1 and at most 64 characters

To use this feature, your LDAP user entries must posses the "memberOf" attribute (or it's equivalent, defined using the member attribute), which may not be available by default on your LDAP server. This may require enabling an appropriate module.

Limit synchronization to these groups: limits the synchronization scope to only the members of the selected groups, this works both ways:
- Changes in Defguard will be propagated to LDAP only if a user belongs to a given group in Defguard.
- If the two way synchronization is enabled, only the users belonging to the specified groups will be fetched from the LDAP server.
- Adding a user to one of the synchronization groups in Defguard will automatically create that user in LDAP if they don't exist yet. If they already exists, their LDAP data (e.g. the email address) will be overwritten with the data in Defguard if only the one way synchronization (Defguard -> LDAP) is enabled. Otherwise if the two way synchronization is enabled the selected authority server will be respected.

PreviousConfiguration NextTwo-way LDAP and Active Directory synchronization

Last updated 3 days ago

Was this helpful?

Settings in depth

There are a few settings that may be not so obvious:

Additional User Object Classes: User object classes that will be assigned to a user and will also define assigned attributes. For example, simpleSecurityObject will make users posses the userPasswordattribute.

User Object Class: The structural class of your users. Just like the additional user object classes it will define the added attributes but also will be used during user search. Defguard will only consider entries with this class as users.

Changing the RDN attribute may cause your users to be re-added to Defguard, causing potential loss of Defguard-specific user data, e.g. their device information.

User RDN attribute: The attribute used in your user's DN. It will be used to link users between LDAP and Defguard. Depending on your setup, it may be different than the attribute used for usernames. If left empty, your username attribute will be used instead. For example: Given a user DN of cn=user1,cn=users,dc=ad,dc=example,dc=com you would set the RDN attribute to cn.

Username attribute: The username attribute which will be used to set the username of a Defguard user. The following restrictions apply:

Only alphanumeric characters except for ., - or _
At least 1 and at most 64 characters

Limit synchronization to these groups: limits the synchronization scope to only the members of the selected groups, this works both ways:

Changes in Defguard will be propagated to LDAP only if a user belongs to a given group in Defguard.
If the two way synchronization is enabled, only the users belonging to the specified groups will be fetched from the LDAP server.
Adding a user to one of the synchronization groups in Defguard will automatically create that user in LDAP if they don't exist yet. If they already exists, their LDAP data (e.g. the email address) will be overwritten with the data in Defguard if only the one way synchronization (Defguard -> LDAP) is enabled. Otherwise if the two way synchronization is enabled the selected authority server will be respected.