# Configuration

{% hint style="warning" %}
Active Directory support is available in Defguard ≥ v1.3.0
{% endhint %}

The LDAP/AD integration allows synchronizing users between Defguard and your LDAP/AD server, in either or both directions.

## Synchronization direction

The table below describes supported synchronization directions.

<table><thead><tr><th width="296">Synchronization Direction</th><th width="436">Details</th></tr></thead><tbody><tr><td>Defguard -> LDAP</td><td>The default mode after enabling the LDAP integration.</td></tr><tr><td>Defguard &#x3C;-> LDAP</td><td><a data-mention href="two-way-ldap-and-active-directory-synchronization">two-way-ldap-and-active-directory-synchronization</a></td></tr><tr><td>LDAP -> Defguard</td><td><a data-mention href="#one-way-ldap-greater-than-defguard-synchronization">#one-way-ldap-greater-than-defguard-synchronization</a></td></tr></tbody></table>

## Setup

First, navigate to the settings page and select the LDAP tab.

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-149760898d00896fe6f713cc861c30b2120481bc%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Now fill in the fields to match your LDAP instance.

For an LDAP server that supports TLS/SSL, configure one of the TLS-related options. Check "Use StartTLS" if your server upgrades plain `ldap://` connections with StartTLS; alternatively, use an `ldaps://` URL to connect over TLS from the start. If you don't want to provide Defguard with your LDAP server's certificate, you can also disable certificate verification here. Be aware that Defguard will then accept any certificate, so the bind credentials and any user passwords it sends can be intercepted by anyone able to interpose on the connection; treat that option as a testing shortcut rather than a production setting.

If you are trying to connect to Active Directory, check "LDAP server is Active Directory". Make sure to read [#example-active-directory-configuration](#example-active-directory-configuration "mention") for a working example.

{% hint style="info" %}
You can find brief explanations of each of these settings on this [page](https://docs.defguard.net/features/ldap-and-active-directory-integration/settings-table).
{% endhint %}

After you save your LDAP settings, you can check if your Defguard instance can connect and authenticate to your LDAP server via the "Test" button.

{% hint style="warning" %}
Testing your connection doesn't mean the whole configuration is correct. Currently, Defguard only verifies that a connection can be made and that the provided bind credentials are accepted; it does not validate the search base, object classes, or attribute mappings.
{% endhint %}

After enabling the LDAP integration, you will gain the ability to log in to Defguard through LDAP. Additionally, all your Defguard user changes after you enable the integration will be propagated to LDAP. This is a simple one-way (Defguard -> LDAP) synchronization.

## Example configurations

### Example Active Directory configuration

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-70f2742947ea81ce6a68fc41115bc1b49a5a3387%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-650dc2d390c2c18e48f1f10055cc7c2db8b7a953%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-1da67db1b81357541f7f5f0ec356bcbf76b13fd0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This is an example configuration for a default Active Directory setup on Windows Server 2022. The most important part is checking "LDAP server is Active Directory", as AD support won't work otherwise. Additionally, `ldaps` has been configured because AD only accepts user passwords over an encrypted connection, which is critical if you expect to create users or set passwords through Defguard.

The "cn" attribute has been configured as the user's RDN attribute because that is what is used in the user's DN in our example setup (`cn=user1,cn=users,dc=ad,dc=example,dc=com`). This is different from the username attribute, which is mapped directly to the Defguard username.

### Example OpenLDAP configuration

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-002ca5a98757047cf00559ad67b167229f7a6d90%2Fimage%20(188).png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-9b9d1d19c23fc08641f1fbbb9a2003bedf43eab0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-72b627139796c12a2d80557f6419a21a196490e9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This is an example configuration for an OpenLDAP server integrated with Samba (hence the `sambaSamAccount` object class). `inetOrgPerson` has been set as the user structural class, which gives the LDAP user attributes such as `mail` and `mobile`. The `simpleSecurityObject` class has been added because it carries the `userPassword` attribute, which is needed to set passwords in LDAP.

## Known issues

### Multiple nested OUs

Multiple nested organizational units are supported in Defguard 1.4.0 and above.

If you are using an older version of Defguard, using the integration with multiple nested organizational units may currently lead to some unexpected behavior. The following issues are known to occur:

* If you have duplicate user RDNs across multiple OUs, a database error may occur (`Duplicate key violates unique constraint 'unique_ldap_rdn'`), breaking two-way synchronization. This happens in the following scenario:
  * `CN=user1,OU=ou1,OU=ou,DC=example`
  * `CN=user1,OU=ou2,OU=ou,DC=example`
* Limiting synchronization to selected groups may not work if your user's DN doesn't match the user search base:

  * Search base: `OU=ou,DC=example`
  * User's DN: `CN=user1,OU=ou1,OU=ou,DC=example`

  In this example, the user's DN has deeper nesting than the search base, preventing matching them during the group members lookup.

To work around this on older versions, limit the search base to a single organizational unit, if possible.
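The two conditions above (duplicate leaf RDNs, and users nested deeper than the search base), together with the RDN-attribute point from the Active Directory example, can be checked offline against a list of user DNs before you enable synchronization. The script below is an added example and not Defguard's own code; the `parse_dn`, `is_under_base`, `duplicate_rdns`, `nested_deeper_than_base`, `rdn_attribute_mismatches` and `preflight` helpers are assumptions of this example, and the sample DNs are constructed to mirror the nested-OU scenario in the list above. In practice you would feed it the DNs returned by an `ldapsearch` under your configured user search base.

```python
"""Pre-flight checks for Defguard's LDAP user RDN and search-base settings.

Added example, not code from Defguard or its documentation. It takes a list
of user DNs (as returned by an LDAP search under your configured base) and
reports the conditions described on this page: duplicate user RDNs across
nested OUs, users nested deeper than the search base, and a configured RDN
attribute that does not match the DNs. All sample DNs below are constructed.
"""
import re
from collections import defaultdict

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into [(attribute, value), ...], leaf RDN first.

    Attribute types are case-insensitive in LDAP, so they are lowercased;
    values keep their case and callers decide how to compare them.
    """
    parts = []
    for component in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN component: {component!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def rdn_of(dn: str) -> tuple[str, str]:
    """Leaf RDN, e.g. ('cn', 'user1') for cn=user1,cn=users,dc=ad,dc=example,dc=com."""
    return parse_dn(dn)[0]


def is_under_base(dn: str, base: str, *, one_level: bool = False) -> bool:
    """True if dn lies in the subtree of base (or exactly one level below it).

    Values are compared case-insensitively, matching how cn/ou/dc values are
    compared in AD and under OpenLDAP's caseIgnoreMatch rule.
    """
    dn_parts = [(a, v.lower()) for a, v in parse_dn(dn)]
    base_parts = [(a, v.lower()) for a, v in parse_dn(base)]
    if len(dn_parts) <= len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    return not one_level or len(dn_parts) == len(base_parts) + 1


def duplicate_rdns(dns: list[str]) -> dict[tuple[str, str], list[str]]:
    """Group DNs sharing a leaf RDN; these collide on unique_ldap_rdn in Defguard < 1.4.0."""
    groups: dict[tuple[str, str], list[str]] = defaultdict(list)
    for dn in dns:
        attr, value = rdn_of(dn)
        groups[(attr, value.lower())].append(dn)
    return {rdn: found for rdn, found in groups.items() if len(found) > 1}


def nested_deeper_than_base(dns: list[str], base: str) -> list[str]:
    """DNs inside the base's subtree but not directly under it (the group-lookup mismatch case)."""
    return [dn for dn in dns
            if is_under_base(dn, base) and not is_under_base(dn, base, one_level=True)]


def rdn_attribute_mismatches(dns: list[str], configured_attr: str) -> list[str]:
    """DNs whose leaf RDN attribute differs from the RDN attribute configured in Defguard."""
    wanted = configured_attr.lower()
    return [dn for dn in dns if rdn_of(dn)[0] != wanted]


def preflight(dns: list[str], base: str, configured_rdn_attr: str) -> dict:
    """Run every check and return the findings in one dict."""
    return {
        "duplicate_rdns": duplicate_rdns(dns),
        "nested_deeper_than_base": nested_deeper_than_base(dns, base),
        "rdn_attribute_mismatches": rdn_attribute_mismatches(dns, configured_rdn_attr),
    }


# Constructed sample: the nested-OU layout from the known-issues list above,
# plus a user with an escaped comma in its RDN to exercise the parser.
SAMPLE_USER_DNS = [
    "CN=user1,OU=ou1,OU=ou,DC=example",
    "CN=user1,OU=ou2,OU=ou,DC=example",
    "CN=user2,OU=ou,DC=example",
    "CN=Doe\\, Jane,OU=ou1,OU=ou,DC=example",
]
SAMPLE_SEARCH_BASE = "OU=ou,DC=example"

if __name__ == "__main__":
    for name, finding in preflight(SAMPLE_USER_DNS, SAMPLE_SEARCH_BASE, "cn").items():
        print(f"{name}: {finding}")
```

Run on the sample data, it reports both `user1` entries as a duplicate RDN and the three users under `OU=ou1`/`OU=ou2` as nested deeper than `OU=ou,DC=example`; `user2`, which sits directly under the base, is not flagged. Attribute types are lowercased before comparison because LDAP treats them case-insensitively, so a mismatch between `cn` and `CN` in your Defguard settings is a Defguard-side quirk rather than anything the directory itself cares about.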

### User not able to login when synchronization groups are defined, despite being a member

There is a [known bug](https://github.com/DefGuard/defguard/issues/1906) where the letter case of the group name attribute matters. As a workaround, try changing the case of that attribute (e.g. `cn` -> `CN`).

### One way LDAP -> Defguard synchronization

This mode is currently [not officially supported](https://github.com/DefGuard/defguard/issues/2011) but can be achieved by following a workaround:

1. Create a dedicated LDAP read-only user that will be used to connect (bind) to your LDAP/AD server. Provide the user credentials in the Connection settings.
2. Configure the integration and enable the two way synchronization, making sure to select the LDAP authority mode ([two-way-ldap-and-active-directory-synchronization](https://docs.defguard.net/features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization "mention")).

With this setup the integration will attempt to synchronize in both directions, but because the bind user has no write permissions, the LDAP server rejects Defguard's writes and only the desired (LDAP -> Defguard) direction takes effect. Make sure the bind account really is read-only on the user and group subtrees; if it can write, Defguard will start pushing its own user changes into LDAP.
