LDAP
LDAP authentication enables UDMG to integrate with your existing enterprise identity systems, such as Microsoft Active Directory or OpenLDAP. You can configure LDAP authentication separately for Users, Accounts, or both. Each can connect to a different directory provider if needed.
Once configured, Users and Accounts authenticate using their LDAP credentials, reducing administrative overhead, ensuring consistent access policies, and enhancing overall security.
In UDMG, there are two distinct Configuration Items that require authentication, Users and Accounts, but LDAP does not have this concept. From the perspective of the LDAP server, there is no difference between Users and Accounts (everything is a 'user'). To distinguish between the UDMG-specific concept of a User, and the generic user on an LDAP server, this doc uses two terms: "UDMG User" and "LDAP user".
LDAP Configuration
LDAP is configured at the Domain level, meaning it can only be used to authenticate UDMG Users and Accounts within the specific Domain. If you want to use the same LDAP provider across multiple Domains, it must be configured separately in each Domain.
To configure LDAP settings for UDMG Users and Accounts in your Domain, follow these steps:
- From the Sidebar, click General > Domain.
- Click User LDAP Authentication or Account LDAP Authentication.
- Fill out the fields for the new LDAP settings using the Field Descriptions table as a guide.
- Click Save.
Only Admin Users can configure Account and User LDAP authentication.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| LDAP Host | The host and optional port of the LDAP server (e.g., ldap.example.com:389). | If the port isn't supplied, it will be guessed based on the TLS configuration. | Yes |
| Description | Optional description for this LDAP configuration. | | No |
| Use SSL/TLS Connection | A toggle switch to enable or disable SSL/TLS. If SSL/TLS is enabled, the root certificate installed on the system will be used. | Default value: Enabled. | Yes |
| Bind Credentials | The Credential containing the password for the Bind DN. The connector uses these Credentials to search for UDMG Users and Account Groups. | Must reference an already created Username and Password. | Yes |
| Base DN | The Base DN from where to start the LDAP user search. For example, dc=udmg,dc=local. | | Yes |
| User ID Attribute | The LDAP attribute containing the UDMG Username/Account Name to map. | | Yes |
| User Filter | The LDAP filter applied when searching the directory for LDAP user entries (e.g., (objectClass=person)). If the field contains an * ((objectClass=*)), then both LDAP user and LDAP group entries are pulled into UDMG. | | Yes |
| UDMG to LDAP Attribute Mapping | Map LDAP fields to UDMG User fields. Enter the exact attribute name from your LDAP provider for each UDMG field. | | No |
Managing an LDAP Configuration
Viewing LDAP Configuration Details
To view the details of an LDAP configuration, follow these steps:
- From the Sidebar, click General > Domain.
- Click the User LDAP Authentication or Account LDAP Authentication card you want to view.
LDAP configuration details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
LDAP Configuration Metadata
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this LDAP configuration. |
| Version | Version number of the latest configuration of the LDAP configuration. |
| Created | Date and time this LDAP configuration was created. |
| Updated | Date and time this LDAP configuration was last updated. |
LDAP Test
After configuring an LDAP provider, you can test the connection to UDMG.
Click the Test LDAP button above the LDAP Details. You will see a popup that says whether the system was able to connect and, if the connection was successful, the number of LDAP users retrieved that match the User Filter.
Testing the LDAP connection does not synchronize the LDAP server with UDMG. The test simply reports the status of the connection.
LDAP Sync
UDMG Users and Accounts are automatically synchronized with the LDAP server every day at midnight by default. You can also trigger a Sync manually via the Sync LDAP button (next to the Test LDAP button).
During an LDAP Sync, UDMG compares the LDAP users returned from the LDAP server with the UDMG Users and Accounts in the UDMG database. If any LDAP users do not have corresponding UDMG Users/Accounts, new User/Account records will be generated in UDMG automatically. See the sections below for a detailed overview of this process for UDMG Users and Accounts.
The UDMG Account Group referenced in the Account LDAP configuration must be created and match exactly before the Account LDAP sync or the sync will not work.
Users
This diagram describes the process of synchronizing LDAP users with UDMG Users. It covers checking for existing UDMG Users, creating new Users, and updating User information.
By default, UDMG Users created via LDAP Sync are given the Read-only Role. If they need additional access, the Domain Admin can change the User's role.
Sync Result
After the Sync completes, you will see a popup that says whether the Sync was a success and the number of LDAP users synced. Four metrics are given:
| Name | Description |
|---|---|
| Processed | Number of UDMG Users synced. |
| Skipped | Number of LDAP users found whose corresponding UDMG User did not need to be updated or created. |
| Failed | Number of LDAP users that failed to sync (due to some system failure). |
| Total | Total number of LDAP users returned by the LDAP server. |
These metrics only count UDMG Users with Login Method = LDAP.
Accounts
This diagram describes the process of synchronizing Accounts from an LDAP server into the UDMG system. It covers checking for existing Accounts, creating new Accounts, and handling Account Group access.
Sync Result
After the Sync completes, you will see a popup that says whether the Sync was a success and the number of LDAP users synced. Four metrics are given:
| Name | Description |
|---|---|
| Processed | Number of LDAP users synced. |
| Skipped | Number of LDAP users without a matching Account Group, or Accounts that already exist in UDMG. |
| Failed | Number of LDAP users that failed to sync (due to some system failure). |
| Total | Total number of LDAP users returned by the LDAP server. |
These metrics only count UDMG Users and Accounts with Login Method = LDAP.
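A simplified model of the Account LDAP Sync and of the User Filter caveat above (a wildcard filter pulls group entries in alongside user entries). This is an added example, not UDMG's own code; the directory entries are constructed, the attribute names (uid, memberOf), the use of memberOf as the Account Group name, and counting an entry without the User ID Attribute as Failed are assumptions.

```python
# Added example, not UDMG code: a simplified model of the Account LDAP Sync.
# Attribute names (uid, memberOf) and the memberOf -> Account Group mapping are assumptions.

# Constructed sample directory: three person entries and one group entry (no uid).
DIRECTORY = [
    {"objectClass": "person", "uid": "alice", "memberOf": "transfer-ops"},
    {"objectClass": "person", "uid": "bob", "memberOf": "finance"},
    {"objectClass": "person", "uid": "carol", "memberOf": "transfer-ops"},
    {"objectClass": "groupOfNames", "cn": "engineers"},
]


def ldap_search(entries, user_filter):
    """Tiny evaluator for a single-term User Filter such as (objectClass=person).
    A value of '*' matches every entry, which is why (objectClass=*) returns
    group entries as well as user entries."""
    attr, _, value = user_filter.strip().strip("()").partition("=")
    return [e for e in entries if value == "*" or e.get(attr) == value]


def sync_accounts(ldap_users, id_attr, existing_accounts, account_groups):
    """Reconcile LDAP users with UDMG Accounts and return the four Sync Result metrics.

    existing_accounts: dict keyed by Account Name (mutated: new Accounts are added).
    account_groups:    set of Account Group names that already exist in UDMG and
                       must match the directory value exactly.
    """
    metrics = {"Processed": 0, "Skipped": 0, "Failed": 0, "Total": len(ldap_users)}
    for entry in ldap_users:
        name = entry.get(id_attr)
        if name is None:
            # No User ID Attribute (e.g. a group entry let through by a '*' filter):
            # treated here as a failed entry (assumption).
            metrics["Failed"] += 1
            continue
        group = entry.get("memberOf")
        if name in existing_accounts or group not in account_groups:
            # Already provisioned, or no exactly matching Account Group: skipped.
            metrics["Skipped"] += 1
            continue
        existing_accounts[name] = {"login_method": "LDAP", "account_group": group}
        metrics["Processed"] += 1
    return metrics
```

Running the same directory through `(objectClass=person)` and `(objectClass=*)` shows the group entry appearing only in the second result set and landing in the Failed count.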
LDAP Sync Interval
You can configure the Sync interval for UDMG Users and Accounts in the ldap block in the Configuration File.
```hcl
ldap {
  ldapAccountSyncInterval = "24h"
  ldapUserSyncInterval = "1h"
}
```
The arguments are described below:
| HCL Argument Name | Description | Value Type | Default Value |
|---|---|---|---|
| ldap.ldapAccountSyncInterval | Defines how often UDMG synchronizes LDAP users that are linked to UDMG Users. Leave empty ( Allowed time units: | string | "1h" |
| ldap.ldapUserSyncInterval | Defines how often UDMG synchronizes LDAP users that are linked to UDMG Accounts. Leave empty ( | string | "1h" |
Editing LDAP-Provisioned UDMG Users and Accounts
To edit the details of an LDAP-provisioned UDMG User or Account, follow these steps:
- From the Sidebar, click General > Users or General > Accounts.
- Click the Username of the Configuration Item you want to edit.
- Click the Edit button above the User or Account details.
- For UDMG Users, only the Require Two-factor Authentication (TOTP) and Role fields are editable.
- For UDMG Accounts, only the Description, Account Groups, and Credentials fields are editable.
Editing LDAP Configuration Details
To edit the details of an LDAP configuration, follow these steps:
- From the Sidebar, click General > Domain.
- Click the User LDAP Authentication or Account LDAP Authentication card you want to view.
- Click the Edit button above the LDAP configuration details.
Deleting LDAP-Provisioned UDMG Users and Accounts
To delete an LDAP-provisioned UDMG User or Account, follow these steps:
- From the Sidebar, click General > Users or General > Accounts.
- Click the Username of the Configuration Item you want to delete.
- Click the Delete button above the details.
- You will be asked to confirm the deletion. Click Delete.
Deleting an LDAP-provisioned UDMG User or Account removes them from the list, but they will reappear if they authenticate again. To permanently prevent access, first remove the LDAP user (or Account) from the enterprise identity system, and optionally delete them from the UDMG User or Account page.
Deleting an LDAP Configuration
Deleting an LDAP configuration is straightforward; however, you must plan what to do with any orphaned UDMG Users or Accounts that have already been provisioned. Those options include:
| Option | When to Choose | Result |
|---|---|---|
| Delete the Users or Accounts | No plans to migrate to a new configuration, or don't want to preserve the records. | Users or Accounts are removed from UDMG; if they authenticate later via an active LDAP configuration, they will be re-provisioned. |
| Retain as orphaned | You need the records for auditing but do not want Users or Accounts to log in. | Users or Accounts remain visible but cannot authenticate; even with a new LDAP configuration, their usernames remain tied to the deprecated LDAP configuration. |
To delete an LDAP configuration, follow these steps:
- From the Sidebar, click General > Domain.
- Click the User LDAP Authentication or Account LDAP Authentication card.
- Click the Delete button above the LDAP configuration details.
- You will be asked to confirm the deletion. Click Delete.
Deleting an LDAP configuration blocks new login attempts for associated Users or Accounts. Existing sessions remain active until they expire or the User or Account logs out.