User LDAP Authentication
USP supports LDAP as an authentication source for Users. This feature enables authenticating to USP through an LDAP directory, providing centralized identity and access management for the USP Admin UI and USP REST API.
By configuring LDAP as an Auth Source, you can:
- Authenticate Users against an LDAP directory.
- Automatically provision Users on first successful login (Just-in-Time provisioning).
- Assign roles based on LDAP attribute values.
- Keep User details synchronized with LDAP on each login.
Only one LDAP service can be active at a time for authenticating Users. To use LDAP for authenticating Accounts, see Inbound Authentication Source in the Rules documentation.
Before You Begin
JIT Provisioning and Data Updates
USP supports Just-in-Time (JIT) provisioning for LDAP-authenticated Users, automatically creating Users in USP Manager the first time they successfully log in. This means there is no need to pre-create these Users.
On first login, USP queries the LDAP directory using the configured LDAP Connection and LDAP Query:
- If exactly one match is found, a new User is created with attributes populated from the LDAP attribute mappings. The role is assigned based on the configured Role Attribute (or defaulted to the Default Role Assignment value).
- If no match or multiple matches are found, the login is rejected.
On subsequent logins, USP updates the User's Name and Email if changes are detected in LDAP, and the Updated At timestamp is refreshed when updates occur (the Username remains immutable to ensure identity consistency).
If an LDAP user is removed from the LDAP directory, or if the entire User LDAP Authentication Auth Source is deleted from USP, the Users will remain listed in USP but will no longer be able to log in. To avoid losing access, make sure at least one User with Standard authentication and the Admin role exists before removing LDAP authentication.
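The JIT provisioning rules above as a small simulation, added here as an example and not USP's own code: it assumes an attribute mapping of mail, cn and a hypothetical uspRole attribute, a READONLY default role, and a constructed set of LDAP search results.

```python
from datetime import datetime, timezone

VALID_ROLES = {"ADMIN", "READONLY"}  # the only values the Role Attribute may carry

def resolve_role(entry, role_attr, default_role):
    # A missing or unexpected Role Attribute value falls back to the Default Role Assignment.
    value = entry.get(role_attr)
    return value if value in VALID_ROLES else default_role

def jit_login(username, matches, users, email_attr, name_attr, role_attr, default_role):
    """Apply the JIT rules to `matches`, the entries the LDAP Query returned for
    `username`. Mutates `users` (username -> record) and returns (outcome, record)."""
    if len(matches) != 1:  # zero or several matches: the login is rejected
        raise ValueError(f"{len(matches)} LDAP entries matched {username!r}; need exactly 1")
    entry, now = matches[0], datetime.now(timezone.utc)
    user = users.get(username)
    if user is None:  # first login: provision from the attribute mappings
        user = users[username] = {"username": username, "name": entry[name_attr],
                                  "email": entry[email_attr], "updated_at": now,
                                  "role": resolve_role(entry, role_attr, default_role)}
        return "created", user
    # Later logins: only Name and Email are synchronised; the username key is never
    # rewritten, and Updated At is refreshed only when something actually differs.
    new_name, new_email = entry[name_attr], entry[email_attr]
    if (user["name"], user["email"]) == (new_name, new_email):
        return "unchanged", user
    user.update(name=new_name, email=new_email, updated_at=now)
    return "updated", user

# Constructed LDAP search results, keyed by the username that was looked up.
DIRECTORY = {
    "alice": [{"cn": "Alice Admin", "mail": "alice@example.com", "uspRole": "ADMIN"}],
    "bob": [{"cn": "Bob Reader", "mail": "bob@example.com", "uspRole": "superuser"}],
    "carol": [],  # no match -> rejected
    "dave": [{"cn": "Dave 1"}, {"cn": "Dave 2"}],  # ambiguous -> rejected
}
CFG = dict(email_attr="mail", name_attr="cn", role_attr="uspRole", default_role="READONLY")

def demo():
    users, out = {}, {}
    for name, matches in DIRECTORY.items():
        try:
            outcome, user = jit_login(name, matches, users, **CFG)
            out[name] = (outcome, user["role"])
        except ValueError:
            out[name] = ("rejected", None)
    alice_now = [dict(DIRECTORY["alice"][0], mail="alice.new@example.com")]  # changed in LDAP
    out["alice-again"] = jit_login("alice", alice_now, users, **CFG)[0]
    return out
```

Bob's unexpected role value lands him on the default role rather than failing the login, while carol and dave are refused outright.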
Configuring User LDAP Authentication
Before configuring User LDAP Authentication, make sure the required LDAP Connection and LDAP Query have already been created.
To enable LDAP authentication for Users, follow these steps:
- From the Sidebar, click General > Auth Sources.
- Click the User LDAP Authentication card.
- Complete the details for LDAP using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| LDAP Connection | The LDAP Connection used for User authentication. | Must reference an already-created LDAP Connection. | Yes |
| LDAP Query | The LDAP Query used for User authentication. | Must reference an already-created LDAP Query. | Yes |
| Email Attribute | The LDAP attribute used to identify the User's email address. | Typically mail. | Yes |
| Name Attribute | The LDAP attribute used to identify the User's name or full name. | Typically cn. | Yes |
| Role Attribute | The LDAP attribute used to identify the User's role. | The value must be either ADMIN or READONLY, otherwise the Default Role Assignment is applied. | Yes |
| Default Role Assignment | The default role assigned if USP cannot locate the LDAP Role Attribute or if its value doesn't match ADMIN or READONLY. | | Yes |
Managing User LDAP Authentication
Testing User LDAP Authentication Connection
After configuring LDAP as an Auth Source, you can test the LDAP connection from USP by following these steps:
- From the Sidebar, click General > Auth Sources.
- Click the User LDAP Authentication card.
- Click the Test LDAP button above the User LDAP Authentication details.
Testing the LDAP connection does not synchronize the LDAP server with USP. The test just reports the status of the connection.
Editing User LDAP Authentication
To edit the User LDAP Authentication configuration, follow these steps:
- From the Sidebar, click General > Auth Sources.
- Click the User LDAP Authentication card.
- Click the Edit button above the User LDAP Authentication details.
- Edit the LDAP details using the Field Descriptions table as a guide.
- Click Save.
User LDAP Authentication Metadata
User LDAP Authentication details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| Created At | Date and time this User LDAP Authentication was created. |
| Updated At | Date and time this User LDAP Authentication was last updated. |
Deleting User LDAP Authentication
Before deleting LDAP configuration, ensure that at least one User with Admin role and Standard authentication remains available. Otherwise, you may lose administrative access to USP Manager.
To delete User LDAP Authentication, follow these steps:
- From the Sidebar, click General > Auth Sources.
- Click the User LDAP Authentication card.
- Click the Delete button above the User LDAP Authentication details.
- You will be asked to confirm the deletion. Click Delete.
If User LDAP Authentication is deleted, existing LDAP-provisioned Users will remain visible in the Users list but will no longer be able to authenticate via LDAP. Similarly, deleting an LDAP-provisioned User from the list does not prevent them from logging in again (their User will be re-created upon successful authentication).