Active Directory Authentication (Advanced)
This article covers authenticating users against Active Directory. The advanced setup is very similar to the general LDAP setup, so please read LDAP Authentication first.
Step 1: Choose an authentication type
When creating a new authentication method, choose Microsoft Active Directory from the dropdown list. In doing so, all special settings are adjusted to Active Directory LDAP.
Step 2: Setup
Domain / LDAP URI
Please refer to LDAP Authentication for more information about these fields.
Login Scheme
For more information about the Login Scheme field, please read the article Login Scheme first.
Group Mapping
Please refer to LDAP Authentication for more information about these fields.
Expert Settings
Choosing a bind method
As bind method you can choose between binding directly with the login credentials and binding with a given username and password. Binding as an anonymous user has to be explicitly allowed on the Active Directory server, so it is not recommended.
Method 1: Bind directly by the login credentials
Active Directory LDAP servers let a user bind with either the distinguishedName or the userPrincipalName attribute. Usually the userPrincipalName is the username (sAMAccountName) joined with an @ to the AD domain name; check this in your directory, because the UPN suffix can be configured to differ from the domain name.
Assume your AD domain name is example.com. Below are a few examples of how to set up the authentication method for different outcomes:
| Login Scheme | Bind Scheme | Example Login | Constructed Bind Name | Authenticated? | Notes |
|---|---|---|---|---|---|
| {username} | {username}@{domain} | alice | alice@example.com | yes | default setup |
| {username} | {username} | alice | alice | no | alice alone is neither a UPN nor a DN |
| {username} | {username}@{domain} | alice@example.com | alice@example.com@example.com | no | {username} captured the whole login |
| {username}@{domain} | {username}@{domain} | alice | none | no | login does not match the login scheme |
| {username}@{domain} | {username}@{domain} | alice@example.com | alice@example.com | yes | |
| {username}@{domain} | {username}@{domain} | alice@other_domain | none | no | login does not match the login scheme |
| {username}@other_domain | {username}@{domain} | alice@other_domain | alice@example.com | yes | rewriting of the domain |
| {username}@other_domain | {username}@{domain} | alice@example.com | none | no | login does not match the login scheme |
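The rules behind the table (match the login against the login scheme, take the `{username}` part, fill it into the bind scheme together with the configured domain, then bind) can be written down as a small function. The following is an added example and not the application's own code: the regex-based scheme matching is my reading of the table, the domain `example.com` is the article's, and the set of accepted bind identities is a constructed stand-in for what the directory would accept (alice's userPrincipalName and a hypothetical distinguishedName).

```python
import re
from typing import Optional, Tuple

# Configured AD domain, as in the article's examples.
DOMAIN = "example.com"

# Constructed stand-in for the directory (example data, not from the article):
# the only identities AD accepts for a simple bind as alice are her
# userPrincipalName and her distinguishedName. A bare sAMAccountName such as
# "alice" is deliberately not in this set, matching the table.
KNOWN_BIND_IDENTITIES = {
    "alice@example.com",
    "CN=alice,CN=Users,DC=example,DC=com",
}


def scheme_to_regex(login_scheme: str, domain: str) -> "re.Pattern[str]":
    """Compile a login scheme into an anchored regex.

    {username} captures any non-empty text, {domain} matches the configured
    domain literally, and every other character matches literally.
    """
    pattern = ""
    for part in re.split(r"(\{username\}|\{domain\})", login_scheme):
        if part == "{username}":
            pattern += r"(?P<username>.+)"
        elif part == "{domain}":
            pattern += re.escape(domain)
        else:
            pattern += re.escape(part)
    return re.compile(r"\A" + pattern + r"\Z")


def extract_username(login_scheme: str, login: str, domain: str) -> Optional[str]:
    """Return the {username} part of the login, or None if the login does not
    fit the scheme (the 'none' rows of the table)."""
    match = scheme_to_regex(login_scheme, domain).match(login)
    return match.group("username") if match else None


def build_bind_identity(login_scheme: str, bind_scheme: str, login: str,
                        domain: str) -> Optional[str]:
    """Fill the bind scheme with the extracted username and the configured domain."""
    username = extract_username(login_scheme, login, domain)
    if username is None:
        return None
    return bind_scheme.replace("{username}", username).replace("{domain}", domain)


def try_login(login_scheme: str, bind_scheme: str, login: str,
              domain: str = DOMAIN) -> Tuple[Optional[str], bool]:
    """Reproduce one table row: the constructed bind identity (None for 'none')
    and whether the constructed directory would accept it for a bind."""
    bind_identity = build_bind_identity(login_scheme, bind_scheme, login, domain)
    accepted = bind_identity is not None and bind_identity in KNOWN_BIND_IDENTITIES
    return bind_identity, accepted


if __name__ == "__main__":
    # The rows of the article's table, in order.
    rows = [
        ("{username}", "{username}@{domain}", "alice"),
        ("{username}", "{username}", "alice"),
        ("{username}", "{username}@{domain}", "alice@example.com"),
        ("{username}@{domain}", "{username}@{domain}", "alice"),
        ("{username}@{domain}", "{username}@{domain}", "alice@example.com"),
        ("{username}@{domain}", "{username}@{domain}", "alice@other_domain"),
        ("{username}@other_domain", "{username}@{domain}", "alice@other_domain"),
        ("{username}@other_domain", "{username}@{domain}", "alice@example.com"),
    ]
    for login_scheme, bind_scheme, login in rows:
        bind_identity, accepted = try_login(login_scheme, bind_scheme, login)
        print(f"{login_scheme:26} {bind_scheme:22} {login:20} "
              f"{bind_identity or 'none':32} {'yes' if accepted else 'no'}")
```

Because `{username}` matches greedily, a login scheme of just `{username}` swallows a full address such as `alice@example.com`, which is why that row ends up with `alice@example.com@example.com`; a login scheme that anchors the domain (`{username}@{domain}`) rejects logins for other domains instead of silently rewriting them, and `{username}@other_domain` is the deliberate way to rewrite.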
Method 2: Bind anonymously
This method will not work unless you have explicitly allowed anonymous binds in your AD configuration.
Method 3: Bind by given username and password
For this you have to provide the credentials of an account that is allowed to browse the AD directory. The advantage of this method is that only that account needs permission to read the directory; the login user itself needs no permissions. Use a dedicated service account with read-only rights for this, since its credentials have to be stored in the application configuration.
A common setup could look like this:

```
loginAttribute = 'mail';
bindAttribute = 'userPrincipalName';
```

With that configuration, users can log in with the e-mail address stored in the mail attribute of their AD entry (which is not the default setup).
For Active Directory the Bind Attribute can only be either userPrincipalName or distinguishedName.
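With Method 3 the login value is no longer the bind name itself: the service account first searches the directory for the entry whose login attribute (here `mail`) equals the login, and only then is the user bound with that entry's bind attribute. The search filter is where the user-supplied login is interpolated, so it has to be escaped per RFC 4515, and the lookup has to refuse ambiguous results. The following is an added example, not the application's own code: the directory entries are constructed, and the small filter evaluator stands in for the LDAP server so the example runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Bind attributes Active Directory accepts for a simple bind (per the article).
ALLOWED_BIND_ATTRIBUTES = ("userPrincipalName", "distinguishedName")

# Constructed directory content (example data, not from the article). alice's
# mail address differs from her userPrincipalName, which is exactly the case
# loginAttribute = 'mail' / bindAttribute = 'userPrincipalName' is for.
DIRECTORY: List[Dict[str, str]] = [
    {
        "distinguishedName": "CN=alice,CN=Users,DC=example,DC=com",
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@example.com",
        "mail": "alice.smith@example.com",
    },
    {
        "distinguishedName": "CN=bob,CN=Users,DC=example,DC=com",
        "sAMAccountName": "bob",
        "userPrincipalName": "bob@example.com",
        "mail": "bob@example.com",
    },
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Without this, a login such as '*' or 'x)(objectClass=*' would change the
    meaning of the filter the service account sends to the directory.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(login_attribute: str, login: str) -> str:
    """Filter the service account uses to find the entry for the login value."""
    return "(%s=%s)" % (login_attribute, escape_filter_value(login))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def evaluate_equality_filter(directory: List[Dict[str, str]],
                             search_filter: str) -> List[Dict[str, str]]:
    """Stand-in for the LDAP server: evaluates a single (attr=value) filter.

    A bare '*' is the presence filter and matches every entry that has the
    attribute; anything else is compared literally after unescaping, and
    case-insensitively, as AD does for mail and userPrincipalName.
    """
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", search_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % search_filter)
    attr, raw = m.group(1), m.group(2)
    if raw == "*":
        return [e for e in directory if attr in e]
    wanted = _unescape(raw).lower()
    return [e for e in directory if e.get(attr, "").lower() == wanted]


def resolve_bind_identity(directory: List[Dict[str, str]], login_attribute: str,
                          bind_attribute: str, login: str) -> Tuple[str, Optional[str]]:
    """Method 3, step by step: validate the bind attribute, build the escaped
    filter, require exactly one matching entry, and return the value the
    application must then use to bind as the user (None means: refuse)."""
    if bind_attribute not in ALLOWED_BIND_ATTRIBUTES:
        raise ValueError("AD only accepts %s as bind attribute"
                         % " or ".join(ALLOWED_BIND_ATTRIBUTES))
    search_filter = build_search_filter(login_attribute, login)
    entries = evaluate_equality_filter(directory, search_filter)
    if len(entries) != 1:  # no match, or an ambiguous match: do not bind
        return search_filter, None
    return search_filter, entries[0].get(bind_attribute)


if __name__ == "__main__":
    print(resolve_bind_identity(DIRECTORY, "mail", "userPrincipalName", "alice.smith@example.com"))
    print(resolve_bind_identity(DIRECTORY, "mail", "userPrincipalName", "*"))
    # What an unescaped login of '*' would have asked the directory for:
    print(len(evaluate_equality_filter(DIRECTORY, "(mail=*)")), "entries")
```

The escaped login `*` becomes `(mail=\2a)`, which matches nobody, whereas the unescaped `(mail=*)` is a presence filter matching every entry with a mail attribute; the "exactly one entry" check is what turns that into a refusal rather than a bind as whichever user happens to come first.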