# LDAP Authentication

# LDAP Login Configuration

### **Directory Server**

In the top section, enter your LDAP server address using either the DNS name or IP address, followed by the port.

**Example:**  
`ldaps://global.corp.sadevio:636`

You may also define an optional secondary (fallback) LDAP server for redundancy.

---

### **Domain Bind Configuration**

In the bottom section, you can configure one or more **Domain Bind** entries. These are used to construct the distinguished name (DN) for user lookup during authentication.

The system supports the following user identification formats:

- **Down-Level Logon Name**  
    `NetBIOSDomainName\sAMAccountName`  
    Example: `domain\username` or `username@domain`
- **User Principal Name (UPN)**  
    Example: `username@abc.com`
- **Distinguished Name (DN)**  
    Example: `CN=username,OU=Users,DC=abc,DC=com`
- **Object SID**  
    Example: `S-1-5-21-3623811015-3361044348-30300820-1013`

---

### **Dynamic User Variables**

You can use placeholders in your Domain Bind configuration to dynamically insert user values:

- `${user_name}` → Inserts the username
- `${user_email}` → Inserts the user’s email address
- `${ad_user}` → Inserts the user’s AD user field

---

### **Example Domain Bind**

`CN=${user_name},OU=Staff,OU=Identities,DC=global,DC=corp,DC=sadevio`

---

### **Notes**

- Multiple Domain Bind entries can be added to support different login formats.
- The system will attempt each bind configuration until authentication succeeds.
- Ensure that your LDAP server supports LDAPS (recommended for secure communication).
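As an added illustration (not the product's own code), the Python below fills a Domain Bind template such as the example above from the dynamic user variables and then tries each configured entry in turn, as the Notes describe. The check worth seeing here is the RFC 4514 escaping of every substituted value: a username containing `,` or `=` must not be able to add or change RDNs in the resulting DN. `try_bind` is an assumed stand-in for the real LDAP bind so the selection logic runs offline.

```python
import re

_PLACEHOLDER = re.compile(r"\$\{(user_name|user_email|ad_user)\}")
_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:  # control characters, including NUL
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def render_bind_identity(template: str, user: dict) -> str:
    """Fill ${user_name}, ${user_email} and ${ad_user} into one Domain Bind entry.

    A DN-shaped template (contains '=') gets RFC 4514 escaping, so a value like
    'x,OU=Admins' cannot add or alter RDNs. A UPN or down-level template takes a
    plain account name, so any other characters are rejected instead.
    """
    is_dn = "=" in template

    def sub(m):
        key, value = m.group(1), user.get(m.group(1))
        if value is None:
            raise KeyError(key)  # this entry needs a field the user record lacks
        if is_dn:
            return escape_dn_value(value)
        if not re.fullmatch(r"[A-Za-z0-9._@-]+", value):
            raise ValueError(f"unsafe characters in {key}")
        return value

    return _PLACEHOLDER.sub(sub, template)

def authenticate(templates, user: dict, try_bind):
    """Try each Domain Bind entry in order; return the identity that bound, or None."""
    # try_bind(identity, password) -> bool is a stand-in for the real LDAP bind call.
    for tpl in templates:
        try:
            identity = render_bind_identity(tpl, user)
        except (KeyError, ValueError):
            continue  # entry not applicable to this user record; try the next one
        if try_bind(identity, user["password"]):
            return identity
    return None
```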

![image.png](https://help.sadevio.com/uploads/images/gallery/2026-04/image.png)

# LDAP Authentication on-premise

When hosting the system on-premise, additional configuration is required to enable LDAP / Active Directory authentication.

---

### **Tomcat Service Account**

The application server (Tomcat) must run under a user account that has permission to query the Active Directory.

- Configure the Tomcat service to run as a dedicated **Active Directory user**
- Ensure this user has: 
    - Read access to the directory
    - Permission to perform user lookups

---

### **LDAPS Certificate Configuration**

If you are using **LDAPS (recommended)**, the LDAP server’s SSL certificate must be trusted by Java.

You must import the LDAP server certificate into the Java **keystore (truststore)** used by Tomcat.

---

### **Steps to Import Certificate**

1. Export the SSL certificate from your LDAP / Domain Controller
2. Import the certificate into the Java keystore using:

    ```shell
    keytool -importcert \
      -alias ldap-cert \
      -file ldap_certificate.crt \
      -keystore $JAVA_HOME/lib/security/cacerts
    ```

3. Restart Tomcat after importing the certificate

---

### **Steps Using Portecle**

1. Download and start **Portecle**
2. Open the Java keystore: 
    - Path:  
        `$JAVA_HOME/lib/security/cacerts`
3. Enter the keystore password  
    *(Note: the default password `cacerts` is often changed in secure environments)*
4. Import the LDAP / Active Directory certificate: 
    - Go to **Tools → Import Trusted Certificate**
    - Select your exported certificate file (e.g., `.crt`)
5. Assign an alias (e.g., `ldap-cert`)
6. Save the keystore
7. Restart Tomcat

---

### **Important Notes**

- The default Java keystore password (`cacerts`) is **often changed** in secure environments  
    → Please confirm the correct password with your system administrator
- If the certificate is not trusted: 
    - LDAPS connections will fail
    - Authentication will not work
- Ensure the correct Java runtime is used (the one running Tomcat)

---

### **Recommendation**

- Always use **LDAPS (port 636)** instead of plain LDAP for secure communication
- Use a **dedicated service account** rather than a personal user account