4.3.2

LDAP authentication

For LDAP Authentication (including Active Directory), select Use LDAP for authentication and configure the fields that appear as below.

  1. Server URI: address of your LDAP server (must begin with ldap:// or ldaps://)

  2. Bind DN: the username of the LDAP account to use for user lookups, for example: "admin_svc".

    • If your LDAP server does not require authentication, set this to an empty string using a pair of double quote marks ( "" )

  3. Bind Password: the password for the Bind DN account

    • Use an empty string (as above) if your server does not require authentication

  4. Search DN (a.k.a. Base DN): the DN that Dash Enterprise will use to search for users when authenticating

    • Usually related to the LDAP server’s domain name; e.g. server.ad.your-company.com will have a Base DN of "CN=Users,DC=server,DC=ad,DC=your-company,DC=com"

    • To use the Global Catalog Server:

      • With LDAP: append :3268 to your LDAP Server URI (e.g. ldap://ad.your.company:3268)

      • With LDAPS: append :3269 to your LDAP Server URI

  5. (Optional) Group DN: usually the same as the Search DN

    • Dash Enterprise will search this tree for valid user groups

  6. May be left blank if not using LDAP group sharing with Dash apps

  7. (Optional) Restrict LDAP login based on group membership: enable this only if you want members of a specified LDAP group to be able to log in

    • Requires the full DN of the group

    • Advanced group checking (including AND, OR, and NOT operations) is supported

  8. (Optional) Install a Self-Signed TLS/SSL Certificate for LDAP option if your LDAP server uses a self-signed certificate

    • Not recommended: You may check Disable LDAP Auth Certificate Checking to bypass this option; however, this exposes your authentication to man-in-the-middle attacks

  9. (Optional) Check Use Custom Search Filter box and specify a new Search Filter or Group Filter if needed

  10. (Optional) Check Restrict licenses based on LDAP/SAML group membership and enter a group name (the full DN is not required here)

    • Note: If any of the LDAP specifications require the use of a single quote, the quote must be escaped in such a way that it can be parsed via a Python YAML interpreter and exported within a Bash script

      • Any single quote must be represented as follows: ''"''"''

      • Example: CN=User's,DC=ad,DC=plot,DC=ly must be entered as CN=User''"''"''s,DC=ad,DC=plot,DC=ly

  11. (Optional) For testing purposes only, check Enable authentication logs to make authentication logs available via a secret URL

    • NOT recommended for production use, since authentication logs may contain confidential data

PreviousBuilt-in local authenticationNextSAML authentication

Last updated