LDAP
General Information
Forward Enterprise supports two different types of LDAP server:
- Active Directory
- Other LDAP
LDAP accounts will be treated differently from LOCAL accounts:
- LDAP users cannot be created manually. Note that a user account will appear in the application after the user’s first successful login.
- The email address field is optional for LDAP users and will be undefined initially if not provided by the LDAP server.
- Username and password are read-only for LDAP users.
Configuration and Testing
- Navigate to Settings --> Accounts --> External authentication and click the Enable button in the LDAP section to enable LDAP authentication.
- Select the LDAP server type: Active Directory or Other LDAP.
Active Directory Configuration
Configure each Active Directory server setting appropriately:

- Hostname or IP: The Active Directory server hostname or IP address to authenticate users to.
- Port (optional): The TCP port on which the Active Directory service listens on the server specified above. By default, LDAP servers use port 389 for LDAP and 636 for LDAPS.
- Domain: The Active Directory Domain name.
- LDAPS: Optionally secure the connection by enabling the Use LDAPS toggle button and providing a TLS certificate in X509 format in the TLS certificate section. The TLS certificate section also accepts a chain of certificates, that is, a sequence of X509 certificates placed back to back.
- BaseDN: The Active Directory base Distinguished Name.
- Accept any domain: When enabled, usernames with any domain suffix are allowed to attempt a login. This lets users log in even if their account's User Principal Name carries a different domain than the LDAP server's.
Active Directory Testing
- Test the connection to the Active Directory server by clicking the Test connection button.
- Test an Active Directory user by clicking the Test user query button, providing a Username and Password, and clicking Test. Optionally, provide an Email attribute and/or select Accept any domain.
Other LDAP Configuration
Configure each LDAP server setting appropriately:

- Hostname or IP: The LDAP server hostname or IP address to authenticate users to.
- Port: The TCP port on which the LDAP service listens on the server specified above. By default, LDAP servers use port 389 for plain LDAP and also 389 for LDAP with StartTLS, since StartTLS upgrades the existing connection rather than using a separate port.
- StartTLS: Optionally secure the connection by enabling the Use StartTLS toggle button and providing a TLS certificate in X509 format in the TLS certificate section. The TLS certificate section also accepts a chain of certificates, that is, a sequence of X509 certificates placed back to back.
- BaseDN: The LDAP base Distinguished Name.
- Bind DN (optional): The LDAP Bind Distinguished Name. The Bind DN is the directory entry the application binds as in order to obtain the permissions needed for its operations, such as searching for users. Some LDAP servers do not allow anonymous binds, or do not allow certain operations over an anonymous bind, so a Bind DN must be specified to obtain an identity that may perform the operation.
- Password (optional): The LDAP Bind Distinguished Name password.
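The TLS certificate section in both the LDAPS and StartTLS settings above takes a PEM chain of X509 certificates placed back to back. As an added example, not Forward Enterprise code, the following Python splits such a chain into its certificates and checks that each block is well-formed PEM (base64 body that decodes to a DER SEQUENCE, as every X509 certificate does) before the chain is pasted into the field. It uses only the standard library, performs no signature verification, and the sample chain it embeds is constructed and contains no real certificates.

```python
"""Split and sanity-check a PEM certificate chain of the kind the TLS
certificate field accepts (LDAPS or StartTLS): one or more X509 certificates
placed back to back. Added example using only the standard library; not
Forward Enterprise code. Structure is checked, signatures are not verified."""
import base64
import re
import ssl
from typing import List

# One PEM block, from the BEGIN line to the END line, body included (may span lines).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(chain_text: str) -> List[str]:
    """Return each PEM CERTIFICATE block in the chain, in the order pasted."""
    return [m.group(0) for m in _PEM_BLOCK.finditer(chain_text)]


def validate_pem_chain(chain_text: str) -> int:
    """Return the number of certificates in the chain.

    Raises ValueError if no block is present, if a block does not base64-decode,
    or if a decoded body does not start with the DER SEQUENCE tag (0x30) that
    every X509 certificate begins with.
    """
    blocks = split_pem_chain(chain_text)
    if not blocks:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    for index, block in enumerate(blocks):
        try:
            # Strips the PEM armour and base64-decodes the body.
            der = ssl.PEM_cert_to_DER_cert(block)
        except (ValueError, UnicodeError) as exc:
            raise ValueError(f"certificate {index}: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {index}: body is not a DER SEQUENCE")
    return len(blocks)


def _constructed_pem(der: bytes) -> str:
    """Wrap bytes in PEM armour; used only to build the constructed sample below."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed sample chain: two minimal DER SEQUENCEs (SEQUENCE { INTEGER 1 }),
# which satisfy the structural checks but are not real certificates.
SAMPLE_CHAIN = _constructed_pem(b"\x30\x03\x02\x01\x01") * 2

if __name__ == "__main__":
    print(f"{validate_pem_chain(SAMPLE_CHAIN)} certificate(s) in chain")
```

Run it against the text you intend to paste into the TLS certificate section; a count of zero or a ValueError means the chain was cut or corrupted in transit (a missing END line or a wrapped body are the usual culprits) and the server's certificate would never be trusted.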
Other LDAP Testing

- Test the connection to the LDAP server by clicking the Test connection button.
- Provide the Username attribute, UserDN and, optionally, the Email attribute in the Users section, then test an LDAP user query by clicking the Test user query button.
- Provide the Name attribute, Member attribute and Group DN in the Groups section, then test an LDAP group query by clicking the Test group query button.
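The user and group queries exercised by the Test user query and Test group query buttons are built from the attribute names and DNs configured in the Users and Groups sections. As an added example, not Forward Enterprise code, the following Python shows how such queries are constructed safely: the username is escaped per RFC 4515 before it is placed in the search filter, so a login name containing filter metacharacters cannot alter the query (LDAP filter injection), and the Active Directory Accept any domain rule from the earlier section is modelled alongside. The attribute names, DNs and the rule that a bare username is qualified with the configured domain are illustrative assumptions, and the code only builds the queries; it contacts no server.

```python
"""Build the search filters behind an LDAP user query and group query, and
apply the Active Directory 'Accept any domain' rule. Added illustration, not
Forward Enterprise code: attribute names and DNs below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4515: these characters must be escaped as \XX inside a filter value,
# otherwise user input could close the assertion and add its own clauses.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class OtherLdapSettings:
    """The Users and Groups settings from the Other LDAP section (field names assumed)."""
    user_dn: str                  # UserDN: base for user searches
    username_attr: str            # Username attribute, e.g. "uid"
    email_attr: Optional[str]     # Email attribute, optional
    group_dn: str                 # Group DN: base for group searches
    name_attr: str                # Name attribute of a group, e.g. "cn"
    member_attr: str              # Member attribute of a group, e.g. "member"


def user_query(settings: OtherLdapSettings, username: str) -> Tuple[str, str, List[str]]:
    """Return (search base, filter, attributes) for looking up one user.

    A client would bind with the Bind DN, run this search, and then bind
    again as the returned entry's DN with the user's password.
    """
    attrs = [settings.username_attr]
    if settings.email_attr:
        attrs.append(settings.email_attr)
    flt = f"({settings.username_attr}={escape_filter_value(username)})"
    return settings.user_dn, flt, attrs


def group_query(settings: OtherLdapSettings, member_dn: str) -> Tuple[str, str, List[str]]:
    """Return (search base, filter, attributes) listing the groups whose Member
    attribute contains the given user DN. The DN is escaped too, since a DN
    may legitimately contain parentheses."""
    flt = f"({settings.member_attr}={escape_filter_value(member_dn)})"
    return settings.group_dn, flt, [settings.name_attr]


def resolve_ad_login(configured_domain: str, login: str, accept_any_domain: bool) -> Optional[str]:
    """Apply the Active Directory 'Accept any domain' setting.

    Returns the User Principal Name to attempt a bind with, or None if the
    login is rejected before the server is contacted. Assumption: a bare
    username is qualified with the configured domain.
    """
    if "@" not in login:
        return f"{login}@{configured_domain}" if login else None
    user, _, domain = login.rpartition("@")
    if not user or not domain:
        return None
    if domain.lower() != configured_domain.lower() and not accept_any_domain:
        return None
    return f"{user}@{domain}"


if __name__ == "__main__":
    # Constructed settings for demonstration.
    settings = OtherLdapSettings(
        user_dn="ou=people,dc=example,dc=test", username_attr="uid", email_attr="mail",
        group_dn="ou=groups,dc=example,dc=test", name_attr="cn", member_attr="member")
    print(user_query(settings, "bob)(uid=*"))
    print(group_query(settings, "uid=bob,ou=people,dc=example,dc=test"))
    print(resolve_ad_login("corp.example", "alice@other.example", accept_any_domain=False))
```

The escaping step is the point worth carrying over to any custom integration: a username of `bob)(uid=*` becomes `(uid=bob\29\28uid=\2a)`, a filter that matches nothing, rather than a filter that matches every user. The domain check shows why Accept any domain should stay off unless users really hold accounts in other UPN suffixes, since with it enabled every suffix is forwarded to the server for a bind attempt.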