LDAP/AD as an external authentication provider
You can integrate multiple LDAP servers to authenticate users in the Platform by importing the user information from LDAP/AD to the local Platform database (identity store). The imported user information is read-only (username, email, first name, last name, and other mapped attributes cannot be changed in the Platform). Passwords are not imported; password validation is performed on the LDAP server.
Synchronization of LDAP/AD users to the Platform
By default, you perform synchronization on demand:
- Full synchronization
- Synchronization of changed and new users
However, you can define periodic synchronization on the provider configuration page by setting a time (in seconds) after which the sync is repeated. Also, for better performance, you can set a limit to the number of users imported from LDAP/AD to the Platform within a single transaction.
Tip: The best way to handle syncing is to click Synchronize all users when you first create the LDAP/AD provider, and then set up a periodic sync of changed users.
For details, see Configure LDAP/AD as an authentication provider.
LDAP mappers are listeners that are triggered by the LDAP provider at various points, for example:
- When a user logs in via LDAP and needs to be imported.
- At the time of Platform-initiated registration.
- When a user is queried from the Admin Console.
You can map LDAP user attributes into the Platform common user model. When you create an LDAP authentication provider, the system automatically provides a set of built-in mappers for this provider (username, email, first name, and last name). You can change this set and create a new mapper, update existing ones, or delete them.
For details, see Configure LDAP mappers.
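As an added illustration (example code, not the Platform's own), the following Python simulation ties together the synchronization and mapper behaviour described above: a full sync, a sync of changed users, the per-transaction import limit, mapper-based copying of only the mapped attributes, and the read-only imported record that never receives the directory password. The LDAP entries are constructed, the change marker is assumed to be modifyTimestamp (AD directories use whenChanged), and the identity store is modelled as a plain dict.

```python
from types import MappingProxyType

# Constructed sample entries, shaped like an LDAP search result (all values are made up).
# modifyTimestamp is assumed as the change marker; AD directories use whenChanged instead.
LDAP_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.test", "givenName": "Alice", "sn": "Adams",
     "modifyTimestamp": "20240301120000Z", "userPassword": "{SSHA}constructed-hash-1"},
    {"uid": "bob", "mail": "bob@example.test", "givenName": "Bob", "sn": "Brown",
     "modifyTimestamp": "20240302090000Z", "userPassword": "{SSHA}constructed-hash-2"},
    {"uid": "carol", "mail": "carol@example.test", "givenName": "Carol", "sn": "Clark",
     "modifyTimestamp": "20240305080000Z", "userPassword": "{SSHA}constructed-hash-3"},
]

# The built-in mapper set named on the page: LDAP attribute -> Platform user-model field.
# Attribute names are assumed (inetOrgPerson style); AD would typically map sAMAccountName.
BUILTIN_MAPPERS = {"uid": "username", "mail": "email", "givenName": "first_name", "sn": "last_name"}


def map_user(entry, mappers):
    """Copy only the mapped attributes into a read-only local record.
    userPassword has no mapper, so the directory hash never reaches the identity store."""
    return MappingProxyType({local: entry[attr] for attr, local in mappers.items() if attr in entry})


def sync(entries, store, mappers, batch_limit, since=None):
    """Import users into `store` in batches of at most batch_limit (one transaction each).
    since=None is a full sync; otherwise only entries modified after `since` are imported.
    Returns (number of transactions, newest timestamp seen) for the next periodic run."""
    changed = [e for e in entries if since is None or e["modifyTimestamp"] > since]
    transactions = 0
    for start in range(0, len(changed), batch_limit):
        for entry in changed[start:start + batch_limit]:
            user = map_user(entry, mappers)
            store[user["username"]] = user
        transactions += 1
    # Generalized-time strings of equal format compare correctly as plain strings.
    newest = max((e["modifyTimestamp"] for e in changed), default=since)
    return transactions, newest


def is_read_only(user):
    """True if the imported record rejects local edits, as the page requires."""
    try:
        user["email"] = "edited@example.test"
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    users = {}
    print(sync(LDAP_ENTRIES, users, BUILTIN_MAPPERS, batch_limit=2))  # (2, '20240305080000Z')
```

Running a full sync with batch_limit=2 over the three constructed entries takes two transactions; passing the returned timestamp as `since` on the next run imports only users changed after it, which is the "changed and new users" mode the page recommends for periodic sync.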