authelia/docs/content/en/integration/ldap/introduction.md

---
title: "LDAP"
description: "An introduction into integrating Authelia with LDAP."
lead: "An introduction into integrating Authelia with LDAP."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
  integration:
    parent: "ldap"
weight: 710
toc: true
---

## UNDER CONSTRUCTION

This section is still a work in progress.

## Configuration

### OpenLDAP

**Tested:**
* Version: [v2.5.13](https://www.openldap.org/software/release/announce_lts.html)
* Container `bitnami/openldap:2.5.13-debian-11-r7`

Create within OpenLDAP, either via CLI or with a GUI management application like
[phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) or [LDAP Admin](http://www.ldapadmin.org/)
a basic user with a complex password.

*Make note of its CN.* You can also create a group to use within Authelia if you would like granular control of who can
login, and reference it within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://OpenLDAP:1389` - servers dns name & port.
  *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* server_name `ldap01.example.com` - servers name
* base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account

```yaml
  ldap:
    address: 'ldap://OpenLDAP:1389'
    implementation: custom
    timeout: 5s
    start_tls: false
    tls:
      server_name: ldap01.example.com
      skip_verify: true
      minimum_version: TLS1.2
    base_dn: DC=example,DC=com
    additional_users_dn: OU=users
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
    user: UID=authelia,OU=service accounts,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
    attributes:
      distinguished_name: 'distinguishedName'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'
```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.

### FreeIPA

**Tested:**
* Version: [v4.9.9](https://www.freeipa.org/page/Releases/4.9.9)
* Container: `freeipa/freeipa-server:fedora-36-4.9.9`

Create within FreeIPA, either via CLI or within its GUI management application `https://server_ip` a basic user with a
complex password.

*Make note of its CN.* You can also create a group to use within Authelia if you would like granular control of who can
login, and reference it within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
* server_name `ldap01.example.com` - servers name
* base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account

```yaml
 ldap:
    address: 'ldaps://ldap.example.com'
    implementation: custom
    timeout: 5s
    start_tls: false
    tls:
      server_name: ldap.example.com
      skip_verify: true
      minimum_version: TLS1.2
    base_dn: dc=example,DC=com
    additional_users_dn: CN=users,CN=accounts
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
    user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
    attributes:
      distinguished_name: 'distinguishedName'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'
```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.

### lldap

**Tested:**
* Version: [v0.4.0](https://github.com/nitnelave/lldap/releases/tag/v0.4.07)

Create within lldap, a basic user with a complex password, and add to the group "lldap_password_manager"
You can also create a group to use within Authelia if you would like granular control of who can login, and reference it
within the filters below.

### Authelia

In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://OpenLDAP:1389` - servers dns name & port.
  *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* base_dn `DC=example,DC=com` - common name of domain root.
* user `authelia` - username for Authelia service account.
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,

```yaml
ldap:
    address: 'ldap://lldap:3890'
    implementation: custom
    timeout: 5s
    start_tls: false
    base_dn: dc=example,DC=com
    additional_users_dn: OU=people
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (member={dn})
    # The username and password of the admin or service user.
    user: UID=authelia,OU=people,DC=example,DC=com
    password: "SUPER_COMPLEX_PASSWORD"
    attributes:
      distinguished_name: 'distinguishedName'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'
```
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.

## See Also

[Authelia]: https://www.authelia.com
[Bitnami OpenLDAP]: https://hub.docker.com/r/bitnami/openldap/
[FreeIPA]: https://www.freeipa.org/page/Main_Page
[lldap]: https://github.com/nitnelave/lldap
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			`---`
			`title: "LDAP"`
			`description: "An introduction into integrating Authelia with LDAP."`
			`lead: "An introduction into integrating Authelia with LDAP."`
docs: update dates (#3615) 2022-06-28 05:27:14 +00:00			`date: 2022-06-15T17:51:47+10:00`
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			`draft: false`
			`images: []`
			`menu:`
			`integration:`
			`parent: "ldap"`
			`weight: 710`
			`toc: true`
			`---`

docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`## UNDER CONSTRUCTION`
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`This section is still a work in progress.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`## Configuration`

			`### OpenLDAP`
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00
			`Tested:`
			`* Version: [v2.5.13](https://www.openldap.org/software/release/announce_lts.html)`
			* Container `bitnami/openldap:2.5.13-debian-11-r7`

			`Create within OpenLDAP, either via CLI or with a GUI management application like`
			`[phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) or [LDAP Admin](http://www.ldapadmin.org/)`
			`a basic user with a complex password.`

			`Make note of its CN. You can also create a group to use within Authelia if you would like granular control of who can`
			`login, and reference it within the filters below.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`### Authelia`

docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`In your Authelia configuration you will need to enter and update the following variables -`
			* url `ldap://OpenLDAP:1389` - servers dns name & port.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`tip: if you have Authelia on a container network that is routable, you can just use the container name`
			* server_name `ldap01.example.com` - servers name
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			* base_dn `DC=example,DC=com` - common name of domain root.
			* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			* user `authelia` - username for Authelia service account
			* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account

			```yaml
			`ldap:`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`address: 'ldap://OpenLDAP:1389'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`implementation: custom`
			`timeout: 5s`
			`start_tls: false`
			`tls:`
			`server_name: ldap01.example.com`
			`skip_verify: true`
			`minimum_version: TLS1.2`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`base_dn: DC=example,DC=com`
			`additional_users_dn: OU=users`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`users_filter: (&(\|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`additional_groups_dn: OU=groups`
			`groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))`
			`user: UID=authelia,OU=service accounts,DC=example,DC=com`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`password: "SUPER_COMPLEX_PASSWORD"`
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-06-18 04:40:38 +00:00			`attributes:`
			`distinguished_name: 'distinguishedName'`
			`username: 'uid'`
			`mail: 'mail'`
			`member_of: 'memberOf'`
			`group_name: 'cn'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			```
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with`
			`Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`### FreeIPA`
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00
			`Tested:`
			`* Version: [v4.9.9](https://www.freeipa.org/page/Releases/4.9.9)`
			* Container: `freeipa/freeipa-server:fedora-36-4.9.9`

			Create within FreeIPA, either via CLI or within its GUI management application `https://server_ip` a basic user with a
			`complex password.`

			`Make note of its CN. You can also create a group to use within Authelia if you would like granular control of who can`
			`login, and reference it within the filters below.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`### Authelia`

docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`In your Authelia configuration you will need to enter and update the following variables -`
			* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			* server_name `ldap01.example.com` - servers name
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			* base_dn `DC=example,DC=com` - common name of domain root.
			* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			* user `authelia` - username for Authelia service account
			* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account

			```yaml
			`ldap:`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`address: 'ldaps://ldap.example.com'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`implementation: custom`
			`timeout: 5s`
			`start_tls: false`
			`tls:`
			`server_name: ldap.example.com`
			`skip_verify: true`
			`minimum_version: TLS1.2`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`base_dn: dc=example,DC=com`
			`additional_users_dn: CN=users,CN=accounts`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`users_filter: (&(\|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`additional_groups_dn: OU=groups`
			`groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))`
			`user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`password: "SUPER_COMPLEX_PASSWORD"`
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-06-18 04:40:38 +00:00			`attributes:`
			`distinguished_name: 'distinguishedName'`
			`username: 'uid'`
			`mail: 'mail'`
			`member_of: 'memberOf'`
			`group_name: 'cn'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			```
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with`
			`Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`### lldap`
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00
			`Tested:`
			`* Version: [v0.4.0](https://github.com/nitnelave/lldap/releases/tag/v0.4.07)`

docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`Create within lldap, a basic user with a complex password, and add to the group "lldap_password_manager"`
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`You can also create a group to use within Authelia if you would like granular control of who can login, and reference it`
			`within the filters below.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`### Authelia`

docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`In your Authelia configuration you will need to enter and update the following variables -`
			* url `ldap://OpenLDAP:1389` - servers dns name & port.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`tip: if you have Authelia on a container network that is routable, you can just use the container name`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			* base_dn `DC=example,DC=com` - common name of domain root.
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			* user `authelia` - username for Authelia service account.
			* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,

			```yaml
			`ldap:`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`address: 'ldap://lldap:3890'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`implementation: custom`
			`timeout: 5s`
			`start_tls: false`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`base_dn: dc=example,DC=com`
			`additional_users_dn: OU=people`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`# To allow sign in both with username and email, one can use a filter like`
			`# (&(\|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))`
			`users_filter: (&({username_attribute}={input})(objectClass=person))`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`additional_groups_dn: OU=groups`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`groups_filter: (member={dn})`
			`# The username and password of the admin or service user.`
refactor: ldap filter (#4329) 2022-11-04 02:42:28 +00:00			`user: UID=authelia,OU=people,DC=example,DC=com`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`password: "SUPER_COMPLEX_PASSWORD"`
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-06-18 04:40:38 +00:00			`attributes:`
			`distinguished_name: 'distinguishedName'`
			`username: 'uid'`
			`mail: 'mail'`
			`member_of: 'memberOf'`
			`group_name: 'cn'`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			```
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00			`Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with`
			`Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.`
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00
			`## See Also`
docs: fix ldap section (#4075) 2022-09-25 19:19:11 +00:00
docs: ldap integration guides (#3920) 2022-09-25 18:50:54 +00:00			`[Authelia]: https://www.authelia.com`
			`[Bitnami OpenLDAP]: https://hub.docker.com/r/bitnami/openldap/`
			`[FreeIPA]: https://www.freeipa.org/page/Main_Page`
			`[lldap]: https://github.com/nitnelave/lldap`