LDAP authentication replaces the default email-based authentication mechanism for the UpGuard UI. Any account administrator can configure LDAP settings before an UpGuard employee enables LDAP authentication.
If you are interested in integrating with your Single Sign On Identity Provider, please refer to our article on Single Sign On.
What Do I Need?
Before configuring LDAP, you will need the following:
- The distinguished name (DN) of an OU that contains your user accounts
- The distinguished name (DN) of a CN (security group) that contains users that will be able to login to UpGuard
- The distinguished name (DN) and password of a user that can query LDAP (referred to as the bind user)
Setting up LDAP
The LDAP settings are found in the Appliance Settings page, which is available by clicking your organization name in the top right corner of the UpGuard UI and selecting
If you do not see the LDAP section in the settings page, add ?show_ldap to the URL.
| Setting | Description |
|---|---|
| LDAP Host | The hostname of your LDAP server |
| LDAP Port | The port to connect over |
| SSL On? | Flag determining whether SSL will be used for the connection |
| LDAP Attribute | The unique identifier for users. Use "sAMAccountName" for Active Directory |
| Users Base DN | The lowest level OU containing all user records |
| Users Group DN | The CN of the specific group you have set up to grant access to UpGuard |
| Bind Account DN | The user UpGuard will use to query LDAP |
| Bind Account Password | The password for the bind user |
Enabling LDAP Authentication
Enabling LDAP must be done by an UpGuard employee. Please contact your Account Manager or UpGuard Support to schedule an appointment.
We require an UpGuard Engineer to enable LDAP to mitigate the risk of the configuration being incorrect and an account administrator accidentally locking themselves out of an appliance.
Things to Note
- With LDAP integration set up, access to your UpGuard account will be determined by membership of the group specified in the above form (Users Group DN).
- Users in this group will have Member access by default. Administrators can change this from the Users page.
- Behind the scenes, UpGuard is still using the email address to drive user roles, so the LDAP user must have an email address associated with it.
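The following script is an added example (not UpGuard's own code) that models the two access rules above offline: it builds the escaped user-lookup filter for the configured LDAP Attribute, then checks a directory entry for membership of the Users Group DN and for a populated email address. The group DN, usernames and entries are constructed placeholders, not values from a real directory.

```python
"""Offline model of the UpGuard LDAP login rules (added example, not UpGuard code)."""

# RFC 4515 escaping: the name typed at the login form must not be able to alter
# the filter structure ("*" or ")(" would otherwise widen the search).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(ldap_attribute: str, login_name: str) -> str:
    """Filter used to locate the login user under Users Base DN by the configured attribute."""
    return f"({ldap_attribute}={escape_filter_value(login_name)})"

def normalize_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores whitespace around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def login_allowed(entry: dict, users_group_dn: str) -> tuple:
    """Apply the article's rules: member of Users Group DN, and has an email address."""
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    if normalize_dn(users_group_dn) not in groups:
        return False, "user is not a member of the Users Group DN"
    if not entry.get("mail"):
        return False, "LDAP user has no email address; UpGuard roles are keyed on email"
    return True, "ok"

# Constructed sample settings and directory entries (placeholders, not real values).
USERS_GROUP_DN = "CN=UpGuard Users,OU=Groups,DC=example,DC=com"
SAMPLE_DIRECTORY = {
    "jsmith": {"memberOf": ["cn=upguard users, ou=groups, dc=example, dc=com"],
               "mail": "jsmith@example.com"},
    "nomail": {"memberOf": [USERS_GROUP_DN], "mail": ""},
    "outsider": {"memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
                 "mail": "outsider@example.com"},
}

def check_login(login_name: str, ldap_attribute: str = "sAMAccountName") -> tuple:
    """Stand-in for the search over Users Base DN followed by the access rules."""
    entry = SAMPLE_DIRECTORY.get(login_name)
    if entry is None:
        return False, f"no entry matched {user_search_filter(ldap_attribute, login_name)}"
    return login_allowed(entry, USERS_GROUP_DN)

if __name__ == "__main__":
    for name in ("jsmith", "nomail", "outsider", "*)(objectClass=*"):
        print(name, check_login(name))
```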
Emergency Bypass User
Although you may want all your users to authenticate against an LDAP/AD server, there may be special occasions you still need to access your UpGuard appliance when the auth server is down or broken (especially if you monitor the health of your auth server with UpGuard Core).
UpGuard Core can be configured to designate one or more users as LDAP Emergency Bypass Users: user accounts that are still allowed to log into the appliance with an email address and password.
Enabling this feature requires assistance from an UpGuard Engineer, so please contact UpGuard Support or your Account Manager to schedule an appointment.
LDAP Test Fails
There should be an error message shown if the LDAP test fails. For specific errors:
- Timeout: This is usually a firewall blocking the LDAP port
UpGuard Login Fails via LDAP
Verify that your bind user works outside of UpGuard. Using a tool like ldp.exe on a Windows AD Controller, verify that you can bind to the Bind Account DN from your UpGuard settings.