ConductorOne provides identity governance and just-in-time provisioning for LDAP. Integrate your LDAP server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.
The LDAP connector supports provisioning posixAccount entries with automatic UID number assignment. When creating a new POSIX account, the connector can look up the highest uidNumber currently in use across all existing posixAccount entries in your directory and automatically assign the next available value.To use this feature, configure the following account provisioning mappings:
Automatic UID number calculation assigns uidNumber only. You must provide gidNumber manually in the Additional Attributes mapping. If you set Calculate the next valid UID Number to true, any uidNumber value provided in Additional Attributes is ignored.
Configuring the connector requires you to pass in credentials for LDAP. Gather these credentials before you move on.Here’s the set of credentials you’ll need when setting up the connector:
The username and password of an LDAP account
URL of the LDAP server, which can use either ldap: or ldaps: schemes, and optionally includes a port number
That’s it! Next, move on to the connector configuration instructions.
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of LDAP credentials generated by following the instructions above
Cloud-hosted
Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.Cloud-hosted connector not currently available.
Follow these instructions to use the LDAP connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
In ConductorOne, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new LDAP connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
# baton-ldap-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-ldap-secretstype: OpaquestringData: # ConductorOne credentials BATON_CLIENT_ID: <ConductorOne client ID> BATON_CLIENT_SECRET: <ConductorOne client secret> # LDAP credentials BATON_BIND_DN: <Username to bind to the LDAP server with> BATON_PASSWORD: <Password to bind to the LDAP server with> BATON_URL: <URL to the LDAP server, optionally including port number> # Optional: include if you want ConductorOne to provision access using this connector BATON_PROVISIONING: true
See the connector’s README or run --help to see all available configuration flags and environment variables.
Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In ConductorOne, click Apps. On the Managed apps tab, locate and click the name of the application you added the LDAP connector to. LDAP data should be found on the Entitlements and Accounts tabs.
That’s it! Your LDAP connector is now pulling access data into ConductorOne.
