LDAP attribute provider


Overview

Configure Maverics to source attributes for claims, headers and authorization rules over the LDAP protocol.

Identity Fabric→LDAP Attribute Provider→Configure Identity Fabric→Select as attribute provider in user flow

Steps

  1. Go to Identity Fabric and select LDAP attribute provider from the list.

  2. Configure the Identity Fabric for your LDAP instance.

  3. Set up an attribute provider in a user flow:

    1. Select your LDAP identity fabric in the Attribute Provider section.

    2. Select the Identity Provider that is being used for authentication.

    3. Select the attribute provided by the IdP that will be mapped to the OUD Search Key to look up attributes.

  4. Use it in a user flow:

    • Authorization - select attributes from your LDAP provider for role-based or attribute-based policies.

    • Claims & Headers - select attributes from your LDAP provider to be included in OIDC claims, SAML assertions, or Proxy App headers.

Configure Identity Fabric

LDAP attribute providers only pull user attributes, groups, and other attributes using the LDAP protocol, and cannot be used as an identity provider or authentication service. Maverics requires the following information for LDAP attribute providers.

Use a Secret Provider

Production deployments should use a secret management system. Maverics integrates with multiple secret management systems, which hold the secrets that Orchestrator instances retrieve at startup. To reference a secret from your provider, enclose its name in angle brackets (e.g. <app client-id>).

Learn more about Secret Providers

Attribute | Description | Example
--- | --- | ---
Name | A friendly name for your LDAP attribute provider. | ldap-example
URL | The URL of the LDAP server that Maverics connects with. | ldap://node1.ldap.com, ldap://node2.ldap.com
Service Account Username | The username used to connect to the LDAP server. | uid=admin,ou=Admins,o=Example,c=US
Service Account Password | The password used to connect to the LDAP server. | <examplePassword>
Attribute Delimiter | (Optional) The delimiter used to separate the values of a multi-valued attribute. Only needed if an attribute is multi-valued; if no value is provided, "," is used. | ^,,
Base DN | The location in the directory in which to perform the LDAP search. | ou=People,o=Example,c=US
OUD Search Key | The attribute to filter on during query and bind operations. | uid , mail

JSON deployed to an orchestrator

{
  "connectors": [
    {
      "type": "ldap",
      "enableAuthentication": true,
      "usernameSearchKey": "uid",
      "baseDN": "ou=Engineering,ou=People,dc=example,dc=com",
      "authenticationSearchScope": "singleLevel",
      "serviceAccountUsername": "cn=exampleUsername,dc=example,dc=com",
      "serviceAccountPassword": "<examplePassword>"
    }
  ]
}
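The lookup the attribute provider performs, as an added illustration that is not Maverics code: the IdP-supplied value is escaped before it is placed in the filter built from the OUD Search Key and Base DN, exactly one entry must match, and multi-valued attributes are flattened with the configured delimiter. The directory entry, the mock search and all values are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed configuration values mirroring the table above.
BASE_DN = "ou=People,o=Example,c=US"
SEARCH_KEY = "uid"      # the OUD Search Key
DELIMITER = ","         # default attribute delimiter

# Characters that must be escaped inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape the IdP attribute value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search(idp_value: str, search_key: str = SEARCH_KEY, base_dn: str = BASE_DN) -> dict:
    """Describe the search issued for one user: base DN, scope and filter."""
    return {"baseDN": base_dn, "scope": "singleLevel",
            "filter": f"({search_key}={escape_filter_value(idp_value)})"}

def select_entry(results: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """The search key must identify exactly one entry; zero or many is an error."""
    if len(results) != 1:
        raise LookupError(f"expected one directory entry, got {len(results)}")
    return results[0]

def to_header_values(entry: Dict[str, List[str]], wanted: List[str],
                     delimiter: str = DELIMITER) -> Dict[str, str]:
    """Flatten each requested attribute into one string using the delimiter."""
    return {name: delimiter.join(entry.get(name, [])) for name in wanted}

# Constructed sample directory, shaped like the entries an LDAP client returns.
SAMPLE_DIRECTORY = [
    {"uid": ["jdoe"], "mail": ["jdoe@example.com"],
     "memberOf": ["cn=admins,ou=Groups,o=Example,c=US", "cn=dev,ou=Groups,o=Example,c=US"]},
]

def mock_search(request: dict, directory=SAMPLE_DIRECTORY) -> List[Dict[str, List[str]]]:
    """Stand-in for the LDAP server: matches a single (key=value) equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", request["filter"])
    key, val = m.group(1), m.group(2)
    return [e for e in directory if val in e.get(key, [])]

if __name__ == "__main__":
    entry = select_entry(mock_search(build_search("jdoe")))
    print(to_header_values(entry, ["mail", "memberOf"], delimiter="^,,"))
```

Note that group DNs contain commas, so the default "," delimiter makes a flattened memberOf header ambiguous; that is the case where a delimiter such as the table's "^,," is needed.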