LDAP

The LDAP connector integrates the Maverics Orchestrator with LDAP-based directory services — including OpenLDAP and other LDAP-compliant directories. For Microsoft Active Directory environments, see the dedicated Active Directory connector.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The LDAP connector (type: ldap) supports both LDAP and LDAPS (LDAP over TLS) protocols for secure directory integration. It can perform authentication via LDAP bind operations, attribute lookups for authorization decisions, and user attribute retrieval for header injection or claim enrichment. The connector includes attributeMapping to translate between LDAP attribute names and Orchestrator-friendly names.

Use Cases

Legacy directory integration — Connect applications to existing LDAP directories without modifying the application
Attribute lookups — Retrieve user attributes from LDAP for header injection, claim enrichment, or authorization decisions
LDAP authentication — Authenticate end users via LDAP bind operations against the directory

Configuration

Console UI
Configuration

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

LDAP configuration screen in Maverics Console

maverics.yaml

connectors:
  - name: ldap
    type: ldap
    url:
      - "ldaps://ldap.example.com:636"
    serviceAccountUsername: "cn=admin,dc=example,dc=com"
    serviceAccountPassword: <vault.ldap_password>
    baseDN: "dc=example,dc=com"
    usernameSearchKey: uid
    enableAuthentication: true
    userAttributes:
      - cn
      - email
      - memberOf
    attributeMapping:
      email: mail
      name: cn
    tls: ldap-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced by app policies and attribute providers
`type`	string	Yes	Must be `ldap`
`url`	string[]	Yes	LDAP server URLs — supports `ldap://` (port 389) and `ldaps://` (port 636); multiple URLs enable failover
`serviceAccountUsername`	string	Yes	Bind DN for the service account (e.g., `cn=admin,dc=example,dc=com`)
`serviceAccountPassword`	string	Yes	Service account password — use secret reference syntax `<namespace.key>`
`baseDN`	string	Yes	Base DN for LDAP searches (e.g., `dc=example,dc=com`)
`usernameSearchKey`	string	No	LDAP attribute used for username lookup (e.g., `uid` for OpenLDAP, `sAMAccountName` for AD)
`userRDNKey`	string	No	Relative Distinguished Name key for user entries
`enableAuthentication`	boolean	No	Enable LDAP bind authentication for end users
`loginUrl`	string	No	URL for the LDAP login form
`authenticationSearchScope`	string	No	LDAP search scope for authentication queries
`userAttributes`	string[]	No	LDAP attributes to retrieve during searches (e.g., `["cn", "mail", "memberOf"]`)
`objectClasses`	string[]	No	Object classes for the LDAP search filter (e.g., `["inetOrgPerson"]`)
`attributeMapping`	map	No	Map Orchestrator attribute names to LDAP attribute names (e.g., `email: "mail"`)
`attributeDelimiter`	string	No	Delimiter for multi-valued LDAP attributes (default: `","`)
`groupBaseDN`	string	No	Base DN for group searches
`groupSearchFilter`	string	No	LDAP filter for group membership queries
`customLogin.templateFile`	string	No	Path to a custom HTML login form template
`tls`	string	No	Named TLS profile for LDAP connection
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

The LDAP connector supports attributeMapping to translate between LDAP attribute names and Orchestrator attribute names. For example, mapping email: "mail" allows you to reference the attribute as ldap.email in header templates and policy rules, even though the LDAP directory stores it as mail. OIDC-based connectors do not have this field — they use claims directly from the OIDC token.

Troubleshooting

Test LDAP connectivity from the Orchestrator host — Use ldapsearch or a similar tool to verify the Orchestrator can reach the LDAP server on the configured port. Network firewalls or DNS issues are common causes of connection failures.
Verify the service account has read permissions on the baseDN — The bind DN specified in serviceAccountUsername must have sufficient permissions to search the baseDN subtree and read the attributes listed in userAttributes.
For LDAPS, ensure the TLS profile includes the correct CA certificate — If the LDAP server uses a private CA, the TLS profile referenced by the tls field must include the CA certificate via caFile. Self-signed certificates require insecureSkipVerify: true (not recommended for production).
Check attribute names in mapping — LDAP attribute names are case-insensitive in the protocol but must match the directory schema. Common sources of confusion: mail vs email, cn vs commonName, sAMAccountName vs uid.

Active Directory

LDAP-based connector optimized for Active Directory environments

Identity Fabric

Overview of all identity providers

Identity Fabric

Complete field reference for all connector types

Continuity

IdP failover connector

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Active Directory

Identity Fabric

Identity Fabric

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Active Directory

Identity Fabric

Identity Fabric

Continuity

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages