LDAP Attribute Provider

The LDAP Attribute Provider connector integrates the Maverics Orchestrator with LDAP-based directory services for attribute lookups — retrieving user attributes for header injection, claim enrichment, or authorization decisions without performing LDAP bind authentication.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The LDAP Attribute Provider functions as a read-only attribute source. Unlike the LDAP Authentication connector, the attribute provider does not authenticate users — it retrieves user attributes from the directory using a service account. This is useful when authentication is handled by a separate identity provider (e.g., OIDC or SAML) and you need to enrich the user’s session with directory attributes.

Use Cases

Unified SSO with LDAP-sourced attributes — Enrich cloud IdP sessions with on-premises directory data (department, title, group memberships) so applications receive consistent headers and claims regardless of where authentication happens
Authorization from directory group memberships — Retrieve LDAP group memberships to drive fine-grained authorization decisions in Orchestrator policies, bridging access control between legacy directories and modern apps
Cross-directory identity enrichment — Combine OIDC or SAML authentication from one provider with attribute lookups from an LDAP directory, enabling applications to access identity data that spans multiple systems
Simplify IdP migration with attribute continuity — During IdP consolidation, maintain access to on-premises directory attributes even after shifting authentication to a cloud provider

Configuration

Console UI
Configuration

To create an LDAP Attribute Provider connector in the Maverics Console:

Navigate to Identity Fabric in the Console sidebar.
Click Create and select LDAP Attribute Provider.
Enter a Name for the connector.
Enter the URL of the LDAP server (e.g., ldaps://ldap.example.com:636).
Enter the Base DN for LDAP searches (e.g., dc=example,dc=com).
Enter the Service Account Username (bind DN used to connect to the server).
Enter the Service Account Password.
Optionally set an Attribute Delimiter for multi-valued attributes (default: ,).
Enter the OUD Search Key — the attribute used for looking up user and group data.
Click Save.

maverics.yaml

connectors:
  - name: ldap-attrs
    type: ldap
    url:
      - "ldaps://ldap.example.com:636"
    serviceAccountUsername: "cn=admin,dc=example,dc=com"
    serviceAccountPassword: <vault.ldap_password>
    baseDN: "dc=example,dc=com"
    usernameSearchKey: uid
    userAttributes:
      - cn
      - mail
      - memberOf
      - department
    attributeMapping:
      email: mail
      name: cn
    tls: ldap-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced by app policies and attribute providers
`type`	string	Yes	Must be `ldap`
`url`	string[]	Yes	LDAP server URLs — supports `ldap://` (port 389) and `ldaps://` (port 636); multiple URLs enable failover
`serviceAccountUsername`	string	Yes	Bind DN for the service account (e.g., `cn=admin,dc=example,dc=com`)
`serviceAccountPassword`	string	Yes	Service account password — use secret reference syntax `<namespace.key>`
`baseDN`	string	Yes	Base DN for LDAP searches (e.g., `dc=example,dc=com`)
`usernameSearchKey`	string	No	LDAP attribute used for username lookup (e.g., `uid`, `cn`)
`userAttributes`	string[]	No	LDAP attributes to retrieve during searches (e.g., `["cn", "mail", "memberOf"]`)
`attributeMapping`	map	No	Map Orchestrator attribute names to LDAP attribute names (e.g., `email: "mail"`)
`attributeDelimiter`	string	No	Delimiter for multi-valued LDAP attributes (default: `","`)
`tls`	string	No	Named TLS profile for LDAP connection
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

Troubleshooting

Test LDAP connectivity from the Orchestrator host — Use ldapsearch or a similar tool to verify the Orchestrator can reach the LDAP server on the configured port
Verify the service account has read permissions on the baseDN — The bind DN must have sufficient permissions to search the subtree and read the configured attributes
Check attribute names in mapping — LDAP attribute names must match the directory schema. Common sources of confusion: mail vs email, cn vs commonName
For LDAPS, ensure the TLS profile includes the correct CA certificate — If the LDAP server uses a private CA, the TLS profile must include the CA certificate via caFile

LDAP Authentication

LDAP connector for user authentication via bind operations

Active Directory

LDAP-based connector for Microsoft Active Directory

Identity Fabric

Overview of all identity providers

Oracle Universal Directory

Oracle OUD directory integration

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

LDAP Authentication

Active Directory

Identity Fabric

Oracle Universal Directory

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

LDAP Authentication

Active Directory

Identity Fabric

Oracle Universal Directory

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages