> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# LDAP Attribute Provider

The LDAP Attribute Provider connector integrates the Maverics Orchestrator with LDAP-based directory services for attribute lookups -- retrieving user attributes for header injection, claim enrichment, or authorization decisions without performing LDAP bind authentication.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The LDAP Attribute Provider functions as a read-only attribute source. Unlike the [LDAP Authentication](/reference/orchestrator/identity-fabric/ldap) connector, the attribute provider does not authenticate users -- it retrieves user attributes from the directory using a service account. This is useful when authentication is handled by a separate identity provider (e.g., OIDC or SAML) and you need to enrich the user's session with directory attributes.

## Use Cases

* **Unified SSO with LDAP-sourced attributes** -- Enrich cloud IdP sessions with on-premises directory data (department, title, group memberships) so applications receive consistent headers and claims regardless of where authentication happens
* **Authorization from directory group memberships** -- Retrieve LDAP group memberships to drive fine-grained authorization decisions in Orchestrator policies, bridging access control between legacy directories and modern apps
* **Cross-directory identity enrichment** -- Combine OIDC or SAML authentication from one provider with attribute lookups from an LDAP directory, enabling applications to access identity data that spans multiple systems
* **Simplify IdP migration with attribute continuity** -- During IdP consolidation, maintain access to on-premises directory attributes even after shifting authentication to a cloud provider

## Setup

<Tabs>
  <Tab title="Console UI">
    To create an LDAP Attribute Provider connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **LDAP Attribute Provider**.
    3. Enter a **Name** for the connector.
    4. Enter the **URL** of the LDAP server (e.g., `ldaps://ldap.example.com:636`).
    5. Enter the **Base DN** for LDAP searches (e.g., `dc=example,dc=com`).
    6. Enter the **Service Account Username** (bind DN used to connect to the server).
    7. Enter the **Service Account Password**.
    8. Optionally set an **Attribute Delimiter** for multi-valued attributes (default: `,`).
    9. Enter the **OUD Search Key** -- the attribute used for looking up user and group data.
    10. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: ldap-attrs
        type: ldap
        url:
          - "ldaps://ldap.example.com:636"
        serviceAccountUsername: "cn=admin,dc=example,dc=com"
        serviceAccountPassword: <vault.ldap_password>
        baseDN: "dc=example,dc=com"
        usernameSearchKey: uid
        tls: ldap-tls
    ```

    ## Configuration Reference

    | Key                      | Type      | Required | Description                                                                                                                                            |
    | ------------------------ | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `name`                   | string    | Yes      | Unique connector identifier referenced by app policies and attribute providers                                                                         |
    | `type`                   | string    | Yes      | Must be `ldap`                                                                                                                                         |
    | `url`                    | string\[] | Yes      | LDAP server URLs -- supports `ldap://` (port 389) and `ldaps://` (port 636); multiple URLs enable failover                                             |
    | `serviceAccountUsername` | string    | Yes      | Bind DN for the service account (e.g., `cn=admin,dc=example,dc=com`)                                                                                   |
    | `serviceAccountPassword` | string    | Yes      | Service account password -- use secret reference syntax `<namespace.key>`                                                                              |
    | `baseDN`                 | string    | Yes      | Base DN for LDAP searches (e.g., `dc=example,dc=com`)                                                                                                  |
    | `usernameSearchKey`      | string    | No       | LDAP attribute used for username lookup (e.g., `uid`, `cn`)                                                                                            |
    | `attributeDelimiter`     | string    | No       | Delimiter for multi-valued LDAP attributes (default: `","`)                                                                                            |
    | `tls`                    | string    | No       | Named TLS profile for LDAP connection                                                                                                                  |
    | `healthCheck`            | object    | No       | Health check monitoring configuration (see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference)) |

    For the complete connector field reference including health check details, see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Test LDAP connectivity from the Orchestrator host** -- Use `ldapsearch` or a similar tool to verify the Orchestrator can reach the LDAP server on the configured port
* **Verify the service account has read permissions on the baseDN** -- The bind DN must have sufficient permissions to search the subtree and read the configured attributes
* **Check attribute names in application claims and headers** -- LDAP attribute names referenced in application claims, headers, or policy attributes must match the directory schema exactly. Common sources of confusion: `mail` vs `email`, `cn` vs `commonName`
* **For LDAPS, ensure the TLS profile includes the correct CA certificate** -- If the LDAP server uses a private CA, the TLS profile must include the CA certificate via `caFile`

## Related Pages

<CardGroup cols={2}>
  <Card title="LDAP Authentication" icon="folder-tree" href="/reference/orchestrator/identity-fabric/ldap">
    LDAP connector for user authentication via bind operations
  </Card>

  <Card title="Active Directory" icon="microsoft" href="/reference/orchestrator/identity-fabric/activedirectory">
    LDAP-based connector for Microsoft Active Directory
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Oracle Universal Directory" icon="database" href="/reference/orchestrator/identity-fabric/oracle-oud">
    Oracle OUD directory integration
  </Card>
</CardGroup>
