
Active Directory with LDAP

Learn how to configure Active Directory with LDAP as an identity provider for Prophecy.

Overview

Here are the basic steps to connect Prophecy to your LDAP directory:

  1. Log in to Prophecy as an admin user.
  2. Navigate to the SSO tab of the Prophecy Settings page.
  3. Under Authentication Provider, select LDAP.
  4. Fill out the rest of the information and click Save. More information about the available fields can be found below.

Host and Certs

| Parameter | Description |
| --- | --- |
| Host | Host and optional port of the LDAP server in the form host:port. If the port is not supplied, it is guessed from the "Disable SSL" and "Start TLS" flags: 389 for plain LDAP or StartTLS, 636 for LDAPS. |
| Disable SSL | Required if the LDAP host is not using TLS (plain LDAP, port 389). With this option the bind password and every user's login password cross the network in cleartext, so anyone on the network path can capture them. Do not use it outside an isolated test environment. |
| Start TLS | Connect on the plain LDAP port (389) and upgrade the connection to TLS with the StartTLS extended operation before binding. The API response below reports it as startTLS. |
| Skip Certificate Verification | Turns off verification of the LDAP server's TLS certificate (insecureSkipVerify in the API response). Use it only as a temporary workaround when the server's certificate does not chain to a trusted root and you cannot yet upload one; while it is on, anyone who can intercept the connection can present their own certificate and read the credentials. |
| Certificates | Upload trusted root certificates, client certificates, and client keys. A root certificate lets Prophecy verify the server's certificate without skipping verification; a client certificate and key are used when the directory requires client (mutual TLS) authentication. |

Binds

| Parameter | Description |
| --- | --- |
| Bind Distinguished Name | The distinguished name (DN) of an application service account. The connector binds with these credentials to search for users and groups, so the account only needs read access to the user and group subtrees. |
| Bind Password | The password of that service account. |
| Username Prompt | The label to display for the username field on the login prompt. |

User Search

| Parameter | Description |
| --- | --- |
| Base Distinguished Name | BaseDN to start the user search from, for example dc=example,dc=org. |
| Filter | Optional LDAP filter applied when searching for users, for example (objectClass=person). The username entered at login is combined with this filter, so keep the filter narrow. |
| User Name | Attribute compared against the username entered at login, for example cn (or sAMAccountName in Active Directory). |
| ID Attribute | Attribute used as the unique, stable identifier of the user (the API response below uses DN). |
| Email Attribute | Attribute mapped to the user's email address, for example mail. |
| Name Attribute | Attribute mapped to the user's display name, for example cn. |

Group Search

| Parameter | Description |
| --- | --- |
| Base Distinguished Name | BaseDN to start the group search from. |
| Filter | Optional LDAP filter applied when searching for groups, for example (objectClass=groupOfNames). |
| Name Attribute | Attribute mapped to the display name of groups. |

Configured LDAP Groups API

You can use the Configured LDAP Groups API to retrieve the configuration of every identity provider set up in the environment, including the LDAP user search and group search settings. The request is authenticated by the prophecy-token cookie of an admin session, so treat that token as a credential; bind credentials are masked in the response. Note that the example response below shows an insecure configuration (insecureNoSSL and insecureSkipVerify both true).

Example:

```bash
curl 'https://<prophecy-env-url>/api/idp/getAllIDPsConfig' \
  -H 'Content-Type: application/json;charset=utf-8' \
  -H 'cookie: prophecy-token=<prophecy-access-token>'
```

Response:

```json
{
  "data": {
    "config": [
      {
        "id": "cp_ldap",
        "type": "ldap",
        "name": "",
        "idp": "others",
        "resourceVersion": "",
        "idpConfig": {
          "host": "host-name-here:host-port",
          "insecureNoSSL": true,
          "insecureSkipVerify": true,
          "startTLS": false,
          "rootCA": "",
          "clientCert": "",
          "clientKey": "",
          "rootCAData": "",
          "clientCertData": "",
          "clientKeyData": "",
          "bindDN": "*****",
          "bindPW": "*****",
          "usernamePrompt": "cn",
          "userSearch": {
            "baseDN": "dc=example,dc=org",
            "filter": "(objectClass=person)",
            "username": "cn",
            "scope": "",
            "idAttr": "DN",
            "emailAttr": "mail",
            "nameAttr": "cn",
            "preferredUsernameAttr": "",
            "emailSuffix": ""
          },
          "groupSearch": {
            "baseDN": "ou=users,dc=example,dc=org|ou=newusers,dc=example,dc=org",
            "filter": "(objectClass=groupOfNames)",
            "scope": "",
            "userAttr": "",
            "groupAttr": "",
            "userMatchers": null,
            "nameAttr": "cn"
          }
        }
      },
      {
        "id": "cp_saml",
        "type": "saml",
        "name": "",
        "idp": "okta",
        "resourceVersion": "",
        "idpConfig": {
          "caData": "-----BEGIN CERTIFICATE-----\nCERT-HERE\r\n-----END CERTIFICATE-----\n",
          "emailAttr": "email",
          "entityIssuer": "issuer",
          "groupsDelim": ", ",
          "nameIDPolicyFormat": "persistent",
          "redirectURI": "https://env-domain/api/oauth/samlCallback",
          "ssoIssuer": "http://www.okta.com/TOKEN",
          "ssoURL": "https://SSO-URL",
          "usernameAttr": "name"
        }
      }
    ]
  },
  "success": true
}
```
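The response above is the natural place to audit the transport settings described under Host and Certs. The following Python script is an added example written for this page, not Prophecy's own code: it makes the same request as the curl command (the `fetch_idp_config` helper and its argument names are assumptions, mirroring the placeholders above), and then runs an offline audit over a constructed sample shaped like the response, flagging insecureNoSSL, insecureSkipVerify, empty search filters, and any secret that comes back unmasked (the page shows them masked as `*****`; treating anything else as unmasked is an assumption). It also reproduces the port-guessing rule from the Host row.

```python
import json
import urllib.request
from typing import Dict, List

# Constructed sample shaped like the getAllIDPsConfig response shown above,
# trimmed to the fields the audit reads (not captured from a live system).
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "config": [
      {
        "id": "cp_ldap",
        "type": "ldap",
        "idpConfig": {
          "host": "host-name-here",
          "insecureNoSSL": true,
          "insecureSkipVerify": true,
          "startTLS": false,
          "bindDN": "*****",
          "bindPW": "*****",
          "userSearch": {"baseDN": "dc=example,dc=org",
                         "filter": "(objectClass=person)", "username": "cn"},
          "groupSearch": {"baseDN": "ou=users,dc=example,dc=org",
                          "filter": "(objectClass=groupOfNames)"}
        }
      },
      {"id": "cp_saml", "type": "saml", "idpConfig": {}}
    ]
  },
  "success": true
}
""")


def fetch_idp_config(env_url: str, token: str) -> dict:
    """Hypothetical helper: the same request as the curl example. The
    prophecy-token cookie of an admin session authenticates the call, so
    the token must be handled as a secret (no shell history, no logs)."""
    req = urllib.request.Request(
        env_url.rstrip("/") + "/api/idp/getAllIDPsConfig",
        headers={
            "Content-Type": "application/json;charset=utf-8",
            "cookie": "prophecy-token=" + token,
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def effective_port(cfg: dict) -> int:
    """Port used when host carries none: plain LDAP and StartTLS both start
    on 389, LDAPS on 636 (the guessing rule described under Host above)."""
    _, _, port = cfg.get("host", "").rpartition(":")
    if port.isdigit():
        return int(port)
    return 389 if cfg.get("insecureNoSSL") or cfg.get("startTLS") else 636


def audit_ldap_config(cfg: dict) -> List[str]:
    """Settings in one LDAP idpConfig that a reviewer should question."""
    findings = []
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL=true: bind and user passwords cross the network in cleartext")
    if cfg.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify=true: server certificate is not verified, "
                        "so the directory can be impersonated")
    for name in ("userSearch", "groupSearch"):
        search = cfg.get(name) or {}
        if not search.get("filter"):
            findings.append("%s.filter is empty: any entry under %s can match"
                            % (name, search.get("baseDN") or "<no baseDN>"))
    # Assumption: secrets are masked as "*****" as in the response above;
    # anything else means the API leaked the real value.
    for secret in ("bindPW", "clientKeyData"):
        if cfg.get(secret) and cfg[secret] != "*****":
            findings.append("%s returned unmasked: rotate it and restrict access to this API" % secret)
    return findings


def audit_response(response: dict) -> Dict[str, List[str]]:
    """Findings per LDAP provider id; non-LDAP providers are skipped."""
    return {
        entry["id"]: audit_ldap_config(entry.get("idpConfig") or {})
        for entry in response.get("data", {}).get("config", [])
        if entry.get("type") == "ldap"
    }


if __name__ == "__main__":
    # Offline run on the constructed sample. Against a live environment use
    # fetch_idp_config("https://<prophecy-env-url>", "<prophecy-access-token>").
    for entry in SAMPLE_RESPONSE["data"]["config"]:
        if entry["type"] != "ldap":
            continue
        cfg = entry["idpConfig"]
        print(entry["id"], "effective port:", effective_port(cfg))
        for finding in audit_ldap_config(cfg):
            print("  -", finding)
```

Run it against the sample and the LDAP provider is reported on port 389 with two findings; a configuration with TLS on, certificate verification on and non-empty filters produces none.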

User Matchers

A list of field pairs used to match a user to a group. Each pair names an attribute of the user entry and an attribute of the group entry, and adds a requirement to the group filter that the group attribute must equal the user's attribute value, for example a group's member attribute equalling the user's DN.
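The user search and group search fields in the tables above, and the user matchers just described, are easiest to understand from the filters they produce. The following Python is an added example written for this page, not Prophecy's own code. It assumes that the login name is AND'ed with the configured user Filter as (User Name attribute=login name), that a user attribute of DN means the user's distinguished name (the same convention the ID Attribute uses in the response above), that the flat userAttr/groupAttr pair in the response behaves like a single matcher, and that each matcher yields its own group search whose results are combined. It also escapes the login name as RFC 4515 requires, which is the check that keeps a crafted username from rewriting the search.

```python
from typing import Dict, List

# RFC 4515 escaping for values spliced into a search filter. Without it a
# login name such as "*)(objectClass=*" becomes new filter syntax instead
# of a value to compare against.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user_search: Dict[str, str], login_name: str) -> str:
    """Filter that finds the entry of whoever typed login_name: the configured
    Filter (if any) AND'ed with (<User Name attribute>=<login name>)."""
    name_clause = "(%s=%s)" % (user_search["username"], escape_filter_value(login_name))
    base = user_search.get("filter", "")
    return "(&%s%s)" % (base, name_clause) if base else name_clause


def group_search_filters(group_search: Dict, user_entry: Dict[str, str]) -> List[str]:
    """One group filter per user matcher: the configured group Filter AND'ed
    with (<groupAttr>=<value of the user's userAttr>). A userAttr of "DN"
    stands for the user's distinguished name (assumed convention). Returns no
    filters when nothing links groups to users, and skips matchers whose user
    attribute is absent from the entry rather than searching with an empty
    value, which would match nothing useful or, unescaped, everything."""
    matchers = list(group_search.get("userMatchers") or [])
    if not matchers and group_search.get("userAttr") and group_search.get("groupAttr"):
        # Assumption: the flat userAttr/groupAttr pair behaves like one matcher.
        matchers = [{"userAttr": group_search["userAttr"], "groupAttr": group_search["groupAttr"]}]
    base = group_search.get("filter", "")
    filters = []
    for matcher in matchers:
        attr = matcher["userAttr"]
        value = user_entry.get("dn") if attr == "DN" else user_entry.get(attr)
        if not value:
            continue
        clause = "(%s=%s)" % (matcher["groupAttr"], escape_filter_value(value))
        filters.append("(&%s%s)" % (base, clause) if base else clause)
    return filters


# Constructed configuration mirroring the fields in the tables above.
USER_SEARCH = {"baseDN": "dc=example,dc=org", "filter": "(objectClass=person)", "username": "cn"}
GROUP_SEARCH = {
    "baseDN": "ou=groups,dc=example,dc=org",
    "filter": "(objectClass=groupOfNames)",
    "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}],
}

if __name__ == "__main__":
    # Constructed user entry as the user search would return it.
    alice = {"dn": "cn=alice,ou=users,dc=example,dc=org", "cn": "alice"}
    print(user_search_filter(USER_SEARCH, "alice"))
    print(user_search_filter(USER_SEARCH, "*)(objectClass=*"))  # escaped: still one clause
    for group_filter in group_search_filters(GROUP_SEARCH, alice):
        print(group_filter)
```

The second print shows why escaping matters: the injected parentheses and wildcards are encoded as \28, \29 and \2a, so the search still compares cn against a literal string instead of matching every person under the base DN.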