# LDAP

## Overview

Veza provides a generic LDAP integration to connect to directory services that support the Lightweight Directory Access Protocol (LDAP). This integration enables you to discover users, groups, and their relationships within your LDAP directory and map them to the Veza access graph.

The LDAP integration provides centralized identity discovery, group membership analysis, cross-system identity correlation, and organizational context. The generic nature of this integration allows it to work with any LDAPv3-compliant directory service, including OpenLDAP, Red Hat Identity Manager, Oracle Unified Directory, IBM Directory Server, and ForgeRock Directory Services.

## Prerequisites

To configure a new LDAP integration, you will need:

* The LDAP server hostname or IP address and port (typically 389 for LDAP or 636 for LDAPS)
* A username and password for an LDAP user with read access to the directory
* For LDAPS (recommended): the SSL/TLS certificate used by the LDAP server (supplied as the CA Certificate parameter)
* The base DN for the directory search (example: `dc=example,dc=com`)
* An [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) with network access to your LDAP server if not publicly accessible

## Required LDAP Operations

The Veza LDAP connector performs these operations on your directory:

**Authentication**: Binds to the LDAP server using the configured service account credentials.

**User Discovery**: Executes subtree searches from the Base DN to find all entities matching the specified Users Object Class (e.g., `person`, `inetOrgPerson`).

**Group Discovery**: Performs subtree searches to identify group entities using configurable object classes (default: `groupOfUniqueNames`, also supports `groupOfNames` and others), and extracts membership information using the appropriate member attribute.

**Attribute Reading**: Retrieves specific attributes from discovered users and groups to populate the Veza access graph with identity and relationship data.

### Required Attributes

The integration reads these attributes from your LDAP directory:

| Entity Type | Required Attributes            | Optional Attributes                  | Purpose                                          |
| ----------- | ------------------------------ | ------------------------------------ | ------------------------------------------------ |
| **Users**   | `dn`, `cn` or `uid`            | `displayName`, `email`, `mail`, `sn` | Identity, naming, contact information            |
| **Groups**  | `dn`, `cn`, member attribute\* | N/A                                  | Group identity and membership relationships      |
| **Custom**  | User-configured                | Varies by implementation             | Extended user properties and organizational data |

\*The member attribute is automatically determined from the group object class: `uniqueMember` for `groupOfUniqueNames`, `member` for `groupOfNames`. It can also be explicitly configured.

## Configuration

Configure the LDAP integration in Veza to connect to your directory server and begin discovering identity data.

1. In Veza, go to the **Integrations** page.
2. Click **Add Integration** and search for "LDAP". Click on the LDAP tile to open the integration configuration.
3. Complete the required configuration parameters detailed below.
4. Click **Create Integration** to save and create the integration.
5. Monitor the initial extraction in the **Integrations** page to ensure successful data discovery.

### Configuration Parameters

| Parameter                    | Required | Type                 | Description                                                                               |
| ---------------------------- | -------- | -------------------- | ----------------------------------------------------------------------------------------- |
| **Insight Point**            | No       | Selection            | Choose whether to use the default data plane or a deployed Insight Point                  |
| **IDP Name**                 | Yes      | String               | The name of the LDAP IDP provider (internal identifier)                                   |
| **LDAP URL**                 | Yes      | String               | LDAP server URL (e.g., `ldaps://ldap.example.com:636` or `ldap.example.com:389`)          |
| **Base DN**                  | Yes      | String               | Starting point for directory searches (e.g., `dc=example,dc=com`)                         |
| **Bind DN or User**          | Yes      | String               | Username for LDAP authentication (format: `cn=admin,dc=example,dc=com` or username)       |
| **Bind Password**            | Yes      | String (Secret)      | Password for the bind user                                                                |
| **CA Certificate**           | No       | Base64 File (Secret) | SSL/TLS certificate for secure LDAP connections                                           |
| **Users Object Class**       | Yes      | String               | The objectClass that defines users (e.g., `person`, `inetOrgPerson`)                      |
| **Groups Object Class**      | No       | String               | The objectClass for groups (default: `groupOfUniqueNames`, also supports `groupOfNames`)  |
| **Group Member Attribute**   | No       | String               | Attribute containing group members (auto-detected by default: `uniqueMember` or `member`) |
| **Included Groups**          | No       | String               | Semicolon-separated list of DN nodes (and their children) to include. Empty includes all  |
| **Custom String Properties** | No       | String               | Semicolon-separated list of additional string user attributes to extract                  |
| **Custom Number Properties** | No       | String               | Semicolon-separated list of additional numeric user attributes to extract                 |
| **Custom Date Properties**   | No       | String               | Semicolon-separated list of additional date/timestamp user attributes to extract          |
| **Custom Bool Properties**   | No       | String               | Semicolon-separated list of additional boolean user attributes to extract                 |
| **Provider Icon**            | No       | Base64 File          | Custom icon for the integration in Veza                                                   |

**Mapping Configuration**: Define how identities or groups map to each other. This optional section allows you to configure [custom identity mappings](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md) between your LDAP directory and other integrated systems.

### Configuration Best Practices

**LDAP URL Format**: If no protocol is specified, `ldaps://` is automatically added for security, so a URL given without a scheme is treated as LDAPS regardless of the port. Always use LDAPS when possible for encrypted communication.

**Multiple Object Classes**: For Users Object Class, you can specify multiple classes separated by commas (e.g., `person,inetOrgPerson`) to accommodate mixed environments.

**Group Object Class Flexibility**: The integration supports different LDAP group implementations. By default, it uses `groupOfUniqueNames` with `uniqueMember` attributes, but can be configured for `groupOfNames` with `member` attributes, or other custom group schemas. This enables compatibility with various LDAP implementations including Red Hat Identity Manager.

**Custom Properties**: All custom property lists use semicolon (`;`) separators. For optimal performance, only gather essential custom attributes.

**Included Groups**: Use full DN format with semicolon separators (e.g., `ou=Engineering,dc=example,dc=com;ou=Sales,dc=example,dc=com`) to limit scope and improve extraction performance.
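To sanity-check a planned configuration against the rules in this section (scheme defaulting, comma-separated user object classes, member-attribute auto-detection, and semicolon-separated Included Groups matched by a DN node and its children), here is an added Python model of those rules. It is not Veza's connector code; the function names and the reading of "node and its children" as a DN-suffix match are assumptions.

```python
"""Offline model of the configuration rules described on this page. Added example,
not Veza's connector code; function names and DN-suffix scoping are assumptions."""
MEMBER_ATTR_BY_CLASS = {"groupofuniquenames": "uniqueMember", "groupofnames": "member"}


def normalize_ldap_url(url: str) -> str:
    """Add ldaps:// when no scheme is given, as the page says the integration does."""
    url = url.strip()
    return url if "://" in url else "ldaps://" + url


def users_filter(users_object_class: str) -> str:
    """Search filter equivalent to the comma-separated Users Object Class field."""
    classes = [c.strip() for c in users_object_class.split(",") if c.strip()]
    if not classes:
        raise ValueError("Users Object Class is required")
    if len(classes) == 1:
        return f"(objectClass={classes[0]})"
    return "(|" + "".join(f"(objectClass={c})" for c in classes) + ")"


def member_attribute(groups_object_class: str = "groupOfUniqueNames", explicit: str = "") -> str:
    """Explicit Group Member Attribute wins; otherwise auto-detect from the group class."""
    if explicit.strip():
        return explicit.strip()
    attr = MEMBER_ATTR_BY_CLASS.get(groups_object_class.strip().lower())
    if attr is None:
        raise ValueError(f"no default member attribute for {groups_object_class!r}; set it explicitly")
    return attr


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas; normalised for comparison."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc or ch == "\\":  # escaped char, or the backslash starting an escape
            cur.append(ch)
            esc = not esc
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns


def in_scope(entry_dn: str, included_groups: str) -> bool:
    """True if entry_dn is an Included Groups node or lies beneath one; empty list includes all."""
    nodes = [n for n in included_groups.split(";") if n.strip()]
    if not nodes:
        return True
    entry = dn_rdns(entry_dn)
    return any(entry[-len(b):] == b for b in map(dn_rdns, nodes) if len(entry) >= len(b))
```

Run `in_scope` over the DNs of the OUs and groups you expect to see; any that return `False` will be excluded from extraction by the Included Groups value you plan to enter.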

### Custom Properties

The LDAP integration supports extracting custom user attributes beyond the standard LDAP schema. To include custom attributes during discovery, specify them by name and data type in the integration configuration.

For example, if your LDAP directory includes a custom attribute for employee `department`, you can use this information for [attribute filters](/4yItIzMvkpAvMVFAamTf/features/search/filters.md) by adding it to the configuration.

**Configuration**: Add custom attribute names (semicolon-separated) to the appropriate field based on data type:

* **Custom String Properties**: Text-based attributes (e.g., `department`, `title`, `telephoneNumber`)
* **Custom Number Properties**: Numeric attributes (e.g., `employeeNumber`, `uidNumber`)
* **Custom Date Properties**: Date/timestamp attributes (e.g., `accountExpires`, `pwdLastSet`)
* **Custom Bool Properties**: Boolean attributes (e.g., `accountEnabled`, `accountLocked`)

The specified attributes will appear on Access Graph entities after the next extraction, enabling Search, Rules, and Access Reviews based on the values.

### Red Hat Identity Manager

Red Hat Identity Manager (IdM) uses the `groupOfNames` object class with `member` attributes instead of the default `groupOfUniqueNames` with `uniqueMember`. Configure the Veza integration with these specific settings:

* **Groups Object Class**: `groupOfNames`
* **Group Member Attribute**: `member` (or leave blank for auto-detection)

## Advanced Configuration Options

**Filtering and Scoping**: Use the "Included Groups" parameter to limit extraction scope to specific organizational units. This improves performance and focuses the integration on relevant directory sections.

**Performance Optimization**: For large directories with 100,000+ users, use "Included Groups" to limit scope to relevant organizational units, limit custom properties to essential attributes only, and monitor extraction performance through the Veza integrations dashboard.

See [LDAP Integration Reference](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ldap/reference.md) for detailed information about supported entities and schema variations.

See [LDAP Server Configuration Examples](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ldap/examples.md) for platform-specific LDAP server setup guidance.

## Lifecycle Management

The LDAP integration supports Lifecycle Management as both a Source of Identity and a Target System. You can use your LDAP directory to trigger LCM policy actions and as a target for automated user and group management, including provisioning, deprovisioning, attribute synchronization, and group membership management.

For configuration steps, supported actions, and required permissions, see [LDAP Lifecycle Management](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ldap/provisioning.md).
