An LDAP integration does not import all of the user accounts from the directory service.
Hub only creates a user account when an unregistered user first logs in to Hub or a connected service.
When LDAP authentication is enabled, Hub checks the directory service for each login attempt.
Users who have been removed from the directory service cannot log in to Hub.
Hub provides pre-configured authentication modules for LDAP, OpenLDAP, and Active Directory.
You can configure a module to use the standard LDAP scheme or LDAPS over SSL.
Enable LDAP Authentication
To allow users stored in a directory service to log in to Hub, enable an LDAP authentication module.
Before you start, verify the following requirements:
You have Create Auth Module and Update Auth Module permissions in Hub.
If you want to authenticate over SSL, you have imported the trusted SSL certificate and key store.
For more information, see SSL Key Stores.
To enable the module, follow these steps.
In the Access Management section of the Administration menu, select Auth Modules.
From the Add Module
drop-down list, select the option that corresponds to the directory service you want to enable.
You can select LDAP, OpenLDAP, or Active Directory.
The Add Module dialog opens in the sidebar.
In the Add Module dialog, enter values for the following settings:
Enter a name for the authentication module.
Enter the server address of the directory service.
Enter the number of the port used to communicate with the directory service.
The default port for standard LDAP is 389.
The default port for LDAPS is 636.
Select this option to authenticate over SSL.
Enter the domain components that define the top-level LDAP DN where user accounts are
For example, if your company uses the domain mycompany.com, enter the
top-level LDAP DN dc=mycompany,dc=com.
The value entered in this field is added to the LDAP URL and cannot contain unsafe
If you use organizational units to manage users, create separate auth modules for each
Include the organizational unit in the search base to create a unique LDAP URL for each
LDAP authentication modules do not support recursive search in the LDAP tree.
The LDAP authentication module is enabled.
The Auth Modules
page displays the settings for the LDAP authentication module.
The module is pre-configured with standard settings that are based on the information you
provided in the Add Module dialog.
For additional information about the settings on this page, see LDAP Authentication Module.
Test the Connection to your Directory Service
To verify that the LDAP authentication module is connected to your directory service, test the connection.
Click the Test Login button.
dialog, enter the credentials of a user who is stored in your directory service:
In the Login field, enter the domainusername.
In the Password field, enter the password.
Click the Test Login button.
Hub searches for the specified user account in the directory service.
If the user is found, a success notification is displayed.
If you get an error, check your user credentials and server URL.
Use the following settings to configure how Hub connects to your directory service.
Displays the name of the application or service that is enabled for third-party authentication in
Stores the name of the authentication module. Use this setting to distinguish this module from other
Displays the current status of the module. This status indicates whether the module is currently
enabled or disabled.
Links to the Audit Events page in Hub. There, you can view a list of changes
that were applied to this authentication module.
Stores the LDAP URL of the directory service used to authenticate a login request in Hub.
The LDAP URL uses the format ldap://host:port/DN. Enter the full distinguished name (DN)
of the directory where user accounts are stored.
Stores the query used to bind with the directory service. This query looks up the distinguished name
of the user to be authenticated.
The username is referenced with an expression. The expression maps a substitution variable to the
attribute that stores the username in the directory service.
The attribute you select determines which query is used in the filter string.
The value entered as the username on the login page is trimmed before it replaces the substitution
If the user specifies a domain, it is discarded. For example, a username with the value WORKGROUP\smith
is trimmed to smith.
To specify a domain, enter the domain name as a static value. For example, WORKGROUP\%u.
Stores the expression used to filter for a specific user.
The substitution variable in the expression is replaced with the value entered as the username on
the login page.
The value entered in this field locates the authenticated user in the directory service.
Selects the key store that is used by your trusted SSL certificate.
Enables creation of Hub accounts for unregistered users who log in with an account that is stored in
the connected directory service.
Hub uses the email address to determine whether the user has an existing account.
All LDAP authentication modules must allow user creation. If user creation is denied, unregistered
users are shown an error.
Use the following settings to map attributes stored in your directory service to user accounts in Hub.
Stores the name of the LDAP attribute that contains the name of the user.
Stores the name of the LDAP attribute that contains the username.
Stores the name of the LDAP attribute that contains the email address.
Stores the name of the the LDAP attribute that contains the username for a Jabber account.
VCS User Name
Stores the name of the LDAP attribute that contains the username for the version control system.
Use this setting to add users to a group when they log in with an account that is stored in the connected
You can select one or more groups.
New users that auto-join a group inherit all of the permissions assigned to this group.
We recommend that you add users to at least one group.
Otherwise, a new user is only granted the permissions that are currently assigned to the
All Users group.
Select SSL Key: No Key