JetBrains Space Help

Active Directory Auth Module

Active Directory authentication module lets users log in to Space with credentials that are stored in an external directory service. This authentication module is pre-configured for Microsoft Active Directory. You can configure a module to use the standard LDAP scheme or LDAPS over SSL.

The Active Directory authentication module does not import all of the user accounts from the directory service. Space only creates a user account when an unregistered user first logs in to Space.

When Active Directory authentication is enabled, Space checks the directory service for each login attempt. Users who have been removed from the directory service cannot log in to Space.

Prerequisites

If you want to connect to the directory service over SSL, import the trusted SSL certificate for your Active Directory service before you enable the authentication module. If there are any intermediate certificates that sit between the SSL certificate and the root CA certificate, you need to upload a file that contains the full certificate chain.

The option to import a trusted SSL certificate is not supported in the settings for the Active Directory authentication module. Instead, you need to access the Trusted SSL Certificates page and import it there.

For more information, see Trusted SSL Certificates.

Enable Active Directory Authentication

To allow users stored in Microsoft Active Directory to log in to Space, enable an Active Directory authentication module.

To enable Active Directory authentication:

  1. On the main menu, click Administration and choose Auth Modules.

  2. Click New auth module. The New Auth Module dialog opens.

  3. From the Type drop-down list, select Active Directory.

  4. In the New Auth Module dialog, enter values for the following settings:

    Status
      Choose Active to enable the module.

    Key
      Give this authentication module a unique identifier.

    Name
      Give this authentication module a human-readable name to distinguish this module from other authentication modules in the Auth Modules list.

    Server URL
      Stores the LDAP URL of the directory service used to authenticate a login request in Space.
      The LDAP URL uses the format ldap://host:port/DN. Enter the full distinguished name (DN) of the directory where user accounts are stored.

    SSL keystore
      Choose a custom SSL keystore for LDAPS connections.

    Bind DN
      Stores the value that is used to bind with the directory service.

    Bind password
      The password of the Bind account.

    Filter
      Stores an expression that locates the record for a specific user in the LDAP service. The substitution variable in the expression is replaced with the value entered as the username or email on the login page.

    Connection timeout
      Sets the period of time to wait to establish a connection to the authorization service. The default setting is 5000 milliseconds (5 seconds).

    Read timeout
      Sets the period of time to wait to read and retrieve user profile data from the authorization service. The default setting is 5000 milliseconds (5 seconds).

    LDAP referral
      Choose Follow to allow the authentication module to follow referrals from the service to locate additional information in the LDAP directory.

    User registration
      On — Accounts in the Space organization will be created automatically for unregistered users who log in using the Active Directory authentication module.
      Off — Active Directory logins will only be available to users who already have an account in the Space organization.

  5. Configure the Attribute Mapping.

    When Space finds a record in the LDAP service that matches a filter, it fetches values from the LDAP attributes that are specified for each field and copies them to the user profile in Space. Use the following settings to define the filter criteria and map attributes that are stored in your directory service to user accounts in Space.

    Login
      Required. Maps to the LDAP attribute that stores the value to copy to the Login field in the Space profile. For Active Directory, the default value is sAMAccountName.

    Full name
      Maps to the LDAP attribute that stores the value to copy to the Full name field in the Space profile.

    Email
      Maps to the LDAP attribute that stores the value to copy to the Email field in the Space profile.

    Groups
      memberOf
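The following is an added, constructed illustration of how the Server URL, Filter and Attribute Mapping settings from steps 4 and 5 combine when a user logs in. It is not Space's own code. It assumes a substitution variable of {0} in the Filter (the placeholder Space actually uses is not stated on this page), an in-memory list of constructed directory records standing in for what the Bind account can read, and it escapes the login-page input per RFC 4515 before substituting it, so that characters such as parentheses and asterisks are matched literally rather than read as filter syntax.

```python
import re
from urllib.parse import urlsplit, unquote

# Substitution variable assumed for the Filter setting (hypothetical; the page
# does not name the placeholder Space uses).
SUBSTITUTION_VARIABLE = "{0}"

# Attribute Mapping as configured in step 5 (Space field -> LDAP attribute).
ATTRIBUTE_MAPPING = {
    "login": "sAMAccountName",   # required
    "full_name": "displayName",
    "email": "mail",
    "groups": "memberOf",
}

# Constructed records standing in for the directory. Attribute names are kept
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["jdoe"],
     "displayname": ["Jane Doe"], "mail": ["jane.doe@example.com"],
     "memberof": ["CN=Developers,OU=Groups,DC=example,DC=com",
                  "CN=Space Users,OU=Groups,DC=example,DC=com"]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["bsmith"],
     "displayname": ["Bob Smith"], "mail": ["bob.smith@example.com"],
     "memberof": []},
]


def parse_server_url(url: str) -> dict:
    """Split a Server URL of the form ldap://host:port/DN; ldaps:// means TLS (default 636)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),  # DN of the user container
        "tls": parts.scheme == "ldaps",
    }


# RFC 4515 escapes for the characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape login-page input so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, login_input: str) -> str:
    """Replace the substitution variable in the Filter setting with the escaped input."""
    return template.replace(SUBSTITUTION_VARIABLE, escape_filter_value(login_input))


_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(rendered: str) -> list:
    """Parse one equality assertion or an AND of them, the usual shape of an AD login filter."""
    body = rendered.strip()
    if body.startswith("(&") and body.endswith(")"):
        body = body[2:-1]
    assertions = _ASSERTION.findall(body)
    if not assertions or "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError(f"unsupported filter shape: {rendered!r}")
    return [(attr.lower(), _unescape(val)) for attr, val in assertions]


def find_user(records: list, rendered_filter: str) -> list:
    """Return every record whose attributes satisfy all assertions (case-insensitive)."""
    wanted = parse_and_filter(rendered_filter)
    return [rec for rec in records
            if all(value.lower() in [v.lower() for v in rec.get(attr, [])]
                   for attr, value in wanted)]


def build_space_profile(record: dict, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    """Copy the mapped LDAP attributes into the Space profile fields."""
    profile = {}
    for field, attr in mapping.items():
        values = record.get(attr.lower(), [])
        if field == "groups":
            profile[field] = list(values)   # multi-valued: keep every group DN
        elif values:
            profile[field] = values[0]      # single-valued fields take the first value
    if "login" not in profile:
        raise ValueError(f"record lacks the required Login attribute {mapping['login']}")
    return profile


def resolve_login(login_input: str, server_url: str, filter_template: str,
                  records: list = DIRECTORY):
    """Simulate one login: validate the Server URL, render the filter, require exactly
    one matching record and build the profile Space would create or update; else None."""
    parse_server_url(server_url)  # raises on a malformed URL before any search
    matches = find_user(records, render_filter(filter_template, login_input))
    return build_space_profile(matches[0]) if len(matches) == 1 else None


if __name__ == "__main__":
    url = "ldaps://dc01.example.com/OU=Users,DC=example,DC=com"
    flt = "(&(objectClass=user)(sAMAccountName={0}))"
    print(parse_server_url(url))
    print(render_filter(flt, "(jdoe)"))   # parentheses arrive escaped
    print(resolve_login("jdoe", url, flt))
```

Two behaviours are worth noting when checking your own settings against this model: a login that matches no record, or more than one, yields no profile (so a Filter that is too broad silently fails rather than picking an arbitrary account), and the required Login mapping must resolve to a present attribute or the profile is rejected.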

Test the Connection to your Active Directory Service

To verify that the Active Directory authentication module is connected to your Active Directory service, test the connection.

To test the connection:

  1. Click the Test Login button.

  2. In the Test Settings dialog, enter the credentials of a user who is stored in your Active Directory service:

    • In the Login field, enter the domain\username.

    • In the Password field, enter the password.

  3. Click the Test Login button.

    • Space searches for the specified user account in the Active Directory service. If the user is found, a success notification is displayed. If you get an error, check your user credentials and server URL.

Last modified: 07 July 2023