LDAP authentication
Overview
Automate supports LDAP authentication, which can be used either standalone (LDAP authentication only) or in conjunction with LDAP syncing of users:
LDAP sync and authentication
LDAP authentication-only (standalone)
Note
Automate provides LDAP server support for case-insensitive search base DNs. For example, on an LDAP server, the following search base DNs are equal:
CN=Users,DC=example,DC=com
cn=Users,dc=example,dc=com
LDAP authentication workflow
The user provides their credentials on the Automate system Login page.
The authentication request is sent to the relevant LDAP server(s), based on the user’s authentication setup:
Default authentication setup
Matching username and password
The Automate username and password must match the username and password in the LDAP server (based on the LDAP field chosen for username).
Once authenticated, the LDAP username is mapped to the Automate user to determine access, role, and so on.
Alternative authentication setup
Non-matching username and password
Automate supports authentication where the usernames don't match, by mapping them. This is useful where the username in Automate and the UC apps is different to the username in LDAP. For example, if the LDAP username is bobsmith but the username in Automate is bsmith, then choose LDAP as the authentication type and set the LDAP username (bobsmith in this case) to match the username of bsmith in Automate. You would do this via the LDAP authentication attribute, such as sAMAccountName, mail, or userPrincipalName, which defines the field where the username is sourced from and which is used to authenticate the user.
Note
For LDAP authentication, the password rules of the Automate credential policy don’t apply as the password is managed in the LDAP directory. Other credential policy rules are applied (such as session length), as these are managed in Automate.
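The following sketch is an added example, not Automate's own code. It shows how a login could be turned into an LDAP lookup for both setups above: the mapped LDAP username is used when one is set, the search base DN is compared case-insensitively, and the username is escaped before it is placed in the search filter. The AutomateUser record, the function names and the sample users are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Authentication attributes named in this document.
AUTH_ATTRS = {"sAMAccountName", "mail", "userPrincipalName"}

@dataclass
class AutomateUser:  # hypothetical record for illustration, not Automate's data model
    username: str
    ldap_username: Optional[str] = None  # set only in the non-matching setup

def normalize_dn(dn: str) -> str:
    """Lower-case a DN and trim spaces around RDNs and '=' so equal DNs compare equal.
    Simplified: does not handle escaped commas inside attribute values."""
    rdns = [re.sub(r"\s*=\s*", "=", rdn.strip()) for rdn in dn.split(",")]
    return ",".join(rdns).lower()

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so characters in a login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_login_for(user: AutomateUser) -> str:
    """Default setup: usernames match. Alternative setup: use the mapped LDAP name."""
    return user.ldap_username or user.username

def build_search(user: AutomateUser, attr: str, base_dn: str) -> tuple:
    """Return (search base, filter) used to locate the LDAP entry to authenticate against."""
    if attr not in AUTH_ATTRS:
        raise ValueError(f"unsupported authentication attribute: {attr}")
    return normalize_dn(base_dn), f"({attr}={escape_filter_value(ldap_login_for(user))})"

if __name__ == "__main__":
    # Constructed sample users: one mapped (bsmith -> bobsmith), one with matching names.
    for u in (AutomateUser("bsmith", "bobsmith"), AutomateUser("jdoe")):
        print(u.username, build_search(u, "sAMAccountName", "CN=Users,DC=example,DC=com"))
```

After a successful bind with the resolved LDAP name, access and role are still determined from the Automate user (bsmith in the mapped case), as the workflow describes.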