.. _ldap-integration:

LDAP authentication
---------------------------------

.. _19.3.4|VOSS-704:
.. _21.2|EKB-10651:


Overview 
........

Automate supports LDAP authentication, which can be used either standalone 
(LDAP authentication-only) or in conjunction with LDAP syncing of users:

======================================== ===========================================================
LDAP sync and authentication             * Users are synced in from LDAP. 
                                         * LDAP authenticates these users.  
                                         * LDAP user sync is available for Active Directory (AD) 
                                           and OpenLDAP.

LDAP authentication-only (standalone)    * Users are added locally or are synced in from CUCM. 
                                         * LDAP authenticates these users.
                                         * Not available for OpenLDAP.
                                         * Requires Automate version 10.6(3) or later.
======================================== ===========================================================


.. note:: 

   * Automate supports case-insensitive search base DNs on LDAP servers. 
     For example, on an LDAP server, the following search base DNs are treated as equal:
    
     * CN=Users,DC=example,DC=com
     * cn=Users,dc=example,dc=com


LDAP authentication workflow 
..............................



1. The user enters their credentials on the Automate Login page.

2. The authentication request is sent to the relevant LDAP server(s), based on the 
   user's authentication setup:

   =================================== =================================================================
   Default authentication setup        Matching username and password
   
                                       * Automate username and password must match the username and 
                                         password in the LDAP server (based on the LDAP field 
                                         chosen for *username*). 
                                       * Once authenticated, the LDAP username 
                                         is mapped to the Automate user to determine access, 
                                         role, and so on. 
   
   Alternative authentication setup    Non-matching username and password
   
                                       Automate supports authentication with mapped, non-matching
                                       usernames. This is useful where the username in Automate
                                       and the UC apps is different from the username in LDAP.
                                       For example, if the LDAP username is bobsmith but the
                                       username in Automate is bsmith, choose LDAP as the
                                       authentication type and set the LDAP username (bobsmith in
                                       this case) to map to the username bsmith in Automate. You
                                       do this via the LDAP authentication attribute, such as
                                       sAMAccountName, mail, or userPrincipalName, which defines
                                       the field that the username is sourced from and that is
                                       used to authenticate the user.
   =================================== =================================================================


.. note:: 
   
   For LDAP authentication, the password rules of the Automate credential policy don't apply 
   as the password is managed in the LDAP directory. Other credential policy 
   rules are applied (such as session length), as these are managed in Automate.
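
The username mapping in the workflow above and the case-insensitive base DN comparison, as an added Python example that is not Automate's own code. It assumes the directory entry is located with a search filter on the authentication attribute; ``AutomateUser``, ``ldap_username``, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Authentication attributes named on this page.
ALLOWED_ATTRIBUTES = {"sAMAccountName", "mail", "userPrincipalName"}
# RFC 4515: characters that must be escaped inside a filter value.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


@dataclass
class AutomateUser:  # hypothetical record, not Automate's data model
    username: str
    ldap_username: Optional[str] = None  # set only in the alternative setup


def ldap_login_name(user: AutomateUser) -> str:
    """Default setup: names match. Alternative setup: use the mapped name."""
    return user.ldap_username or user.username


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(user: AutomateUser, attribute: str) -> str:
    """Build the search filter that locates the LDAP entry to authenticate."""
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"unsupported authentication attribute: {attribute}")
    return f"({attribute}={escape_filter_value(ldap_login_name(user))})"


def same_search_base(dn_a: str, dn_b: str) -> bool:
    """Case-insensitive base DN comparison (assumes no escaped commas)."""
    def norm(dn: str) -> list:
        return [rdn.strip().lower() for rdn in dn.split(",")]
    return norm(dn_a) == norm(dn_b)


if __name__ == "__main__":
    # Constructed sample users: one per authentication setup.
    for u in (AutomateUser("alice"), AutomateUser("bsmith", "bobsmith")):
        print(u.username, "->", build_auth_filter(u, "sAMAccountName"))
    print(same_search_base("CN=Users,DC=example,DC=com", "cn=Users,dc=example,dc=com"))
```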




.. rubric:: Related topics 

* :ref:`set-up-ldap-for-user-synchronization`
* :ref:`set-up-ldap-for-authentication-only`
