Generic LDAP
Description
The Generic LDAP connector scans any RFC-compliant LDAP directory — including OpenLDAP, NetIQ eDirectory, 389 Directory Server, Oracle Directory Server, and IBM Security Directory — to discover user entries, group entries, and group memberships. Unlike the Active Directory connector (which is optimised for AD-specific schema), this connector is fully configurable for any LDAP schema.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 (scanned first) |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | Yes |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| LDAP | 389 TCP | Plaintext — development/testing only |
| LDAPS | 636 TCP | TLS — recommended for production |
What OrbisID Discovers
| Data | Source |
|---|---|
| User entries | Configurable LDAP search filter (default: `(\|(objectClass=inetOrgPerson)(objectClass=person))`) |
| Account status (disabled) | pwdAccountLockedTime, nsAccountLock, loginDisabled attributes |
| Group entries | Configurable filter (default: groupOfNames, groupOfUniqueNames, posixGroup) |
| Group memberships | Configurable member attribute (member, uniqueMember, or memberUid) |
Connection Requirements
Credential Requirements
OrbisID performs a bind using the supplied credentials. The bind account must have read access to user and group entries under the configured base DN.
Recommended: Create a dedicated read-only service account (e.g., cn=orbisid-reader,dc=example,dc=com).
Credential Mapping
| OrbisID Field | LDAP Value |
|---|---|
| credential.username | Bind DN (e.g., cn=admin,dc=example,dc=com) |
| credential.password | Bind password |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
| ldapBaseDn | Yes | — | Base DN for all searches (e.g., dc=example,dc=com) |
| ldapUseSsl | No | false | Set to true to connect via LDAPS (port 636) |
| ldapUserFilter | No | `(\|(objectClass=inetOrgPerson)(objectClass=person))` | LDAP search filter that selects user entries |
| ldapGroupFilter | No | `(\|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))` | LDAP search filter that selects group entries |
| ldapUsernameAttr | No | uid | Attribute that holds the username (use cn or sAMAccountName for some directories) |
| ldapGroupMemberAttr | No | member | Attribute on group entries that lists members by DN (use memberUid for posixGroup) |
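The user and group filters above are standard RFC 4515 search filters, and the most common cause of an empty scan is a filter that does not match the directory's object classes. The following is an added example, not OrbisID's own code: a small evaluator for the filter subset the defaults use (AND, OR, NOT, equality and presence), run over a constructed sample directory so a candidate `ldapUserFilter` or `ldapGroupFilter` can be checked offline before it is put into the system attributes. The entries, DNs and the `search` / `parse_filter` function names are all assumptions made for the example.

```python
# Added example (not OrbisID code): a minimal RFC 4515 filter evaluator covering
# the subset the connector's default filters use (AND, OR, NOT, equality and
# presence), run over a constructed sample directory so a candidate
# ldapUserFilter / ldapGroupFilter can be sanity-checked offline.
# Not supported: substring, >=, <=, ~=, extensible matches, or \xx escapes.

# Default filters from the System Attributes table.
DEFAULT_USER_FILTER = "(|(objectClass=inetOrgPerson)(objectClass=person))"
DEFAULT_GROUP_FILTER = ("(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)"
                        "(objectClass=posixGroup))")


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raises ValueError on bad syntax."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter at position %d" % pos)
    return node


def _parse(s, i):
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                      # (&(...)(...)) or (|(...)(...))
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if s[i] == "!":                       # (!(...))
        child, i = _parse(s, i + 1)
        return ("!", child), _expect_close(s, i)
    end = s.find(")", i)                  # simple item: (attr=value)
    if end < 0:
        raise ValueError("missing ')' for item at position %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("expected attr=value at position %d" % i)
    return ("=", attr.lower(), value), end + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at position %d" % i)
    return i + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {lowercased attr: [values]}.
    Values compare case-insensitively (caseIgnoreMatch, as objectClass uses);
    a value of '*' is a presence test."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [str(v) for v in entry.get(attr, [])]
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(entries, filter_text):
    """Return the DNs (in input order) of the entries matching filter_text,
    as a subtree search under the base DN would."""
    tree = parse_filter(filter_text)
    hits = []
    for dn, attrs in entries.items():
        lowered = {name.lower(): vals for name, vals in attrs.items()}
        if matches(tree, lowered):
            hits.append(dn)
    return hits


# Constructed sample directory: a person, a service account, a group and an OU.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "uid": ["alice"], "cn": ["Alice Example"]},
    "cn=orbisid-reader,ou=service,dc=example,dc=com": {
        "objectClass": ["simpleSecurityObject", "organizationalRole", "top"],
        "cn": ["orbisid-reader"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "top"], "cn": ["admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit", "top"]},
}

if __name__ == "__main__":
    print("users :", search(SAMPLE_ENTRIES, DEFAULT_USER_FILTER))
    print("groups:", search(SAMPLE_ENTRIES, DEFAULT_GROUP_FILTER))
    # Too narrow for this schema: the "No users found" troubleshooting case.
    print("posixAccount only:", search(SAMPLE_ENTRIES, "(objectClass=posixAccount)"))
```

With the sample entries, the default user filter returns only `alice`; the service account is an `organizationalRole`, not a `person`, so it is correctly left out, and a filter such as `(objectClass=posixAccount)` returns nothing at all, which is what the "No users found" symptom looks like. Substituting the attributes a real directory actually carries (taken from an LDAP browser) makes the same check meaningful for that schema.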
Network Requirements
| Requirement | Detail |
|---|---|
| Port 389 or 636 | Must be accessible from the OrbisID server or On-Premise Agent |
| LDAPS certificate | If using LDAPS, the directory server certificate must be trusted |
Configuration Steps
- Create or identify a read-only bind account in the directory
- Create a Credential in OrbisID:
  - Username: Full bind DN (e.g., cn=orbisid-reader,ou=service,dc=example,dc=com)
  - Password: Bind password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., OpenLDAP – ldap.example.com) |
| Hostname / IP | LDAP server hostname or IP |
| Port | 389 (LDAP) or 636 (LDAPS) |
| OS Type | LDAP |
| System Type | Directory Service |
| Credential | The bind account credential |
- Add the required ldapBaseDn system attribute and any optional schema configuration attributes
- Click Test Connection to verify bind and connectivity
- Click Save
Schema Configuration
Different LDAP implementations use different attribute names. Common adjustments:
- OpenLDAP: ldapUsernameAttr=uid, ldapGroupMemberAttr=member
- eDirectory: ldapUsernameAttr=cn, ldapGroupMemberAttr=member
- posixGroup: ldapGroupMemberAttr=memberUid (uid values, not DNs)
- groupOfUniqueNames: ldapGroupMemberAttr=uniqueMember
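The practical consequence of these schema differences is that group entries are joined back to user entries by different keys: `member` and `uniqueMember` hold full DNs, while `memberUid` holds bare username values that must be matched against `ldapUsernameAttr`. The following is an added example, not OrbisID's own code, that performs that join for each convention over constructed sample entries, reports member values that match no user entry, and reads the three disable/lock attributes listed under "What OrbisID Discovers". The function names, the sample DNs, the plain case-insensitive string comparison used for DNs, and the interpretation of the lock attributes (presence of `pwdAccountLockedTime`, boolean `nsAccountLock` / `loginDisabled`) are assumptions made for the example.

```python
# Added example (not OrbisID code): joins group entries back to user entries
# under each member-attribute convention the schema section lists, and reads
# the three disable/lock attributes from the "What OrbisID Discovers" table.
# member and uniqueMember carry full DNs; memberUid (posixGroup) carries bare
# username values, so the lookup key depends on ldapGroupMemberAttr.
# All entries are constructed sample data; DN and value comparison is a plain
# case-insensitive string compare (an assumption; real DN matching is richer).

DISABLED_ATTRS = ("pwdAccountLockedTime", "nsAccountLock", "loginDisabled")


def _lower(attrs):
    """Attribute names are case-insensitive in LDAP; key everything by lowercase."""
    return {name.lower(): vals for name, vals in attrs.items()}


def is_disabled(attrs):
    """True if the entry carries a disable/lock marker (assumed semantics:
    OpenLDAP ppolicy locks by the presence of pwdAccountLockedTime, 389 DS and
    eDirectory use boolean nsAccountLock / loginDisabled)."""
    lowered = _lower(attrs)
    for name in DISABLED_ATTRS:
        values = [str(v).strip().upper() for v in lowered.get(name.lower(), [])]
        if not values:
            continue
        if name == "pwdAccountLockedTime" or any(v in ("TRUE", "YES", "1") for v in values):
            return True
    return False


def resolve_memberships(users, groups, username_attr="uid", member_attr="member"):
    """Return (memberships, unresolved).

    memberships: group DN -> sorted usernames of members found among `users`
    unresolved : group DN -> member values that matched no user entry
    A group whose member_attr is absent yields an empty list, which is what a
    mismatched ldapGroupMemberAttr looks like in the "No group memberships" row.
    """
    uattr, mattr = username_attr.lower(), member_attr.lower()
    users_by_dn = {dn.lower(): _lower(attrs) for dn, attrs in users.items()}
    dn_by_name = {}
    for dn, attrs in users_by_dn.items():
        for name in attrs.get(uattr, []):
            dn_by_name[str(name).lower()] = dn
    memberships, unresolved = {}, {}
    for gdn, gattrs in groups.items():
        found, missing = [], []
        for value in _lower(gattrs).get(mattr, []):
            key = str(value).lower()
            # memberUid values are usernames; every other convention stores DNs.
            udn = dn_by_name.get(key) if mattr == "memberuid" else (
                key if key in users_by_dn else None)
            if udn is None:
                missing.append(value)
            else:
                found.extend(str(n) for n in users_by_dn[udn].get(uattr, []))
        memberships[gdn] = sorted(found)
        if missing:
            unresolved[gdn] = missing
    return memberships, unresolved


# Constructed users: one active, one locked by 389 DS, one locked by ppolicy.
USERS = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob"],
                                            "nsAccountLock": ["true"]},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": ["carol"], "cn": ["Carol"],
                                              "pwdAccountLockedTime": ["20240101000000Z"]},
}
# Constructed groups, one per convention; "dave" has no user entry.
GROUPS_BY_DN = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=dave,ou=people,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["UID=bob,OU=people,DC=example,DC=com"]},
}
GROUPS_POSIX = {
    "cn=wheel,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["10"], "memberUid": ["carol", "alice"]},
}

if __name__ == "__main__":
    print(resolve_memberships(USERS, GROUPS_BY_DN, "uid", "member"))
    print(resolve_memberships(USERS, GROUPS_BY_DN, "uid", "uniqueMember"))
    print(resolve_memberships(USERS, GROUPS_POSIX, "uid", "memberUid"))
    print("misconfigured:", resolve_memberships(USERS, GROUPS_POSIX, "uid", "member"))
    print({dn: is_disabled(attrs) for dn, attrs in USERS.items()})
```

Running the posixGroup sample with `member` instead of `memberUid` returns an empty membership list with nothing reported as unresolved, which is exactly the silent "No group memberships" outcome; keeping the unresolved values visible (here, the stale `dave` DN) also distinguishes a wrong attribute from a directory that merely contains dangling member references.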
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| LDAP bind failed – invalid credentials | Wrong bind DN or password | Verify the full bind DN (including dc components) and password |
| LDAP base DN not found | Wrong base DN | Check the base DN; test with an LDAP browser (Apache Directory Studio) |
| Connection error | Port blocked or server not listening | Verify host, port, and firewall rules |
| No users found | Wrong user filter or wrong base DN | Test the search filter with an LDAP browser using the same base DN |
| No group memberships | Wrong member attribute | Check whether groups use member, uniqueMember, or memberUid and set ldapGroupMemberAttr accordingly |
| Certificate error (LDAPS) | Untrusted server certificate | Install the LDAP server's CA certificate on the OrbisID host, or switch to port 389 for testing |