Active Directory / LDAP

Sign users in against your own directory. Verified in the sandbox against a real Samba AD domain controller.

▶ Single sign-on via OpenID Connect, federated through Keycloak to Active Directory.
▶ The same directory over SAML 2.0 — signed assertion verified by the server.

The control server follows the standard LDAP authentication flow: bind as a service account → search for the user → re-bind as the user → map attributes → provision the account just in time and issue a session. Configure it under System Setup → LDAP / Active Directory:

Field               Example (Active Directory)
Server URL          ldaps://dc.corp.example:636
Bind DN             CN=svc-tripwire,OU=Service,DC=corp,DC=example
Base DN             DC=corp,DC=example
User filter         (&(objectClass=user)(sAMAccountName=%s))
Email / Name attr   mail / displayName
Admin group DN      members get the admin role

Enable the ldap module, then users sign in via POST /auth/ldap/login.

OIDC / SAML

The System Setup screen also has OpenID Connect and SAML forms. LDAP/AD is the recommended SSO path today.