The LDAP Organizational Identity Source Plugin is designed to integrate with an LDAP server.


Org Identity Source ModeSupport
Manual Search and LinkingSupported
Enrollment, AuthenticatedNot supported
Enrollment, ClaimNot supported
Enrollment, SearchSupported
Enrollment, SelectSupported
Org Identity Sync ModeSupport
FullSupported, with restrictions


This is a non-core plugin, see Installing and Enabling Registry Plugins for more information.

This plugin requires PHP 5.6 or later (for ldap_escape).

(info) PHP 7.2 or later is recommended when integrating with Active Directory (for JSON_INVALID_UTF8_SUBSTITUTE).


The LDAP Source Plugin supports both anonymous and authenticated binds.

Key Attribute

An attribute (the Key Attribute) containing a unique key is required. The value of this attribute should be persistent and not change under any circumstances. There should only ever be exactly one value for this attribute. While dn can be used, many LDAP deployments allow DNs to be changed, for reasons such as being based on a name, or a structural change of the LDAP server itself. If DNs are not persistent, then a different attribute (such as employeeNumber, if suitable) should be used.

Search Filter

By default, the Plugin will search for all records under the Base DN. However, under some circumstances it may be desirable to further filter searches, such as to exclude inactive entries. This is done by setting the Search Filter configuration. The Search Filter will be AND'd together with any search operation performed by the Plugin. Be sure to include the parentheses in the filter definition, and also to escape any special characters within the filter values.

An example search filter, to constrain searches against Active Directory to active users: (!(userAccountControl=514))

UID Attribute

The LDAP Source Plugin can select an arbitrary attribute from the LDAP record to assign to the Org Identity as an Identifier of type UID. This is intended as an interim capability until a more general solution is implemented (CO-1346).

Supported Attributes

The following attributes are currently supported by LdapSource:

LDAP AttributeOrg Identity Source Attribute
employeenumberIdentifier/identifier, type=Enterprise
givennameName/given, type=Official
lAddress/locality, type=Office
mailEmailAddress/mail, type=Official, verified
postalcodeAddress/postal_code, type=Office
snName/family, type=Official
stAddress/state, type=Office
streetAddress/street, type=Office
telephonenumberTelephoneNumber/number, type=Office


Full syncs are dependent on the LDAP server having sufficiently high search limits to allow the full directory to be read, or for binding to be performed with a Bind DN with unlimited search permission.

Wildcards are not supported in searches (though they are supported in the Search Filter). All searches will be prefix searches (ie: foo*).

See Also