LDAP

Menu path: Configuration > Policies and Access Control > Authentication Sources > Internal > LDAP, or Google Workspace LDAP, or Edirectory.

This form of authentication uses one or more LDAP domain controllers (as defined by the Associated Realms parameter) to authenticate a user. LDAP is used by A3 to interface with Active Directory. Special preparation is necessary to utilize a Google Workspace.

The fields in an AD/LDAP definition in the General tab are:

Field Name	Usage	Example
Name	The name of the authentication source.	CorpAD
Description	Optional description of the source.	Corporate AD authentication
Host	A comma-separated list of host name or IP addresses of the AD/LDAP controllers to be queried, along with the port to be used and the type of encryption to be applied. The default port for LDAP is 389 and can change based on the type of encryption used. The choices for encryption are None, SSL, and Start TLS.	ad.company.com,ad1.company.com:389 None
Dead Duration	The amount of time, in seconds, before the server is considered as non-responsive and retried. When specifying multiple LDAP servers or a DNS name pointing to multiple IPs, this option can be used to offer more consistent fail over. A value of 0 disables this feature.	60
Connection Timeout	The timeout, in seconds, for connection establishment to the directory.	1
Request Timeout	The timeout, in seconds, for a request acknowledgment from the directory.	5
Response Timeout	The timeout, in seconds, for a response from the directory.	10
Base DN	The base location in the directory where search queries will be performed.	CN=Users,DC=ah-lab,DC=com
Scope	Specifies the extent of the search. The choices are: Base object - only the object at the Base DN One level - only the objects at the same level as the Base DN Subtree - all objects beneath the Base DN Children - the immediate children of the Base DN	Subtree
User Name Attribute	The name of the attribute within the records to match against, chosen from a list of attributes. Usually sAMAccountName.	sAMAccountName
Search Attributes	Other attributes that can be used as the username, chosen from a list of attributes. The radiusd server should be restarted using Status>Services if this changes.
Append Search Attributes LDAP filter	Only used for the generic LDAP definition.
Email Attribute	The name of the attribute with the user's email address.	mail
Bind DN	The user account that performs the lookup in distinguished name (DN) format. For Google Workspace integration, this is the access credential's user name provided in Google Workspace LDAP Integration, step 1.	CN=A3User,CN=Users,DC=ah-lab,DC=com
Password	The password for the Bind DN. Buttons are provided for visibility and test. The button tests if the settings and password are correct. For Google Workspace integration, this is the access credential's password provided in Google Workspace LDAP Integration, step 1.	password
Cache Match	If enabled, A3 will cache the results of a matching rule.
Monitor	If enabled, A3 will ping the AD server periodically to ensure that it is online and responsive.
Shuffle	If there are multiple LDAP/AD servers to query, a random server will be chosen for every lookup request.
Associated Realms	The realms associated with the AD authentication source. Realms are discussed in Domains and Realms.	default,null
Authentication Rules	Indicates when the authentication is triggered and the actions to be performed when the authentication is satisfied. Authentication rules are covered in detail in Authentication Rules.
Administration Rules	Indicates the administrative actions to be performed when the authentication is satisfied. Administration rules are covered in detail in Administration Rules.

The fields in an AD/LDAP definition in the Client Certificate tab are: