LDAP Profiles – Configure Directory Server Connections
Overview
The LDAP Profiles page manages connections to directory servers (LDAP, Active Directory, eDirectory, and others) for user authentication. Each profile defines how MideyeServer connects to a directory, which attributes identify users and their phone numbers, how groups are resolved, and what authentication methods are used.
LDAP profiles are referenced by RADIUS Clients to enable directory-based user lookup during authentication. The list page displays real-time connection status indicators for each configured profile.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, clone, or test connections)
Navigation: Home → Directory Settings → LDAP Profiles
| Role | View | Create / Edit / Delete | Clone | Test / Lookup |
|---|---|---|---|---|
| ROOT | ✅ | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ❌ | ❌ | ✅ (lookup only) |
Features & Configuration
Data Grid Columns
| Column | Description | Visibility |
|---|---|---|
| Server Name | Profile name with live connection status indicator (green/red) | Always |
| Host Name | Directory server hostname or IP address | Default |
| Port | Connection port (389 for LDAP, 636 for LDAPS) | Default |
| NPS Server | Associated Network Policy Server (clickable link) | Hidden by default |
| Action | Edit, Delete, Search User, Clone buttons | Always |
Action Buttons
| Action | Description | Role Required |
|---|---|---|
| Edit | Open the 7-tab edit form | Admin |
| Delete | Delete the profile | Admin |
| Clone | Create a duplicate profile | Admin |
| Search User | Look up a user in the directory | Any authenticated |
Create / Edit Form
The form has seven tabs and validates the LDAP connection on save.
Tab 1: General
Core connection settings for the directory server.
| Field | Type | Required | Validation | Default | Description |
|---|---|---|---|---|---|
| Server Name | Text | Yes | Max 255, unique | — | Unique name for this profile |
| Server Product | Select | Yes | — | ACTIVE_DIRECTORY | Directory server type |
| Host Name | Text | Yes | Max 255; cannot be IP when SSL enabled | — | Server hostname or IP |
| Port | Number | Yes | Min: 1, Max: 65535 | 389 | Connection port |
| DN | Text | Yes | Max 255 | — | Bind distinguished name |
| Password | Password | Yes | Max 255 | — | Bind password |
| Use SSL | Checkbox | No | — | Off | Enable LDAPS (auto-changes port to 636) |
| Skip Certificate Validation | Checkbox | No | — | Off | Skip SSL certificate verification (shown when SSL enabled) |
| Search Base | Multi-tag input | Yes | Min: 1 entry | — | Base DN(s) for user searches |
| NPS Server | Select | No | — | None | Associated Network Policy Server |
Server Product Values:
| Value | Description |
|---|---|
| ACTIVE_DIRECTORY | Microsoft Active Directory |
| E_DIRECTORY | Novell eDirectory |
| SUN_DIRECTORY_SERVER | Oracle/Sun Directory Server |
| LOTUS_DOMINO | IBM Lotus Domino |
| OPEN_LDAP | OpenLDAP |
| OTHER | Other LDAP server |
Server Product Behavioral Differences
The Server Product selection controls two things: which LDAP connection class the backend uses for authentication, and which UI tabs are available in the editor. In practice, the codebase treats this as a binary choice — Active Directory versus everything else.
Backend connection handling:
| Behavior | ACTIVE_DIRECTORY | All Other Products |
|---|---|---|
| Connection class | ActiveDirectoryConnection (subclass) | LdapConnection (base class) |
| Nested group search | AD-specific tokenGroups / objectSID binary attribute resolution | Standard DN-based memberOf matching |
| Remote access check | Reads AD msNPAllowDialin attribute to deny/allow dial-in access | No-op — the check never runs |
| Auth error handling | Parses AD-specific LDAP error sub-codes (e.g., 0x773 password-must-reset, 0x532 password-expired). Optionally allows login despite these conditions. | Simple exception — locks user (if locking enabled) and rejects authentication |
| Framed IP Address | Reads msRADIUSFramedIPAddress (AD-specific attribute) and includes it in the RADIUS response | Same code runs but the attribute will not exist on non-AD servers |
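The Auth error handling row above describes two behaviours: Active Directory profiles parse the hexadecimal sub-code that AD puts in its bind diagnostic message, while every other product gets a plain rejection. The following is an added example, not MideyeServer code, of that split; it extracts the `data NNN` field, maps 0x773 and 0x532 (the two codes the page names) to the Allow Password Reset and Allow Password Expired toggles from Tab 5, and treats all other codes as a reject. The remaining entries in the sub-code table are standard AD values assumed here rather than listed on this page, and the diagnostic string in the usage section is constructed, not captured from a server.

```python
import re
from typing import Optional, Tuple

# AD bind failures arrive as LDAP result 49 (invalidCredentials) with a
# diagnostic message whose "data NNN" field carries a hexadecimal sub-code.
# 0x773 and 0x532 are the two the documentation names; the rest are the
# other standard AcceptSecurityContext sub-codes (assumed, not from the page).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "password must be reset",
    0x775: "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")


def parse_ad_subcode(diagnostic: str) -> Optional[int]:
    """Extract the hexadecimal 'data' sub-code from an AD diagnostic message,
    or None when the message carries no such field."""
    m = _DATA_RE.search(diagnostic)
    return int(m.group(1), 16) if m else None


def classify_bind_failure(server_product: str, diagnostic: str,
                          allow_password_reset: bool = False,
                          allow_password_expired: bool = False) -> Tuple[str, str]:
    """Decide what a failed bind means for this profile.

    Returns ("accept" | "reject", reason). For any product other than
    ACTIVE_DIRECTORY the sub-code is ignored and the failure is a plain
    rejection, matching the 'All Other Products' column above.
    """
    if server_product != "ACTIVE_DIRECTORY":
        return ("reject", "authentication failed")
    code = parse_ad_subcode(diagnostic)
    reason = AD_BIND_SUBCODES.get(code, "authentication failed")
    # The Tab 5 toggles let two specific conditions through; everything
    # else (bad password, disabled, locked out) is always rejected.
    if code == 0x773 and allow_password_reset:
        return ("accept", reason)
    if code == 0x532 and allow_password_expired:
        return ("accept", reason)
    return ("reject", reason)


if __name__ == "__main__":
    # Constructed diagnostic string in the format AD uses; not captured from a live server.
    msg = ("80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, "
           "data 773, v3839")
    print(parse_ad_subcode(msg))
    print(classify_bind_failure("ACTIVE_DIRECTORY", msg, allow_password_reset=True))
    print(classify_bind_failure("OPEN_LDAP", msg, allow_password_reset=True))
```

Note that the decision is made on the sub-code only; whether a given failure also counts toward the Lock LDAP Users counter is a separate question this example does not model.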
Recommended attribute defaults by directory type:
The default attribute values are optimized for Active Directory. When connecting to a different directory type, adjust the following fields on the User Attributes and Group Attributes tabs:
| Attribute | Active Directory | eDirectory | Sun Directory | Lotus Domino | OpenLDAP |
|---|---|---|---|---|---|
| Object Class | person | Person | person | inetOrgPerson | inetOrgPerson |
| User ID Attributes | sAMAccountName; userPrincipalName | uid | uid | uid | uid |
| Mobile Phone Attributes | mobile | telephoneNumber | telephoneNumber | mobile | mobile |
| Group Class | group | groupOfNames | groupofuniquenames | groupOfNames | groupOfNames |
| Group Member | member | uniqueMember | uniqueMember | member | member |
Special Features:
- Fetch Search Base — Tests the connection and auto-populates the search base from the directory
- Lookup User — Opens a dialog to search for a user in the directory
- Fetch Certificate — Retrieves and displays the SSL certificate from the server (SSL mode only), with option to save it
Tab 2: User Attributes
Defines which LDAP attributes map to MideyeServer user properties.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Object Class | Text | Yes | person | LDAP object class for user entries |
| User ID Attributes | Multi-tag input | Yes | sAMAccountName, userPrincipalName | LDAP attributes containing the username |
| Mobile Phone Attributes | Multi-tag input | Yes | mobile | LDAP attributes containing the phone number |
| Token Number Attribute | Text | Yes | ipPhone | LDAP attribute for hardware token serial numbers |
| TOTP Secret Cipher Attribute | Text | No | — | LDAP attribute storing encrypted TOTP secrets |
| Enable RADIUS Translation | Checkbox | No | Off | Enable attribute-to-RADIUS-attribute translation |
| Enable Log Attributes | Checkbox | No | Off | Log LDAP attributes during authentication |
| Log Attributes List | Text | No | — | Comma-separated list of attributes to log (shown when logging enabled) |
| Log Level | Select | No | INFO | Log level for attribute logging (TRACE, DEBUG, INFO, WARN, ERROR) |
| Write Attributes in DB | Checkbox | No | Off | Persist logged attributes to the database |
The Verify button next to the TOTP Secret Cipher field tests write access to the specified LDAP attribute.
Tab 3: Group Attributes
Configures LDAP group membership resolution.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Groups | Dynamic list | No | — | LDAP group DNs to check for membership. Click “Add new group…” to add entries |
| Group Class | Text | Yes | group | LDAP object class for group entries |
| Group Member | Text | Yes | member | LDAP attribute identifying group members |
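The User Attributes and Group Attributes tabs, together with the per-product defaults table under Server Product Behavioral Differences, define what the directory lookup actually asks for: the Object Class ANDed with an OR over the User ID Attributes, the first non-empty Mobile Phone Attribute, and a membership filter built from Group Class and Group Member. The code below is an added example, not MideyeServer code, that composes those filters from the documented defaults for three of the products. The filter shapes are assumptions about how such a lookup is typically built; the RFC 4515 escaping is the standard way to keep a username containing filter metacharacters from changing the filter's structure. The sample entry in the usage section is constructed.

```python
from typing import Dict, List, Optional

# RFC 4515 escapes for values spliced into a search filter. Escaping is what
# keeps a username such as "*)(objectClass=*" from rewriting the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Per-product defaults, copied from the attribute-defaults table above.
PROFILE_DEFAULTS = {
    "ACTIVE_DIRECTORY": {
        "object_class": "person",
        "user_id_attributes": ["sAMAccountName", "userPrincipalName"],
        "mobile_attributes": ["mobile"],
        "group_class": "group",
        "group_member": "member",
    },
    "E_DIRECTORY": {
        "object_class": "Person",
        "user_id_attributes": ["uid"],
        "mobile_attributes": ["telephoneNumber"],
        "group_class": "groupOfNames",
        "group_member": "uniqueMember",
    },
    "OPEN_LDAP": {
        "object_class": "inetOrgPerson",
        "user_id_attributes": ["uid"],
        "mobile_attributes": ["mobile"],
        "group_class": "groupOfNames",
        "group_member": "member",
    },
}


def user_search_filter(profile: dict, username: str) -> str:
    """Filter that matches the user entry: the Object Class ANDed with an OR
    over every configured User ID Attribute."""
    value = escape_filter_value(username)
    id_attrs = profile["user_id_attributes"]
    terms = "".join(f"({attr}={value})" for attr in id_attrs)
    if len(id_attrs) > 1:
        terms = f"(|{terms})"
    return f"(&(objectClass={profile['object_class']}){terms})"


def group_membership_filter(profile: dict, user_dn: str) -> str:
    """Filter that returns the groups of the configured Group Class whose
    Group Member attribute lists the user's DN (direct membership only;
    nested AD groups are resolved differently, per the table above)."""
    return (f"(&(objectClass={profile['group_class']})"
            f"({profile['group_member']}={escape_filter_value(user_dn)}))")


def first_mobile_number(profile: dict, entry: Dict[str, List[str]]) -> Optional[str]:
    """Pick the phone number from a fetched entry: the first non-empty value
    of the first configured Mobile Phone Attribute that has one."""
    for attr in profile["mobile_attributes"]:
        for value in entry.get(attr) or []:
            if value and value.strip():
                return value.strip()
    return None


if __name__ == "__main__":
    ad = PROFILE_DEFAULTS["ACTIVE_DIRECTORY"]
    print(user_search_filter(ad, "jdoe"))
    # Filter metacharacters in the input are escaped, not interpreted.
    print(user_search_filter(ad, "*)(objectClass=*"))
    print(group_membership_filter(ad, "CN=jdoe,OU=Users,DC=corp,DC=local"))
    # Constructed sample entry, not data from a real directory.
    print(first_mobile_number(ad, {"mobile": ["+46 70 123 45 67"]}))
```

Switching the product key from ACTIVE_DIRECTORY to E_DIRECTORY or OPEN_LDAP changes every generated filter, which is the practical reason the page tells you to revisit both tabs when the directory type is not Active Directory.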
Tab 4: Authentication
Controls default authentication behavior for users in this directory.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Default Auth Type | Select | Yes | TOUCH_MOBILE | Default MFA method for directory users |
| Default Message Type | Select | Yes | FLASH_SMS | OTP delivery method |
| Read Optional Attributes | Checkbox | No | Off | Read per-user auth type from the directory |
| Auth Type Attribute | Text | No | pager | LDAP attribute for per-user auth type (shown when Read Optional enabled) |
| Message Type Attribute | Text | No | — | LDAP attribute for per-user message type |
| Department Attribute | Text | No | — | LDAP attribute for department info |
| Password Compare | Text | No | — | LDAP attribute for local password comparison |
| Lock LDAP Users | Checkbox | No | On | Enable account locking after failed attempts |
| Max Failed Attempts | Number | Yes | 10 | Failed attempts before locking (Min: 1, Max: 100) |
| Minutes Locked | Number | Yes | 1 | Lock duration in minutes. -1 = permanent lock (Min: -1, Max: 1440) |
Authentication Type Values:
| Value | Description |
|---|---|
| PASSWORD | Password only (single factor) |
| MOBILE | SMS OTP to mobile phone |
| TOKEN | Hardware token OTP |
| CONCAT | Password + OTP concatenated |
| PLUS | Mideye Plus app signing |
| TOUCH | Touch approval notification |
| TOUCH_PLUS | Touch with Plus fallback |
| TOUCH_MOBILE | Touch with SMS fallback |
Tab 5: Active Directory
Active Directory–specific settings. This tab is enabled only when Server Product is ACTIVE_DIRECTORY or OTHER.
| Field | Type | Default | Description |
|---|---|---|---|
| Check Remote Access Flag | Checkbox | Off | Check the AD “dial-in” remote access permission |
| Allow Password Reset | Checkbox | Off | Allow password reset through RADIUS |
| Allow Password Expired | Checkbox | Off | Allow authentication when AD password is expired |
| Search Nested Groups | Checkbox | Off | Recursively search nested group memberships |
| Use Framed IP Address | Checkbox | Off | Include Framed-IP-Address attribute from AD |
Tab 6: Number Correction
Automatic phone number formatting for directory-sourced numbers.
| Field | Type | Default | Description |
|---|---|---|---|
| Auto Correction | Checkbox | Off | Enable automatic phone number correction |
| International Prefix | Text | +46 | Country code prefix to add (shown when auto-correction enabled) |
| Remove Leading Zero | Checkbox | On | Strip leading zero from national numbers |
| Keep Parentheses | Checkbox | Off | Preserve parentheses in phone numbers |
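The four options above describe a normalisation step, but the table cannot show how they interact on a real value. The function below is an added example, not MideyeServer's implementation, of one consistent reading of those options: separators are dropped, a leading 00 or + marks the number as already international, the national leading zero is removed before the International Prefix is prepended, and parentheses are either stripped (with the written-only "(0)" trunk prefix discarded) or preserved. Exactly how MideyeServer handles each of these cases is an assumption; the sample values are constructed.

```python
import re


def correct_number(raw: str, auto_correction: bool = True,
                   international_prefix: str = "+46",
                   remove_leading_zero: bool = True,
                   keep_parentheses: bool = False) -> str:
    """Normalise a directory-sourced phone number using the four Number
    Correction options. The option semantics are assumptions about how such
    a feature behaves, not MideyeServer's implementation."""
    if not auto_correction:
        return raw                       # feature off: number used as stored
    number = raw.strip()
    if not keep_parentheses:
        # "(0)" is the written-only trunk prefix in "+46 (0)70 ..." and is never dialled.
        number = re.sub(r"\(\s*0\s*\)", "", number)
        allowed_extra = "+"
    else:
        allowed_extra = "+()"
    # Drop spaces, hyphens, dots and any other separators.
    number = "".join(ch for ch in number if ch.isdigit() or ch in allowed_extra)
    if number.startswith("00"):          # 00 is the international dialling prefix
        number = "+" + number[2:]
    if number.startswith("+"):
        return number                    # already international: leave as-is
    if remove_leading_zero and number.startswith("0"):
        number = number[1:]              # national trunk prefix is not part of E.164
    return international_prefix + number


if __name__ == "__main__":
    # Constructed sample values as they might appear in a 'mobile' attribute.
    for sample in ["070-123 45 67", "+46 (0)70 123 45 67", "0046701234567"]:
        print(f"{sample!r:>24} -> {correct_number(sample)}")
```

Running the three samples shows why the default (Remove Leading Zero on, Keep Parentheses off) is the one that produces a dialable E.164 number for a Swedish directory; turning Remove Leading Zero off yields +460701234567, which an SMS gateway will not deliver.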
Tab 7: Advanced
Connection timeout and performance settings.
| Field | Type | Required | Validation | Default | Description |
|---|---|---|---|---|---|
| Connect Timeout | Number (seconds) | Yes | Min: 1, Max: 10 | 2 | Connection timeout in seconds |
| Read Timeout | Number (seconds) | Yes | Min: 1, Max: 10 | 10 | Read operation timeout in seconds |
Dialogs
User Lookup Dialog
Search for a user in the configured directory to verify connectivity and attribute mapping.
- Enter a username.
- Click Search.
- If found, the user’s LDAP attributes are displayed.
Fetch Certificate Dialog
Available when SSL is enabled. Connects to the directory server and retrieves its SSL certificate.
- Certificate details are displayed (subject, issuer, validity).
- Enter a certificate alias.
- Click Save to store the certificate in MideyeServer’s trust store.
TOTP Attribute Verification Dialog
Tests that MideyeServer can write to the specified TOTP secret LDAP attribute.
- Enter a test username.
- Click Verify.
- Displays success or failure with error details.
Common Use Cases
Connecting to Active Directory
- Click Add New.
- Set Server Product to ACTIVE_DIRECTORY.
- Enter the hostname and port (389 or 636 for SSL).
- Enter the bind DN (e.g., CN=svc-mideye,OU=Service,DC=corp,DC=local) and password.
- Click Fetch Search Base to auto-detect the base DN, or enter it manually.
- On the User Attributes tab, verify the default AD attributes are correct.
- On the Authentication tab, set the default MFA method.
- Click Save (connection is tested automatically).
Enabling User Locking
- Edit the LDAP profile.
- Go to the Authentication tab.
- Enable Lock LDAP Users.
- Set Max Failed Attempts (e.g., 5) and Minutes Locked (e.g., 15).
- Save.
- Locked users appear on the Locked Users page.
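The Lock LDAP Users, Max Failed Attempts and Minutes Locked fields on the Authentication tab, and the steps just above, describe a lockout policy whose edge cases (the -1 permanent lock, expiry of a timed lock, a success arriving while locked) are easiest to see in code. The tracker below is an added example, not MideyeServer code, that models that policy with the documented ranges and defaults; how MideyeServer actually stores lock state, and whether a lock expiring resets the counter, are assumptions. Timestamps are epoch seconds so the behaviour can be exercised offline.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockPolicy:
    """The three Authentication-tab lock settings with their documented ranges."""
    lock_ldap_users: bool = True
    max_failed_attempts: int = 10   # Min: 1, Max: 100
    minutes_locked: int = 1         # -1 = permanent; Min: -1, Max: 1440

    def __post_init__(self) -> None:
        if not 1 <= self.max_failed_attempts <= 100:
            raise ValueError("Max Failed Attempts must be between 1 and 100")
        if not -1 <= self.minutes_locked <= 1440:
            raise ValueError("Minutes Locked must be between -1 and 1440")


@dataclass
class _UserState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None   # epoch seconds, None when not locked


class LockoutTracker:
    """In-memory stand-in (an assumption) for the per-user lock state that
    MideyeServer keeps; the Locked Users page would list locked_users()."""

    def __init__(self, policy: LockPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, _UserState] = {}

    def is_locked(self, username: str, now: float) -> bool:
        state = self._users.get(username)
        if state is None or state.locked_at is None:
            return False
        if self.policy.minutes_locked == -1:
            return True                       # permanent: only a manual unlock clears it
        if now - state.locked_at < self.policy.minutes_locked * 60:
            return True
        del self._users[username]             # lock expired: counter starts over
        return False

    def record_failure(self, username: str, now: float) -> bool:
        """Register a failed attempt; returns True if the user is now locked."""
        if not self.policy.lock_ldap_users:
            return False                      # locking disabled: nothing is counted
        if self.is_locked(username, now):
            return True
        state = self._users.setdefault(username, _UserState())
        state.failed_attempts += 1
        if state.failed_attempts >= self.policy.max_failed_attempts:
            state.locked_at = now
            return True
        return False

    def record_success(self, username: str, now: float) -> bool:
        """Register a successful credential check; returns False if the user
        is locked (the success must not be honoured), True otherwise."""
        if self.is_locked(username, now):
            return False
        self._users.pop(username, None)       # success resets the failure counter
        return True

    def unlock(self, username: str) -> None:
        """Manual unlock, as done from the Locked Users page."""
        self._users.pop(username, None)

    def locked_users(self, now: float) -> List[str]:
        return sorted(u for u in list(self._users) if self.is_locked(u, now))


if __name__ == "__main__":
    # The values from the use case above: 5 attempts, 15 minutes.
    tracker = LockoutTracker(LockPolicy(max_failed_attempts=5, minutes_locked=15))
    t = time.time()
    for _ in range(5):
        tracker.record_failure("alice", t)
    print(tracker.locked_users(t))            # ['alice']
    print(tracker.is_locked("alice", t + 15 * 60))
```

The record_success check matters: a correct password presented during the lock window must still be refused, otherwise the lock only slows an attacker down rather than stopping the attempt.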
Setting Up RADIUS Attribute Translation
- Edit the LDAP profile.
- Go to the User Attributes tab.
- Enable Enable RADIUS Translation.
- Save.
- Configure translation rules on the RADIUS Translation page.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Connection indicator red | Server unreachable or wrong credentials | Verify hostname, port, bind DN, and password |
| SSL connection fails | Certificate not trusted | Fetch and save the certificate, or enable Skip Certificate Validation for testing |
| Users not found | Wrong search base or object class | Verify search base and object class on the User Attributes tab |
| Cannot save — connection test fails | Server unreachable during validation | Check network connectivity to the directory server |
| Phone numbers incorrect | Number format issues | Configure auto-correction on the Number Correction tab |
| Group membership not resolved | Wrong group class or member attribute | Verify Group Class and Group Member attributes on the Group Attributes tab |
Related Pages
- RADIUS Clients — Assign LDAP profiles to RADIUS clients
- Entra ID Profiles — Configure Microsoft Entra ID directories
- RADIUS Translation — Map LDAP attributes to RADIUS response attributes
- Locked Users — View and unlock users locked by failed authentication attempts
- Network Policy Servers — Configure NPS servers for delegated authentication