UniFi Identity Enterprise - Integrate LDAP with UniFi Identity Enterprise

UniFi Identity Enterprise administrators can enable and configure Directory Integration to import users from Lightweight Directory Access Protocol (LDAP) to UniFi Identity Enterprise and allow users to sign in to their Identity Enterprise Workspace using their LDAP credentials.

Requirements

Before you can integrate your LDAP with UniFi Identity Enterprise, make sure:

  1. You have subscribed to the Identity Enterprise Standard Plan or have applied for a plan add-on.
    • Use your owner account to sign in to Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to Settings > Plan & Billing to subscribe to the Identity Enterprise Standard Plan.
    • Use your owner account to sign in to Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-On to apply for a free trial of this feature.
  2. You have updated your Identity Enterprise Agent to v1.54.1 or later.
  3. You have an LDAP server. Refer to Microsoft's documentation for more details.

Integrate LDAP with UniFi Identity Enterprise

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Click Directory Integration, then click Add Directory (if this is the first directory added to UniFi Identity Enterprise) or New Directory (if one already exists).
  3. Select the LDAP Directory in the Type field.
  4. Fill in the required LDAP information.
  5. In the advanced settings, configure your LDAP integration manually or automatically.
  6. Enter an LDAP user's email and click Test Configuration to confirm that the user properties and group memberships you expect are actually fetched from your LDAP instance.
  7. Click Add.

Integrate JumpCloud LDAP with UniFi Identity Enterprise

Notes

  • Make sure you have met the requirements mentioned above.
  • Make sure you have updated your Identity Enterprise Agent to v1.54.1 or later.
  • Refer to Using JumpCloud's LDAP-as-a-Service to learn more about the required settings.
  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to Organization > Directory Integration and click Add Directory.
  3. Select "JumpCloud LDAP" from the Type field.
  4. Select on which UniFi Console you want to set up this service.
  5. Enter the required information:
    • Hostname: ldap.jumpcloud.com
    • Use SSL Connection: Ticked by default.
    • Port: 636 entered by default.
    • Root DN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    • Base DN: uid=LDAP_BIND_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    • Password: Enter the password of the LDAP binding user.
  6. Configure the advanced settings by selecting "Auto" or "Manual". Refer to Configure LDAP Integration below for details.
  7. Click Add.

Integrate Google Secure LDAP with UniFi Identity Enterprise

Notes

  • Make sure you have met the requirements mentioned above.
  • Make sure you have updated your Identity Enterprise Agent to v1.54.1 or later.
  • To create a client using Google's secure LDAP service, follow the instructions here.
  1. On your Identity Enterprise Manager, go to Organization > Directory Integration and click Add Directory.
  2. Select "Google Secure LDAP" from the Type field.
  3. Select on which UniFi Console you want to set up this service.
  4. Enter the required information:
    • Hostname: Enter the hostname of Google Secure LDAP. For example: ldap.google.com.
    • Use SSL Connection: Ticked by default.
    • SSL Port:
      • 389 for LDAP with StartTLS enabled.
      • 636 for LDAPS (SSL/TLS enabled).
    • Root DN: Your domain in DN format. For example: if your domain is "example.com", please enter dc=example,dc=com.
    • Username and Password: Generate a username and password in the Google Admin console:
      1. Sign in to your Google Admin console.
      2. Go to Apps > LDAP.
      3. Select a client.
      4. Click the Authentication card.
      5. Click GENERATE NEW CREDENTIALS. You can then view the password in the Access credentials window. Refer to Generate access credentials for details.
  5. Upload the client certificate and key file.
    1. Download the certificates:
      1. Sign in to your Google Admin console.
      2. Go to Apps > LDAP.
      3. Select a client.
      4. Click the Authentication card.
      5. Click GENERATE NEW CERTIFICATES.
      6. Download the certificate from the Certificates window.
    2. Extract the .zip file into two separate files: .crt and .key.
    3. Go back to Identity Enterprise Agent, upload the .crt file to the Client Certificate field and upload the .key file to the Key File field.
  6. Configure the advanced settings by selecting "Auto" or "Manual". Refer to Configure LDAP Integration below for details.
  7. Click Add.

Configure LDAP Integration Settings

After you have integrated your LDAP with UniFi Identity Enterprise, you will need to configure LDAP integration by going to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > Organizations > Directory Integration and selecting the LDAP directory.

General Information

  • Name this directory.
  • LDAP Version: Select your vendor.
    • Vendor-specific configuration templates are provided and their settings are pre-populated. If your LDAP vendor is not on the list, complete the configuration fields manually.
    • Because each LDAP environment is unique, please confirm the default values using an LDAP browser such as Apache Directory Studio.
    • All configuration fields must contain values.

LDAP Settings

  • LDAP Version: Select an LDAP version to pre-populate the fields below.
  • Unique Identifier Attribute: Specify the unique immutable attribute of all LDAP objects that will be imported (users and groups). Only objects possessing this attribute can be imported into your UniFi Identity Enterprise organization. UniFi Identity Enterprise populates this field automatically based on your chosen LDAP version. You can change the auto-populated value during the initial setup. If your LDAP server implements RFC, make sure to enter entryuuid in this field. For AD LDS, use objectguid.
  • User Search Base: The DN of the container for user searches (that is, the root of the user subtree). This is the base DN of the container that holds all users to be imported to your UniFi Identity Enterprise organization.
  • User Object Class: The objectClass of a user that UniFi Identity Enterprise uses in its query when importing users. For example, inetorgperson, posixaccount, posixuser.
  • User Object Filter: By default, UniFi Identity Enterprise auto-populates this field with the objectClass (objectClass=<objectClass name>). This must be a valid LDAP filter.
  • Group Search Base: The DN of the container for group searches (that is, the root of the group subtree) that holds all groups to be imported to your UniFi Identity Enterprise organization.
  • Group Object Class: The objectClass of a group that UniFi Identity Enterprise uses in its query when importing groups. For example, groupofnames, groupofuniquenames, posixgroup.
  • Group Object Filter: By default, UniFi Identity Enterprise auto-populates this field with the objectClass of the group (objectClass=<objectClass name>).
  • Member Attribute: The attribute containing all the member DNs.
  • User Attribute (Optional): UniFi Identity Enterprise uses the member attribute on the group object to determine the user group memberships at runtime. Unless your group object and group filter are respectively posixGroup and (objectclass=posixGroup), leave the user attribute field empty. In the case where you are using posixGroup, we recommend that you configure the member attribute value to memberuid and the user attribute value to UniFi Identity Enterprise.
  • Example Email: Verify the settings by entering the email here to confirm that the required user attributes and group memberships can be properly obtained from LDAP.
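
The following is an added, offline model of how the settings above interact; it is not UniFi's code. It uses a constructed sample directory and assumes `uid` as the user attribute for the posixGroup case (memberUid values are uid values by convention); it shows that an entry without the Unique Identifier Attribute is skipped, and how membership is resolved by member DN (groupOfNames) versus by user attribute (posixGroup).

```python
from typing import Dict, List

# Constructed sample directory (not real data): DN -> attributes, multi-valued as lists.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"],
        "mail": ["alice@example.com"], "entryUUID": ["11111111-0000-0000-0000-000000000001"]},
    "uid=bob,ou=Users,dc=example,dc=com": {  # no entryUUID: cannot be imported
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "mail": ["bob@example.com"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "entryUUID": ["22222222-0000-0000-0000-000000000002"],
        "member": ["uid=alice,ou=Users,dc=example,dc=com"]},
    "cn=devs,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "entryUUID": ["33333333-0000-0000-0000-000000000003"],
        "memberUid": ["alice", "bob"]},
}

# Two settings templates mirroring the article's fields (hypothetical values).
GROUPOFNAMES_CFG = {"group_search_base": "ou=Groups,dc=example,dc=com",
                    "group_object_class": "groupOfNames",
                    "member_attribute": "member", "user_attribute": None}
POSIXGROUP_CFG = {"group_search_base": "ou=Groups,dc=example,dc=com",
                  "group_object_class": "posixGroup",
                  "member_attribute": "memberUid", "user_attribute": "uid"}  # assumption: uid

def _under(dn: str, base: str) -> bool:
    # Simplified DN comparison: case-folded suffix match, no RFC 4514 normalisation.
    return dn.lower().endswith("," + base.lower())

def _has_class(entry: Dict[str, List[str]], cls: str) -> bool:
    return cls.lower() in (c.lower() for c in entry.get("objectClass", []))

def importable_users(search_base: str, object_class: str, unique_id_attr: str) -> List[str]:
    """DNs under the search base with the object class AND the unique identifier attribute."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if _under(dn, search_base) and _has_class(e, object_class)
                  and e.get(unique_id_attr))

def group_memberships(user_dn: str, cfg: dict) -> List[str]:
    """Groups whose member attribute references the user, by DN or by the user attribute."""
    user = DIRECTORY[user_dn]
    if cfg["user_attribute"]:
        wanted = {v.lower() for v in user.get(cfg["user_attribute"], [])}
    else:
        wanted = {user_dn.lower()}
    return sorted(dn for dn, g in DIRECTORY.items()
                  if _under(dn, cfg["group_search_base"])
                  and _has_class(g, cfg["group_object_class"])
                  and wanted & {m.lower() for m in g.get(cfg["member_attribute"], [])})
```

Running the same user through both templates is a quick way to see why the User Attribute field must stay empty unless the group class is posixGroup: with it set, DN-based member values never match.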

Validate LDAP Settings

  1. Before updating your configuration, validate your settings by entering an email to confirm that the user properties and group memberships you expect will be properly fetched from your instance.
  2. Click Test Configuration.
  3. Click Save when the configuration test is successful.

Note: You can modify the configurations in the Provisioning > Integration tab when the integration configuration is completed.