
UniFi Identity - Integrate AD/LDAP with UniFi Identity

UniFi Identity lets you connect and import users from LDAP, Active Directory (AD), or Microsoft Entra ID. This integration allows users to sign in to their UniFi Console using their existing directory credentials.

Notes:

  • This feature is currently in Early Access.
  • Entra ID currently does not support Delegated Authentication.
  • For a successful user import to Identity, the AD, LDAP, or Entra ID user must have a first name, last name, and email address.
    • If a user's first or last name in AD, LDAP, or Entra ID is empty, the import to Identity will fail. Currently, no error notification is provided in such cases.
  • If an AD, LDAP, or Entra ID user's first and last name, or email address, matches an existing UniFi OS user, their accounts will be merged when imported to Identity.
    • If the UniFi OS user's email is linked to a UI SSO Account, the email address from Entra ID will not replace it during the import.
    • If the UniFi OS user's email is not linked to a UI SSO Account, the email address from Entra ID will replace it during the import.
    • If multiple users in AD, LDAP, or Entra ID have the same first name, last name, and email address that match a UniFi OS user, only the first user will be imported successfully. The rest will fail to import. To avoid this, modify the user's name in UniFi OS, UI Account, or AD/LDAP, or change the email in Microsoft 365.

Requirements

  • UniFi OS 4.1

Integrate LDAP with UniFi Identity

  1. Go to your OS Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click Set Up and select LDAP from the Type dropdown menu.
  3. Fill in the required LDAP information.
    • LDAP Server: Enter your LDAP domain name or IP address.
    • Use SSL Connection: Enable SSL connection if your LDAP server requires it.
    • Root DN: Enter your domain in DN format. For example, if your domain is "example.com", enter dc=example,dc=com.
    • Bind DN: Enter the distinguished name of the bind LDAP user that is used to connect to the LDAP directory by the agent. For example, cn=admin,cn=users,dc=example,dc=com.
    • Password: Enter the password of the LDAP bind user.
  4. Click Add.
  5. Select Sync Scope.
    • All: Import all users from your directory.
    • Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
  6. Click Start Syncing.
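The Root DN and Bind DN entered above (and the Base DN used by the JumpCloud integration later in this article) are LDAP distinguished names, and a Bind DN that does not sit under the Root DN, or an RDN with a typo, is a common reason the directory connection fails with no useful error. The following Python is an added example, not Ubiquiti's code: it derives the Root DN from a domain name exactly as the step describes, parses DNs per RFC 4514 (including values with escaped commas), and confirms the Bind DN lies under the Root DN before the values are typed into the form. The function names are this example's own.

```python
"""Pre-flight checks for the DN values in the Directory Integration form.

Added example (not Ubiquiti code): derive the Root DN from a domain, parse
distinguished names, and confirm the Bind DN sits under the Root DN.
"""
import re


def domain_to_dn(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com', the Root DN format the form expects."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


# One RDN is attribute=value; a backslash escapes the next character, so
# 'cn=Smith\, John' is a single RDN even though its value contains a comma.
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^,\\])*?)\s*$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Raises ValueError on an empty value or a missing '=' (the usual typos).
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        match = _RDN_RE.match(rdn)
        if match is None:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = match.group(1).lower(), match.group(2)
        if not value:
            raise ValueError(f"empty value for {attr!r} in {dn!r}")
        rdns.append((attr, value))
    return rdns


def is_under(child_dn: str, base_dn: str) -> bool:
    """True if child_dn is base_dn itself or lies beneath it in the tree.

    dc, cn and ou use case-insensitive matching, so values are compared lowercased.
    """
    child = [(a, v.lower()) for a, v in parse_dn(child_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(child) >= len(base) and child[len(child) - len(base):] == base


def check_form(root_dn: str, bind_dn: str) -> list[str]:
    """Return a list of problems; an empty list means the values look consistent."""
    problems = []
    for label, dn in (("Root DN", root_dn), ("Bind DN", bind_dn)):
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if not problems and not is_under(bind_dn, root_dn):
        problems.append("Bind DN is not under the Root DN; the bind user would not be found in this tree")
    return problems


if __name__ == "__main__":
    root = domain_to_dn("example.com")
    for problem in check_form(root, "cn=admin,cn=users,dc=example,dc=com"):
        print(problem)
```

The check is deliberately syntactic: it catches the values that can never work, so that when the bind still fails the remaining suspects are the password, the SSL setting and the server's own access controls.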

Integrate Google Secure LDAP with UniFi Identity

To create a client using Google's secure LDAP service, follow the instructions here.

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click Set Up and select Google Secure LDAP from the Type dropdown menu.
  3. Fill in the required LDAP information.
    • Hostname: Enter the hostname of your Google Secure LDAP, such as ldap.google.com.
    • Port: Enter 389 for LDAP with StartTLS enabled and 636 for LDAPS with SSL/TLS enabled.
    • Root DN: Enter your domain in DN format. For example, if your domain is "example.com", enter dc=example,dc=com.
    • Username and Password: Generate a username and password in the Google Admin console.
      1. Sign in to your Google Admin console and go to Apps > LDAP > select a client > Authentication > GENERATE NEW CREDENTIALS.
      2. You can find the password in the Access credentials window. See Generate access credentials for details.
  4. Upload the Client Certificate and Key File.
    1. Sign in to your Google Admin console and go to Apps > LDAP > select a client > Authentication > GENERATE NEW CERTIFICATES.
    2. Download the certificate from the Certificates window.
    3. Extract the .zip file to two separate files: .crt and .key.
    4. Go back to Identity, upload the .crt file to the Client Certificate field, and upload the .key file to the Key File field.
  5. Click Add.
  6. Select Sync Scope.
    • All: Import all users from your directory.
    • Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
  7. Click Start Syncing.

Integrate JumpCloud LDAP with UniFi Identity

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click Set Up and select JumpCloud LDAP from the Type dropdown menu.
  3. Fill in the required LDAP information.
    • Hostname: ldap.jumpcloud.com
    • Use SSL Connection: This is ticked by default.
    • Port: 636 is entered by default.
    • Base DN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
    • Bind DN: Enter the distinguished name of the bind LDAP user that is used to connect to the LDAP directory by the agent. For example, uid=LDAP_BIND_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com, where LDAP_BIND_USER is your JumpCloud username.
    • Password: Enter the password of the LDAP bind user.
  4. Click Add.
  5. Select Sync Scope.
    • All: Import all users from your directory.
    • Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
  6. Click Start Syncing.

Integrate Microsoft Entra ID with UniFi Identity

To integrate Microsoft Entra ID with Identity, please first create an application for Identity in your Microsoft Entra admin center.

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click Set Up and select Microsoft Entra ID from the Type dropdown menu.
  3. Fill in the required Entra ID information.
  4. Click Add.
  5. Select Sync Scope.
    • All: Import all users from your directory.
    • Specific Groups: Import only users that belong to the selected groups.
  6. Click Start Syncing.

Integrate Active Directory with UniFi Identity

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click Set Up and select Microsoft Entra ID from the Type dropdown menu.
  3. Fill in the required Active Directory information.
    • AD Server: Enter your AD server's hostname.
    • Use SSL Connection: Tick the checkbox based on your AD server’s security protocol.
    • Port: Enter your AD server’s port number.
    • Base DN: Enter your AD domain name. For example, dc=example,dc=com.
    • Username and Password: Enter your AD domain admin credentials. To find your username, run the following command on your domain controller:
      dsquery user -name [NAME]
  4. Click Add.
  5. Select Sync Scope.
    • All: Import all users from your directory.
    • Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
  6. Click Start Syncing.

Configure Directory Settings

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click the Settings icon and select Settings in the panel that appears.
  3. Set Schedule Sync to determine how often you want UniFi Identity to import users from AD/LDAP. To disable automatic user imports, select Never.
  4. Set Sync Scope:
    • All: Import all users from your directory.
    • Specific OUs (for AD and LDAP): Import only users that belong to the selected Organizational Units (OUs).
    • Specific Groups (for Entra ID): Import only users that belong to the selected groups.
  5. Create Group Mapping rules to import directory users into predefined groups in UniFi OS based on the rules they match.

Notes:

  • When Specific OUs or Specific Groups are selected, only users in those synced groups will be imported into UniFi Identity according to the sync schedule. Changes to synced groups, such as deletions or name changes in the directory, are updated in real time.
    • Without Group Mapping: Users in synced groups are imported without group assignments. Admins must assign groups manually.
    • With Group Mapping: Users are automatically assigned to the corresponding UniFi Identity groups and gain access to all associated resources.

Modify LDAP's Configuration and Provisioning

Note: Only LDAP has configurations and provisioning settings.

  1. Go to your OS Settings > Admins & Users > Identity Services > Directory Integration.
  2. Click the Settings icon and go to Settings > LDAP Configurations or Provisioning.

View Sync Tasks Details

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click the Settings icon > Insights and click a sync activity.
Actions and their descriptions:

  • Newly Synced: If a user’s email, first name, and last name in the integrated directory do not match those of an Identity user, the system will create a new account for this user using their email.
  • Merged: If a user’s email, first name, and last name in the integrated directory partially match those of an Identity user, the system will merge the information of the two accounts.
  • Reactivated: If a user is deactivated in Identity but active in the integrated directory, the user will be reactivated in UniFi Identity during the next sync.
  • Deactivated: If a non-admin user is active in Identity but deactivated in the integrated directory, they will be deactivated in UniFi Identity during the next sync.
    • Users not imported from the integrated directory will not be deactivated in the next sync.
    • Users with admin roles or those manually upgraded to admin roles will not be deactivated in the next sync.
  • Failed:
    • If multiple users in the integrated directory share the same email address, only one user will be synced, while the others will be marked as "Failed."
    • If a directory user is missing any attributes required by the attribute mapping, they will be marked as "Failed."
  • Updated: Users are merged and their profile information is updated.
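Because a failed import currently produces no error notification (see the Notes at the top of this article), it is worth predicting the outcome of a sync before clicking Start Syncing. The following Python is an added example, not Ubiquiti's code: it models the rules this article states (first name, last name and email required; duplicate emails fail after the first; merge on matching name or email; the UI SSO email rule; reactivation, deactivation and the admin exemption; the Specific OUs scope) and reports, per directory user, the action the Insights panel would show. The attribute names, the `sso_linked`, `is_admin` and `from_directory` flags, and the distinction "Merged" for a first-time match versus "Updated" for a previously imported user are assumptions made for this model; the sample directory and UniFi OS users are constructed.

```python
"""Dry-run of the sync outcome rules described in this article.

Added example (not Ubiquiti code). Attribute names and account flags are
assumptions; the sample data in sample() is constructed.
"""
from dataclasses import dataclass


@dataclass
class DirUser:
    """A directory entry as the sync would read it (attribute names assumed)."""
    dn: str
    first: str = ""    # givenName
    last: str = ""     # sn
    email: str = ""    # mail
    active: bool = True


@dataclass
class OsUser:
    """An existing UniFi OS / Identity user (flags are assumptions for the model)."""
    first: str
    last: str
    email: str
    active: bool = True
    is_admin: bool = False
    sso_linked: bool = False      # email linked to a UI SSO Account
    from_directory: bool = False  # created by an earlier directory sync


def _norm(s: str) -> str:
    return s.strip().lower()


def in_scope(dn: str, scope_ous) -> bool:
    """Specific OUs: a user is synced only if their DN lies under a selected OU."""
    if not scope_ous:  # 'All' scope
        return True
    dn = _norm(dn)
    return any(dn.endswith("," + _norm(ou)) for ou in scope_ous)


def find_match(user: DirUser, os_users):
    """Merge rule: an existing user matches on email, or on first and last name."""
    for os_user in os_users:
        if _norm(os_user.email) == _norm(user.email):
            return os_user
        if (_norm(os_user.first), _norm(os_user.last)) == (_norm(user.first), _norm(user.last)):
            return os_user
    return None


def dry_run(directory, os_users, scope_ous=None):
    """Map each directory DN to (action, detail), using the Insights action names."""
    outcome = {}
    emails_seen = set()
    for user in directory:
        if not in_scope(user.dn, scope_ous):
            outcome[user.dn] = ("Skipped", "outside the selected sync scope")
            continue
        if not (user.first.strip() and user.last.strip() and user.email.strip()):
            outcome[user.dn] = ("Failed", "first name, last name and email are all required")
            continue
        email = _norm(user.email)
        if email in emails_seen:
            outcome[user.dn] = ("Failed", "another directory user with this email was synced first")
            continue
        emails_seen.add(email)

        match = find_match(user, os_users)
        if match is None:
            outcome[user.dn] = ("Newly Synced", f"new account created for {email}")
            continue
        if not user.active:  # deactivated in the directory
            if match.is_admin:
                outcome[user.dn] = ("Unchanged", "admin accounts are not deactivated by sync")
            elif not match.from_directory:
                outcome[user.dn] = ("Unchanged", "account was not imported from the directory")
            elif match.active:
                outcome[user.dn] = ("Deactivated", "deactivated in the directory")
            else:
                outcome[user.dn] = ("Unchanged", "already deactivated")
            continue
        if not match.active:
            outcome[user.dn] = ("Reactivated", "active in the directory again")
            continue
        # Active on both sides: merge, applying the UI SSO email rule.
        if _norm(match.email) != email and match.sso_linked:
            detail = "kept existing email (linked to a UI SSO Account)"
        elif _norm(match.email) != email:
            detail = f"email replaced with {email}"
        else:
            detail = "profile information updated"
        outcome[user.dn] = ("Updated" if match.from_directory else "Merged", detail)
    return outcome


def sample():
    """Constructed sample: seven directory users against three existing OS users."""
    directory = [
        DirUser("cn=alice,ou=Staff,dc=example,dc=com", "Alice", "Adams", "alice@example.com"),
        DirUser("cn=bob,ou=Staff,dc=example,dc=com", "Bob", "Brown", "bob@example.com"),
        DirUser("cn=bob2,ou=Staff,dc=example,dc=com", "Bob", "Brown", "bob@example.com"),
        DirUser("cn=carol,ou=Staff,dc=example,dc=com", "Carol", "", "carol@example.com"),
        DirUser("cn=dave,ou=Staff,dc=example,dc=com", "Dave", "Dunn", "dave@example.com", active=False),
        DirUser("cn=erin,ou=Contractors,dc=example,dc=com", "Erin", "Evans", "erin@example.com"),
        DirUser("cn=frank,ou=Staff,dc=example,dc=com", "Frank", "Ford", "frank.ford@example.com"),
    ]
    os_users = [
        OsUser("Bob", "Brown", "bob@ui.example", sso_linked=True),
        OsUser("Dave", "Dunn", "dave@example.com", from_directory=True),
        OsUser("Frank", "Ford", "frank@example.com", active=False),
    ]
    return dry_run(directory, os_users, scope_ous=["ou=Staff,dc=example,dc=com"])


if __name__ == "__main__":
    for dn, (action, detail) in sample().items():
        print(f"{action:13} {dn}  ({detail})")
```

Run against an export of the real directory (for example the givenName, sn and mail attributes of every user in the OUs you intend to select), the "Failed" rows are exactly the accounts to fix in the directory before the first sync, and the "Merged" rows show which existing UniFi OS accounts will absorb a directory user and whether their email will change.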

Deactivate, Reactivate, and Remove Directory Integration

  1. On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
  2. Click the Settings icon and select Settings in the panel that appears.
  3. Click Deactivate to stop syncing users from the directory to UniFi OS. The configuration will remain intact, but syncing will cease.
  4. Once deactivated, you can either Reactivate or Remove the integration. If removed, it cannot be used again until it is reconfigured.