UniFi Identity - Integrate AD/LDAP with UniFi Identity
UniFi Identity lets you connect and import users from LDAP, Active Directory (AD), or Microsoft Entra ID. This integration allows users to sign in to their UniFi Console using their existing directory credentials.
Notes:
- This feature is currently in Early Access.
- Entra ID currently does not support Delegated Authentication.
- For a successful user import to Identity, the AD, LDAP, or Entra ID user must have a first name, last name, and email address.
- If a user's first or last name in AD, LDAP, or Entra ID is empty, the import to Identity will fail. Currently, no error notification is provided in such cases.
- If an AD, LDAP, or Entra ID user's first and last name, or email address, matches an existing UniFi OS user, their accounts will be merged when imported to Identity.
- If the UniFi OS user's email is linked to a UI SSO Account, the email address from Entra ID will not replace it during the import.
- If the UniFi OS user's email is not linked to a UI SSO Account, the email address from Entra ID will replace it during the import.
- If multiple users in AD, LDAP, or Entra ID have the same first name, last name, and email address that match a UniFi OS user, only the first user will be imported successfully. The rest will fail to import. To avoid this, modify the user's name in UniFi OS, UI Account, or AD/LDAP, or change the email in Microsoft 365.
Requirements
- UniFi OS 4.1
Integrate LDAP with UniFi Identity
- Go to your OS Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click Set Up and select LDAP from the Type dropdown menu.
- Fill in the required LDAP information.
- LDAP Server: Enter your LDAP domain name or IP address.
- Use SSL Connection: Enable SSL connection if your LDAP server requires it.
- Root DN: Enter your domain in DN format. For example, if your domain is "example.com", enter dc=example,dc=com.
- Bind DN: Enter the distinguished name of the bind LDAP user that is used to connect to the LDAP directory by the agent. For example, cn=admin,cn=users,dc=example,dc=com.
- Password: Enter the password of the LDAP bind user.
- Click Add.
- Select Sync Scope.
- All: Import all users from your directory.
- Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
- Click Start Syncing.
Integrate Google Secure LDAP with UniFi Identity
To create a client using Google's secure LDAP service, follow the instructions here.
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click Set Up and select Google Secure LDAP from the Type dropdown menu.
- Fill in the required LDAP information.
- Hostname: Enter the hostname of your Google Secure LDAP, such as ldap.google.com.
- Port: Enter 389 for LDAP with StartTLS enabled and 636 for LDAPS with SSL/TLS enabled.
- Root DN: Enter your domain in DN format. For example, if your domain is "example.com", enter dc=example,dc=com.
- Username and Password: Generate a username and password in the Google Admin console.
- Sign in to your Google Admin console and go to Apps > LDAP > select a client > Authentication > GENERATE NEW CREDENTIALS.
- You can find the password in the Access credentials window. See Generate access credentials for details.
- Upload the Client Certificate and Key File.
- Sign in to your Google Admin console and go to Apps > LDAP > select a client > Authentication > GENERATE NEW CERTIFICATES.
- Download the certificate from the Certificates window.
- Extract the .zip file to two separate files: .crt and .key.
- Go back to Identity, upload the .crt file to the Client Certificate field, and upload the .key file to the Key File field.
- Click Add.
- Select Sync Scope.
- All: Import all users from your directory.
- Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
- Click Start Syncing.
Integrate JumpCloud LDAP with UniFi Identity
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click Set Up and select JumpCloud LDAP from the Type dropdown menu.
- Fill in the required LDAP information.
- Hostname: ldap.jumpcloud.com
- Use SSL Connection: This is ticked by default.
- Port: 636 is entered by default.
- Base DN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Bind DN: Enter the distinguished name of the bind LDAP user that the agent uses to connect to the LDAP directory. For example, uid=LDAP_BIND_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com, where LDAP_BIND_USER is your JumpCloud username.
- Password: Enter the password of the LDAP bind user.
- Click Add.
- Select Sync Scope.
- All: Import all users from your directory.
- Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
- Click Start Syncing.
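The LDAP, Google Secure LDAP, and JumpCloud sections above all ask for the same family of fields: a Root/Base DN derived from a domain, a Bind DN that lives under it, and a port that must agree with the Use SSL Connection toggle (389 for StartTLS, 636 for LDAPS). The following is an added example, not Ubiquiti code, that builds those values from a domain or JumpCloud org ID and runs the cross-field checks a reviewer would want before clicking Add. The domains, org IDs, and user names in it are constructed placeholders.

```python
"""Build and sanity-check the connection fields that the Directory Integration
form asks for (plain LDAP/AD, Google Secure LDAP, JumpCloud LDAP).
Added example, not Ubiquiti code; domains, org IDs and user names below are
constructed placeholders."""
import re

# One RDN of the form attribute=value, limited to the attribute types the page's
# own DN examples use (cn, ou, o, dc, uid)
RDN_RE = re.compile(r"^(cn|ou|o|dc|uid)=[^,=]+$", re.IGNORECASE)
LDAP_PORT, LDAPS_PORT = 389, 636


def domain_to_base_dn(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com', the Root/Base DN format the form expects."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def jumpcloud_dns(org_id: str, bind_user: str) -> tuple:
    """Base DN and bind DN in the shape the JumpCloud section shows
    (org_id and bind_user are the values you would substitute)."""
    base = f"ou=Users,o={org_id},dc=jumpcloud,dc=com"
    return base, f"uid={bind_user},{base}"


def dn_problems(dn: str) -> list:
    """Syntax problems in a DN; an empty list means every RDN looks well formed."""
    return [f"malformed RDN: {rdn.strip()!r}"
            for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]


def settings_problems(base_dn: str, bind_dn: str, port: int, use_ssl: bool) -> list:
    """Cross-field checks worth running before clicking Add:
    both DNs parse, the bind DN sits under the base DN, and the port
    agrees with the Use SSL Connection toggle (389 StartTLS / 636 LDAPS)."""
    problems = dn_problems(base_dn) + dn_problems(bind_dn)

    def norm(dn: str) -> str:
        return dn.replace(" ", "").lower()

    if not norm(bind_dn).endswith(norm(base_dn)):
        problems.append("bind DN is not under the base DN")
    if port == LDAPS_PORT and not use_ssl:
        problems.append("port 636 is LDAPS; enable Use SSL Connection")
    if port == LDAP_PORT and use_ssl:
        problems.append("port 389 is plain LDAP/StartTLS; LDAPS normally uses 636")
    return problems


if __name__ == "__main__":
    base = domain_to_base_dn("example.com")          # constructed domain
    bind = "cn=admin,cn=users," + base                # the page's own bind DN example
    print(base, bind, settings_problems(base, bind, LDAPS_PORT, True))
    print(jumpcloud_dns("YOUR_ORG_ID", "LDAP_BIND_USER"))
```

The bind-DN-under-base-DN check catches the common copy error of pointing the Bind DN at a different domain than the Root DN, and the port/SSL check catches the case where 636 is entered with the SSL toggle still off, which would otherwise send the bind password without TLS.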
Integrate Microsoft Entra ID with UniFi Identity
To integrate Microsoft Entra ID with Identity, please first create an application for Identity in your Microsoft Entra admin center.
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click Set Up and select Microsoft Entra ID from the Type dropdown menu.
- Fill in the required Entra ID information.
- Directory Domain: Enter the primary domain assigned to your Microsoft Entra ID instance.
- Application (Client) ID: Get the Application (client) ID while creating an application for UniFi Identity in the Microsoft Entra admin center.
- Client Secret: Get the client secret by following the steps here.
- Click Add.
- Select Sync Scope.
- All: Import all users from your directory.
- Specific Groups: Import only users that belong to the selected groups.
- Click Start Syncing.
Integrate Active Directory with UniFi Identity
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click Set Up and select Active Directory from the Type dropdown menu.
- Fill in the required Active Directory information.
- AD Server: Enter your AD server's hostname.
- Use SSL Connection: Tick the checkbox based on your AD server’s security protocol.
- Port: Enter your AD server’s port number.
- Base DN: Enter your AD domain name. For example, dc=example,dc=com.
- Username and Password: Enter your AD domain admin credentials. To obtain your username, run the following command on your domain controller:
dsquery user -name [NAME]
- Click Add.
- Select Sync Scope.
- All: Import all users from your directory.
- Specific OUs: Import only users that belong to the selected Organizational Units (OUs).
- Click Start Syncing.
Configure Directory Settings
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click the Settings icon and select Settings in the panel that appears.
- Set Schedule Sync to determine how often you want UniFi Identity to import users from AD/LDAP. To disable automatic user imports, select Never.
- Set Sync Scope:
- All: Import all users from your directory.
- Specific OUs (for AD and LDAP): Import only users that belong to the selected Organizational Units (OUs).
- Specific Groups (for Entra ID): Import only users that belong to the selected groups.
- Create Group Mapping rules to import directory users to predefined groups in UniFi OS based on the rules they meet.
Modify LDAP's Configuration and Provisioning
Note: Only LDAP has configurations and provisioning settings.
- Go to your OS Settings > Admins & Users > Identity Services > Directory Integration.
- Click the Settings icon and go to Settings > LDAP Configurations or Provisioning.
View Sync Tasks Details
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click the Settings icon > Insights and click a sync activity.
Actions | Description |
Newly Synced | If a user's email, first name, and last name in the integrated directory do not match those of an Identity user, the system will create a new account for this user using their email. |
Merged | If a user's email, first name, and last name in the integrated directory partially match those of an Identity user, the system will merge the information of the two accounts. |
Reactivated | If a user is deactivated in Identity but active in the integrated directory, the user will be reactivated in UniFi Identity during the next sync. |
Deactivated | If a non-admin user is active in Identity but deactivated in the integrated directory, they will be deactivated in UniFi Identity during the next sync. |
Failed | |
Updated | Users are merged and their profile information is updated. |
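The Notes at the top of this page (required first name, last name and email; merge on matching name or email; an SSO-linked email is kept while an unlinked one is replaced; duplicate matches fail after the first) and the Insights table above describe one reconciliation procedure. The following is an added example, not Ubiquiti code, that models those rules as written so you can run a directory export against a list of existing Identity users and see which action each account would land in before you click Start Syncing. The users in it are constructed, and the table's Updated row is folded into Merged since the page gives no rule distinguishing the two.

```python
"""Model of the directory-sync rules described on this page: import
prerequisites, merge on matching name or email, SSO email precedence,
duplicate-match failure, reactivate and deactivate. Added example, not
Ubiquiti code; every user below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DirUser:
    """User as exported from AD, LDAP or Entra ID."""
    first: str
    last: str
    email: str
    active: bool = True


@dataclass
class IdUser:
    """Existing UniFi OS / Identity user."""
    first: str
    last: str
    email: str
    active: bool = True
    is_admin: bool = False
    sso_linked: bool = False  # email tied to a UI SSO Account


def import_blocker(d: DirUser) -> Optional[str]:
    """Page rule: first name, last name and email are all required (empty -> import fails)."""
    for field_name in ("first", "last", "email"):
        if not getattr(d, field_name).strip():
            return f"missing {field_name}"
    return None


def find_match(d: DirUser, id_users: list) -> Optional[IdUser]:
    """Page rule: a match is the same first+last name, or the same email (case-insensitive)."""
    for u in id_users:
        same_name = (u.first.lower(), u.last.lower()) == (d.first.lower(), d.last.lower())
        same_email = u.email.lower() == d.email.lower()
        if same_name or same_email:
            return u
    return None


def reconcile(dir_users: list, id_users: list) -> dict:
    """Classify each directory user into the sync actions from the Insights table."""
    out = {"Newly Synced": [], "Merged": [], "Reactivated": [], "Deactivated": [], "Failed": []}
    claimed = set()  # Identity users already matched during this sync run
    for d in dir_users:
        label = d.email or f"{d.first} {d.last}".strip()
        why = import_blocker(d)
        if why:
            out["Failed"].append((label, why))
            continue
        m = find_match(d, id_users)
        if m is None:
            out["Newly Synced"].append(d.email.lower())
            continue
        if id(m) in claimed:  # a second directory user matching the same account fails
            out["Failed"].append((label, f"duplicate match for {m.email}"))
            continue
        claimed.add(id(m))
        # An SSO-linked email is kept; otherwise the directory email replaces it
        effective_email = m.email if m.sso_linked else d.email
        if not m.active and d.active:
            out["Reactivated"].append(m.email)
        elif m.active and not d.active and not m.is_admin:
            out["Deactivated"].append(m.email)
        else:
            out["Merged"].append((m.email, effective_email))
    return out


def sample_run() -> dict:
    """Constructed data that exercises every rule; not real accounts."""
    identity = [
        IdUser("Ada", "Lovelace", "ada@example.com", sso_linked=True),
        IdUser("Alan", "Turing", "alan@old.example.com"),
        IdUser("Grace", "Hopper", "grace@example.com", active=False),
        IdUser("Root", "Admin", "admin@example.com", is_admin=True),
        IdUser("Edsger", "Dijkstra", "edsger@example.com"),
    ]
    directory = [
        DirUser("Ada", "Lovelace", "ada.lovelace@corp.example.com"),   # SSO-linked: email kept
        DirUser("Alan", "Turing", "alan@corp.example.com"),            # not linked: email replaced
        DirUser("Grace", "Hopper", "grace@example.com"),               # reactivated
        DirUser("Root", "Admin", "admin@example.com", active=False),   # admin: never deactivated
        DirUser("Edsger", "Dijkstra", "edsger@example.com", active=False),  # deactivated
        DirUser("Linus", "", "linus@example.com"),                     # missing last name: fails
        DirUser("New", "Person", "new@example.com"),                   # no match: new account
        DirUser("Ada", "Lovelace", "ada@example.com"),                 # duplicate match: fails
    ]
    return reconcile(directory, identity)


if __name__ == "__main__":
    for action, users in sample_run().items():
        print(f"{action:13s} {users}")
```

Because the page says no error notification is shown when a name field is empty, running the export through import_blocker ahead of time is the practical way to find the accounts that would silently fail.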
Deactivate, Reactivate, and Remove Directory Integration
- On your UniFi OS, select any application and click Settings > Admins & Users > Identity Endpoint > Directory Integration.
- Click the Settings icon and select Settings in the panel that appears.
- Click Deactivate to stop syncing users from the directory to UniFi OS. The configurations will remain intact, but syncing will cease.
- Once deactivated, you can either Reactivate or Remove it. If removed, it cannot be used again unless it is reconfigured.