2. Configure access permissions

After adding the LDAP client, you'll need to configure the access permissions for the client. The Access permissions page, which is displayed automatically after adding the LDAP client, includes three sections where you can do the following:

• Specify the LDAP client’s access level for verifying user credentials—When a user tries to sign in to the application, this setting specifies which organizational units the LDAP client can access to verify the user’s credentials. Users who aren’t in a selected organizational unit can’t sign in to the application. 
• Specify the LDAP client’s access level for reading user information—This setting specifies which organizational units and groups the LDAP client can access to retrieve additional user information.
• Specify whether the LDAP client can read group information—This setting specifies whether the LDAP client can read group details and check a user’s group memberships for purposes such as a user’s role in the application.

Later, you can return to the Access permissions page to make changes to these settings. For more details and instructions, see the sections below.

Important: Certain LDAP clients such as Atlassian Jira and SSSD perform a user lookup to get more information about a user during user authentication. To make sure user authentication works correctly for such LDAP clients, you'll need to turn on Read user information for all organizational units where Verify user credentials is turned on. 

Specify the LDAP client’s access level for verifying user credentials

Use this option if the LDAP client needs to authenticate users against Cloud Directory.

When a user tries to sign in to the application, the Verify user credentials setting specifies the user accounts within selected organizational units and groups the LDAP client can access to verify the user's credentials. Users who aren't in a selected organizational unit or group—OR users in the exclude groups category—can't sign in to the application. (You can configure access permissions to include or exclude groups.)

By default, this setting is set to No access for organizational units and groups.  If this LDAP client is used by your entire company, you can change the setting to Entire domain to allow access for users throughout the domain, or you can choose specific organizational units or groups.

Note: Changes made to this setting can take up to 24 hours to take effect.

To choose organizational units that an LDAP client can access to verify the user credentials:

1. Under Verify user credentials, click Selected organizational units, groups, and excluded groups.
2. Under Included organizational units, click Add or Edit.
3. In the Included organizational units window, choose specific organizational units that you want to include.
4. Click SAVE.

To include groups that an LDAP client can access to verify the user credentials:

1. Under Verify user credentials, click Selected organizational units, groups, and excluded groups.
2. Under Included Groups, click Add or Edit.
3. In the Find and select groups window, choose specific groups that you want to include.
4. Click DONE.

To exclude groups from verifying the user credentials:

1. Under Verify user credentials, click Selected organizational units, groups, and excluded groups.
2. Under Excluded Groups, click Add or Edit.
3. In the Find and select groups window, choose specific groups that you want to exclude.
4. Click DONE.

Note: To quickly view the list of organizational units that are included, or to view the list of groups that are included or excluded, hover over the above settings.

Specify the LDAP client’s access level for reading user information

Use this option if the LDAP client requires read-only access to perform user lookups. 

The Read user information setting specifies which organizational units the LDAP client can access to retrieve additional user information. By default, this setting is set to No access. You can change the setting to Entire domain, or you can choose Selected organizational units.

To choose organizational units the LDAP client can access to retrieve additional user information:

1. Under Read user information, click Selected organizational units.

2. Do one of the following:

   Click Add. In the Included organizational units window, check the boxes for specific organizational units. You can also use the search field at the top of the window to search for organizational units.

   --OR--

   Click Copy from "Verify user credentials".

3. (Optional) Specify which attributes this client can access to read a user's information. Choose from system attributes, public custom attributes, and private custom attributes. For more details, see Specify which attributes you'd like to make available for the LDAP client.

4. Click SAVE.

Specify which attributes you'd like to make available for the LDAP client

There are 3 types of attributes:

• System attributes—Default user attributes available for all user accounts—for example, Name, Email and Phone.

  Note: You can't disable this option.

• Public custom attributes—Custom user attributes that are marked as visible to the organization.
• Private custom attributes—Custom user attributes that are marked as visible only to the user and administrators. Use caution when using private custom attributes, as you're exposing private information to the LDAP client.

Custom attribute naming requirements and guidelines:

• Names for custom attributes can contain only alphanumeric text and hyphens.
• There should be no duplicate attribute names across all custom schemas.
• If the custom attribute name matches with an existing system attribute, we will return the system attribute value.

Important: If attribute names don't adhere to the above guidelines, the attribute values in question are excluded from the LDAP response.

For more details and instructions about setting up custom attributes, see Create custom attributes for user profiles.

Specify whether the LDAP client can read group information

Use this option if the LDAP client requires read-only access to perform group lookups. 

The Read group information setting specifies whether the LDAP client can check a user’s group memberships for purposes such as authorizing a user’s role in the application. 

Important: Certain LDAP clients such as Atlassian Jira and SSSD perform a group lookup to get more information about a user's group membership during user authentication/authorization. To make sure user authentication works correctly for such LDAP clients, you'll need to turn on Read group information.

Next steps

After you finish configuring access permissions, click ADD LDAP CLIENT.

Next, you'll need to download the generated certificate, connect the LDAP client to the Secure LDAP service, and then switch the service status to On for the LDAP client.

For your next steps, see 3. Download the generated certificate.

Related articles

• About the Secure LDAP service
• Secure LDAP schema
• Manage LDAP clients
• Audit logs for the Secure LDAP service
• Secure LDAP service: Error code descriptions
• FAQs: Secure LDAP service