2. Configure access permissions

After adding the LDAP client, you'll need to configure the access permissions for the client. The Access permissions page, which is displayed automatically after adding the LDAP client, includes three sections where you can do the following:

  • Specify the LDAP client’s access level for verifying user credentials—When a user tries to sign in to the application, this setting specifies which organizational units the LDAP client can access to verify the user’s credentials. Users who aren’t in a selected organizational unit can’t sign in to the application. 
  • Specify the LDAP client’s access level for reading user information—This setting specifies which organizational units the LDAP client can access to retrieve additional user information.
  • Specify whether the LDAP client can read group information—This setting specifies whether the LDAP client can read group details and check a user’s group memberships for purposes such as a user’s role in the application.

Later, you can return to the Access permissions page to make changes to these settings. For more details and instructions, see the sections below.

Important: Certain LDAP clients such as Atlassian Jira and SSSD perform a user lookup to get more information about a user during user authentication. To make sure user authentication works correctly for such LDAP clients, you'll need to turn on Read user information for all organizational units where Verify user credentials is turned on. 

Specify the LDAP client’s access level for verifying user credentials

Use this option if the LDAP client needs to authenticate users against Cloud Directory.

When a user tries to sign in to the application, the Verify user credentials setting specifies which organizational units the LDAP client can access to verify the user’s credentials. Users who aren’t in a selected organizational unit can’t sign in to the application.

By default, this setting is set to No access. If this LDAP client is used by your entire company, you can change the setting to Entire domain to allow access for users throughout the domain, or you can choose specific organizational units.

To choose specific organizational units that an LDAP client can access to verify the user’s credentials:

  1. Under Verify user credentials, click Selected organizational units.
  2. Under Included organizational units, click Add.
  3. In the Included organizational units window, check the boxes for specific organizational units. You can also use the search field at the top of the window to search for organizational units.
  4. Click SAVE.

Note: Changes made to this setting can take up to 24 hours to take effect.

Specify the LDAP client’s access level for reading user information

Use this option if the LDAP client requires read-only access to perform user lookups. 

The Read user information setting specifies which organizational units the LDAP client can access to retrieve additional user information. By default, this setting is set to No access. You can change the setting to Entire domain, or you can choose specific organizational units.

To choose specific organizational units the LDAP client can access to retrieve additional user information:

  1. Under Read user information, click Selected organizational units.
  2. Do one of the following:
     • Click Add. In the Included organizational units window, check the boxes for specific organizational units. You can also use the search field at the top of the window to search for organizational units.
     • Click Copy from Verify user credentials.
  3. Click SAVE.

Specify whether the LDAP client can read group information

Use this option if the LDAP client requires read-only access to perform group lookups. 

The Read group information setting specifies whether the LDAP client can check a user’s group memberships for purposes such as authorizing a user’s role in the application. 

Important: Certain LDAP clients such as Atlassian Jira and SSSD perform a group lookup to get more information about a user's group membership during user authentication/authorization. To make sure user authentication works correctly for such LDAP clients, you'll need to turn on Read group information.
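As an added illustration (not from this help page or any Google tooling), the following Python model walks the three settings in the order a client such as SSSD or Jira exercises them during sign-in and flags the gap the Important notes above describe: organizational units where Verify user credentials is on but Read user information is not. The class, function names and sample OU paths are assumptions constructed for the example, and OU paths are matched exactly.

```python
from dataclasses import dataclass, field

# Access levels, named as on the Access permissions page.
NO_ACCESS, ENTIRE_DOMAIN, SELECTED_OUS = "No access", "Entire domain", "Selected organizational units"


@dataclass
class AccessPermissions:
    """One LDAP client's three settings (hypothetical in-memory model, not a Google API object)."""
    verify_credentials: str = NO_ACCESS      # Verify user credentials
    verify_ous: set = field(default_factory=set)
    read_user_info: str = NO_ACCESS          # Read user information
    read_user_ous: set = field(default_factory=set)
    read_group_info: bool = False            # Read group information


def covers(level, included_ous, user_ou):
    """True if an access level (with its included OUs) grants access to a user in user_ou.
    OU paths are matched exactly; sub-OU inheritance is deliberately not modelled here."""
    return level == ENTIRE_DOMAIN or (level == SELECTED_OUS and user_ou in included_ous)


def sign_in_outcome(perms, user_ou, does_user_lookup, does_group_lookup):
    """Walk the steps a client such as SSSD or Jira takes and report where sign-in stops."""
    if not covers(perms.verify_credentials, perms.verify_ous, user_ou):
        return "denied: Verify user credentials"
    if does_user_lookup and not covers(perms.read_user_info, perms.read_user_ous, user_ou):
        return "denied: Read user information"
    if does_group_lookup and not perms.read_group_info:
        return "denied: Read group information"
    return "ok"


def ous_missing_read_access(perms):
    """OUs where Verify is on but Read user information is not: the gap the Important note warns about."""
    if perms.verify_credentials == NO_ACCESS or perms.read_user_info == ENTIRE_DOMAIN:
        return set()
    if perms.verify_credentials == ENTIRE_DOMAIN:
        return {"<entire domain>"}  # only Entire domain on Read user information can cover this
    return {ou for ou in perms.verify_ous
            if not covers(perms.read_user_info, perms.read_user_ous, ou)}


def copy_from_verify(perms):
    """Same effect as the page's Copy from Verify user credentials button."""
    perms.read_user_info, perms.read_user_ous = perms.verify_credentials, set(perms.verify_ous)
    return perms


def example_config():
    """Constructed sample: Verify covers two OUs, Read user information only one, groups off."""
    return AccessPermissions(SELECTED_OUS, {"/Engineering", "/Sales"}, SELECTED_OUS, {"/Engineering"})
```

With the sample configuration, a lookup-performing client denies a /Sales user at the Read user information step even though Verify user credentials covers that OU; copying the Verify selection and turning on Read group information clears both findings.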

Next steps

After you finish configuring access permissions, click ADD LDAP CLIENT.

Next, you'll need to download the generated certificate, connect the LDAP client to the Secure LDAP service, and then switch the service status to On for the LDAP client.

For your next steps, see 3. Download the generated certificate.
