Active Directory Auth Plugin

The Active Directory auth plugin connects Konduo Enterprise login to Active Directory or a generic LDAP directory. It only implements the auth_provider interface; authorization and role policy remain owned by Konduo RBAC.

Highlights

  • Supports auto, active_directory, and generic_ldap modes with RootDSE-based detection and LDAP fallback.
  • Exposes username/password login, external account profiles, and externally managed password policy.
  • Supports LDAPS, StartTLS, CA bundles, and client-certificate-based mTLS.
  • Reports bind, base DN search, TLS posture, access filters, and external ID strategy in health metadata without exposing secrets.

Before Registration

  • Prepare the LDAP URL, bind DN, bind password, base DN, and user search filter.
  • Prepare a CA certificate or valid server certificate chain when TLS verification is enabled.
  • Keep test users and a local recovery administrator when login gates depend on AD groups or LDAP attributes.

Operations Tips

  • If auto mode resolves as generic LDAP unexpectedly, inspect RootDSE responses and the configured directory mode.
  • Authentication success and RBAC assignment are separate. Validate Konduo role mapping after the login gate passes.
  • insecure_skip_verify only disables server certificate verification; it does not replace client certificates required by the directory server.
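
For the first tip above, an independent way to check what a directory's RootDSE advertises (an added example, not the plugin's own code): it parses RootDSE LDIF, such as the output of `ldapsearch -x -H <ldap-url> -s base -b "" "(objectClass=*)" "*" "+"`, and looks for Active Directory markers. The page does not document which attributes the plugin inspects, so the markers used here (Microsoft's AD capability OID and the functional-level attributes) and the function names are assumptions.

```python
import base64

# Microsoft's LDAP_CAP_ACTIVE_DIRECTORY_OID, listed in supportedCapabilities by AD DS.
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"
AD_ONLY_ATTRS = ("forestfunctionality", "domainfunctionality")

def parse_rootdse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long lines with one leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def classify_directory(attrs):
    """Return (mode, reasons); mode strings reuse the plugin's mode names (assumed mapping)."""
    reasons = []
    if AD_CAPABILITY_OID in attrs.get("supportedcapabilities", []):
        reasons.append("supportedCapabilities lists " + AD_CAPABILITY_OID)
    reasons += [a + " present" for a in AD_ONLY_ATTRS if a in attrs]
    if reasons:
        return "active_directory", reasons
    if set(attrs) <= {"dn"}:
        return "generic_ldap", ["RootDSE returned no attributes; check read access and requested attributes"]
    return "generic_ldap", ["no Active Directory markers in RootDSE"]

# Constructed sample RootDSE output (not captured from a real server).
SAMPLE_AD = """dn:
supportedCapabilities: 1.2.840.113556.1.4.800
forestFunctionality: 7
defaultNamingContext:: REM9ZXhhbXBs
 ZSxEQz10ZXN0
"""
SAMPLE_GENERIC = """dn:
namingContexts: dc=example,dc=test
supportedLDAPVersion: 3
"""

if __name__ == "__main__":
    for label, ldif in (("ad", SAMPLE_AD), ("generic", SAMPLE_GENERIC), ("empty", "dn:\n")):
        print(label, classify_directory(parse_rootdse_ldif(ldif)))
```

An empty RootDSE result is reported separately because a directory that restricts RootDSE reads, or a search that omits operational attributes, looks the same as a non-AD server to any detection based on these markers.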