LDAP Authentication
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services. It allows the sharing of information about users and therefore can act as an identity provider (IDP) for authentication.
Pyramid supports three LDAP centric technologies:
- Microsoft Active Directory - the predominant on-premises IDP solution used by many organizations
- Azure Directory Services - the cloud centric version of Active Directory
- Open LDAP - the open source, generic version of LDAP
LDAP Authentication Flow for Users
Each user typically logs into Pyramid via forms or basic authentication with their LDAP username and password. Pyramid then sends these credentials to the LDAP directory for authentication, which returns a token (usually Kerberos) affirming that the user has legitimate access. With Active Directory, Windows authentication is also possible (an automated, seamless experience), allowing users to log in without providing explicit credentials.
General LDAP Setup
Whether you have just installed Pyramid or you are migrating from one Authentication Provider to another, you will need to Change Provider. After that, you will need to convert your existing users to the new LDAP provider.
The following details are then typically required:
- Domain Name: Provide the NetBIOS Domain name. The domain is usually a short name.
- LDAP Address: This should be provided in the format LDAP://DC=X,DC=Y,DC=z.
- Port: The LDAP server port.
- Secure Model: Indicate if you are using the "LDAPS" protocol.
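The following helper is an added example, not part of Pyramid or its documentation. It parses the LDAP Address format given above (LDAP://DC=X,DC=Y,DC=z) into a base DN, derives the DNS domain from the DC components, validates the NetBIOS domain name, and flags combinations of Port and Secure Model that are usually mistakes (LDAPS on the plaintext port 389, or plain LDAP, which sends the bind password unencrypted). All function names and the sample values are hypothetical.

```python
"""Added example: sanity-check the General LDAP Setup values before saving them.
Not Pyramid code; the names below are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# One relative DN component of the form DC=<label>, as in the page's address format.
DN_COMPONENT = re.compile(r"^DC=([A-Za-z0-9-]+)$")
# NetBIOS domain names are at most 15 characters.
NETBIOS_NAME = re.compile(r"^[A-Za-z0-9-]{1,15}$")

# Well-known ports: 389 plain LDAP, 636 LDAPS (3268/3269 for the AD global catalog).
PLAIN_LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass(frozen=True)
class LdapSettings:
    domain: str    # NetBIOS domain name, e.g. "CORP"
    base_dn: str   # e.g. "DC=corp,DC=example,DC=com"
    port: int
    ldaps: bool    # the page's "Secure Model"


def parse_ldap_address(address: str) -> str:
    """Accept 'LDAP://DC=X,DC=Y,DC=z' and return the normalised base DN."""
    m = re.match(r"^ldap://(.+)$", address.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"LDAP address must start with LDAP://, got {address!r}")
    parts = [p.strip() for p in m.group(1).split(",")]
    for part in parts:
        if not DN_COMPONENT.match(part):
            raise ValueError(f"unexpected DN component {part!r}; expected DC=<label>")
    return ",".join(parts)


def dns_domain(base_dn: str) -> str:
    """DC=corp,DC=example,DC=com -> corp.example.com (the forest/domain DNS name)."""
    return ".".join(part.split("=", 1)[1] for part in base_dn.split(","))


def check_settings(domain: str, address: str, port: int, ldaps: bool) -> Tuple[LdapSettings, List[str]]:
    """Validate the four setup values and return them with a list of warnings.

    Hard errors (malformed values) raise ValueError; risky-but-valid choices are
    returned as warnings so an administrator can decide.
    """
    if not NETBIOS_NAME.match(domain):
        raise ValueError(f"{domain!r} is not a valid NetBIOS domain name (1-15 chars)")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")

    base_dn = parse_ldap_address(address)
    warnings: List[str] = []
    if ldaps and port == PLAIN_LDAP_PORT:
        warnings.append("Secure Model is LDAPS but port 389 is the plaintext LDAP port; LDAPS normally uses 636")
    if not ldaps and port == LDAPS_PORT:
        warnings.append("port 636 is the LDAPS port but Secure Model is off; the connection will fail or fall back")
    if not ldaps:
        warnings.append("without LDAPS the simple-bind password crosses the network unencrypted")
    return LdapSettings(domain=domain, base_dn=base_dn, port=port, ldaps=ldaps), warnings


if __name__ == "__main__":
    # Constructed sample values for a hypothetical domain.
    settings, notes = check_settings("CORP", "LDAP://DC=corp,DC=example,DC=com", 636, True)
    print(settings, dns_domain(settings.base_dn), notes)
```

A misconfiguration such as LDAPS on port 389 is easy to make and typically shows up only as a vague bind failure, so checking the port against the Secure Model before saving saves a round of troubleshooting.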
User Provisioning Settings
User provisioning is available for most LDAP providers, especially MS Active Directory. These details are used by Pyramid to query the Authentication Provider and are required to enable adding users through search and using group-based roles in provisioning. The details for provisioning are already set with the main LDAP details described above.
Initial Domain User
A domain user account is required to log into the domain to check user credentials. This user is usually part of the domain itself, but it can be another user from a different domain in the forest if needed.
- User Name: the name of an account with rights to traverse the LDAP database
- Password: the user's password