LDAP Module - How to import LDAP users into Mendix and allow them to authenticate against LDAP in one single step?

0
Hi all,

Using the LDAP module, we have 3 options to synchronize the users with our LDAP provider. However, none seems to do what I am looking for, which is to import a set of users that exist in the LDAP server to our Mendix database (so we can have them as local users), but also for the users to be authenticated against the LDAP server, using their LDAP password.

As far as I am aware, I only have one way to achieve this, which is the “authenticate users against AD and create the user account if it doesn't exist” LDAP type. But this only creates the users in Mendix after the users try to log in the first time. This will, however, show an error message to the user, because although the account details were imported into Mendix, the user doesn't have a role associated with him. So, only after assigning a role to this user will the login be successful (not exactly what we're looking for).

The other option is "import users from AD". However, this will just import the users. It doesn't allow the users to be authenticated using the LDAP server. At least I didn't figure out a way to achieve this (tried fiddling around with available options, but no luck).

Am I missing something and what I need is possible, or is there no way to currently do this?

Many thanks,
Gonçalo
asked
1 answers
1

All options always authenticate against the AD; no matter which configuration option you choose, the module will always authenticate against the AD. Passwords simply cannot be copied.


The option "authenticate" does authenticate only; nothing is being passed back from the AD. The module assumes a user exists, it assumes the user name matches with AD, and simply passes the username and password to the AD.

"import users from AD" is an import that happens on a scheduled interval and creates the users prior to signup. This will still do the authentication against the AD, but does a lookup in the system.user table prior to authentication.

If you choose the import option, you should also use the group mapping option. The group mapping allows you to evaluate the LDAP user groups, and based on the AD group the user belongs to, it assigns the role. If you want to assign the same role to all users, you could choose the root domain and based on that group assign the common user role.

answered
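A small Python model of the flow this answer describes, added here as an example and not taken from the Mendix LDAP module: a scheduled import pre-creates local accounts with roles from a group mapping, stores no password, and every login is still verified by the directory. The directory contents, group DNs, role names and function names are all constructed for illustration, and `directory_bind` is a stand-in for an LDAP simple bind.

```python
import hmac

# Constructed sample directory (stand-in for AD): username -> password and groups.
DIRECTORY = {
    "alice": {"password": "alice-pw", "groups": ["cn=app-admins,dc=example,dc=com"]},
    "bob": {"password": "bob-pw", "groups": ["cn=app-users,dc=example,dc=com"]},
    "carol": {"password": "carol-pw", "groups": ["cn=printers,dc=example,dc=com"]},
}
# Hypothetical group mapping: directory group -> application user role.
GROUP_TO_ROLE = {
    "cn=app-admins,dc=example,dc=com": "Administrator",
    "cn=app-users,dc=example,dc=com": "User",
}

def directory_bind(username, password):
    """Stand-in for an LDAP simple bind: the directory checks the password."""
    entry = DIRECTORY.get(username)
    return entry is not None and hmac.compare_digest(entry["password"], password)

def import_users(local_users):
    """Scheduled import: pre-create accounts and map groups to roles.
    No password is copied; the local record holds roles only."""
    for username, entry in DIRECTORY.items():
        roles = sorted({GROUP_TO_ROLE[g] for g in entry["groups"] if g in GROUP_TO_ROLE})
        local_users[username] = {"roles": roles}
    return local_users

def login(local_users, username, password):
    """Look up the local account, then let the directory verify the password."""
    account = local_users.get(username)
    if account is None:
        return "denied: no local account"
    # Many servers treat a simple bind with an empty password as an
    # unauthenticated bind that succeeds, so reject it before binding.
    if not password:
        return "denied: empty password"
    if not directory_bind(username, password):
        return "denied: bind failed"
    if not account["roles"]:
        return "denied: no user role"
    return "ok: " + ",".join(account["roles"])

if __name__ == "__main__":
    users = import_users({})
    for name, pw in [("alice", "alice-pw"), ("carol", "carol-pw"), ("bob", "wrong")]:
        print(name, "->", login(users, name, pw))
```

In this model, an account whose groups match no mapping entry is imported but cannot log in, and an account removed from the directory after the import fails at the bind even though its local record still exists.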