# Active Directory & LDAP

Connect ExaVault to Active Directory or another LDAP directory to centralize authentication and directory data. Configuring the LDAP connection lets ExaVault use your LDAP server for user authentication only. If you want ExaVault to create and manage users and groups from Active Directory, also complete the AD sync settings on the same screen.

## How The LDAP Screen Works

The LDAP screen configures the connection to your LDAP or Active Directory server.

That same connection can serve two jobs.

* LDAP authentication validates a user’s password against your directory at sign-in time. You still create and manage those users in ExaVault.
* Active Directory sync uses the LDAP connection to import users and groups from Active Directory. Active Directory becomes the source of truth for synced users and groups.

If you only need centralized password validation, [configure LDAP Authentication](#configuring-ldap-servers) and stop there.

If you also need automatic user and group provisioning, [configure Active Directory Sync](#configuring-active-directory-sync), which requires more information.

## How LDAP Authentication Works

LDAP Authentication occurs when an [ExaVault user configured for *Active Directory & LDAP*](#configure-a-user-to-use-ldap-authentication) attempts to log in.

ExaVault authenticates by binding to your LDAP server with the username the user enters and the password they provide.

ExaVault only attempts LDAP authentication for users that already exist in ExaVault and are configured to use LDAP authentication. If the user does not exist locally, ExaVault rejects the login attempt without contacting your LDAP server.

ExaVault supports multiple LDAP servers per site. When a user logs in who has their *Authentication* set to *Active Directory & LDAP*, ExaVault tries each [configured LDAP server](#configuring-ldap-servers). When authentication fails against one server, ExaVault attempts the next server in order.

After a successful LDAP bind, ExaVault still enforces its own account checks. An account that is valid in your directory but expired or disabled in ExaVault cannot log in to ExaVault.

## How Active Directory Sync (AD Sync) Works

Active Directory sync adds automatic user and group provisioning to your LDAP configuration. Use this when you already need LDAP or Active Directory connectivity and you want Active Directory to control user lifecycle and group membership in ExaVault.

Active Directory sync manages user and group records. It does not validate user passwords at sign-in time.

ExaVault sync starts from the Active Directory security group that you choose. ExaVault finds that group by matching its Active Directory Common Name (CN) to the configured Group in the [LDAP Server Configuration](#ldap-screen-configuration-fields).

ExaVault imports all direct members of that group. ExaVault also imports nested groups by processing group membership recursively.

ExaVault treats Active Directory as the source of truth for synced objects.

* ExaVault creates or updates groups it finds in Active Directory.
* ExaVault creates or updates users it finds in Active Directory.
* ExaVault disables previously synced users that do not appear in the current sync.
* ExaVault deletes previously synced groups that do not appear in the current sync.

ExaVault treats synced groups as AD-managed groups. ExaVault removes non-synced users from AD-managed groups during sync.

ExaVault ignores machine accounts.
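The sync rules above, worked through as an added example (this is not ExaVault's code). It models the directory and the pre-sync ExaVault state as small constructed dictionaries, walks the configured group recursively with cycle protection, and then applies each rule: create or update what AD returns, disable synced users and delete synced groups that have disappeared, drop non-synced users from AD-managed groups, and skip computer objects. Treating a group's ExaVault membership as exactly its direct AD user members is an assumption of the model.

```python
from copy import deepcopy
# Constructed AD sample (not real data), keyed by CN. Engineering is nested under
# ExaVault and lists ExaVault back as a member (a cycle); BUILD01$ is a computer.
AD = {
    "ExaVault": {"class": "group", "member": ["alice", "Engineering"]},
    "Engineering": {"class": "group", "member": ["bob", "BUILD01$", "ExaVault"]},
    "alice": {"class": "user"}, "bob": {"class": "user"},
    "BUILD01$": {"class": "computer"},
}
# Constructed ExaVault state before the sync: carol and OldTeam were synced
# earlier but no longer exist in AD; dave is a local-only (non-synced) user.
LOCAL = {
    "users": {"alice": {"synced": True, "disabled": False},
              "carol": {"synced": True, "disabled": False},
              "dave": {"synced": False, "disabled": False}},
    "groups": {"ExaVault": {"synced": True, "members": {"alice", "dave"}},
               "OldTeam": {"synced": True, "members": {"carol"}}},
}

def walk_group(directory, group_cn):
    """Map each group reachable from group_cn to its direct user members,
    following nested groups; the seen set ends the walk on a cycle."""
    found, stack, seen = {}, [group_cn], set()
    while stack:
        cn = stack.pop()
        if cn in seen:
            continue
        seen.add(cn)
        found[cn] = set()
        for name in directory[cn]["member"]:
            kind = directory[name]["class"]
            if kind == "group":
                stack.append(name)
            elif kind == "user":                # objectClass computer is ignored
                found[cn].add(name)
    return found

def reconcile(local, groups):
    """Apply the sync rules: AD is the source of truth for synced objects."""
    new, ad_users = deepcopy(local), set().union(*groups.values())
    for name in ad_users:                       # create or update synced users
        new["users"].setdefault(name, {"disabled": False})["synced"] = True
    for name, u in new["users"].items():        # disable synced users missing from AD
        if u["synced"] and name not in ad_users:
            u["disabled"] = True
    for cn in [g for g, v in new["groups"].items() if v["synced"] and g not in groups]:
        del new["groups"][cn]                   # delete synced groups missing from AD
    for cn, members in groups.items():          # AD-managed membership: non-synced users drop out
        new["groups"][cn] = {"synced": True, "members": set(members)}
    return new
```

Running `reconcile(LOCAL, walk_group(AD, "ExaVault"))` leaves `dave` untouched as a user but removed from the `ExaVault` group, disables `carol`, deletes `OldTeam`, and never creates an account for `BUILD01$`.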

## LDAP Configuration Screen

| Field | Details | Used for |
|---|---|---|
| AD/LDAP Server Name | Human-readable name for your LDAP server | LDAP & AD Sync |
| AD/LDAP Server | Address of your LDAP server, starting with `ldap://` or `ldaps://` | LDAP & AD Sync |
| Port | Port number for the server. Usually port `389` for `ldap://` or port `636` when using TLS/SSL | LDAP & AD Sync |
| Security Level | The kind of encryption used for the connection. Choices are `None`, `SSL` or `TLS`. | LDAP & AD Sync |
| [Username Prefix](#username-prefix-and-username-suffix) | Text added before the username when querying the server. | LDAP & AD Sync |
| [Username Suffix](#username-prefix-and-username-suffix) | Text added after the username when querying the server. | LDAP & AD Sync |
| Group | The common name (CN) of an AD security group. Only users and sub-groups that are members of this group are imported. Defaults to `ExaVault`. | AD Sync |
| Service account username | Username of the service account that ExaVault uses to bind to Active Directory during sync. | AD Sync |
| Service account password | Password for the service account. | AD Sync |
| Base DN | The base DN from which all LDAP searches are performed. Example: `DC=corp,DC=example,DC=com` | LDAP & AD Sync |
| User E-mail Field | Whether to map users by UPN or Email. | AD Sync |
| Certificate Name | Filename of a client certificate placed in `/etc/ssl/`. | LDAP & AD Sync |

### Username Prefix & Username Suffix

The Username Prefix and Username Suffix fields are used to format the bind username when querying the LDAP server during authentication.

ExaVault concatenates them in the order `Username Prefix` + `Username` + `Username Suffix` to form the bind username used for the LDAP query.

ExaVault supports three bind username formats:

* NetBIOS domain format: set *Username Prefix* to `DOMAIN\` and leave *Username Suffix* empty.
* UPN format: leave *Username Prefix* empty and set *Username Suffix* to `@your-domain`.
* Distinguished name format: set *Username Prefix* and *Username Suffix* so that the result is a full DN. For example, set *Username Prefix* to `uid=` and *Username Suffix* to `,ou=people,dc=example,dc=org`, so that a username of `alice` binds as `uid=alice,ou=people,dc=example,dc=org`.
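An added example (not ExaVault's code) of the `Username Prefix` + `Username` + `Username Suffix` concatenation for all three styles. Because the user-typed name lands inside a DN in the third style, the example escapes it per RFC 4514 so a login name containing `,` or `+` cannot add components to the DN being bound; rejecting `\` and `@` in the NetBIOS and UPN styles is an assumed hardening rule, and the `CORP` and `corp.example.com` values are constructed.

```python
# Added example, not ExaVault's code: builds the bind name exactly as the page
# describes (Username Prefix + Username + Username Suffix) for the three styles.
# For the DN style the user-typed part is escaped per RFC 4514; for the NetBIOS
# and UPN styles the delimiter characters are rejected instead (assumed rule).

DN_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def bind_username(prefix: str, suffix: str, username: str, style: str) -> str:
    """Return prefix + username + suffix, hardened for the chosen style."""
    if not username:
        raise ValueError("empty username")
    if style == "dn":
        username = escape_dn_value(username)
    elif any(c in username for c in "\\@"):
        # "\" separates DOMAIN\user and "@" separates user@domain (assumed rule).
        raise ValueError("username contains a delimiter for this bind style")
    return f"{prefix}{username}{suffix}"

# Constructed Username Prefix / Username Suffix settings for each style.
STYLES = {
    "netbios": ("CORP\\", ""),
    "upn": ("", "@corp.example.com"),
    "dn": ("uid=", ",ou=people,dc=example,dc=org"),
}

def bind_name_for(style: str, username: str) -> str:
    prefix, suffix = STYLES[style]
    return bind_username(prefix, suffix, username, style)

if __name__ == "__main__":
    for style in STYLES:
        print(f"{style:8} {bind_name_for(style, 'alice')}")
    # The comma is escaped rather than starting a new RDN.
    print(f"{'dn':8} {bind_name_for('dn', 'alice,ou=admins')}")
```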

## Configuring LDAP Servers

To configure LDAP authentication, you will need:

* Server Details: Address, port number, and encryption method (None, SSL, or TLS).
* User Mapping: Whether to use the Local Email or UserID as the UPN.
* Binding Strings: The specific Prefix and Suffix strings used to format the UPN for your directory.

Add the information on the *LDAP* screen under *Admin Settings*. Complete the fields listed as "LDAP & AD Sync" in the [Configuration](#ldap-configuration-screen) table.

## Configuring Active Directory Sync

Active Directory sync uses the LDAP server configuration for connectivity. Complete the fields needed for LDAP authentication on the *LDAP* screen in *Admin Settings*:

* Server Details: Address, port number, and encryption method (None, SSL, or TLS).
* User Mapping: Whether to use the Local Email or UserID as the UPN.
* Binding Strings: The specific Prefix and Suffix strings used to format the UPN for your directory.

The sync process also requires service account info and the Active Directory group name.

Supply the *Service account username* that ExaVault uses to bind to Active Directory during the sync. The [*Username Prefix* and *Username Suffix*](#username-prefix-and-username-suffix) are applied to this service account username during that bind as well.

Set the *Group* name to the Common Name (CN) of the Active Directory security group that will be synced to ExaVault. Only users and sub-groups that are members of this group will be imported into ExaVault.

## Configure A User To Use LDAP Authentication

To use LDAP Authentication for a user, add their user record within ExaVault and set their *Authentication* to *Active Directory & LDAP*. Don't assign a password within ExaVault, because the credentials the user enters are sent to the LDAP server for validation during authentication.
