Configuration for Zitadel

In Zitadel, go to Instance > Settings for instance-wide LDAP setup or <Organization Name> > Settings for organization-wide LDAP setup.

Identity Providers Setup

Click Identity Providers and select Active Directory/LDAP.

Replace every instance of dc=example,dc=com with your configured domain. Group filter is not supported in Zitadel at the time of writing.

Connection

Name: The name to identify your identity provider
Servers: ldaps://<FQDN or Host IP>:<Port for LADPS> or ldap://<FQDN or Host IP>:<Port for LADP>
BaseDn: dc=example,dc=com
BindDn: cn=admin,ou=people,dc=example,dc=com. It is recommended that you create a separate user account (e.g, bind_user) instead of admin for sharing Bind credentials with other services. The bind_user should be a member of the lldap_strict_readonly group to limit access to your LDAP configuration in LLDAP.
Bind Password: <user password>

User binding

Userbase: ou=people,dc=example,dc=com
User filters: uid. mail will not work.
User Object Classes: inetOrgPerson

LDAP Attributes

ID attribute: uid
displayName attribute: cn
Email attribute: mail
Given name attribute: givenName
Family name attribute: lastName

optional

The following section applied to Zitadel only, nothing will change on LLDAP side.

Account creation allowed [x]
Account linking allowed [x]

Either one of them or both of them must be enabled

DO NOT enable Automatic update if you haven't setup a smtp server. Zitadel will update account's email and sent a verification code to verify the address. If you don't have a smtp server setup correctly and the email adress of ZITADEL Admin is changed, you are permanently locked out.

Enable Identity Provider

After clicking Save, you will be redirected to Identity Providers page.

Enable the LDAP by hovering onto the item and clicking the checkmark (set as available)

Under Settings, select Login Behavior and Security

Under Advanced, enable External IDP allowed

2.1 KiB Raw Blame History