# Integration of LDAP Connectors

The LDAP Connector feature in CERTInext enables integration with enterprise LDAP and Active Directory (AD) environments for centralized authentication, user synchronization, role mapping, and attribute auto-population. By integrating LDAP or Active Directory, organizations can align CERTInext access management with existing enterprise identity infrastructure.

LDAP integration helps organizations:

* Centralize user authentication
* Enable Active Directory login
* Synchronize enterprise users automatically
* Map AD groups to CERTInext roles
* Auto-populate certificate request fields from directory attributes
* Enforce enterprise identity governance policies

Typical directory services supported include:

* Microsoft Active Directory
* OpenLDAP
* Azure AD DS
* Enterprise LDAP servers supporting LDAP/LDAPS protocols

## Accessing LDAP Connectors

To configure LDAP integration:

1. Navigate to **Integrations → LDAP Connectors**
2. Click **Create LDAP Connector**

<figure><img src="/files/3i9ZmcxHD6c1EGOSPSzk" alt=""><figcaption></figcaption></figure>

This opens the LDAP connector configuration page where connectivity and authentication settings are configured.

## LDAP Connector Configuration

The following fields are required when creating an LDAP connector.

### Connector Name

Defines a unique name for the LDAP connector.

Example:

```
Corporate AD Primary
```

This name is used internally within CERTInext.

### Host

Specifies the LDAP or Active Directory server hostname or IP address.

Example:

```
ad.corp.example.com
```

### Port

Defines the LDAP communication port.

Common values:

* `389` → LDAP
* `636` → LDAPS (Secure LDAP)

### Security Type

Defines the LDAP connection security protocol.

Available options include:

#### LDAP

Unencrypted LDAP, normally on port `389`. Queries, returned attributes and, with Simple Bind, the Bind Password all cross the network in cleartext.

#### LDAPS

LDAP over TLS, normally on port `636`. Enter the server's DNS name in **Host** rather than an IP address so that the name can be matched against the server certificate, and make sure that certificate chains to a CA trusted by the CERTInext host.

> LDAPS is recommended for production environments, and is the only option that protects a Simple Bind password in transit.

### Base DN

Defines the directory search base location.

Example:

```
DC=corp,DC=example,DC=com
```

CERTInext uses this location to search users and groups within the directory.

### Authentication Type

Defines how CERTInext authenticates with LDAP.

Available options include:

#### Simple Bind

Authenticates with the Bind DN and Bind Password configured below. The password is sent to the directory as-is, so pair Simple Bind with the LDAPS security type.

#### GSSAPI (Kerberos)

Uses Kerberos-based authentication for secure enterprise authentication environments.

### Bind DN

Specifies the LDAP service account distinguished name.

Example:

```
CN=svc-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com
```

This account is used by CERTInext to query LDAP/AD. Use a dedicated service account with read access to the users and groups under the Base DN; the connector only reads directory data, so it does not need write permissions or membership in privileged groups.

### Bind Password

Defines the password associated with the Bind DN service account.

The password is securely stored within CERTInext.

### Search Filter

Defines the LDAP query filter used to locate directory objects.

Example:

```
(objectClass=*)
```

`(objectClass=*)` matches every object below the Base DN, including computers, contacts and groups. Use a narrower filter to restrict synchronization to specific user types or organizational units; for Active Directory, `(&(objectClass=user)(objectCategory=person))` selects user accounts only, and computer objects (which are also `objectClass=user`) are excluded.

### Connection Timeout (ms)

Defines the LDAP connection timeout value in milliseconds.

Example:

```
10000
```

### Read Timeout (ms)

Defines the timeout in milliseconds for an individual LDAP read operation (for example waiting for search results) on an established connection.

Example:

```
10000
```

### Description

Optional field used for administrative notes or connector identification.

## Testing the LDAP Connector

After entering all required details:

1. Click **Test Connection**
2. CERTInext validates:
   * LDAP connectivity
   * Authentication credentials
   * Directory accessibility
   * Search base access
   * Query execution

If validation succeeds, the connector can be saved and used for authentication and synchronization workflows.
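The Security Type, Simple Bind and Test Connection steps above can be reproduced from a shell on the CERTInext host before the connector is saved. The following is an added example written for this page, not CERTInext code: it builds an LDAP v3 Simple Bind request by hand (RFC 4511 BER encoding), which makes it visible that the Bind Password is carried verbatim in the frame, decodes the BindResponse, and, when run as a script, sends the exchange over LDAPS with certificate verification. The host name, DN and password passed on the command line are placeholders.

```python
"""Stand-alone LDAP Simple Bind probe using only the Python standard library."""
import socket
import ssl
import sys

# --- BER encoding helpers (RFC 4511 uses a restricted subset of BER) ---

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber(0x60,                                    # [APPLICATION 0] BindRequest
               ber_int(3)                               # LDAP protocol version
               + ber(0x04, bind_dn.encode("utf-8"))     # OCTET STRING: the Bind DN
               + ber(0x80, password.encode("utf-8")))   # [0] simple: the password, unencrypted
    return ber(0x30, ber_int(message_id) + bind)        # SEQUENCE LDAPMessage

def password_on_wire(frame: bytes, password: str) -> bool:
    """True when the password appears verbatim in the frame (always, for Simple Bind)."""
    return password.encode("utf-8") in frame

def _tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _tlv(op, 0)                          # ENUMERATED resultCode
    _, matched, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big"),     # 0 = success, 49 = invalidCredentials
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }

def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        ext = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def probe_bind(host, port, bind_dn, password, *, ldaps=True, timeout_ms=10000,
               cafile=None, allow_cleartext=False) -> dict:
    """Connect (TLS when ldaps=True), send one Simple Bind and return the decoded result."""
    if not ldaps and not allow_cleartext:
        raise RuntimeError("refusing Simple Bind over plain LDAP: the password would be sent in cleartext")
    sock = socket.create_connection((host, port), timeout=timeout_ms / 1000)  # connection timeout
    if ldaps:
        ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the hostname
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(_recv_message(sock))  # socket timeout doubles as read timeout

if __name__ == "__main__":
    # usage: python ldap_bind_probe.py ad.corp.example.com 636 'CN=svc-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com' 'password'
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print(probe_bind(host, port, dn, pw))
```

A `result_code` of `0` corresponds to a successful Test Connection; `49` (invalidCredentials) means the Bind DN or Bind Password is wrong, and a TLS error before any LDAP message is exchanged points at the certificate or hostname rather than the account. Running the same frame with `ldaps=False, allow_cleartext=True` through a packet capture shows the password bytes in the clear, which is the reason LDAPS is recommended above.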

## LDAP Group to CERTInext Role Mapping

CERTInext supports automatic mapping of Active Directory groups to CERTInext roles.

<figure><img src="/files/URDq3QKKmENq5SSmkxYr" alt=""><figcaption></figcaption></figure>

To configure role mapping:

1. Navigate to:\
   **Integrations → LDAP Connectors → AD Group-CERTInext Role Mapping**
2. Select the LDAP connector
3. Click **Fetch AD Groups**
4. Configure mappings between:
   * Active Directory groups
   * CERTInext roles
5. Assign priority values where multiple mappings exist, so that a user who belongs to several mapped groups receives a deterministic role
6. Click **Save Mappings**

### Supported Role Mapping Use Cases

LDAP group mapping enables organizations to:

* Automatically assign user roles
* Enforce least-privilege access
* Centralize access governance
* Simplify onboarding and offboarding

Example:

| AD Group          | CERTInext Role   |
| ----------------- | ---------------- |
| `PKI_Admins`      | Administrator    |
| `SSL_Managers`    | Manager          |
| `Discovery_Users` | Discovery User   |
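The role-mapping steps above leave two questions to the operator: which mapping wins when a user is in several mapped groups, and what happens to a user whose groups match nothing. The following is an added example written for this page, not CERTInext code, that resolves a role from a user's `memberOf` values against a mapping table like the one in the table. It assumes that a lower priority number takes precedence and that an unmatched user receives no role; both are assumptions about this example, not documented CERTInext behaviour. It also walks a constructed group-nesting map, because Active Directory's `memberOf` attribute lists direct memberships only.

```python
"""Resolve a CERTInext role from AD group memberships (added example, not CERTInext code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

@dataclass(frozen=True)
class RoleMapping:
    group: str      # AD group, as a CN ("PKI_Admins") or a full DN
    role: str       # CERTInext role
    priority: int   # assumption: lower value = higher precedence

def group_cn(group: str) -> str:
    """'CN=PKI_Admins,OU=Groups,DC=corp,DC=example,DC=com' -> 'pki_admins' (case-folded).
    Plain names pass through. Splits on the first unescaped comma (RFC 4514)."""
    rdn = re.split(r"(?<!\\),", group, maxsplit=1)[0]
    value = rdn.split("=", 1)[1] if "=" in rdn else rdn
    return value.strip().casefold()

def expand_nested(direct: Iterable[str], parents: Dict[str, List[str]]) -> Set[str]:
    """memberOf lists only direct memberships; follow group-of-group links
    (constructed map: group -> groups it is a member of) so nested members inherit mappings."""
    lookup = {group_cn(k): v for k, v in parents.items()}
    seen: Set[str] = set()
    stack = [group_cn(g) for g in direct]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(group_cn(p) for p in lookup.get(g, []))
    return seen

def resolve_role(member_of: Iterable[str], mappings: Iterable[RoleMapping],
                 parents: Optional[Dict[str, List[str]]] = None) -> Optional[str]:
    """Return the single effective role, or None (no access) when nothing matches.
    Raises on a same-priority tie so an ambiguous table is caught when it is configured."""
    groups = expand_nested(member_of, parents or {})
    hits = sorted((m for m in mappings if group_cn(m.group) in groups), key=lambda m: m.priority)
    if not hits:
        return None
    if len(hits) > 1 and hits[0].priority == hits[1].priority and hits[0].role != hits[1].role:
        raise ValueError(f"ambiguous mapping: {hits[0].group} and {hits[1].group} share priority {hits[0].priority}")
    return hits[0].role

# Constructed sample data mirroring the table above.
SAMPLE_MAPPINGS = [
    RoleMapping("PKI_Admins", "Administrator", 1),
    RoleMapping("SSL_Managers", "Manager", 2),
    RoleMapping("Discovery_Users", "Discovery User", 3),
]
# Constructed nesting: PKI_Tier0 is itself a member of PKI_Admins.
SAMPLE_PARENTS = {"PKI_Tier0": ["PKI_Admins"]}

if __name__ == "__main__":
    base = "OU=Groups,DC=corp,DC=example,DC=com"
    print(resolve_role([f"CN=SSL_Managers,{base}", f"CN=Discovery_Users,{base}"], SAMPLE_MAPPINGS))
    print(resolve_role([f"CN=PKI_Tier0,{base}"], SAMPLE_MAPPINGS, SAMPLE_PARENTS))
    print(resolve_role([f"CN=Domain Users,{base}"], SAMPLE_MAPPINGS))
```

Returning `None` rather than a default role for unmatched users is what makes offboarding work through the directory: removing a user from every mapped group removes their access at the next login or synchronization. The tie check turns a mis-configured table into a configuration error instead of an accidental privilege grant.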

## AD Attribute Mapping

CERTInext supports mapping LDAP attributes to certificate request fields.

This enables automatic population of certificate request information directly from Active Directory.

<figure><img src="/files/qp6D9Bz0RKn3es8BgIJc" alt=""><figcaption></figcaption></figure>

To configure attribute mapping:

1. Navigate to:\
   **Integrations → LDAP Connectors → AD Attribute Mapping**
2. Select the LDAP connector
3. Select the User Lookup Attribute
4. Configure field mappings
5. Save the mapping configuration

### User Lookup Attribute

Defines which LDAP attribute is used to identify users.

Example:

```
Email Address (mail)
```

### Supported Mapping Use Cases

Attribute mapping can auto-populate:

* Common Name (CN)
* Email Address
* Department
* Organization
* Organizational Unit
* User Principal Name
* DNS names

This reduces manual input and improves certificate request consistency.
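The Search Filter field above and the User Lookup Attribute here both end up in an LDAP filter, and a lookup value that is copied into that filter unescaped is an injection point: a value of `*` turns `(mail=*)` into a match for every user. The following is an added example written for this page, not CERTInext code, that serves both sections: it escapes the lookup value per RFC 4515, evaluates the resulting filter against a small constructed in-memory directory (the evaluator covers only `&`, `|`, `!` and equality with `*` wildcards), and then populates request fields from the single matching entry using a constructed field-to-attribute map. The entries, attribute names and field map are all constructed for the example.

```python
"""Escaped user lookup plus attribute auto-population (added example, not CERTInext code)."""
import re
from typing import Dict, List

# RFC 4515: characters with special meaning inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_lookup_filter(lookup_attr: str, value: str) -> str:
    """Safe form: objectCategory=person excludes computer objects (also objectClass=user in AD)
    and the lookup value is escaped, so a '*' from the user is matched literally."""
    return f"(&(objectClass=user)(objectCategory=person)({lookup_attr}={escape_filter_value(value)}))"

def unsafe_lookup_filter(lookup_attr: str, value: str) -> str:
    """Injection-prone form: the raw value becomes filter syntax."""
    return f"(&(objectClass=user)(objectCategory=person)({lookup_attr}={value}))"

# --- tiny evaluator for (&...), (|...), (!...) and (attr=value-with-*) ---

def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # consume ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)                  # a literal ')' inside a value is escaped as \29
    return ("=", s[i:eq], s[eq + 1:end]), end + 1

def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _match(pattern: str, actual: str) -> bool:
    """Unescaped '*' splits the pattern into wildcard parts; comparison is case-insensitive."""
    parts = [_unescape(p).casefold() for p in pattern.split("*")]
    actual = actual.casefold()
    if len(parts) == 1:
        return actual == parts[0]
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = actual.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(actual) - len(parts[-1])

def _eval(node, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, pattern = node
    return any(_match(pattern, v) for v in entry.get(attr.casefold(), []))

def search(entries: List[Dict[str, List[str]]], ldap_filter: str) -> List[Dict[str, List[str]]]:
    node, _ = _parse(ldap_filter, 0)
    return [e for e in entries if _eval(node, e)]

# Constructed directory: attribute names lower-cased, values as lists (LDAP attributes are multi-valued).
SAMPLE_ENTRIES = [
    {"dn": ["CN=Alice,OU=Users,DC=corp,DC=example,DC=com"], "objectclass": ["user"], "objectcategory": ["person"],
     "cn": ["Alice Example"], "mail": ["alice@corp.example.com"], "department": ["PKI"],
     "company": ["Example Corp"], "userprincipalname": ["alice@corp.example.com"]},
    {"dn": ["CN=Bob,OU=Users,DC=corp,DC=example,DC=com"], "objectclass": ["user"], "objectcategory": ["person"],
     "cn": ["Bob Example"], "mail": ["bob@corp.example.com"], "department": ["Ops"], "company": ["Example Corp"]},
    {"dn": ["CN=WEB01,OU=Servers,DC=corp,DC=example,DC=com"], "objectclass": ["user", "computer"],
     "objectcategory": ["computer"], "cn": ["WEB01"], "dnshostname": ["web01.corp.example.com"]},
]

# Constructed mapping: certificate request field -> LDAP attribute.
FIELD_MAP = {"common_name": "cn", "email": "mail", "organizational_unit": "department",
             "organization": "company", "user_principal_name": "userprincipalname"}

def populate_request(entries, lookup_attr: str, lookup_value: str, field_map=FIELD_MAP) -> Dict[str, str]:
    """Exactly one entry must match the lookup; otherwise refuse to auto-populate."""
    hits = search(entries, user_lookup_filter(lookup_attr, lookup_value))
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries matched {lookup_attr}={lookup_value!r}; expected exactly 1")
    entry = hits[0]
    return {field: entry[attr][0] for field, attr in field_map.items() if entry.get(attr)}
```

Two checks in this example are worth carrying into any production lookup: the filter is built only from escaped values, and a lookup that returns anything other than exactly one entry aborts rather than filling the request from the first hit, which is what prevents a certificate from being issued with another user's attributes.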

## Active Directory Synchronization

LDAP integration can also support automatic user synchronization.

Supported synchronization capabilities include:

* Import AD users automatically
* Periodic synchronization
* User activation/deactivation sync
* Role synchronization
* Group-based provisioning

## Operational Flow

The LDAP integration workflow typically follows:

```
CERTInext → LDAP/AD Authentication → User Validation → Role Mapping → Platform Access
```

For certificate workflows:

```
CERTInext → LDAP Attribute Lookup → Auto-populate Request Fields → Certificate Issuance
```

