OBSERVE. ANALYZE. ACT.
Support Login

System Management ยท Version 26.2

LDAP Server

Display and configure the external LDAP or LDAPS authentication server for local sign-in.

UI Path: System Settings > LDAP Server ID: config_system_auth_ldap
Workflow
  1. Open System Settings and choose LDAP Server.
  2. Review the LDAP server address, port, protocol, base DN, user attributes, and default group mapping.
  3. Enter optional one-time test credentials when validating the server settings.
  4. Apply the workflow and verify the result with show system auth ldap.

Overview

Use LDAP Server to configure an external LDAP, LDAP with StartTLS, or LDAPS server for user authentication. The LDAP settings define where the appliance connects, how it searches for users, and which local user group is assigned when LDAP group information is not available.

The same settings are available from the CLI through:

config system auth ldap
show system auth ldap

Typical Uses

Use this topic when the appliance should authenticate users against a directory service instead of relying only on local user passwords.

Typical examples:

Show LDAP settings:    show system auth ldap
Display from config:   config system auth ldap
Enable LDAPS:
  config system auth ldap enable true name corp_ldap ip 10.0.0.20 port 636 protocol ldaps base_dn DC=example,DC=com
Set default group:
  config system auth ldap default_group_enable true default_group_name administrator

Prerequisites

  • Confirm that you have administrator permission to change authentication settings.
  • Record the current settings with show system auth ldap.
  • Confirm the LDAP server address, port, protocol, and base DN.
  • Confirm which LDAP attributes provide the user name and group ID.
  • Create or verify the local default user group before assigning it.
  • Keep at least one local administrator account available in case the external server is unreachable.
  • Use quotes for values that contain spaces.

Workflow

  1. Open System Settings.
  2. Choose LDAP Server.
  3. Review Enable LDAP Server, server connection settings, base DN, user attributes, and default group mapping.
  4. Enter optional one-time test credentials when needed.
  5. Apply the workflow.
  6. Verify the saved settings in the web view or with show system auth ldap.

Expected Behavior

The workflow displays the current LDAP settings and applies the selected changes to the saved authentication configuration.

When Enable LDAP Server is disabled, the configuration is retained but the server is not used for authentication. When enabled, LDAP authentication depends on the configured server being reachable and the directory attributes matching the user records.

Username for Test and Password for Test User are one-time workflow inputs. They are cleared after the workflow completes and are not saved in the LDAP configuration.

In The Web UI

Review LDAP Settings

  1. Open System Settings.
  2. Choose LDAP Server.
  3. Review the server name, IP address, port, protocol, base DN, user-name attribute, group-ID attribute, and default group setting.
  4. Apply no changes if you only need to inspect the current settings.

Configure LDAP Authentication

  1. Set Enable LDAP Server.
  2. Enter Server Name.
  3. Enter Server IP Address.
  4. Set LDAP Service Port.
  5. Select LDAP Service Protocol.
  6. Enter Base DN.
  7. Set Attr. Name for POSIX User Name.
  8. Set Attr. Name for User Group ID.
  9. Enable Enable Default Group if users without a mapped group should use a fallback local group.
  10. Select Default User Group Name when default group mapping is enabled.
  11. Enter optional one-time test credentials.
  12. Apply the workflow.

Check From The CLI

Use either command below to display the current LDAP settings:

config system auth ldap
show system auth ldap

The config form without additional fields is display-only. It does not modify the configuration.

CLI Help Reference

Display the authentication command nodes:

config system auth ?

Expected command nodes:

ldap            - Setup LDAP Server
password-policy - User Password and Login Rules
radius          - Setup RADIUS Server
tacacs          - Setup TACACS+ Server

Display the LDAP fields:

config system auth ldap ?

Expected fields:

<Enter>              - Display current settings
enable               - Enable to use LDAP server to authenticate user
name                 - Server name
ip                   - Server IP address
port                 - LDAP service port
protocol             - LDAP service protocol
base_dn              - Base Distinguished Name
username_attr        - Attribute name for user name
gid_attr             - Attribute name for User Group ID
default_group_enable - Use the default group name
default_group_name   - Default user group name if Group ID is not found from gid method
test_username        - Username for testing, only use one time to verify configuration, not saved
test_password        - Password for the test user

Change From The CLI

Enable LDAPS with a base DN:

config system auth ldap enable true name corp_ldap ip 10.0.0.20 port 636 protocol ldaps base_dn DC=example,DC=com

Use LDAP with StartTLS:

config system auth ldap protocol ldap_with_starttls port 389

Configure user and group attributes:

config system auth ldap username_attr uid,cn gid_attr gidNumber

Enable a default local user group:

config system auth ldap default_group_enable true default_group_name administrator

Disable LDAP authentication while retaining the saved server settings:

config system auth ldap enable false

Field Reference

CLI Field UI Field Type Or Values Notes
enable Enable LDAP Server Boolean Enables or disables LDAP authentication.
name Server Name String Operator-facing name for the LDAP server.
ip Server IP Address IP address or host string LDAP server address.
port LDAP Service Port Integer from 1 to 65536 Common values are 389 for LDAP and StartTLS, 636 for LDAPS.
protocol LDAP Service Protocol ldap, ldap_with_starttls, or ldaps Selects plain LDAP, StartTLS, or LDAPS.
base_dn Base DN String Directory search base, such as DC=example,DC=com.
username_attr Attr. Name for POSIX User Name String Attribute list used to identify the user name.
gid_attr Attr. Name for User Group ID String Attribute list used to identify the LDAP group ID.
default_group_enable Enable Default Group Boolean Allows fallback to a local group.
default_group_name Default User Group Name Existing local user group Used when LDAP group ID mapping does not find a local group.
test_username Username for Test (Empty to skip) String One-time workflow input; not saved.
test_password Password for Test User Password string One-time workflow input; not saved.

Confirmation And Rollback

Applying the workflow saves the LDAP configuration. To roll back, reapply the previous values recorded from show system auth ldap.

If LDAP authentication prevents expected sign-in, use a local administrator account and disable LDAP with:

config system auth ldap enable false

Notes

  • The valid CLI path is config system auth ldap; config system ldap is not a command node.
  • test_group is a workflow section label and is intentionally hidden from CLI help.
  • Test credentials are one-time values and are cleared after the workflow.
  • External authentication still depends on local user group authorization.

Troubleshooting

LDAP Users Cannot Sign In

Verify enable, ip, port, protocol, base_dn, username_attr, and gid_attr. Confirm the appliance can reach the LDAP server and that at least one local administrator account remains available.

Users Sign In But Have The Wrong Access

Review Default User Group Name and the LDAP group ID mapping. Confirm the target local user group exists and has the intended workflow access.

The LDAP Command Is Not Found

Use config system auth ldap. The LDAP server workflow is mounted under system auth.

  • Use User Groups to configure local authorization for LDAP users.
  • Use User Management to keep a local administrator account available.
  • Use Password and Login Rules for local password and login lockout policy.

Related Topics

System Settings Authentication User Groups Password Policy l01sh