# LDAP Integration

LDAP (Lightweight Directory Access Protocol) integration allows ONEWEB to **authenticate users against an enterprise directory service** such as **Active Directory**, **OpenLDAP**, or **Apache Directory**.

Starting with **ONEWEB 4.0**, LDAP can be configured at the application‑server level and used as part of the **centralized authentication strategy**, enabling organizations to manage identities consistently across systems.

***

### Purpose of LDAP Integration

LDAP integration is typically used to:

* Centralize user authentication in an enterprise directory
* Enforce corporate identity and access policies
* Reduce local user management and password duplication
* Support compliance requirements for identity governance
* Enable role‑based access control using directory groups

With LDAP integration, ONEWEB relies on the directory service as the **source of truth for user identity**.

***

### LDAP Connection Configuration

To configure LDAP authentication, a **security domain** must be defined on the application server (WildFly / JBoss).\
ONEWEB references this security domain during authentication.

***

#### Core LDAP Configuration Attributes

The following attributes are required to define an LDAP connection:

| Attribute                | Description                                                                   |
| ------------------------ | ----------------------------------------------------------------------------- |
| **security‑domain name** | Fixed value for ONEWEB 4.0: `LDAPAuthLocal` (referenced from `jboss-web.xml`) |
| **url**                  | LDAP server URL, e.g. `ldap://<Server IP>:<Port>`                             |
| **bindDN**               | Distinguished Name used to bind to the directory                              |
| **bindCredential**       | Password associated with the bindDN                                           |
| **baseCtxDN**            | Base DN from which user search begins                                         |
| **baseFilter**           | Filter used to locate user entries, e.g. `(uid={0})`                          |
| **rolesCtxDN**           | DN used to search for user roles                                              |
| **roleAttributeID**      | Attribute that represents role name                                           |
| **searchScope**          | Scope of search (default: `SUBTREE_SCOPE`)                                    |

***

### Configure LDAP Security Domain (WildFly / JBoss)

In **WildFly**, LDAP authentication is configured in `standalone.xml` under the `<profile>` → `<subsystem>` → `<security-domains>` section.

#### Example LDAP Security Domain Configuration

```xml
<security-domain name="LDAPAuthLocal" cache-type="default">
    <authentication>
        <!-- Accepts an identity already established on the remoting connection;
             password-stacking lets the next module reuse that credential. -->
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>

        <!-- The directory lookup itself; "required" means login fails if it fails. -->
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial"
                           value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <!-- Use ldaps:// in production so the bind password is not sent in clear. -->
            <module-option name="java.naming.provider.url"
                           value="ldap://[IP Address]:[Port]"/>
            <module-option name="java.naming.security.authentication"
                           value="simple"/>

            <!-- Service account used for the initial user search. -->
            <module-option name="bindDN"
                           value="CN=SystemAdmin,OU=People,dc=example,dc=com"/>
            <module-option name="bindCredential"
                           value="secret"/>

            <!-- Where and how the user entry is located; {0} is the login name. -->
            <module-option name="baseCtxDN"
                           value="OU=Roles,dc=example,dc=com"/>
            <module-option name="baseFilter"
                           value="(sAMAccountName={0})"/>

            <!-- Where group membership is searched; {1} is the user's DN. -->
            <module-option name="rolesCtxDN"
                           value="OU=People,dc=example,dc=com"/>
            <module-option name="roleFilter"
                           value="(member={1})"/>
            <module-option name="roleAttributeID"
                           value="sAMAccountName"/>
            <!-- true: the role attribute holds a DN to resolve, not the role name. -->
            <module-option name="roleAttributeIsDN"
                           value="true"/>

            <!-- Levels of nested groups to follow; role granted to every user. -->
            <module-option name="roleRecursion"
                           value="1"/>
            <module-option name="defaultRole"
                           value="AllUser"/>

            <module-option name="searchScope"
                           value="SUBTREE_SCOPE"/>
            <!-- Reject empty passwords, which the server would treat as anonymous binds. -->
            <module-option name="allowEmptyPasswords"
                           value="false"/>
            <!-- Surface directory errors instead of a silent login failure. -->
            <module-option name="throwValidateError"
                           value="true"/>
        </login-module>
    </authentication>
</security-domain>
```

***

#### LDAP Server Differences (Important Note)

LDAP schema and attribute names may vary depending on the directory server used.

> **Note:**
>
> * For **Apache Directory / OpenLDAP**, common alternatives include:
>   * `baseFilter = "(uid={0})"`
>   * `roleAttributeID = "cn"`
> * Always verify attribute names against your directory schema
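
To make the login flow behind these options concrete, the following Python script is an added example (not ONEWEB or WildFly code) that simulates what the `LdapExtended` module does with them: service bind with `bindDN`/`bindCredential`, user lookup with `baseFilter` (`{0}` = login name) under `baseCtxDN`, a bind as the user to check the password, role lookup with `roleFilter` (`{1}` = user DN) under `rolesCtxDN`, nested-group recursion up to `roleRecursion`, and `defaultRole`. The in-memory directory, the `CONFIG` dictionary and the `OPENLDAP_CONFIG` variant (which applies the `uid` / `cn` attribute names from the note above) are constructed for this example; the simulated server understands only simple `(attr=value)` filters, and the real module has more options than shown. The login name is escaped per RFC 4515 before substitution, because a real server interprets `*`, `(`, `)` and `\` as filter syntax.

```python
import re

# Constructed in-memory directory (DN -> attribute -> values), standing in for the
# LDAP server. Users live under OU=People, groups under OU=Roles; both AD-style
# (sAMAccountName/member) and OpenLDAP-style (uid/cn) attributes are present.
PEOPLE = "OU=People,dc=example,dc=com"
ROLES = "OU=Roles,dc=example,dc=com"
DIRECTORY = {
    f"CN=SystemAdmin,{PEOPLE}": {"samaccountname": ["systemadmin"], "uid": ["systemadmin"],
                                  "userpassword": ["secret"]},
    f"CN=Alice,{PEOPLE}": {"samaccountname": ["alice"], "uid": ["alice"],
                            "userpassword": ["alice-pw"]},
    f"CN=Bob,{PEOPLE}": {"samaccountname": ["bob"], "uid": ["bob"],
                          "userpassword": ["bob-pw"]},
    f"CN=Developers,{ROLES}": {"samaccountname": ["Developers"], "cn": ["Developers"],
                                "member": [f"CN=Alice,{PEOPLE}"]},
    f"CN=Admins,{ROLES}": {"samaccountname": ["Admins"], "cn": ["Admins"],
                            "member": [f"CN=Developers,{ROLES}"]},  # nested group
}

# Constructed options, keyed like the module-option names of the security domain.
CONFIG = {
    "bindDN": f"CN=SystemAdmin,{PEOPLE}",
    "bindCredential": "secret",
    "baseCtxDN": PEOPLE,
    "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": ROLES,
    "roleFilter": "(member={1})",
    "roleAttributeID": "sAMAccountName",
    "roleRecursion": "1",
    "defaultRole": "AllUser",
    "allowEmptyPasswords": "false",
}
# Apache Directory / OpenLDAP variant: only the user filter and role attribute change.
OPENLDAP_CONFIG = dict(CONFIG, baseFilter="(uid={0})", roleAttributeID="cn")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search: DNs under base_dn whose attribute equals the filter value."""
    m = _FILTER.match(ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are simulated: " + ldap_filter)
    attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower().endswith("," + base_dn.lower())
        if in_scope and wanted in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind; an empty password would be an anonymous bind, so it never succeeds."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def resolve_roles(member_dn, config, depth=0):
    """Search rolesCtxDN with roleFilter ({1} = DN), then follow nested groups."""
    role_filter = config["roleFilter"].replace("{1}", escape_filter_value(member_dn))
    roles = set()
    for group_dn in search(config["rolesCtxDN"], role_filter):
        roles.update(DIRECTORY[group_dn].get(config["roleAttributeID"].lower(), []))
        if depth < int(config.get("roleRecursion", "0")):
            roles |= resolve_roles(group_dn, config, depth + 1)
    return roles


def authenticate(username, password, config=CONFIG):
    """Return (user_dn, sorted roles) on success, or None when the login is denied."""
    if not password and config.get("allowEmptyPasswords", "false") != "true":
        return None
    if not bind(config["bindDN"], config["bindCredential"]):
        raise RuntimeError("service bind failed: check bindDN / bindCredential")
    user_filter = config["baseFilter"].replace("{0}", escape_filter_value(username))
    matches = search(config["baseCtxDN"], user_filter)
    if len(matches) != 1:
        return None  # unknown or ambiguous user
    user_dn = matches[0]
    if not bind(user_dn, password):
        return None  # wrong password
    roles = resolve_roles(user_dn, config)
    if config.get("defaultRole"):
        roles.add(config["defaultRole"])
    return user_dn, sorted(roles)


if __name__ == "__main__":
    print(authenticate("alice", "alice-pw"))          # Alice: Developers, nested Admins, AllUser
    print(authenticate("bob", "bob-pw"))              # Bob: only the default role
    print(authenticate("alice", ""), authenticate("*", "x"))  # both denied
```

Running it shows Alice receiving `Admins` through the nested group only because `roleRecursion` is 1, Bob receiving just `AllUser`, and an empty password or a wildcard login name being denied rather than matching every entry.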

***

### Bind ONEWEB to LDAP Security Domain

Once the LDAP security domain is defined, ONEWEB must reference it.

This is done in the `jboss-web.xml` file.

#### Example: Specify Security Domain

```xml
<jboss-web>
    <security-domain>java:/jaas/LDAPAuthLocal</security-domain>
</jboss-web>
```

This configuration instructs ONEWEB to use **LDAPAuthLocal** as its authentication mechanism.

***

### Security & Compliance Considerations

When using LDAP authentication:

* Protect LDAP credentials (bindDN password) securely
* Use secure LDAP (LDAPS) in production environments
* Restrict directory permissions for the bind user
* Align role mappings with organizational access policies
* Log authentication and authorization events for audit

LDAP integration strengthens compliance by centralizing identity control and improving traceability.

***

### Summary

**LDAP Integration** enables ONEWEB to authenticate users against a centralized enterprise directory, supporting secure and compliant identity management.

With LDAP integration, organizations can:

* Centralize authentication and role management
* Leverage existing directory infrastructure
* Reduce credential duplication
* Enforce consistent access control policies
* Meet enterprise security and compliance requirements

LDAP integration is a recommended approach for **enterprise‑grade authentication** in ONEWEB deployments.
