# Retrieving LDAP connection details
This guide helps you retrieve the LDAP connection details for your environment. LDAP can be set up in different environments, depending on whether you are running a cloud directory service or managing your own domain controllers. The table below lists the most common LDAP environments. To retrieve the connection details for your environment, follow the corresponding section.

| Environment | LDAP | Notes |
| --- | --- | --- |
| Azure Entra ID | Via Microsoft Entra Domain Services (Entra DS) | Enable Microsoft Entra DS |
| Google Workspace | Via the Secure LDAP service | Enable Secure LDAP in the Google Admin console |
| Windows domain controller (local server) | Native | Integrates with Windows Server systems |

Whichever environment you use, prefer LDAPS on port 636 with certificate verification enabled. The "Skip verify SSL" option disables validation of the server certificate: the bind password and every user's password are then sent to whatever answers on that host and port, so use it only for a short test, never in production. If verification fails, fix the server certificate or provide the correct root CA certificate instead.

## Azure Entra ID

Azure Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It supports LDAP via a Microsoft Entra Domain Services instance. This allows cloud and/or on-premises applications that depend on LDAP to work with Entra ID identities managed in Azure.

In the Azure portal, search for "Domain Services" to open your Microsoft Entra Domain Services instance. No Microsoft Entra Domain Services instance yet? Follow "Implement LDAP authentication with Microsoft Entra ID".

### Retrieve the connection details for Microsoft Entra ID

1. Go to Microsoft Entra Domain Services instance > Secure LDAP and make sure Secure LDAP is enabled, so that TLS encryption is used (recommended). This enables LDAPS on port 636 instead of unencrypted LDAP on port 389.
2. Is Factry Historian/Grafana located within the same (or a peered) Azure VNet (virtual network) as the Microsoft Entra Domain Services instance?
   - Yes: the LDAP host is the managed domain name, e.g. `mydomain.onmicrosoft.com` (replace `mydomain` with the domain shown in the Microsoft Entra DS instance).
   - No: go to Microsoft Entra Domain Services instance > Secure LDAP and enable "Allow Secure LDAP access over the internet", then go to Microsoft Entra Domain Services instance > Properties > Secure LDAP external IP addresses to get the LDAP host. Restrict inbound access to port 636 on that address to the networks that actually need it.
3. Use the table below to retrieve the remaining connection details.

| Setting | Value |
| --- | --- |
| Host | `mydomain.onmicrosoft.com`, `mydomain.com`, or an Azure external IP address |
| Port | 636 (default for LDAPS, recommended) or 389 (default for LDAP) |
| TLS/SSL | For port 636: enable "Use SSL", disable "Start TLS", disable "Skip verify SSL". For port 389: disable "Use SSL", enable "Start TLS", enable "Skip verify SSL" (see the note above; keep verification on wherever the certificate can be verified). |
| Bind user DN and password | The bind DN is typically the UPN of a user in the managed domain, e.g. `binduser@mydomain.com`. The password is that user's domain password. Service accounts are usually created specifically for this purpose. |
| Root CA certificate | None, provided the certificate you uploaded for Secure LDAP chains to a publicly trusted CA. If it was issued by an internal CA, provide that CA's root certificate as described for the Windows domain controller below. |
| Client certificate and key files | None |
| Base DN | Your base DN in LDAP format, e.g. `dc=mydomain,dc=com` or `dc=mydomain,dc=onmicrosoft,dc=com`. Replace `mydomain` with the domain shown in the Microsoft Entra DS instance (`mydomain.onmicrosoft.com`). The longer and more specific the base DN, the more you constrain the search to a smaller subtree of the directory. |
| Search filter | `(userPrincipalName=%s)` if the Factry Historian/Grafana username is the Microsoft e-mail address, e.g. `john.doe@mycompany.com`. `(sAMAccountName=%s)` if the Factry Historian/Grafana username is a shorter username, e.g. `jdoe`. `%s` is replaced with the name the user logs in with. |
| Attributes (of each identity) | Uses the default attribute format: email `mail`; first name `givenName`; last name `sn`; username `sAMAccountName` (legacy systems) or `userPrincipalName`; member of `memberOf`. |

## Google Workspace

Google Workspace provides a Secure LDAP service, which allows applications to authenticate users against identities managed in Google. With Secure LDAP, you can use Google Workspace as your centralized identity store for LDAP applications. Go to the Google Admin console to create an LDAP client.

### Retrieve the connection details for Google Workspace

| Setting | Value |
| --- | --- |
| Host | `ldap.google.com` |
| Port | 636 (default for LDAPS, recommended) or 389 (default for LDAP) |
| TLS/SSL | For port 636: enable "Use SSL", disable "Start TLS", disable "Skip verify SSL". For port 389: disable "Use SSL", enable "Start TLS", enable "Skip verify SSL" (see the note above). |
| Bind user DN and password | Generate a DN, username and password in the Google Admin console via the Secure LDAP service. For instructions, see "Generate access credentials". |
| Root CA certificate | None |
| Client certificate and key files | Use the certificate and key file downloaded from the Google Admin console and put them on the historian server (requires command-line access, or ask Factry support). The path to these files on the historian server has to be filled in when configuring LDAP in Factry Historian or Grafana. Keep the key file readable only by the account that runs the historian or Grafana: whoever holds it can authenticate to your directory as this LDAP client. More information on managing the client certificate and key: see Troubleshooting LDAP authentication. |
| Base DN | Your base DN in LDAP format, e.g. `dc=mydomain,dc=com` (search the entire domain), `ou=groups,dc=mydomain,dc=com` (search only within the Groups organizational unit) or `cn=engineering,ou=groups,dc=mydomain,dc=com` (search only within the engineering group entry). Replace `mydomain` with your Google Workspace domain. The longer and more specific the base DN, the more you constrain the search to a smaller subtree of the directory. |
| Search filter | `(mail=%s)` if the Factry Historian/Grafana username is the Google e-mail address, e.g. `john.doe@mycompany.com`. `(uid=%s)` if the Factry Historian/Grafana username is a shorter username, e.g. `john.doe`. |
| Attributes (of each identity) | Uses the default attribute format: email `mail`; first name `givenName`; last name `sn`; locale `preferredLanguage`; member of `memberOf`. Username is not available by default (it can be added via custom attributes in the Google Admin console → Directory → Users → User information); `uid` is typically used as the username. |

## Windows domain controller (local server)

A domain controller (local Windows server) supports LDAP against identities stored in Active Directory. This setup is typically used for applications running in on-premises networks. Go to "Enable LDAP over SSL with a third-party certification authority" to enable LDAPS (recommended). Use the table below to retrieve the connection details.

| Setting | Value |
| --- | --- |
| Host | FQDN or IP address of the domain controller, e.g. `dc01.mycompany.local`. Use the FQDN when certificate verification is on: the name you connect to must appear in the subject alternative names of the domain controller's certificate. |
| Port | 636 (default for LDAPS, recommended) or 389 (default for LDAP) |
| TLS/SSL | For port 636: enable "Use SSL", disable "Start TLS", disable "Skip verify SSL". For port 389: disable "Use SSL", enable "Start TLS", enable "Skip verify SSL" (see the note above). |
| Bind user DN and password | Use the user DN or UPN of a service account or user in AD, e.g. `CN=ldap.service,OU=Service Accounts,DC=mycompany,DC=local` or `ldap.service@mycompany.local`. A dedicated account with read-only directory rights is sufficient; do not use a privileged account. |
| Root CA certificate | If the domain controller uses a certificate issued by a publicly trusted CA: no CA certificate needed. If the certificate is self-signed or issued by an internal (enterprise) CA: provide the root CA certificate with which the domain controller's server certificate was signed and put it on the historian server (requires command-line access, or ask Factry support). The path to this file on the historian server has to be filled in when configuring LDAP in Factry Historian or Grafana. More information on managing the certificate: see Troubleshooting LDAP authentication. |
| Client certificate and key files | LDAP: none. LDAPS: only needed when the domain controller is configured to require client certificates (mutual TLS); in that case provide the certificate and key file issued for the historian and put them on the historian server (requires command-line access, or ask Factry support). The path to these files on the historian server has to be filled in when configuring LDAP in Factry Historian or Grafana. Otherwise none. More information on managing the client certificate and key: see Troubleshooting LDAP authentication. |
| Base DN | Root of your AD domain in DN format, e.g. `dc=mydomain,dc=local`, `ou=groups,dc=mydomain,dc=local` or `ou=users,dc=mydomain,dc=local`. Replace `mydomain` with your domain. The longer and more specific the base DN, the more you constrain the search to a smaller subtree of the directory. |
| Search filter | `(userPrincipalName=%s)` if the Factry Historian/Grafana username is the Microsoft e-mail address, e.g. `john.doe@mycompany.com`. `(sAMAccountName=%s)` if the Factry Historian/Grafana username is a shorter username, e.g. `jdoe`. The application substitutes the login name for `%s`; it must escape `*`, `(`, `)` and `\` first so that a crafted login name cannot widen the search. Grafana's LDAP integration does this; verify the same for any other consumer of this filter. |
| Attributes (of each identity) | Uses the default attribute format: email `mail`; first name `givenName`; last name `sn`; username `sAMAccountName` (legacy systems) or `userPrincipalName`; member of `memberOf`. Locale is not available by default (it can be added via custom attributes). |
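What the "Root CA certificate" and "Skip verify SSL" settings in the tables above control is the certificate check the LDAP client performs when it opens the LDAPS connection. The Go program below is added here as an illustration; it is not code from Factry Historian or Grafana. It builds a constructed stand-in for an internal enterprise CA and the certificate that CA issued to `dc01.mycompany.local`, then runs the check three times: with the root CA provided, with the wrong host name, and with only the system trust store (the situation on the historian server when the root CA file is missing). The host names, the CA name and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed with the parent's key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// internalPKI builds a constructed stand-in for an enterprise CA and the LDAPS
// certificate it issued to a domain controller. Both are returned as PEM, the
// form in which the root CA is placed on the historian server.
func internalPKI(dcHost string) (rootPEM, serverPEM []byte, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mycompany Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dcHost},
		DNSNames:     []string{dcHost}, // the name the client must connect to
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv, _, err := issue(srvTmpl, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	serverPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Raw})
	return rootPEM, serverPEM, nil
}

// verifyServerCert is the check an LDAP client performs when "Skip verify SSL"
// is off: chain the server certificate to a trusted root and match the host
// name. rootPEM == nil means "trust only the system roots", the case in which
// no CA certificate file is needed.
func verifyServerCert(serverPEM, rootPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{DNSName: host}
	if rootPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootPEM) {
			return errors.New("root CA file contains no usable certificate")
		}
		opts.Roots = pool
	}
	_, err = cert.Verify(opts)
	return err
}

func main() {
	root, server, err := internalPKI("dc01.mycompany.local")
	if err != nil {
		panic(err)
	}
	fmt.Println("root CA provided, correct host:", verifyServerCert(server, root, "dc01.mycompany.local"))
	fmt.Println("root CA provided, other host:  ", verifyServerCert(server, root, "dc02.mycompany.local"))
	fmt.Println("system roots only:             ", verifyServerCert(server, nil, "dc01.mycompany.local"))
}
```

Only the first call succeeds. The second fails because the host name does not match the certificate, which is why the table recommends the FQDN rather than an IP address; the third fails because the internal root is not in the system trust store, which is the error "Skip verify SSL" hides instead of fixing.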
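The `%s` in the search filters of all three environments above is replaced with whatever name the user types at the login prompt. The Go program below is added here as an illustration; it is not code from Factry Historian or Grafana. It shows the RFC 4515 escaping that has to happen before that substitution and what a crafted login name does to the filter without it. The filter templates and login names are constructed sample inputs, and the function names are this example's own.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515, section 3). The characters '*', '(', ')', '\' and NUL become
// "\xx" hex escapes; bytes outside ASCII are escaped the same way, which is
// also what go-ldap's EscapeFilter does.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			b.WriteByte('\\')
			b.WriteString(hex.EncodeToString([]byte{c}))
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

// buildSearchFilter substitutes the login name into a template such as
// "(sAMAccountName=%s)" after escaping it, so the name is only ever compared
// as a literal value and can never change the shape of the filter.
func buildSearchFilter(template, username string) string {
	return strings.ReplaceAll(template, "%s", escapeFilterValue(username))
}

// unsafeSearchFilter performs the same substitution without escaping. It is
// here only to show what a crafted login name does to the filter.
func unsafeSearchFilter(template, username string) string {
	return strings.ReplaceAll(template, "%s", username)
}

func main() {
	templates := []string{"(sAMAccountName=%s)", "(userPrincipalName=%s)", "(mail=%s)", "(uid=%s)"}
	// Constructed login names: two legitimate ones and two crafted ones.
	names := []string{"jdoe", "john.doe@mycompany.com", "*", "jdoe)(objectClass=*"}
	for _, tmpl := range templates {
		for _, name := range names {
			fmt.Printf("%-24s %-24q unsafe: %-42s escaped: %s\n",
				tmpl, name, unsafeSearchFilter(tmpl, name), buildSearchFilter(tmpl, name))
		}
	}
}
```

A login name of `*` turns the unescaped filter into `(sAMAccountName=*)`, which matches every account in the base DN; escaped, it becomes `(sAMAccountName=\2a)`, a literal asterisk that matches nothing. Legitimate names such as `jdoe` or `john.doe@mycompany.com` contain no special characters and pass through unchanged.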