Enable LDAP and sync teams and users

Once you enable LDAP you can sync your LDAP directory to the teams and users that are present in MKE.


To enable LDAP:

  1. Log in to the MKE web UI as an MKE administrator.

  2. In the left-side navigation panel, navigate to <user name> > Admin Settings > Authentication & Authorization.

  3. Scroll down to the Identity Provider Integration section.

  4. Toggle LDAP to Enabled. A list of LDAP settings displays.

  5. Enter the values that correspond with your LDAP server installation.

  6. Use the built-in MKE LDAP Test login tool to confirm that your LDAP settings are correctly configured.


To synchronize LDAP users into MKE teams:

  1. In the left-side navigation panel, navigate to Access Control > Orgs & Teams and select an organization.

  2. Click + to create a team.

  3. Enter a team name and description.

  4. Toggle ENABLE SYNC TEAM MEMBERS to Yes.

  5. Choose between the following two methods for matching group members from an LDAP directory. Refer to the table below for more information.

    • Keep the default Match Search Results method and fill out Search Base DN, Search filter, and Search subtree instead of just one level as required.

    • Toggle LDAP MATCH METHOD to change the method for matching group members in the LDAP directory to Match Group Members.

  6. Optional. Select Immediately Sync Team Members to run an LDAP sync operation after saving the configuration for the team.

  7. Optional. To allow non-LDAP team members to sync the LDAP directory, select Allow non-LDAP members.

    Note

    If you do not select Allow non-LDAP members, manually-added and SAML users are removed during the LDAP sync.

  8. Click Create.

  9. Repeat the preceding steps to synchronize LDAP users into additional teams.


To perform LDAP sync for specified teams and organizations

You can perform targeted LDAP sync operations either for entire organizations or for individual teams in a specified organization, without affecting all accounts. MKE supports two methods for mapping teams to LDAP groups:

  • Match Search Results (search bind)

  • Match Group Members (direct bind)

The POST /accounts/{orgNameOrID}/sync API endpoint triggers an LDAP sync operation that targets either:

  • All teams within an organization, identified by the organization name or ID in the path parameter {orgNameOrID}.

  • A specific team, identified by the team name or ID.

Example

POST /accounts/{orgNameOrID}/sync

{
  "teamNameOrID": "<team-name-or-ID>"
}

Passing a valid <team-name-or-ID> results in the sync being applied only to the specified team in the organization, whereas passing an empty field "" will trigger the sync operation for all teams in the organization.

Note

To ensure that targeted sync is not interrupted by a scheduled full sync, edit the LDAP configuration to "syncSchedule": "". You can do this by way of the PUT /api/ucp/config/auth/ldap API endpoint or through the MKE web UI by leaving the sync interval field empty.

There are two methods for matching group members from an LDAP directory:

Bind method

Description

Match Search Results (search bind)

Specifies that team members are synced using a search query against the LDAP directory of your organization. The team membership is synced to match the users in the search results.

Search Base DN

The distinguished name of the node in the directory tree where the search starts looking for users.

Search filter

Filter to find users. If empty, existing users in the search scope are added as members of the team.

Search subtree instead of just one level

Defines search through the full LDAP tree, not just one level, starting at the base DN.

Match Group Members (direct bind)

Specifies that team members are synced directly with members of a group in your LDAP directory. The team membership syncs to match the membership of the group.

Group DN

The distinguished name of the group from which you select users.

Group Member Attribute

The value of this attribute corresponds to the distinguished names of the members of the group.