Enable LDAP and sync teams and users
Once you enable LDAP, you can sync your LDAP directory with the teams and users that are present in MKE.
To enable LDAP:
Log in to the MKE web UI as an MKE administrator.
In the left-side navigation panel, navigate to <user name> > Admin Settings > Authentication & Authorization.
Scroll down to the Identity Provider Integration section.
Toggle LDAP to Enabled. A list of LDAP settings displays.
Enter the values that correspond with your LDAP server installation.
Use the built-in MKE LDAP Test login tool to confirm that your LDAP settings are correctly configured.
To synchronize LDAP users into MKE teams:
In the left-side navigation panel, navigate to Access Control > Orgs & Teams and select an organization.
Click + to create a team.
Enter a team name and description.
Toggle ENABLE SYNC TEAM MEMBERS to Yes.
Choose one of the following two methods for matching group members from an LDAP directory. Refer to the table below for more information.
Keep the default Match Search Results method and fill out Search Base DN, Search filter, and, if required, Search subtree instead of just one level.
Toggle LDAP MATCH METHOD to Match Group Members to change the method used for matching group members in the LDAP directory.
Optional. Select Immediately Sync Team Members to run an LDAP sync operation after saving the configuration for the team.
Optional. To keep non-LDAP team members in the team when the LDAP directory is synced, select Allow non-LDAP members.
Note
If you do not select Allow non-LDAP members, manually added and SAML users are removed during the LDAP sync.
Click Create.
Repeat the preceding steps to synchronize LDAP users into additional teams.
To perform LDAP sync for specified teams and organizations
You can perform targeted LDAP sync operations either for entire organizations or for individual teams in a specified organization, without affecting all accounts. MKE supports two methods for mapping teams to LDAP groups:
Match Search Results (search bind)
Match Group Members (direct bind)
The POST /accounts/{orgNameOrID}/sync API endpoint triggers an LDAP sync operation that targets either:
All teams within an organization, identified by the organization name or ID in the path parameter {orgNameOrID}.
A specific team, identified by the team name or ID.
Example
POST /accounts/{orgNameOrID}/sync
{
  "teamNameOrID": "<team-name-or-ID>"
}
Passing a valid <team-name-or-ID> results in the sync being applied only to the specified team in the organization, whereas passing an empty field "" triggers the sync operation for all teams in the organization.
Note
To ensure that a targeted sync is not interrupted by a scheduled full sync, edit the LDAP configuration to "syncSchedule": "". You can do this by way of the PUT /api/ucp/config/auth/ldap API endpoint or through the MKE web UI by leaving the sync interval field empty.
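As an added example (not MKE's own client code and not from the original page), the following Python helper builds and sends the targeted sync request documented above, treating the empty "teamNameOrID" (sync every team in the organization) as an explicit opt-in rather than a default. The base URL, the session token and the bearer-token Authorization header are assumed placeholders; the request path is used exactly as documented above.

```python
import json
import urllib.request
from typing import Optional, Tuple

BASE_URL = "https://mke.example.invalid"  # placeholder; assumed, not from the page
TOKEN = "<session-token>"                 # placeholder; bearer auth is assumed


def build_sync_request(org_name_or_id: str,
                       team_name_or_id: Optional[str] = None,
                       all_teams: bool = False) -> Tuple[str, dict]:
    """Return (path, JSON body) for POST /accounts/{orgNameOrID}/sync.

    A team name or ID limits the sync to that team. An empty "teamNameOrID"
    syncs every team in the organization, so that case must be requested
    explicitly with all_teams=True: a missing or blank team never silently
    widens the operation to the whole organization.
    """
    if not org_name_or_id or not org_name_or_id.strip():
        raise ValueError("organization name or ID is required")
    if all_teams:
        if team_name_or_id:
            raise ValueError("all_teams=True cannot be combined with a team")
        team = ""  # documented meaning: sync all teams in the organization
    else:
        if not team_name_or_id or not team_name_or_id.strip():
            raise ValueError("team name or ID is required unless all_teams=True")
        team = team_name_or_id.strip()
    return f"/accounts/{org_name_or_id.strip()}/sync", {"teamNameOrID": team}


def run_sync(org_name_or_id: str,
             team_name_or_id: Optional[str] = None,
             all_teams: bool = False) -> int:
    """Send the sync request to MKE and return the HTTP status code."""
    path, body = build_sync_request(org_name_or_id, team_name_or_id, all_teams)
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {TOKEN}",  # auth header format assumed
        },
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status
```

Call run_sync("engineering", "developers") for a single team, or run_sync("engineering", all_teams=True) to sync every team in the organization.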
There are two methods for matching group members from an LDAP directory:
Bind method | Description
---|---
Match Search Results (search bind) | Specifies that team members are synced using a search query against the LDAP directory of your organization. The team membership is synced to match the users in the search results.
Match Group Members (direct bind) | Specifies that team members are synced directly with the members of a group in your LDAP directory. The team membership is synced to match the membership of the group.