en
Guides
Use Cases
LDAP Integration
enGuidesUse CasesLdap Integration

LDAP Integration

This guide walks through integrating NQRust-Identity with an LDAP directory server (e.g., OpenLDAP or Active Directory). After completing this tutorial, users from the LDAP directory will be able to authenticate through NQRust-Identity.

Prerequisites

  • NQRust-Identity is installed and running. See Phase 1: Install Identity.
  • An LDAP server is reachable from the NQRust-Identity host.
  • You have the LDAP connection details: host, port, bind DN, and bind credentials.
  • Admin Console access at https://<your-host>:<port>/auth/admin.

Step 1: Open the User Federation settings

Navigate to User Federation

  1. Log in to the Admin Console.
  2. Select the target realm from the top-left dropdown.
  3. In the left sidebar, click User Federation.

Add LDAP provider

Click Add provider and select ldap from the dropdown.


Step 2: Configure the LDAP connection

Fill in the Required Settings section:

FieldDescriptionExample
UI display nameLabel shown in the Admin ConsoleCorporate LDAP
VendorSelect the closest match for your LDAP serverOther / Active Directory / Red Hat Directory Server
Connection URLLDAP server addressldap://ldap.example.com:389
Enable StartTLSUpgrade connection to TLS after initial handshakeOff (enable for production)
Use Truststore SPIWhether to use the server truststore for TLS verificationOnly for ldaps
Bind typeAuthentication method for the bind accountsimple
Bind DNDistinguished name of the service accountcn=admin,dc=example,dc=com
Bind credentialsPassword for the bind account••••••••

Click Test connection to verify that NQRust-Identity can reach the LDAP server before proceeding.

Then fill in the LDAP searching and updating section:

FieldDescriptionExample
Edit modeWhether users can update their profile via NQRust-IdentityREAD_ONLY
Users DNBase DN where user entries are locatedou=users,dc=example,dc=com
Username LDAP attributeLDAP attribute mapped to the NQRust-Identity usernameuid (OpenLDAP) or sAMAccountName (AD)
RDN LDAP attributeRelative distinguished name attributeuid
UUID LDAP attributeUnique identifier attributeentryUUID (OpenLDAP) or objectGUID (AD)
User object classesObject classes that define user entriesinetOrgPerson, organizationalPerson

Click Test authentication to verify that the bind credentials are accepted by the LDAP server.

Click Save to create the LDAP provider.


Step 3: Synchronize users

After saving the provider, you can import users from LDAP into the NQRust-Identity database.

Trigger a full sync

On the LDAP provider page, scroll down to the Sync Settings section and click Synchronize all users.

A status message confirms the number of users imported:

Added X users, Updated Y users, Removed Z users

Verify imported users

  1. In the left sidebar, click Users.
  2. Click View all users.
  3. Confirm that LDAP users appear in the list. Their Origin column shows the LDAP federation provider name (e.g., Corporate LDAP).
⚠️

NQRust-Identity stores a local copy of user data from LDAP. Password validation for LDAP users is always delegated back to the LDAP server — passwords are never stored in NQRust-Identity.


Step 4: Configure attribute mappers

Mappers define how LDAP attributes are translated into NQRust-Identity user profile fields.

Open the Mappers tab

On the LDAP provider page, click the Mappers tab. NQRust-Identity creates several default mappers automatically (e.g., username, email, first name, last name).

Review default mappers

Check that these mappers point to the correct LDAP attributes for your directory:

Mapper nameLDAP attributeNQRust-Identity field
usernameuid / sAMAccountNameusername
emailmailemail
first namegivenNamefirstName
last namesnlastName

Add a custom mapper (optional)

To map an additional LDAP attribute (e.g., department):

  1. Click Add mapper.
  2. Set Mapper type to user-attribute-ldap-mapper.
  3. Fill in:
    • Name: department
    • User Model Attribute: department
    • LDAP Attribute: departmentNumber
  4. Click Save.

Step 5: Verify login with an LDAP account

Open Account Console

Navigate to https://<your-host>:<port>/auth/realms/<realm>/account.

Log in

Enter the credentials of an LDAP user. NQRust-Identity delegates authentication to the LDAP server.

On success, the user is redirected to their account page and their profile data (name, email) is populated from the mapped LDAP attributes.

Confirm federation source in Admin Console

  1. Go to Users in the Admin Console.
  2. Open the user that just logged in.
  3. On the Details tab, confirm User federation link shows the LDAP provider name.

If login fails, check the NQRust-Identity server logs for LDAP-related errors. Common causes are an incorrect Users DN, a mismatched Username LDAP attribute, or a firewall blocking the connection.


Periodic sync (optional)

To keep the NQRust-Identity user list in sync with changes in LDAP automatically:

  1. On the LDAP provider page, scroll to Sync Settings.
  2. Enable Periodic full sync and set Full sync period (in seconds, e.g. 86400 for daily).
  3. Enable Periodic changed users sync and set Changed users sync period (e.g. 3600 for hourly).
  4. Click Save.

NQRust-Identity will then run sync jobs in the background on the configured schedule.