---
hide:
- toc
---
# LDAP
The full name of LDAP in English is Lightweight Directory Access Protocol, that is, Lightweight Directory Access Protocol, which is an open and neutral industry-standard application protocol that provides access control and maintains directory information for distributed information through the IP protocol.
If your enterprise or organization has its own account system, and your enterprise user management system supports the LDAP protocol, you can use the identity provider feature based on the LDAP protocol provided by the global Organization members create usernames/passwords.
You can grant permissions to use DCE 5.0 resources to these external user identities.
In global management, the operation steps are as follows:
1. Log in to DCE 5.0 as a user with __admin__ role. Click __Global Management__ -> __Access Control__ in the lower left corner of the left navigation bar.
1. Click __Identity Provider__ on the left nav bar, click __Create an Identity Provider__ button.
1. In the __LDAP__ tab, fill in the following fields and click __Save__ to establish a trust relationship with the identity provider and a user mapping relationship.
| Field | Description | Example |
| ------------- | ------------------------------------------------------------ | ----------------------------------- |
| Type | Supports LDAP (Lightweight Directory Access Protocol) and AD (Active Directory) | LDAP |
| Server | The address and port number of the LDAP service | 10.6.165.2:30061 |
| User Name | The username used to log in | cn=admin,dn=daocloud,dc=com |
| Password | The password used to log in | password |
| Base DN | The DN of the admin used to access the LDAP server | dc=daocloud,dc=io |
| User Filter | LDAP objectClass for LDAP users.
New users will be written to LDAP with all of these object classes and will find existing LDAP user records as long as they contain all of these object classes.
Automatically filled by DCE 5.0, can be edited directly if needed. | inetOrgPerson, organizationalPerson |
| Enable TLS | Enabling it will encrypt the connection between DCE 5.0 and LDAP | No |
| Full Name Map | Surname-sn; First name-cn | Not editable |
| Email Mapping | Refers to associating a user's email address with their LDAP account. It allows only users with specific email domain names to access resources such as intranet websites or file shares. | Email address, not editable |
**Advanced Configuration**
| Field | Description | Example |
| --------------- | ------------------------------------------------------------ | ------- |
| Automatic Sync | Automatically synced once per hour by default, can be configured manually | Checked |
| Data Sync Mode | For read-only LDAP data, user information cannot be edited on the DCE 5.0 platform
For data written to LDAP, user information can be edited on DCE 5.0 and then synced back to LDAP | Read-only |
| Read Timeout | When the LDAP data is large, adjusting this value can effectively avoid interface timeouts | 600 ms |
| Username Attr | Refers to the attribute used to identify users during authentication and authorization. The username attribute is unique and cannot be changed. It can be the user's email address, login name, or other property defined by the system administrator. The username attribute is used as a unique identifier for the user so that the system can identify specific users and grant them appropriate permissions. | uid |
| RDN Attribute | Refers to the attribute used to create the Relative Distinguished Name (RDN). In X.500 and LDAP directory services, the RDN attribute is usually unique and is used to identify part of an object in the directory tree (Naming Context). For example, in "cn=John Doe,ou=People,dc=example,dc=com", "cn" is one of the RDN attributes. The RDN attribute defines the relative name of the object under its parent object, so it must be unique. When a new object is added to the directory, its RDN attribute must be different from other objects in the same level, otherwise it will cause naming conflicts. | uid |
| UUID Attribute | Refers to the Universally Unique Identifier (UUID) attribute. A UUID is a 36-character string consisting of numbers, letters, and hyphens, used to identify objects in a computer system. UUID ensures that objects on different computers have unique identifiers at any given time. | entryUUID |
1. On the __Synchronize groups__ tab, fill in the following fields to configure the mapping relationship of groups, and click __Save__ again.
| Field | Description | Example |
| ---------------- | -------------------------------- ---------------------------- | --------------------- ------ |
| base DN | location of the group in the LDAP tree | ou=groups,dc=example,dc=org |
| Usergroup Object Filter | Object classes for usergroups, separated by commas if more classes are required. In a typical LDAP deployment, usually "groupOfNames", the system has been filled in automatically, if you need to change it, just edit it. * means all. | * |
| group name | cn | Unchangeable |
!!! note
1. After you have established a trust relationship between the enterprise user management system and DCE 5.0 through the LDAP protocol, you can synchronize the users or groups in the enterprise user management system to DCE 5.0 at one time through auto/manual synchronization.
1. After synchronization, the administrator can authorize groups/groups in batches, and users can log in to DCE 5.0 through the account/password in the enterprise user management system.
1. See the [LDAP Operations Demo Video](../../../videos/ghippo.md#ldap) for a hands-on tutorial.