LDAP

The following is the detailed technical guide to configuring LDAP (Lightweight Directory Access Protocol) for user authentication in Tellius. By integrating LDAP, you can centralize user management, securely authenticate users, control access, and manage roles within Tellius.

Tellius follows a specific workflow when interacting with the LDAP server to authenticate users and create their accounts.

User creation on the first login

Users are created within Tellius at the time of their first login. The LDAP system validates the user credentials, and Tellius automatically creates an internal user record using the LDAP attributes defined during the configuration.

There is no risk of creating duplicate users. Tellius uses the mapped username (usually cn or uid) to check for existing users in the system before creating a new account. If a user already exists in Tellius with the same username attribute (e.g., cn or mail), Tellius will not create a duplicate.

Setting up LDAP on Tellius

Click on the user icon in the bottom left corner and navigate to Settings Security Authentication and choose LDAP from the "Authenticate via" dropdown. The following screen will be displayed

Setting up LDAP

Under General Settings, fill the following fields:

  1. Enable LDAP Toggle the switch to enable LDAP for authentication. When enabled, the system will attempt to authenticate users against the configured LDAP directory before considering internal Tellius authentication methods.

  2. URL (LDAP server address) Enter the full URL for the LDAP server. The format should be ldap://<hostname>:<port>. Example:ldap://ldap.example.com:389

  3. Port Enter the port number on which the LDAP service is running. The default port is 389 for non-SSL and 636 for SSL (LDAPS).

  4. Bind User Specify the distinguished name (DN) of the user that will bind to the LDAP directory to perform queries. This account should have read access to the LDAP directory. Example: cn=admin,dc=example,dc=com

  5. Bind Password Enter the password for the Bind User to authenticate with the LDAP server.

  6. Search Base Define the distinguished name (DN) of the entry in the LDAP directory from which searches for user accounts will begin. This base DN acts as the root context for any search operations. Example: ou=users,dc=example,dc=comThis DN specifies the Organizational Unit (OU) or domain under which the user entries exist. The search will be limited to this subtree.

  7. Query Provide a specific LDAP query to filter the users that should be imported or authenticated. This is useful when you only want to target specific user objects. Example: (objectClass=inetOrgPerson) This filter limits the search to users who are organizational persons.

LDAP provides standard attributes for user identification, which can be mapped (optionally) to fields in Tellius. Proper attribute mapping ensures that user information is synchronized correctly between the LDAP directory and Tellius.

Under Mappings (Optional), provide the following fields:

Mappings

  1. Username Mapping Enter the LDAP attribute that should be used as the Tellius username. This is typically cn (common name) or uid, depending on your directory schema.

  2. Email Mapping Enter the LDAP attribute that corresponds to the user's email address. This is typically mail.

  3. First Name Mapping Enter the LDAP attribute that contains the user's first name. In most directories, this is givenName.

  4. Last Name Mapping Enter the LDAP attribute for the user's last name. This is typically sn (surname).

  5. Use TLS Toggle this setting to enable TLS for secure LDAP communication. TLS ensures that all data exchanged between Tellius and the LDAP server is encrypted.

To configure LDAPS, upload the SSL certificate to the LDAP server and enable the Use TLS setting in Tellius. The server must support ldaps:// on port 636.

Default User Role Choose the default user role for LDAP-authenticated users. This role defines the permissions users will have in the system. Available roles are typically predefined within Tellius.

Click on Save to commit all the details provided. Or click on Delete to dismiss.

PreviousAuthenticationNextAzure AD

Last updated

Was this helpful?