AD_HUB | The Auth0 endpoint to which the connector will connect. This value is maintained by the connector. | | |
CA_CERT | An authority certificate or array of authority certificates to check the remote host against. | | |
CLIENT_CERT_AUTH | Specifies if Client Certificate Authentication is enabled or not. This value is configured in Auth0 and maintained by the connector. | | |
CONNECTION | The name of the connection in Auth0 which is linked to this instance of the connector. This value is maintained by the connector. | | |
CONNECTIONS_API_V2_KEY | A Management API token used to call the Get a connection endpoint. Set this when you need to troubleshoot the connector. This compares the local certificate to the one configured in Auth0 and detects a possible mismatch. | | |
FIREWALL_RULE_CREATED | Set to true once the Firewall rule has been created for the Kerberos Server (only when Kerberos is enabled). | | |
GROUPS | Include the user’s groups when enriching the profile. | true | |
GROUP_PROPERTY | The attribute of the group object used when adding the groups to a user. | cn | |
GROUPS_CACHE_SECONDS | Total time in seconds to cache a user’s groups. | 600 seconds | |
GROUPS_TIMEOUT_SECONDS | The timeout in seconds for searching all groups a user belongs to. | 20 seconds | |
HTTP_PROXY | The proxy server URL if one is required to connect from the AD/LDAP Connector to Auth0. | | |
KERBEROS_AUTH | Set if Kerberos Authentication is enabled or not. This value is configured in Auth0 and maintained by the connector. | | |
LAST_SENT_THUMBPRINT | Thumbprint of the last certificate which was sent to Auth0. | | |
LDAP_BASE | Defines the location in the directory where the LDAP search begins. For example: DC=fabrikam,DC=local. | | |
LDAP_BASE_GROUPS | Defines the location in the directory where the LDAP groups search begins. | | |
LDAP_BIND_PASSWORD | The password of the LDAP user. This setting is automatically removed after the connector initializes. | | |
LDAP_BIND_CREDENTIALS | The encrypted password of the LDAP user. This setting is automatically added after the connector initializes. | | |
LDAP_BIND_USER | The user for binding a connection to LDAP. | | |
LDAP_HEARTBEAT_SEARCH_QUERY | The LDAP search query used for heartbeat checks. | `(&(objectclass=user)(|(sAMAccountName=foo)(UserPrincipalName=foo)))` | |
LDAP_HEARTBEAT_SECONDS | Time in seconds to keep the LDAP connection open. | | |
LDAP_SEARCH_ALL_QUERY | The LDAP query used to list all users in the LDAP store. | (objectCategory=person) | |
LDAP_SEARCH_GROUPS | The LDAP query used to find groups in the LDAP store. For example: (&(objectCategory=group)(member={0})) | (member:1.2.840.113556.1.4.1941:={0}) | |
LDAP_SEARCH_QUERY | The LDAP query used to find users in the LDAP store. | (&(objectCategory=person)(anr={0})) | |
LDAP_USER_BY_NAME | The LDAP query used to find the user during authentication. This setting lets you specify which attribute is treated as the user’s username, for example the common name, the sAMAccountName, the UPN, et cetera. This setting also supports multiple values for an OR search, for example: `(|(sAMAccountName=)(userPrincipalName=))` | (sAMAccountName={0}) | |
LDAP_URL | The LDAP connection string. For example: ldap://fabrikam-dc.fabrikam.local. | | |
PORT | The port the server runs on when Kerberos or Client Certificate Authentication is enabled. | | |
PROVISIONING_TICKET | The Auth0 provisioning ticket used to communicate with Auth0. | | |
REALM | The Auth0 realm, for example: urn:auth0:fabrikam. This value is maintained by the connector. | | |
SERVER_URL | The default connector URL is server-name:port, but this setting lets you override it. For example: connector.mycompany.com. | | |
SESSION_SECRET | The session secret used to encrypt the session cookie. | | |
SITE_NAME | When Client Certificate Authentication is enabled but not possible, the AD Connector shows a fallback login page. This setting lets you specify the title shown at the top of that page. | Name of the AD connection. | |
SSL_CA_PATH | Absolute path to the base directory where the CA certificate file(s) are located. | | |
SSL_KEY_PASSWORD | The password for the SSL certificate. | | |
SSL_PFX | Base64 encoded certificate to use for SSL. | | |
TENANT_SIGNING_KEY | Your Auth0 tenant signing key, used to verify JWTs. | | |
WSFED_ISSUER | The issuer being set in the WS-Federation responses. If a connection is configured with email domains, the first email domain configured in Auth0 will be used as issuer. | urn:auth0 | |