ConductorOne docs

Set up an LDAP connector

ConductorOne provides identity governance and just-in-time provisioning for LDAP. Integrate your LDAP server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Capabilities

Resource	Sync	Provision
Accounts	✅
Roles (`organizationalRole` in LDAP)	✅	✅
Groups (`groupOfUniqueNames` in LDAP)	✅	✅

Available hosting methods

Choose the hosting method that best suits your needs:

Method	Availability	Notes
Cloud hosted		A built-in, no-code connector hosted by ConductorOne.
Self-hosted	✅	The LDAP connector, hosted and run in your own environment.

Gather LDAP credentials

Each setup method requires you to pass in credentials for LDAP. Gather these credentials before you move on.

Here’s the set of credentials you’ll need when setting up the connector:

The username and password of an LDAP account
URL of the LDAP server, which can use either ldap: or ldaps: schemes, and optionally includes a port number

That’s it! Next, move on to the instructions for your chosen setup method.

Set up an LDAP self-hosted connector

To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of LDAP credentials generated by following the instructions above

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Why use Kubernetes? Kubernetes provides automated deployment, scaling, and management of your connectors. It ensures high availability and reliable operation of your connector services.

Step 1: Configure the LDAP connector

In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new LDAP connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your LDAP connector deployment:

Secrets configuration

# baton-ldap-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-ldap-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # LDAP credentials
  BATON_BIND_DN: <Username to bind to the LDAP server with>
  BATON_PASSWORD: <Password to bind to the LDAP server with>
  BATON_URL: <URL to the LDAP server, optionally including port number>

  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-ldap.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-ldap
  labels:
    app: baton-ldap
spec:
  selector:
    matchLabels:
      app: baton-ldap
  template:
    metadata:
      labels:
        app: baton-ldap
        baton: true
        baton-app: ldap
    spec:
      containers:
      - name: baton-ldap
        image: ghcr.io/conductorone/baton-ldap:latest
        args: ["service"]
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-ldap-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired):
```
kubectl create namespace baton-ldap
```

Apply the secret configuration:

kubectl -n baton-ldap apply -f baton-ldap-secrets.yaml

Apply the deployment:

kubectl -n baton-ldap apply -f baton-ldap.yaml

Step 4: Verify the deployment

Check that the deployment is running:
```
kubectl -n c1 get pods
```

View the connector logs:

kubectl -n c1 logs -l app=baton-${baton-ldap}

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the LDAP connector to. LDAP data should be found on the Entitlements and Accounts tabs.

That’s it! Your LDAP connector is now pulling access data into ConductorOne.