KB-1683 LDAP authentication FAQ

The purpose of this article is to provide answers to some of the common questions related to LDAP authentication in Appian.

Table of Contents:

Should I restrict LDAP authentication to a particular group?

Yes. This prevents getting locked out of the environment if the LDAP server is unreachable (network issue).

What is my DN pattern?

The DN, or Distinguished Name, is the unique list of domain components added together to define your LDAP user objects, similar to how a full file path defines a file location in an operating system. The DN pattern in conjunction with the LDAP URL will identify where your Appian users reside in your LDAP directory in order for Appian to find and authenticate users. Whatever is specified as the LDAP username attribute should be added to the DN pattern set to {username}. {username} will be replaced by the username entered by the user.

For example, in the Appian Admin console if your username attribute is set to cn and your user's Distinguished Names were made up of domain components ou=appianusers, dc=companyName, dc=com, provided a URL such as ldap://<LDAP_FQDN_OR_IP_ADDRESS>:389/dc=companyName,dc=com, your DN pattern would be cn={username}, ou=appianusers.

Can Appian implement multiple LDAP servers?

Yes, Appian can accept multiple LDAP URLs, however the base DN must be the same.The intention is for each additional URL to serve as a backup in case the first server goes down. They are not intended to be used as multiple base DN providers.

Can Appian users who are created upon first login be placed in a group automatically?

Yes, if LDAP authentication is restricted to a particular group then when users are created they will be automatically added to that group. Note: users created like this default to the Basic User type.

What is the difference between “Bind as user” vs. “Search for user then bind as user” options?

Bind — Use this method when Appian should connect to the LDAP server and bind using the username (CN) and password of the user who is attempting to log in to Appian. Use this method when the CN field on the LDAP account matches the username defined in Appian.
Search and Bind — Use this method to connect to the LDAP server using a pre-configured set of credentials. This method can be used when the value for the CN field on your users' LDAP account does not match the username defined in Appian, eg the Appian username may be another field such as UID or sAMAccountName in a standard Active Directory environment. Search and bind requires a service account that has full access to the base DN, since this account will search for the user who is attempting to log in.

For more information, refer to LDAP Authentication under Authentication Method.

Can I set up LDAP with my Appian Cloud environment?

Yes. To integrate with Appian Cloud, it is recommended that a VPN connection should be established between the Appian environment and your LDAP server. See the documentation on VPN integration. Note that if you wish to use LDAPS, DNS resolution must be configured and you must use publicly signed CA certificates.

My LDAP Sync process is not working correctly. What can I do?

Add the following loggers to the appian_log4j.properties file. For Appian 18.3 and later, this file can be found in <APPIAN_HOME>/deployment/web.war/WEB-INF/resources. For Appian 18.2 and earlier, this file can be found in <APPIAN_HOME>/ear/suite.ear/resources:

log4j.logger.com.appiancorp.security=DEBUG
log4j.logger.org.springframework.security=DEBUG
log4j.logger.com.appian.directory.syncwithusernames=DEBUG
log4j.logger.com.appiancorp.plugin.directory=DEBUG
log4j.logger.org.ldaptive=DEBUG

Then rerun the process and check the application server log for details on the error you may be facing. Most of the time the error stems from a connection issue from the Appian server to the LDAP server.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: May 2019

Related
Recommended