
[DRAFT] KB-XXXX LDAP Authentication FAQ

The purpose of this article is to provide answers to some of the common questions related to LDAP authentication in Appian.

Q: Should I restrict LDAP authentication to a particular group?

A: Yes. Users outside that group are not authenticated against LDAP, so an administrator who is kept out of the group can still sign in if the LDAP server becomes unreachable (for example, because of a network issue) and you are not locked out of the environment.

Q: What is my DN pattern?

A: The DN, or Distinguished Name, is the unique list of naming components that, taken together, identifies one of your LDAP user objects, much as a full file path identifies a file in an operating system. The DN pattern, combined with the LDAP URL, tells Appian where your users reside in the LDAP directory so that it can find and authenticate them. The attribute you configure as the LDAP username attribute must appear in the DN pattern with the value {username}; at login, {username} is replaced by the username the user entered.

For example, in the Appian Admin Console, if your username attribute is set to cn, your users' Distinguished Names end in ou=appianusers, dc=companyName, dc=com, and the LDAP URL is ldap://<LDAP_FQDN_OR_IP_ADDRESS>:389/dc=companyName,dc=com, then your DN pattern would be cn={username}, ou=appianusers. The base DN (dc=companyName,dc=com) comes from the URL and is not repeated in the pattern.

Q: Can Appian implement multiple LDAP servers?

A: Yes. Appian accepts multiple LDAP URLs, but the base DN must be the same for all of them. Each additional URL is intended to serve as a backup in case the first server goes down; the URLs are not intended to provide multiple base DNs.

Q: Can Appian users who are created upon first login be placed in a group automatically?

A: Yes, if LDAP authentication is restricted to a particular group then when users are created they will be automatically added to that group. Note: users created like this default to the Basic User type.

Q: What is the difference between “Bind as user” vs. “Search for user then bind as user” options?

A: Bind — With LDAP bind, Appian connects to the LDAP server and binds using the CN and password the user entered on the Appian login page. Use the bind method when your LDAP account's CN matches the username defined in Appian.
Search and Bind — Use LDAP search and bind when your LDAP account's CN is the user's full name or otherwise does not match the username defined in Appian. In that case the username is usually held in another attribute, such as uid, or sAMAccountName in a standard Active Directory environment. Search and bind requires the credentials of a service account that has full access to the base DN: Appian logs into the LDAP server with that account, searches the specified attribute for the username, and then binds as the user DN it finds with the password the user entered.
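As an added example that is not part of this article or of Appian's code, the following Python shows how the DN pattern and LDAP URL from the earlier question combine into the DN sent for "Bind as user", and how the search filter for "Search for user then bind as user" is built. The host name, the default username attribute and the sample logins are assumptions; the username is escaped before substitution so that a login name containing DN or filter metacharacters cannot change the meaning of the DN or filter Appian sends.

```python
# Added example, not Appian's code. Shows the two lookups behind the
# "Bind as user" and "Search for user then bind as user" options, with
# the username escaped per RFC 4514 (DNs) and RFC 4515 (search filters).
from urllib.parse import urlparse, unquote

LDAP_URL = "ldap://ldap.example.internal:389/dc=companyName,dc=com"  # host is constructed
DN_PATTERN = "cn={username},ou=appianusers"  # pattern from the FAQ, without the optional space

def base_dn_from_url(url: str) -> str:
    """Return the base DN carried in the path part of an LDAP URL."""
    return unquote(urlparse(url).path.lstrip("/"))

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:          # control characters, including NUL, as hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)

def bind_dn(username: str, pattern: str = DN_PATTERN, url: str = LDAP_URL) -> str:
    """'Bind as user': substitute {username} in the pattern, then append the URL's base DN."""
    rdn = pattern.replace("{username}", escape_dn_value(username))
    return f"{rdn},{base_dn_from_url(url)}"

def search_filter(username: str, attr: str = "sAMAccountName") -> str:
    """'Search for user then bind': the filter the service account runs to find the user's DN."""
    return f"({attr}={escape_filter_value(username)})"

if __name__ == "__main__":
    print(bind_dn("jsmith"))          # cn=jsmith,ou=appianusers,dc=companyName,dc=com
    print(bind_dn("smith, john"))     # comma escaped, so the cn RDN stays a single value
    print(search_filter("jsmith*"))   # wildcard escaped, so it matches the literal name only
```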

Q: Can I set up LDAP with my Appian Cloud environment?

A: To integrate with Cloud, a VPN connection should be established between the Appian environment and your LDAP server. See our documentation on VPN integration here: https://docs.appian.com/suite/help/latest/Cloud_VPN_Integration.html. Note that with a VPN set up, LDAPS (LDAP with SSL) is not required since the connection is already protected via the VPN tunnel. If you wish to use LDAPS, DNS resolution must be configured and you must use publicly signed CA certificates.

Q: My LDAP Sync process is not working correctly. What can I do?

A: Add the following loggers to the appian_log4j.properties file located in <APPIAN_HOME>/ear/suite.ear/resources:

log4j.logger.com.appiancorp.security=DEBUG
log4j.logger.org.springframework.security=DEBUG
log4j.logger.com.appian.directory.syncwithusernames=DEBUG
log4j.logger.com.appiancorp.plugin.directory=DEBUG
log4j.logger.org.ldaptive=DEBUG

Then rerun the process and check the application server log for details on the error you may be facing. Most of the time the error stems from a connection issue from the Appian server to the LDAP server.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: August 2018