AD/LDAP Connector Configuration File Schema
The AD/LDAP Connector's main configuration file is config.json. You can modify this file to make changes that are not available via the AD/LDAP Connector Admin Console. You can also view this file to determine which tenant is using a particular Connector. The file is located in the install directory for the AD/LDAP Connector, which (for Windows) is usually found at C:\Program Files (x86)\Auth0\AD LDAP Connector. The following settings are supported in this file:
| Setting | Description | Default | 
|---|---|---|
| AD_HUB | The Auth0 endpoint to which the connector will connect. This value is maintained by the connector. | |
| CA_CERT | An authority certificate or array of authority certificates to check the remote host against. | |
| CLIENT_CERT_AUTH | Specifies if Client Certificate Authentication is enabled or not. This value is configured in Auth0 and maintained by the connector. | |
| CONNECTION | The name of the connection in Auth0 which is linked to this instance of the connector. This value is maintained by the connector. | |
| CONNECTIONS_API_V2_KEY | A Management API token used to call the Get a connection endpoint. Set this when you need to troubleshoot the connector. This compares the local certificate to the one configured in Auth0 and detects a possible mismatch. | |
| FIREWALL_RULE_CREATED | Set to true once the firewall rule has been created for the Kerberos server (only when Kerberos is enabled). | |
| GROUPS | Include the user's groups when enriching the profile. | true | 
| GROUP_PROPERTY | The attribute of the group object used when adding the groups to a user. | cn | 
| GROUPS_CACHE_SECONDS | Total time in seconds to cache a user's groups. | 600 seconds | 
| GROUPS_TIMEOUT_SECONDS | The timeout in seconds for searching all groups a user belongs to. | 20 seconds | 
| HTTP_PROXY | The proxy server URL if one is required to connect from the AD/LDAP Connector to Auth0. | |
| KERBEROS_AUTH | Set if Kerberos Authentication is enabled or not. This value is configured in Auth0 and maintained by the connector. | |
| LAST_SENT_THUMBPRINT | Thumbprint of the last certificate which was sent to Auth0. | |
| LDAP_BASE | Defines the location in the directory where the LDAP search begins. For example: DC=fabrikam,DC=local. | |
| LDAP_BASE_GROUPS | Defines the location in the directory where the LDAP groups search begins. | |
| LDAP_BIND_PASSWORD | The password of the LDAP user. This setting is automatically removed after the connector initializes. | |
| LDAP_BIND_CREDENTIALS | The encrypted password of the LDAP user. This setting is automatically added after the connector initializes. | |
| LDAP_BIND_USER | The user for binding a connection to LDAP. | |
| LDAP_HEARTBEAT_SEARCH_QUERY | The LDAP search query used for heartbeat checks. | (&(objectclass=user)(|(sAMAccountName=foo)(UserPrincipalName=foo))) | 
| LDAP_HEARTBEAT_SECONDS | Time in seconds to keep the LDAP connection open. | |
| LDAP_SEARCH_ALL_QUERY | The LDAP query used to list all users in the LDAP store. | (objectCategory=person) | 
| LDAP_SEARCH_GROUPS | The LDAP query used to find groups in the LDAP store. For example: (&(objectCategory=group)(member={0})) | (member:1.2.840.113556.1.4.1941:={0}) | 
| LDAP_SEARCH_QUERY | The LDAP query used to find users in the LDAP store. | (&(objectCategory=person)(anr={0})) | 
| LDAP_USER_BY_NAME | The LDAP query used to find the user during authentication. This setting lets you specify which attribute is treated as the user's username, such as the common name, the sAMAccountName, or the UPN. It also supports multiple values for an OR search, for example: (|(sAMAccountName={0})(userPrincipalName={0})) | (sAMAccountName={0}) | 
| LDAP_URL | The LDAP connection string. For example: ldap://fabrikam-dc.fabrikam.local. | |
| PORT | The port the server runs on when Kerberos or Client Certificate Authentication is enabled. | |
| PROVISIONING_TICKET | The Auth0 provisioning ticket used to communicate with Auth0. | |
| REALM | The Auth0 realm, for example: urn:auth0:fabrikam. This value is maintained by the connector. | |
| SERVER_URL | By default the connector URL is server-name:port; this setting lets you override it. For example: connector.mycompany.com. | |
| SESSION_SECRET | The session secret used to encrypt the session cookie. | |
| SITE_NAME | When Client Certificate Authentication is enabled but not possible, the AD/LDAP Connector shows a fallback login page. This setting specifies the title shown at the top of that page. | Name of the AD connection | 
| SSL_CA_PATH | Absolute path to the base directory where the CA certificate file(s) are located. | |
| SSL_KEY_PASSWORD | The password for the SSL certificate. | |
| SSL_PFX | Base64 encoded certificate to use for SSL. | |
| TENANT_SIGNING_KEY | The signing key of your Auth0 tenant, used to verify JWTs. | |
| WSFED_ISSUER | The issuer being set in the WS-Federation responses. If a connection is configured with email domains, the first email domain configured in Auth0 will be used as issuer. | urn:auth0 | 
See Active Directory: LDAP Syntax Filters for information about LDAP queries.
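The query settings above are templates in which {0} is replaced by the value being looked up (the username for LDAP_USER_BY_NAME and LDAP_SEARCH_QUERY, the user's DN for LDAP_SEARCH_GROUPS). The following added example, which is not the connector's own code, shows how such a template can be loaded from a config.json fragment with the table defaults applied and then rendered with the substituted value escaped per RFC 4515, so that a username containing filter metacharacters cannot alter the structure of the query; the config values and the username are constructed for illustration.

```javascript
// Added example (not the AD/LDAP Connector's code): defaults taken from the
// settings table, applied over whatever config.json provides.
const DEFAULTS = {
  LDAP_USER_BY_NAME: "(sAMAccountName={0})",
  LDAP_SEARCH_QUERY: "(&(objectCategory=person)(anr={0}))",
  LDAP_SEARCH_GROUPS: "(member:1.2.840.113556.1.4.1941:={0})",
  LDAP_SEARCH_ALL_QUERY: "(objectCategory=person)",
  GROUPS: true,
  GROUP_PROPERTY: "cn",
  GROUPS_CACHE_SECONDS: 600,
  GROUPS_TIMEOUT_SECONDS: 20,
};

// Constructed config.json fragment (hypothetical values), held as the string
// that would be read from disk. It overrides LDAP_USER_BY_NAME with an OR search.
const SAMPLE_CONFIG_JSON = JSON.stringify({
  LDAP_URL: "ldap://fabrikam-dc.fabrikam.local",
  LDAP_BASE: "DC=fabrikam,DC=local",
  LDAP_USER_BY_NAME: "(|(sAMAccountName={0})(userPrincipalName={0}))",
});

function loadConfig(json) {
  return { ...DEFAULTS, ...JSON.parse(json) };
}

// RFC 4515 escaping for a value placed inside a search filter: the characters
// * ( ) \ and NUL become \XX hex escapes, so the value is matched literally
// and cannot add or close filter components.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\u0000]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Replace every {0} token in a template with the escaped value.
function renderFilter(template, value) {
  return template.split("{0}").join(escapeFilterValue(value));
}

// Filter used to locate the user at authentication time.
function userFilter(config, username) {
  return renderFilter(config.LDAP_USER_BY_NAME, username);
}

// Filter used to enumerate the groups of an already-resolved user DN.
function groupsFilter(config, userDn) {
  return renderFilter(config.LDAP_SEARCH_GROUPS, userDn);
}
```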