AD/LDAP Connector Configuration File Schema

The AD/LDAP Connector's main configuration file is config.json. You can modify this file to make changes that are not available via the AD/LDAP Connector Admin Console. You can also view this file to determine which tenant is using a particular Connector. The file is located in the install directory for the AD/LDAP Connector, which (for Windows) is usually found at C:\Program Files (x86)\Auth0\AD LDAP Connector. The following settings are supported in this file:

| Setting | Description | Default |
| --- | --- | --- |
| `AD_HUB` | The Auth0 endpoint to which the connector will connect. This value is maintained by the connector. | |
| `CA_CERT` | An authority certificate or array of authority certificates to check the remote host against. | |
| `CLIENT_CERT_AUTH` | Specifies whether Client Certificate Authentication is enabled. This value is configured in Auth0 and maintained by the connector. | |
| `CONNECTION` | The name of the connection in Auth0 which is linked to this instance of the connector. This value is maintained by the connector. | |
| `CONNECTIONS_API_V2_KEY` | A Management API token used to call the Get a connection endpoint. Set this when you need to troubleshoot the connector. This compares the local certificate to the one configured in Auth0 and detects a possible mismatch. | |
| `FIREWALL_RULE_CREATED` | Set to `true` once the firewall rule has been created for the Kerberos Server (only when Kerberos is enabled). | |
| `GROUPS` | Include the user's groups when enriching the profile. | `true` |
| `GROUP_PROPERTY` | The attribute of the group object used when adding the groups to a user. | `cn` |
| `GROUPS_CACHE_SECONDS` | Total time in seconds to cache a user's groups. | 600 seconds |
| `GROUPS_TIMEOUT_SECONDS` | The timeout in seconds for searching all groups a user belongs to. | 20 seconds |
| `HTTP_PROXY` | The proxy server URL if one is required to connect from the AD/LDAP Connector to Auth0. | |
| `KERBEROS_AUTH` | Specifies whether Kerberos Authentication is enabled. This value is configured in Auth0 and maintained by the connector. | |
| `LAST_SENT_THUMBPRINT` | Thumbprint of the last certificate which was sent to Auth0. | |
| `LDAP_BASE` | Defines the location in the directory where the LDAP search begins. For example: `DC=fabrikam,DC=local`. | |
| `LDAP_BASE_GROUPS` | Defines the location in the directory where the LDAP groups search begins. | |
| `LDAP_BIND_PASSWORD` | The password of the LDAP user. This setting is automatically removed after the connector initializes. | |
| `LDAP_BIND_CREDENTIALS` | The encrypted password of the LDAP user. This setting is automatically added after the connector initializes. | |
| `LDAP_BIND_USER` | The user for binding a connection to LDAP. | |
| `LDAP_HEARTBEAT_SEARCH_QUERY` | The LDAP search query used for heartbeat checks. | `(&(objectclass=user)(\|(sAMAccountName=foo)(UserPrincipalName=foo)))` |
| `LDAP_HEARTBEAT_SECONDS` | Time in seconds to keep the LDAP connection open. | |
| `LDAP_SEARCH_ALL_QUERY` | The LDAP query used to list all users in the LDAP store. | `(objectCategory=person)` |
| `LDAP_SEARCH_GROUPS` | The LDAP query used to find groups in the LDAP store. For example: `(&(objectCategory=group)(member={0}))`. | `(member:1.2.840.113556.1.4.1941:={0})` |
| `LDAP_SEARCH_QUERY` | The LDAP query used to find users in the LDAP store. | `(&(objectCategory=person)(anr={0}))` |
| `LDAP_USER_BY_NAME` | The LDAP query used to find the user during authentication. This setting lets you specify which attribute is considered the user's username, such as the common name, the sAMAccountName, UPN, et cetera. This setting also supports multiple values for an OR search, for example: `(\|(sAMAccountName={0})(userPrincipalName={0}))`. | `(sAMAccountName={0})` |
| `LDAP_URL` | The LDAP connection string. For example: `ldap://fabrikam-dc.fabrikam.local`. | |
| `PORT` | The port the server runs on when Kerberos or Client Certificate Authentication is enabled. | |
| `PROVISIONING_TICKET` | The Auth0 provisioning ticket used to communicate with Auth0. | |
| `REALM` | The Auth0 realm, for example: `urn:auth0:fabrikam`. This value is maintained by the connector. | |
| `SERVER_URL` | The default connector URL will be `server-name:port`, but this setting allows you to override it. For example: `connector.mycompany.com`. | |
| `SESSION_SECRET` | The session secret used to encrypt the session cookie. | |
| `SITE_NAME` | When Client Certificate Authentication is enabled but not possible, the AD Connector will show a fallback login page. This setting allows you to specify the title that will show on top of the page. | Name of the AD connection. |
| `SSL_CA_PATH` | Absolute path to the base directory where the CA certificate file(s) are located. | |
| `SSL_KEY_PASSWORD` | The password for the SSL certificate. | |
| `SSL_PFX` | Base64 encoded certificate to use for SSL. | |
| `TENANT_SIGNING_KEY` | Your Auth0 tenant's signing key, used to verify JWTs. | |
| `WSFED_ISSUER` | The issuer being set in the WS-Federation responses. If a connection is configured with email domains, the first email domain configured in Auth0 will be used as issuer. | `urn:auth0` |

See Active Directory: LDAP Syntax Filters for information about LDAP queries.
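
The following is an added example, not Auth0's code: a Python audit of a parsed config.json that reads the tenant from `REALM` and flags the settings this schema describes as removed after initialization, intended for troubleshooting only, or secret-bearing. It assumes the file is a flat JSON object keyed by the setting names above; the sample values, function names and finding codes are constructed, and the `ldap://` check is an added assumption that is not stated on this page.

```python
import json

# Constructed sample config.json contents (placeholders, not a real deployment).
SAMPLE = json.loads("""{
  "REALM": "urn:auth0:fabrikam",
  "LDAP_URL": "ldap://fabrikam-dc.fabrikam.local",
  "LDAP_BIND_USER": "svc-auth0",
  "LDAP_BIND_PASSWORD": "constructed-placeholder",
  "CONNECTIONS_API_V2_KEY": "constructed-placeholder",
  "SESSION_SECRET": "constructed-placeholder",
  "GROUPS_CACHE_SECONDS": 600
}""")

# Settings the schema describes as passwords, secrets, tokens or key material.
SECRET_KEYS = ("LDAP_BIND_PASSWORD", "LDAP_BIND_CREDENTIALS", "CONNECTIONS_API_V2_KEY",
               "PROVISIONING_TICKET", "SESSION_SECRET", "SSL_KEY_PASSWORD", "SSL_PFX")

def tenant_of(cfg):
    """Return the tenant from REALM (urn:auth0:<tenant>), or None if absent/malformed."""
    realm, prefix = str(cfg.get("REALM", "")), "urn:auth0:"
    if not realm.startswith(prefix):
        return None
    return realm[len(prefix):] or None

def audit(cfg):
    """Return (code, message) findings. Secret values are never echoed."""
    findings = []
    if cfg.get("LDAP_BIND_PASSWORD"):
        findings.append(("PLAINTEXT_BIND_PASSWORD",
                         "removed once the connector initializes; its presence means it has not yet"))
    if cfg.get("CONNECTIONS_API_V2_KEY"):
        findings.append(("TROUBLESHOOTING_TOKEN",
                         "Management API token on disk; remove it after troubleshooting"))
    # Assumption (not from the page): ldaps:// is an option in this deployment.
    if str(cfg.get("LDAP_URL", "")).lower().startswith("ldap://"):
        findings.append(("CLEARTEXT_LDAP_SCHEME",
                         "LDAP_URL uses ldap:// (no implicit TLS); check whether ldaps:// can be used"))
    present = [k for k in SECRET_KEYS if cfg.get(k)]
    if present:
        findings.append(("SECRETS_ON_DISK",
                         "restrict read access to config.json; present: " + ", ".join(present)))
    return findings

if __name__ == "__main__":
    print("tenant:", tenant_of(SAMPLE))
    for code, msg in audit(SAMPLE):
        print(f"[{code}] {msg}")
```

To audit a real install, replace `SAMPLE` with `json.load(open(path))` for the config.json in the connector's install directory.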