# Configure users for LDAP

As part of the LDAP configuration, you will need to configure users.

To fully integrate with an LDAP directory, Contrast needs information on how to connect to the LDAP server as well as how to find users and groups within the directory.

1. Enter the following information on how you want Contrast to search for users in the directory. The default settings are correct for most LDAP deployments.

Option

Description

Default

Base DN

Indicate the container (under the global base DN) where Contrast should start searching for users. In most organizations, this is a single container (for example, ou=Users), but your LDAP administrator should verify that you're searching the right container.

ou=users

Object Class

Indicate the LDAP object class for user objects in the directory.

inetOrgPerson

First Name Attribute

Indicate the LDAP field that contains a user's first name.

givenName

Last Name Attribute

Indicate the LDAP field that contains a user's last name.

sn

Email Attribute

Indicate the LDAP field that contains a user's email address.

mail

User subtree

If enabled, subtrees of the Base DN are included when searching for users.

Enabled

User ID attribute

Indicate the LDAP field that should be identified as the User ID. This is the username to enter when logging in to contrast.

uid

Authentication strategy

Choose how you want Contrast to authenticate users when they provide their credentials. Bind means the application sends the user's credentials to the server for authentication. Compare means the server hashes the user's credentials and compares them to the value of the password attribute.

Bind

The LDAP field that contains a user's password.

If you selected Compare for the authentication strategy, this attribute contains the hashed password for the user.

userPassword

2. To automatically create new user accounts when someone makes an LDAP request to log in, check the box next to Enable user provisioning.

Use the dropdowns to choose the Default organization, Default organization role and Default application access group for the new users.

3. Contrast can automatically provision or de-provision users at login time based upon the user’s LDAP groups. When this feature is enabled for LDAP-based authentication, users are added to a Contrast access group that maps to a corresponding LDAP group and removed from disallowed Contrast groups. Users can be added to multiple groups, as well as added to groups that give them access to multiple organizations.

### Important

For this to work, the Contrast groups must already exist, and the groups from LDAP (for provisioning purposes) must have the same name as the Contrast groups.

4. To add users to their groups when they log in to Contrast, check the box next to Add users to their Contrast groups upon login. To remove users from their groups when they log in to Contrast, check the box next to Remove users from their Contrast groups upon login.