Configure LDAP Connections in a Security Token Service (STS)
- Last Updated: July 6, 2026
- 3 minute read
- OpenEdge
- Version 12.2
- Documentation
Configuring an LDAP (Active Directory) service as an OpenEdge domain’s point of user account authentication requires obtaining information about the directory service and then translating that information into a set of STS configuration properties.
It helps if you have some familiarity with directory services, particularly regarding with their organization, the stored object’s attribute names, and how to search for user accounts and other objects. The following provides some of that information and may shorten the time needed to successfully authenticate users to an LDAP service.
There is always a core set of information that you will need to obtain to configure and test
user authentication via an LDAP service. Because each LDAP directory service’s
hierarchical tree of objects (including user account objects) is customized for each
deployment site, you must obtain information from the LDAP service administrator. All of
the core information will be applied to properties
(sts.ldap.xxxx) used by the STS’s LDAP
authentication process. For example:
- The LDAP directory service’s URL, including the hostname, port and base-dn information:
sts.ldap.context.providerUrl=ldap://host[:port][/base-dn] - The DN (Distinguished Name) of an existing LDAP user account that may be used to
search for an locate the user account being authenticated:
sts.ldap.context.userDn=ldap-user-dn sts.ldap.context.password=ldap-user-password - The information needed to build the LDAP search query used to locate the LDAP account of the
user being authenticated. The search query requires the location (DN) of where to
begin the search and the LDAP user account attribute name that contains the user-id
of the user being authenticated:
sts.ldap.user.searchBase=search-base-dn sts.ldap.user.searchFilter=(attr-name={0})Note: Common attr-name values may be uid for UNIX LDAP servers or sAMAccountName for Windows Active Directory. Your LDAP administrator can access the attribute names for user accounts. - The STS LDAP user authentication requires that the LDAP user account (DN) be a member of at
least one LDAP group object. So you must supply the staring location of where to
begin an LDAP search, the group object’s attribute name holding the authenticated
user’s DN, and the group object’s DN field name holding the group (Role)
name:
sts.ldap.group.searchBase=search-base-dn sts.ldap.group.searchFilter=(group-attr-name={0}) sts.ldap.group.roleAttribute=cn
An example configuration may look like:
|
Debugging an STS LDAP authentication involves enabling logging in the STS’s logging configuration file logging.xml and adding the entry:
|
Use LDAP searchFilter to locate a user entry in the directory
LDAP authentication uses a search filter to locate a user entry in the directory.
Syntax
|
Where
{0}is a Spring Security placeholder. At runtime, PAS for OpenEdge replaces{0}with the user ID provided during authentication.- ( ) follow LDAP filter syntax that defines the search condition to apply to directory entries.
Examples by directory type
| Directory type | Search filter | Behavior |
|---|---|---|
| Generic LDAP | (uid={0}) |
Matches user where uid equals login ID. |
| Active Directory | (sAMAccountName={0}) |
Matches Windows login name |
| Alternative AD | (userPrincipalName={0}) |
Matches full login (user@domain) |
Runtime examples
If a user logs in as:
|
And the filter is:
|
The executed LDAP query becomes:
|
Result:The directory returns the matching user DN for authentication.
Configure group-to-role mapping
LDAP can assign application roles based on group membership
How it works:
- PAS for OpenEdge retrieves the authenticated user's Distinguished Name (DN).
- A group search runs to find groups containing that DN.
- Roles are extracted from group attributes.
- Roles are added to the CLIENT-PRINCIPAL object.
Example configuration
|
Where:
| Setting | Purpose |
|---|---|
groupSearchFilter |
Finds groups containing the user DN |
{0} |
Substituted with user DN (not username) |
roleAttribute |
Extracts role name from group entry |
If user DN is:
|
Search filter becomes:
|
Multiple group membership
If user belongs to multiple groups, each group contributes a role. The roles appear in the CLIENT-PRINCIPAL.
|
Authorization logic in ABL can evaluate roles directly.
Configure LDAP using Active Directory
This example uses realistic Active Directory values.
Directory configuration
|
User search
|
Alternative
|
Group-to-role mapping
|
Example
| Object | Example |
|---|---|
| User DN | cn=user1,cn=Users,dc=example,dc=com |
| Group DN | cn=Admins,cn=Users,dc=example,dc=com |
Active Directory considerations
- Default login attribute
sAMAccountName
- Alternative
UserPrincipalName(user@domain)
- For large environments
- Use Global Catalog port
3268
- Use Global Catalog port
- Ensure referral handling is configured if multi-domain
Result:
Configuration matches real enterprise AD deployments.