6.3.1. LDAP Connector

An LDAP connector allows you to:

  • Obtain information about users and groups from Active Directory or other LDAP servers; FreeIPA is also supported as an LDAP server. The users and groups can then be used in filtering rules.

  • Authorize users via Active Directory/FreeIPA domains using the captive portal, Kerberos, and NTLM authentication methods.

To create an LDAP connector, click Add, select Add LDAP connector, and provide the following settings:

Enabled

Enables or disables the use of this authentication server.

Name

The name of the authentication server.

SSL

This specifies whether SSL is required to connect to the LDAP server.

LDAP domain name or IP address

The IP address of the domain controller, the domain controller FQDN or the domain FQDN (e.g., test.local). If the domain controller FQDN is specified, UserGate will obtain the domain controller's address using a DNS request. If the domain FQDN is specified, UserGate will use a backup domain controller if the primary one fails.

Bind DN ("login")

The username used to connect to the LDAP server, in DOMAIN\username or username@domain format. This user must already exist in the domain.

Password

The user's password for connecting to the domain.

LDAP domains

The list of domains served by the specified domain controller, e.g., in case of a domain tree or an Active Directory domain forest. Here you can also specify the short NetBIOS domain name. The domains listed here will be available for selection on the captive portal's auth page if the corresponding option is enabled. For more details on configuring the captive portal, see the section Captive Portal Configuration.

Search roots

The list of LDAP server paths relative to which the system will search for users and groups. Specify the full distinguished name, e.g. ou=Office,dc=example,dc=com.

Kerberos keytab

Here you can upload a keytab file for Kerberos authentication. For more details on Kerberos authentication and creating a keytab file, see the section Kerberos Authentication Method.

Important! Uploading a keytab file is recommended even if you do not plan to use Kerberos authentication. With an uploaded keytab file, UserGate uses the Kerberos mechanism to obtain the list of users and their groups from LDAP servers, which dramatically reduces the load on the LDAP servers. If the LDAP servers in your organization store a large number of objects (more than 1000 groups and users), using a keytab file is strongly encouraged.

After creating a server, you should validate the settings by clicking Check connection. If your settings are correct, the system will report that; otherwise, it will tell you why it cannot connect.
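Before clicking Check connection, the field values above can be sanity-checked offline so that a failed check points at the network or the account rather than at a typo. The following is an added example, not UserGate code; it assumes the settings are collected in a dict with keys named after the connector fields, plus an admin-supplied estimate object_count of users and groups in the directory.

```python
import re

# Bind DN ("login") must be DOMAIN\username or username@domain (see above).
BIND_LOGIN_RE = re.compile(r"^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+\.[^\\@\s.]+)$")


def parse_dn(dn):
    """Split a DN such as 'ou=Office,dc=example,dc=com' into (attr, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # commas escaped with '\' stay in the value
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"search root {dn!r}: {rdn!r} is not attr=value")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_domain(dn):
    """Derive the DNS domain from the dc= components: dc=test,dc=local -> test.local."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def check_connector(cfg):
    """Return a list of problems; an empty list means the fields look consistent.

    cfg keys mirror the connector fields: ssl, bind_dn, ldap_domains, search_roots,
    keytab (bool). object_count is an assumed, admin-supplied estimate of users+groups.
    """
    problems = []
    if not cfg["ssl"]:
        problems.append("SSL is off: the bind password and directory data cross the network in clear text")
    if not BIND_LOGIN_RE.match(cfg["bind_dn"]):
        problems.append(f"bind DN {cfg['bind_dn']!r} is neither DOMAIN\\username nor username@domain")
    domains = {d.lower() for d in cfg["ldap_domains"]}
    for root in cfg["search_roots"]:
        try:
            domain = dn_domain(root)
        except ValueError as err:
            problems.append(str(err))
            continue
        if not domain:
            problems.append(f"search root {root!r} has no dc= components")
        elif domain.lower() not in domains:
            problems.append(f"search root {root!r} is under {domain}, which is not in LDAP domains")
    if not cfg["keytab"] and cfg.get("object_count", 0) > 1000:
        problems.append("no keytab with more than 1000 users/groups: LDAP enumeration will load the servers heavily")
    return problems
```

The domain check only compares the dc= part of each search root against the LDAP domains list, so a root under a short NetBIOS name is reported until the matching FQDN is added to the list.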

Note

To be authorized via an LDAP connector, users must be members of the "Domain users" domain group.

The LDAP connector configuration is now complete. For LDAP user authorization using a name and password, you need to create captive portal rules. The captive portal is described in more detail in the following chapters.

To add an LDAP user or user group to the filtering rules, click Add LDAP user/Add LDAP group, type at least one character present in the names of the desired objects in the search field, and then click Search and select the users or groups of interest.