Setting Up LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is a protocol used by directory services, most commonly Microsoft Active Directory (AD), to look up user accounts, organizations, and other resources. Trakstar can integrate with any LDAP or LDAPS server, allowing you to connect Trakstar to your organization’s existing directory. Upon login (on our standard login page), Trakstar checks the username and password against your LDAP server, so credentials never fall out of sync between your directory and Trakstar.

Authentication using LDAP is an advanced Trakstar feature. If you would like to add this feature to your organization’s account, please contact us at support@trakstar.com.

NOTE: Trakstar is a cloud-based application, and our servers must be able to communicate with your LDAP server. If your LDAP server is protected by firewalls or additional network security, your organization must allow Trakstar’s servers access. Our application does not support connecting to your organization’s VPN or local network. For more information, please contact integrations@trakstar.com.

These are the steps to setting up LDAP authentication in Trakstar:

  1. Configuring LDAP within Trakstar
  2. Testing the configuration
  3. Enabling LDAP authentication for all users

1) Configuring LDAP within Trakstar

Trakstar requires the following information to set up LDAP authentication, which you can enter by visiting Settings > Authentication & SSO:

Host

Endpoint or IP address of your LDAP server.

Examples:

  • 54.176.31.140
  • ldap.trakstar.com

Port

This is generally 389 for plain connections, and 636 for SSL/TLS.

Method

SSL/TLS or Plain. SSL/TLS is highly recommended, because a plain connection sends the Bind DN password and every user’s login password across the network unencrypted; Trakstar can nonetheless communicate over an unencrypted (plain) connection if required.

Bind DN

Account username or fully-qualified DN Trakstar will use to perform LDAP lookups.

Examples:

  • trakstar
  • username@trakstar.com
  • CN=Trakstar Read,CN=Users,DC=trakstar,DC=com

Password

Password for the bind username or DN above, securely stored and never displayed.

Base DN

Base DN used to find users.

Examples:

  • DC=trakstar,DC=net,OU=Salary Employees
  • dc=trakstar, dc=com

UID

LDAP attribute corresponding to the username on the login form, usually  or . This is not required when using the optional Search Filter below.

LDAP Search Filter

Used to identify users in place of the UID attribute above. The string %{username} in the filter is replaced with the value entered on the login form.

Examples:

  • (sAMAccountName=%{username})
  • (&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))
  • (&(objectCategory=person)(objectClass=user)(!(cn=andy)))
  • (sn=sm*)
  • (&(objectCategory=person)(objectClass=contact)(|(sn=Smith)(sn=Johnson)))
  • (&(objectClass=user)(sAMAccountName=%{username})(|(memberof=CN=Employee A-L,OU=Salary Employees,DC=trakstar,DC=com)(memberof=CN=Employee M-Z,OU=Salary Employees,DC=trakstar,DC=com)))

Enter the above information into Trakstar, and proceed to the next step.
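As an added example (not Trakstar’s own code, and not a description of how Trakstar implements its lookup), the following Python models how the settings above fit together: the Base DN and either the UID attribute or the Search Filter select the account, and the %{username} value is escaped before it is placed in the filter so that characters such as *, ( and ) typed on the login form are matched literally instead of changing the filter’s structure. The LdapSettings class, check_settings(), and all sample values are assumptions for illustration; the field names follow the settings page.

```python
"""Added example (not Trakstar's own code): models how the LDAP settings
described above are used, and why the %{username} value must be escaped.
The LdapSettings class, escape rules and sample values are assumptions
for illustration; the field names follow the settings page."""
from dataclasses import dataclass
from typing import Optional

# RFC 4515 filter-value escaping: these characters would otherwise change
# the structure of the search filter instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def interpolate_filter(template: str, username: str) -> str:
    """Replace %{username} in a Search Filter template with the escaped login value."""
    return template.replace("%{username}", escape_filter_value(username))


@dataclass
class LdapSettings:
    host: str
    port: int
    method: str          # "SSL/TLS" or "Plain"
    bind_dn: str
    base_dn: str
    uid: Optional[str] = None            # attribute matched against the login form
    search_filter: Optional[str] = None  # optional template that replaces UID

    def user_filter(self, username: str) -> str:
        """Filter searched under base_dn to locate the account for this login."""
        if self.search_filter:
            return interpolate_filter(self.search_filter, username)
        if self.uid:
            return f"({self.uid}={escape_filter_value(username)})"
        raise ValueError("either UID or LDAP Search Filter must be configured")


def check_settings(s: LdapSettings) -> list:
    """Return warnings a reviewer would raise before enabling LDAP for everyone."""
    warnings = []
    if s.method == "Plain":
        warnings.append("Plain method: bind and user passwords cross the network unencrypted")
    if s.method == "SSL/TLS" and s.port == 389:
        warnings.append("SSL/TLS selected on port 389; LDAPS is normally served on 636")
    if s.method == "Plain" and s.port == 636:
        warnings.append("Plain selected on port 636; that port normally expects TLS")
    if not (s.uid or s.search_filter):
        warnings.append("neither UID nor LDAP Search Filter is set; users cannot be located")
    return warnings


if __name__ == "__main__":
    # Constructed sample settings, modelled on the examples in the article.
    settings = LdapSettings(
        host="ldap.example.com", port=636, method="SSL/TLS",
        bind_dn="CN=Trakstar Read,CN=Users,DC=example,DC=com",
        base_dn="DC=example,DC=com",
        search_filter="(&(objectClass=user)(sAMAccountName=%{username}))",
    )
    print(settings.user_filter("jsmith"))
    # A login containing filter metacharacters is matched literally, not parsed.
    print(settings.user_filter("j*smith"))
    for w in check_settings(settings):
        print("warning:", w)
```

The escaping step is the part worth keeping in mind when you write your own Search Filter: a template such as (sAMAccountName=%{username}) is only as safe as the value substituted into it, so the application doing the substitution must encode filter metacharacters, and a filter you test against a handful of ordinary usernames can still behave differently for an unusual one.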


2) Testing the configuration

Follow the instructions to test the configuration in Trakstar, opening the provided URL in a separate browser or incognito window so that it’s not affected by your current session with our application.

If sign in is not successful, you can click “Show Failed Authentication Attempts” from the Authentication Settings page to see more detailed error messages.

Here are some tips to resolve common issues with LDAP:

Operation timed out

Trakstar tried to issue a request to your LDAP endpoint, but never received a response. You might consider:

  • Double-checking your Host and Port are correct
  • Making sure your LDAP endpoint is publicly accessible, or you’ve allowed Trakstar’s servers through the necessary network security (see NOTE at top of this article)

Bind failed

Trakstar “binds” to your LDAP server with the Bind DN and Password provided. If that fails, it can mean one of several things:

  • The Bind DN is not correct
  • The Password for the Bind DN is not correct
  • The LDAP server refused the connection from Trakstar for some other reason

getaddrinfo: nodename nor servname provided, or not known

Trakstar had issues resolving the host name of your LDAP endpoint. Consider using an IP address instead, as this is usually caused by issues with DNS.
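The three errors above correspond to three different stages of opening the connection: name resolution, TCP reachability, and (for SSL/TLS) the TLS handshake. As an added example, not Trakstar’s own tooling, the following Python runs those stages in order from a machine of your choosing and reports the first one that fails, which tells you whether to look at DNS, at firewall rules, or at the server certificate. The diagnose() function and the placeholder host are assumptions; run it from a network position comparable to Trakstar’s (that is, from outside your network), since a check that passes from inside the firewall says nothing about Trakstar’s access.

```python
"""Added example (not Trakstar's own code): a staged connectivity check that
separates the three connection errors described in the article. The diagnose()
function and the placeholder host in the usage lines are assumptions."""
import socket
import ssl


def diagnose(host: str, port: int, method: str = "SSL/TLS", timeout: float = 5.0) -> str:
    """Return the first stage that fails: "dns", "tcp", "tls", or "ok" if all pass."""
    # Stage 1: name resolution. Failure here corresponds to the
    # "getaddrinfo: nodename nor servname provided, or not known" error.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"

    # Stage 2: TCP reachability. A firewall that silently drops the traffic
    # shows up here as a timeout ("Operation timed out"); a wrong port usually
    # shows up as "connection refused".
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp"

    # Stage 3: TLS handshake, only for the SSL/TLS method. A certificate that
    # does not match the Host value, an untrusted issuer, or plain LDAP
    # answering on the port all fail here.
    if method != "SSL/TLS":
        sock.close()
        return "ok"
    context = ssl.create_default_context()
    try:
        tls = context.wrap_socket(sock, server_hostname=host)
    except OSError:  # ssl.SSLError and socket timeouts are both subclasses of OSError
        sock.close()
        return "tls"
    tls.close()
    return "ok"


if __name__ == "__main__":
    # Placeholder host: replace with the Host and Port from your settings page.
    print(diagnose("ldap.example.com", 636))
```

A result of "tls" with the SSL/TLS method is worth chasing before falling back to Plain: it usually means the certificate presented on port 636 is not trusted by a default trust store or does not name the Host value you entered, and fixing the certificate keeps the bind password encrypted in transit.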

User has not been added to Trakstar

Automatically provisioning users can result in multiple accounts for the same user, or in users not having access to the right information, both of which can be difficult to correct. For these reasons, Trakstar only authenticates users that have already been added to the application, and will not automatically create accounts for new users. Users can be added manually for smaller organizations, or by using HRIS Sync for easier management of users in bulk.

If a user successfully authenticates with your chosen login strategy, but an account with that username (a.k.a. “login”) cannot be found, they will receive a “User has not been added to Trakstar” error.


3) Enabling LDAP authentication for all users

Once you have sufficiently tested the ability to log in via LDAP, you can enable it for all users in your organization by selecting LDAP as the enabled authentication type.

Once LDAP is enabled as the way your users authenticate, you’ll notice that passwords can no longer be set or recovered within Trakstar.
