User Directory Settings

You can integrate your Konnect™ access server with an external user directory to automatically synchronize user accounts and to allow users to log in to the Konnect™ user and admin portals with their directory credentials, without replicating those credentials to the cloud.

[Screenshot: Admin Portal LDAP Settings]

Konnect™ supports any external user directory that speaks the LDAP protocol, for example Active Directory, OpenLDAP, ApacheDS, ForgeRock OpenDJ, Red Hat 389 Directory Server, or JumpCloud.

Prerequisites

Note: Integration of Konnect™ with an external user directory requires an active Enterprise or Pro license for your Konnect™ server.

Before you integrate Konnect™ access server and your LDAP-compatible user directory, please make sure that:

  • you have network connectivity between your Konnect™ server and your directory server. In particular, on-premises directory servers may require an additional proxy service to allow a cloud-deployed Konnect™ access server to connect.

  • you have provisioned a dedicated BIND user for Konnect™ with a minimal set of access rights to your directory and to the directory subtree that holds your VPN user accounts.

  • you know your BIND user's full DN path, as well as the base DN path of your directory.

  • each user that you wish to synchronize to the Konnect™ VPN access server has a valid email address and a name attribute set in their directory account.

Configuring your User Directory

To configure your LDAP-compatible user directory, please provide the following information:

  • Host or IP Address of your directory server. If you provide a hostname, it must be resolvable from your Konnect™ instance. In either case you need to make sure that you have network connectivity between your Konnect™ server and the directory server, and open any firewall or proxy ports as required.

  • Port at which your LDAP server listens for requests. This is often 389 for LDAP and 636 for LDAPS (LDAP over SSL/TLS).

  • Connection Security used to protect communication with your directory server. Possible options are None (no connection security; bind credentials and directory data travel in clear text), StartTLS (upgrade an otherwise clear-text connection to TLS before any sensitive data is exchanged), and TLS (negotiate an SSL/TLS connection before exchanging any data).

  • Authentication Type for your bind user. Can be Anonymous (no authentication required to query the directory tree or subtree), Username / Password (use the bind user DN and password to authenticate before performing search queries), or SASL (use the Simple Authentication and Security Layer, as defined in RFC 4422).

  • LDAP Bind User, which is the distinguished name (DN) of a directory user account that has permission to authenticate to the directory and to search the directory tree or subtree that you want to query for VPN user accounts.

  • LDAP Bind Password, which the bind user uses to authenticate to the directory server before performing search queries.

  • the Search Base, which is the DN at which user lookup and authentication start within your directory.

  • an RFC 2254-compliant Search Query for your directory that returns the directory objects describing the users that should be synced with your Konnect™ server.

  • the Name Attribute of the directory objects found by the above search that should be used to capture the display name for synced users.

  • the Email Attribute of the directory objects found by the above search that should be used to capture the email address for synced users.

Testing your Settings

When you are satisfied with your settings, click on Save & Test settings to save the configuration values and perform a test of your settings.

[Screenshot: Admin Portal LDAP Settings test results]

The settings test page shows a success or failure status for each test, together with any error messages that can help you diagnose issues. If the Konnect™ server can successfully communicate with your directory server, the test page also shows a preview of the first 10 users that would be synced from your directory. When you are satisfied, click Done; otherwise, click Edit Settings to go back and edit your directory settings.
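To illustrate how the Search Query, Name Attribute and Email Attribute settings combine with the prerequisite that every synced user carries a name and a valid email address, here is an added, offline stand-in for the Save & Test preview (example code, not Konnect's own): it evaluates an RFC 2254 filter against constructed directory entries and reports the first 10 users that would sync plus the entries that fail the prerequisite. All DNs, group names and entries are hypothetical sample data.

```python
import re
SIMPLE = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")   # (attr=value) or (attr=*)

def parse_filter(f, i=0):
    """Parse a subset of RFC 2254: (&...), (|...), (!...), (attr=*), (attr=value)."""
    if f[i:i + 2] in ("(&", "(|", "(!"):
        op, subs, i = f[i + 1], [], i + 2
        while f[i:i + 1] == "(":
            node, i = parse_filter(f, i)
            subs.append(node)
        if f[i:i + 1] != ")" or not subs:
            raise ValueError(f"malformed compound filter at offset {i}")
        return (op, subs), i + 1
    m = SIMPLE.match(f, i)
    if not m:
        raise ValueError(f"malformed filter item at offset {i}")
    return ("=", m.group(1).lower(), m.group(2)), m.end()

def matches(node, attrs):
    """Evaluate a parsed filter against one entry ({lowercase attr: [values]}), case-insensitively."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, attrs) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    return any(node[2] == "*" or v.lower() == node[2].lower() for v in attrs.get(node[1], []))

def preview_sync(entries, search_filter, name_attr, email_attr, limit=10):
    """Offline stand-in for Save & Test: (first `limit` users to sync, DNs skipped for missing Name/Email)."""
    tree, users, skipped = parse_filter(search_filter)[0], [], []
    for dn, raw in entries:
        attrs = {k.lower(): v for k, v in raw.items()}
        if matches(tree, attrs):
            name, email = (attrs.get(a.lower(), [""])[0] for a in (name_attr, email_attr))
            if not name or "@" not in email:
                skipped.append(dn)       # fails the prerequisite: a name and a valid email
            else:
                users.append({"dn": dn, "name": name, "email": email})
    return users[:limit], skipped

# Constructed sample entries (hypothetical DNs) standing in for results under Search Base ou=people,dc=example,dc=com.
VPN_GROUP = "cn=vpn-users,ou=groups,dc=example,dc=com"
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", {"objectClass": ["inetOrgPerson"],
     "cn": ["Alice Adams"], "mail": ["alice@example.com"], "memberOf": [VPN_GROUP]}),
    ("uid=bob,ou=people,dc=example,dc=com", {"objectClass": ["inetOrgPerson"],
     "cn": ["Bob Brown"], "memberOf": [VPN_GROUP]}),                 # no mail attribute
    ("uid=svc-backup,ou=people,dc=example,dc=com", {"objectClass": ["inetOrgPerson"],
     "cn": ["Backup Service"], "mail": ["backup@example.com"]}),     # not in the VPN group
]
SEARCH_FILTER = f"(&(objectClass=inetOrgPerson)(memberOf={VPN_GROUP}))"
```

Running `preview_sync(SAMPLE_ENTRIES, SEARCH_FILTER, "cn", "mail")` syncs only Alice and lists Bob as skipped, which is the kind of result the test page helps you spot before enabling periodic sync.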

Activating LDAP Sync

Konnect™ can synchronize users with your directory server periodically (the default interval is 300 seconds). To enable periodic sync, switch Activate LDAP Integration to ON on your directory settings page and save.

Triggering a Manual Sync

If you wish to synchronize the Konnect™ server user database with your user directory immediately, outside of the scheduled periodic sync, click Synchronize Now to start a background sync job.