LDAP configuration for Microsoft Active Directory

Last Updated: Jun 10, 2026

The following sections describe how to configure the LDAP server for Microsoft Active Directory (AD).

The following sections use the example below to provide a comprehensive view of how to perform the LDAP configuration.

LDAP secure configuration

By default, Avaya Aura® Device Services uses an unsecured LDAP connection. For secured connectivity, you must import an LDAP certificate to the Tomcat trust store.

Important:

The FQDN that is configured as the address of the LDAP source must be defined in the LDAP certificate in one of the following places:

  • The Common Name in the Subject field.

  • Subject Alternative Name.

For more information about enabling a secure connection, see https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate.

For more information about installing LDAP certificates on Avaya Aura® Device Services, see LDAP certificates.

LDAP configuration example

Figure 1. LDAP configuration example

  • Company DNS domain: example.com

  • Domain: GLOBAL

  • Active Directory FQDN: gdc.global.example.com. This FQDN can map to more than one replicated AD server, each with a different IP address.

  • The Active Directory provides both LDAP and LDAPS (LDAP over TLS) access to the Active Directory Global Catalog through ports 3268 and 3269, respectively (see http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx for details on what the Global Catalog is).

  • A user that has privileges to read and search the Active Directory (User: AADSAssistant, Password: admin123).

  • Domain users.

    Note:

    The LDAP attribute mail must be set because its value is used as the unique identifier for an AADS User.

    • AADS User 1, which has the following attributes:

      • sAMAccountName=aadsuser1

      • userPrincipalName=aadsuser1@global.example.com

      • mail=aadsuser1@example.com

      • givenName=User1

      • sn=AADS

    • AADS User 2, which has the following attributes:

      • sAMAccountName=aadsuser2

      • userPrincipalName=aadsuser2@global.example.com

      • mail=aadsuser2@example.com

      • givenName=User2

      • sn=AADS

    • AADS Admin, which has the following attributes:

      • sAMAccountName=aadsadmin

      • userPrincipalName=aadsadmin@global.example.com

      • mail=aadsadmin@example.com

      • givenName=Admin

      • sn=AADS

  • Groups:

    • AADSAdmin contains the users that can access the AADS OAMP GUI. In this example, this group contains the DN (Distinguished Name) of the user AADS Admin as the value of its member attribute.

    • AADSUsers contains the users that can access the AADS REST interface. In this example, this group contains the DN of the user AADS User 1 and the DN of the group AADSDelegates as the values of its member attribute.

    • AADSAuditor contains the users that have read-only access to the OAMP GUI. In this example, this group contains the DNs of the users AADS User 1 and AADS User 2 as the values of its member attribute.

    • AADSDelegates is a subgroup of AADSUsers, so the users in this group must also have access to the AADS REST interface. In this example, this group contains the DN of the user AADS User 2 as the value of its member attribute.
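The following is an added example (not Avaya's code) that resolves the group model above into AADS roles: it follows nested membership so that AADS User 2 gains REST access through AADSDelegates, breaks membership cycles, and rejects any user whose mail attribute is not set. The directory entries are constructed to mirror the example; in a real deployment they would come from a search of the Global Catalog (port 3269 for LDAPS) performed with the AADSAssistant bind user, and the role-to-group mapping is an assumption taken from the descriptions above.

```python
from typing import Dict, List, Optional, Set
BASE = "DC=global,DC=example,DC=com"

def dn(cn: str, ou: str) -> str:
    return f"CN={cn},OU={ou},{BASE}"

# Constructed sample entries mirroring the example (not real AD output): DN -> attributes.
ENTRIES: Dict[str, dict] = {
    dn("AADS User 1", "Users"): {"objectClass": "user", "mail": "aadsuser1@example.com"},
    dn("AADS User 2", "Users"): {"objectClass": "user", "mail": "aadsuser2@example.com"},
    dn("AADS Admin", "Users"): {"objectClass": "user", "mail": "aadsadmin@example.com"},
    dn("AADSAdmin", "Groups"): {"objectClass": "group", "member": [dn("AADS Admin", "Users")]},
    dn("AADSUsers", "Groups"): {"objectClass": "group",
                                "member": [dn("AADS User 1", "Users"), dn("AADSDelegates", "Groups")]},
    dn("AADSAuditor", "Groups"): {"objectClass": "group",
                                  "member": [dn("AADS User 1", "Users"), dn("AADS User 2", "Users")]},
    dn("AADSDelegates", "Groups"): {"objectClass": "group", "member": [dn("AADS User 2", "Users")]},
}

# Assumed AD group that grants each AADS role, taken from the group descriptions above.
ROLE_GROUPS = {"oamp_admin": "AADSAdmin", "rest": "AADSUsers", "oamp_auditor": "AADSAuditor"}

def expand_group(group_dn: str, entries: Dict[str, dict], seen: Optional[Set[str]] = None) -> Set[str]:
    """DNs of all user members, following nested groups; 'seen' breaks membership cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users: Set[str] = set()
    for member_dn in entries.get(group_dn, {}).get("member", []):
        entry = entries.get(member_dn)
        if entry is None:  # dangling member reference: skip it
            continue
        if entry["objectClass"] == "group":
            users |= expand_group(member_dn, entries, seen)
        else:
            users.add(member_dn)
    return users

def unique_id(entry: dict) -> str:
    """AADS identifies a user by the mail attribute, so an entry without it is rejected."""
    if not entry.get("mail"):
        raise ValueError("mail attribute must be set")
    return entry["mail"]

def access_matrix(entries: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each AADS role to the sorted mail addresses of the users holding it."""
    return {role: sorted(unique_id(entries[u]) for u in expand_group(dn(group, "Groups"), entries))
            for role, group in ROLE_GROUPS.items()}
```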