LDAP Integration
LDAP Connector Overview
StackFlow's LDAP integration enables organizations to authenticate users against an on-premises Active Directory or OpenLDAP server. The LDAP connector runs as part of the StackFlowAPI Lambda and connects to the directory service via the VPC NAT gateway, allowing secure access to on-premises systems through AWS Direct Connect or VPN.
- Network: AWS Direct Connect or Site-to-Site VPN to on-premises, LDAP port 636 reachable from sg-0ada825cda6a75ed6
- Service Account: LDAP bind DN with Read on userAccountControl, memberOf, mail, sAMAccountName
- Secrets Manager: stackflow/ldap/bind-credentials with bind_dn and bind_password keys
- Cognito: Pool us-east-1_WKK1AVJ2m pre-signup Lambda StackFlowCognitoPreSignup configured to allow LDAP-sourced users
- DynamoDB: StackFlow_LDAPConfig table with at least one active LDAP configuration record
LDAP authentication in StackFlow is additive — it does not replace Cognito. Instead, user credentials are validated against LDAP, and upon success, a Cognito user account is created or updated with the LDAP attributes. The Cognito token is then issued as the session token for subsequent API calls.
vpc-0c4e3c18734dee8f7. Ensure the LDAP server's port 389 (LDAP) or 636 (LDAPS) is reachable from security group sg-0ada825cda6a75ed6.
Connection Configuration
Configure the LDAP connection in Admin → Authentication → LDAP Integration. All connection credentials are stored in AWS Secrets Manager and never written to the StackFlow database in plaintext.
| Field | Description | Example |
|---|---|---|
| Server URL | LDAP/LDAPS endpoint | ldaps://dc01.corp.example.com:636 |
| Base DN | Search base for users | DC=corp,DC=example,DC=com |
| Bind DN | Service account for directory queries | CN=stackflow-svc,OU=Service Accounts,DC=corp,DC=example,DC=com |
| Bind Password | Service account password (stored in Secrets Manager) | — |
| User Search Filter | LDAP filter to locate user accounts | (&(objectClass=person)(sAMAccountName={username})) |
| TLS | Use LDAPS or StartTLS | LDAPS (recommended) |
User Sync Settings
StackFlow can perform scheduled LDAP user synchronization to keep user accounts, group memberships, and profile attributes current. Sync runs every 30 minutes by default and can be triggered manually from the admin console.
```json
{
  "ldap_sync": {
    "enabled": true,
    "schedule_minutes": 30,
    "sync_groups": true,
    "deactivate_removed_users": true,
    "attribute_map": {
      "email": "mail",
      "given_name": "givenName",
      "family_name": "sn",
      "department": "department",
      "phone": "telephoneNumber"
    }
  }
}
```
Group Mapping
Active Directory groups are mapped to StackFlow roles in the same way as Azure AD groups. Define mapping rules in Admin → Authentication → LDAP → Group Mapping. Groups not explicitly mapped receive the default role configured in System Properties (typically viewer).
| AD Group DN | StackFlow Role |
|---|---|
| CN=StackFlow-Admins,OU=Groups,DC=corp,DC=example,DC=com | super_admin |
| CN=IT-Support,OU=Groups,DC=corp,DC=example,DC=com | itsm_agent |
| CN=IT-Management,OU=Groups,DC=corp,DC=example,DC=com | itsm_manager |
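The following is an added illustration, not StackFlow's own connector code: it shows the three pieces of logic the sections above describe working together, building the user search filter from the configured template with RFC 4515 escaping of the supplied username (so wildcard or parenthesis characters cannot change the filter's structure), applying the sync attribute_map to a directory entry, and resolving a StackFlow role from memberOf using the group mapping table with the viewer default. The directory entry is constructed sample data, and the rule that the highest-privilege mapped group wins when a user is in several is an assumption the page does not state.

```python
# Configuration values copied from this page's examples.
USER_SEARCH_FILTER = "(&(objectClass=person)(sAMAccountName={username}))"
ATTRIBUTE_MAP = {"email": "mail", "given_name": "givenName", "family_name": "sn",
                 "department": "department", "phone": "telephoneNumber"}
GROUP_ROLE_MAP = {
    "CN=StackFlow-Admins,OU=Groups,DC=corp,DC=example,DC=com": "super_admin",
    "CN=IT-Support,OU=Groups,DC=corp,DC=example,DC=com": "itsm_agent",
    "CN=IT-Management,OU=Groups,DC=corp,DC=example,DC=com": "itsm_manager",
}
DEFAULT_ROLE = "viewer"
# Assumption: precedence used when a user belongs to more than one mapped group.
ROLE_RANK = {"viewer": 0, "itsm_agent": 1, "itsm_manager": 2, "super_admin": 3}

# RFC 4515 filter escapes; without these a username could alter the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value before substituting it into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Fill the {username} placeholder of the configured User Search Filter."""
    return USER_SEARCH_FILTER.replace("{username}", escape_filter_value(username))


def map_attributes(entry: dict) -> dict:
    """Translate LDAP attributes to Cognito attribute names via attribute_map."""
    return {cog: entry[ldap] for cog, ldap in ATTRIBUTE_MAP.items() if ldap in entry}


def resolve_role(member_of: list) -> str:
    """Pick the StackFlow role for the user's groups; unmapped groups give viewer.

    DN comparison is case-insensitive because AD treats DNs that way.
    """
    mapping = {dn.casefold(): role for dn, role in GROUP_ROLE_MAP.items()}
    roles = [mapping[dn.casefold()] for dn in member_of if dn.casefold() in mapping]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else DEFAULT_ROLE


def provision_from_ldap(entry: dict) -> dict:
    """Build the payload that would be written to the Cognito user record."""
    return {"attributes": map_attributes(entry), "role": resolve_role(entry.get("memberOf", []))}


# Constructed sample entry, shaped like an AD user object returned by the search.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe", "mail": "jdoe@corp.example.com", "givenName": "Jane",
    "sn": "Doe", "department": "IT", "telephoneNumber": "+1-555-0100",
    "memberOf": ["CN=IT-Support,OU=Groups,DC=corp,DC=example,DC=com",
                 "CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"],
}
```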
Troubleshooting LDAP
Use the LDAP test tool at Admin → Authentication → LDAP → Test Connection to diagnose connectivity issues. The test tool performs a bind with the service account and then a sample user search to validate the full authentication path.
```shell
# Test LDAP connectivity from within the VPC (requires EC2 bastion).
# -x selects a simple bind (ldapsearch otherwise attempts SASL);
# -W prompts for the bind password so it is not left in shell history.
ldapsearch -x -H ldaps://dc01.corp.example.com:636 \
  -D "CN=stackflow-svc,OU=Service Accounts,DC=corp,DC=example,DC=com" -W \
  -b "DC=corp,DC=example,DC=com" \
  "(&(objectClass=person)(sAMAccountName=testuser))" \
  mail givenName sn memberOf
```
Read permission on the memberOf attribute for user objects. This is often restricted by AD GPO settings in hardened environments.