LDAP Authentication Setup

LDAP Authentication integrates RAMP with enterprise directories like Active Directory or OpenLDAP. Users authenticate using their directory credentials, and RAMP can search the directory for users and groups.

Features

Authenticate against LDAP/Active Directory
Auto-provision users on first login
Directory search for users and groups
Support for SSL/TLS (LDAPS)
Works on Windows, Linux, and Docker

Use Cases

Enterprise directory integration
Centralized user management
Active Directory without Windows Auth/IIS
OpenLDAP environments

Prerequisites

LDAP server (Active Directory or OpenLDAP)
LDAP server hostname/IP and port (389 for LDAP, 636 for LDAPS)
Service account for LDAP bind operations
Network access from RAMP to LDAP server

Step 1: Gather LDAP Information

You’ll need the following information from your LDAP administrator:

Setting	Example (Active Directory)	Example (OpenLDAP)
LDAP Server	`ldap://dc.contoso.com:389`	`ldap://ldap.company.com:389`
Search Base	`DC=contoso,DC=com`	`dc=company,dc=com`
Service Account DN	`CN=ramp-service,OU=Service Accounts,DC=contoso,DC=com`	`cn=ramp-bind,ou=services,dc=company,dc=com`
Service Account Password	(from AD admin)	(from LDAP admin)
User Filter	`(&(objectClass=user)(objectCategory=person))`	`(objectClass=inetOrgPerson)`
Group Filter	`(objectClass=group)`	`(objectClass=groupOfNames)`

Step 2: Configure RAMP Backend

Edit appsettings.json:

{
  "Authentication": {
    "Providers": {
      "LDAP": {
        "Enabled": true,
        "Server": "ldap://dc.contoso.com:389",
        "SearchBase": "DC=contoso,DC=com",
        "BindDn": "CN=ramp-service,OU=Service Accounts,DC=contoso,DC=com",
        "BindPassword": "ServiceAccountPassword123!",
        "UseSsl": false,
        "UserSearchFilter": "(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
        "GroupSearchFilter": "(objectClass=group)",
        "AttributeMappings": {
          "Username": "sAMAccountName",
          "Email": "mail",
          "FirstName": "givenName",
          "LastName": "sn",
          "DisplayName": "displayName"
        },
        "EnableDirectorySearch": true,
        "AutoProvisionUsers": true
      }
    }
  },
  "Bootstrap": {
    "Administrators": [
      {
        "IdentityProvider": "LDAP",
        "Username": "admin",
        "Email": "admin@contoso.com"
      }
    ]
  }
}

Configuration Reference

Setting	Required	Description
`Enabled`	Yes	Set to `true` to enable LDAP authentication
`Server`	Yes	LDAP server URL (format: `ldap://host:port` or `ldaps://host:port`)
`SearchBase`	Yes	Base DN for all LDAP searches
`BindDn`	Yes	Distinguished Name of service account for bind operations
`BindPassword`	Yes	Password for service account
`UseSsl`	No	Use LDAPS (port 636). Default: `false`
`UserSearchFilter`	Yes	LDAP filter to find users. `{0}` is replaced with username
`GroupSearchFilter`	No	LDAP filter to find groups
`AttributeMappings`	Yes	Map LDAP attributes to RAMP user fields
`EnableDirectorySearch`	No	Allow searching directory for users/groups. Default: `false`
`AutoProvisionUsers`	No	Create RAMP user on first login. Default: `true`

{
  "Authentication": {
    "Providers": {
      "LDAP": {
        "Enabled": true,
        "Server": "ldap://dc.contoso.com:389",
        "SearchBase": "DC=contoso,DC=com",
        "BindDn": "CN=ramp-service,OU=Service Accounts,DC=contoso,DC=com",
        "BindPassword": "ServiceAccountPassword123!",
        "UseSsl": false,
        "UserSearchFilter": "(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
        "GroupSearchFilter": "(objectClass=group)",
        "AttributeMappings": {
          "Username": "sAMAccountName",
          "Email": "mail",
          "FirstName": "givenName",
          "LastName": "sn",
          "DisplayName": "displayName"
        },
        "EnableDirectorySearch": true,
        "AutoProvisionUsers": true
      }
    }
  }
}

Service Account Permissions (Active Directory)

The service account needs:

Read permissions on all user objects
Read permissions on all group objects
No special elevated permissions required

Create service account:

# Create service account in Active Directory
New-ADUser -Name "ramp-service" `
  -SamAccountName "ramp-service" `
  -UserPrincipalName "ramp-service@contoso.com" `
  -Path "OU=Service Accounts,DC=contoso,DC=com" `
  -AccountPassword (ConvertTo-SecureString "ServicePassword123!" -AsPlainText -Force) `
  -Enabled $true `
  -PasswordNeverExpires $true `
  -CannotChangePassword $true

{
  "Authentication": {
    "Providers": {
      "LDAP": {
        "Enabled": true,
        "Server": "ldap://ldap.company.com:389",
        "SearchBase": "dc=company,dc=com",
        "BindDn": "cn=ramp-bind,ou=services,dc=company,dc=com",
        "BindPassword": "BindPassword123!",
        "UseSsl": false,
        "UserSearchFilter": "(&(objectClass=inetOrgPerson)(uid={0}))",
        "GroupSearchFilter": "(objectClass=groupOfNames)",
        "AttributeMappings": {
          "Username": "uid",
          "Email": "mail",
          "FirstName": "givenName",
          "LastName": "sn",
          "DisplayName": "cn"
        },
        "EnableDirectorySearch": true,
        "AutoProvisionUsers": true
      }
    }
  }
}

Create Service Account (OpenLDAP)

dn: cn=ramp-bind,ou=services,dc=company,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: ramp-bind
description: RAMP LDAP Bind Account
userPassword: {SSHA}HashedPasswordHere

Add to OpenLDAP:

ldapadd -x -D "cn=admin,dc=company,dc=com" -W -f ramp-bind.ldif

Step 4: Enable SSL/TLS (LDAPS) — Recommended

For production, use LDAPS (LDAP over SSL/TLS) on port 636.

Update Configuration

{
  "Authentication": {
    "Providers": {
      "LDAP": {
        "Server": "ldaps://dc.contoso.com:636",
        "UseSsl": true,
        "SearchBase": "DC=contoso,DC=com",
        "BindDn": "CN=ramp-service,OU=Service Accounts,DC=contoso,DC=com",
        "BindPassword": "ServiceAccountPassword123!"
      }
    }
  }
}

Certificate Requirements

LDAP server must have valid SSL certificate
Certificate must be trusted by RAMP server
For self-signed certificates, add to trusted root certificate store

Linux
Windows

# Copy certificate to trusted certificates
sudo cp ldap-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Import certificate to Trusted Root
Import-Certificate -FilePath ldap-ca.crt -CertStoreLocation Cert:\LocalMachine\Root

Step 5: Configure Bootstrap Administrator

Add LDAP admin to bootstrap configuration:

{
  "Bootstrap": {
    "Administrators": [
      {
        "IdentityProvider": "LDAP",
        "Username": "john.doe",
        "Email": "john.doe@contoso.com"
      }
    ]
  }
}

Step 6: Test LDAP Configuration

Start RAMP

cd src/RAMP.API
dotnet run

Check Logs

Look for LDAP initialization messages:

[INFO] LDAP provider initialized: ldap://dc.contoso.com:389
[INFO] LDAP bind successful

Navigate to RAMP login page
Enter LDAP username (e.g., john.doe for AD, jdoe for OpenLDAP)
Enter LDAP password
If auto-provision is enabled, user account is created automatically

Directory Search Feature

When EnableDirectorySearch is true, administrators can search the LDAP directory when assigning roles.

How It Works

Admin navigates to assign roles (Template Roles, Instance Roles, etc.)
Click “Add User”
Type username or email
RAMP queries LDAP and shows matching users
Select user from dropdown
User is auto-provisioned if they haven’t logged in yet

Search Performance

Searches are cached for 5 minutes
Maximum 50 results per search
Searches both username and email fields

Auto-Provisioning

When AutoProvisionUsers is true:

User enters LDAP credentials
RAMP validates credentials against LDAP
On successful bind, RAMP creates user record with:
- Username from LDAP attribute
- Email from LDAP attribute
- First/Last name from LDAP attributes
- IdentityProvider: LDAP
User can now log in to RAMP

Troubleshooting

Cannot connect to LDAP server

Check 1: Verify network connectivity

# Test LDAP port is accessible
telnet dc.contoso.com 389

# Or with nc
nc -zv dc.contoso.com 389

Check 2: Verify DNS resolution

nslookup dc.contoso.com

Check 3: Check firewall rules

Ensure RAMP server can reach LDAP port (389 or 636)
Check both host firewall and network firewalls

Bind operation failed

Check 1: Verify BindDn format

Active Directory: CN=username,OU=unit,DC=domain,DC=com
OpenLDAP: cn=username,ou=unit,dc=domain,dc=com

Check 2: Test bind manually

# Active Directory
ldapsearch -H ldap://dc.contoso.com -D "CN=ramp-service,OU=Service Accounts,DC=contoso,DC=com" -W -b "DC=contoso,DC=com" "(sAMAccountName=testuser)"

# OpenLDAP
ldapsearch -H ldap://ldap.company.com -D "cn=ramp-bind,ou=services,dc=company,dc=com" -W -b "dc=company,dc=com" "(uid=testuser)"

Check 3: Verify password

Ensure no special characters are improperly escaped
Test with simple password first

User authentication fails

Check 1: Verify user exists in LDAP

ldapsearch -H ldap://dc.contoso.com -D "..." -W -b "DC=contoso,DC=com" "(sAMAccountName=username)"

Check 2: Verify UserSearchFilter

Ensure filter syntax is correct
{0} placeholder is replaced with username
Test filter manually with ldapsearch

Check 3: Check account status

Ensure user account is not disabled in LDAP
Verify password hasn’t expired

SSL/TLS certificate errors

Check 1: Verify certificate chain

openssl s_client -connect dc.contoso.com:636 -showcerts

Check 2: Check certificate trust

Ensure CA certificate is in trusted store
For self-signed certs, import the certificate

Check 3: Disable SSL verification (testing only)

{
  "Authentication": {
    "Providers": {
      "LDAP": {
        "UseSsl": true,
        "IgnoreSslErrors": true
      }
    }
  }
}

Security Best Practices

1. Use LDAPS in Production

Always use SSL/TLS (port 636) for production deployments to encrypt credentials in transit.

2. Least Privilege Service Account

Service account should have read-only permissions
No admin or write permissions needed
Restrict to specific OUs if possible

3. Secure Password Storage

Store BindPassword in Azure Key Vault or User Secrets, not in appsettings.json:

# Development
dotnet user-secrets set "Authentication:Providers:LDAP:BindPassword" "password"

# Production - Azure Key Vault
# Store as: Authentication--Providers--LDAP--BindPassword

4. Monitor Failed Logins

Enable audit logging
Set up alerts for repeated bind failures
May indicate brute force or misconfiguration

5. Network Security

Restrict LDAP access to RAMP server IPs only
Use firewall rules to block unauthorized access
Consider using VPN for external access

Advanced Configuration

Custom Attribute Mappings

Map additional LDAP attributes:

{
  "AttributeMappings": {
    "Username": "sAMAccountName",
    "Email": "mail",
    "FirstName": "givenName",
    "LastName": "sn",
    "DisplayName": "displayName",
    "EmployeeId": "employeeNumber",
    "Department": "department",
    "Title": "title"
  }
}

Group-Based Access Control

To restrict RAMP access to specific AD groups, use a filter that includes memberOf:

{
  "UserSearchFilter": "(&(objectClass=user)(memberOf=CN=RAMP Users,OU=Groups,DC=contoso,DC=com)(sAMAccountName={0}))"
}

Next Steps

Bootstrap Administrators — Auto-assign admin roles for LDAP users
Email Configuration — Enable email notifications
Authentication Overview — Compare all authentication providers

Authentication Overview Compare all authentication methods and choose the right one

OIDC / OAuth2 Setup Configure RAMP with Azure AD, Okta, Keycloak, or any OIDC provider