LDAP Authentication integration provides the ability to authenticate your users directly against an LDAP service such as OpenLDAP or Active Directory.
LDAP Users are not imported into Form.io as Resources and exist only externally in LDAP. They still get assigned Form.io roles and can have ownership over forms and submissions.
To start using LDAP for your authentication, you will need the following parameters from your LDAP provider.
If you wish to simply test the LDAP functionality, you can use the following parameters:
- Server URL:
- Bind DN:
- Bind Password:
- Search Base:
- Search Filter:
With these configurations, you should then be able to use the following login credentials.
Once you have these configurations, you can set up LDAP within your Project Settings like so.
By default, Form.io uses email addresses to log in users, so using the email attribute in the search filter is recommended unless you change the User Login form to match the search filter. For example
Click Save Project Settings once you have these values set.
Next, we will create a new form that will be used to log in to LDAP. We can do this by clicking on New Form, and then building it as follows.
Click the Create Form button to create the new form.
You will now need to ensure that Anonymous users are able to "submit" this form, which will execute the actions assigned to the form. You can do this by clicking on the Access settings and adding the Anonymous role to the Create Own permission.
Next, we will navigate to the Actions section of our form and first Remove the Save Submission Action.
After we have done that, we will add the LDAP Login action as follows.
Within the LDAP Login Action, you will then configure the following parameters.
If you choose the Passthrough option, any failure except a failure to Bind the user account will be ignored, and the login information will be passed to the next form action. This allows using both LDAP and the Form.io Login action on the same form.
Next, map any LDAP properties to user roles. Select the property, the matching value, and the role to assign if true. Leave LDAP Property and Value blank to assign the role to all LDAP accounts.
- LDAP Property: group
- Value: Admins
- Role: Admin
This would assign the Admin role to any members of the Admins group.
The user's DN is also mapped to the list of properties, so if the DN is
dn=myname,ou=admins,dc=example,dc=org
you can do:
- LDAP Property: ou
- Value: admins
- Role: Admin
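The two mappings above, together with a blank catch-all rule, modelled as an added JavaScript example that is not Form.io's own code. The function names, the rule shape and the exact-match semantics are assumptions made for illustration.

```javascript
// Added example: a model of the mapping rules above, not Form.io's own code.
// parseDn, resolveRoles, catchAllRules and the rule shape are hypothetical.

// Split a DN into { attribute: [values] }; a comma after a backslash is escaped.
function parseDn(dn) {
  const props = {};
  for (const rdn of dn.split(/(?<!\\),/)) {
    const idx = rdn.indexOf('=');
    if (idx < 1) continue; // skip malformed components
    const key = rdn.slice(0, idx).trim().toLowerCase();
    (props[key] = props[key] || []).push(rdn.slice(idx + 1).trim());
  }
  return props;
}

// Return the roles an LDAP entry receives under the given rules.
// Assumption: values match exactly (case-sensitive) against any value of the property.
function resolveRoles(entry, rules) {
  const props = parseDn(entry.dn);
  for (const [key, value] of Object.entries(entry.attributes || {})) {
    const k = key.toLowerCase();
    props[k] = (props[k] || []).concat(value); // attributes may be multi-valued
  }
  const roles = new Set();
  for (const rule of rules) {
    const blank = !rule.property && !rule.value; // blank rule: every LDAP account
    const values = props[(rule.property || '').toLowerCase()] || [];
    if (blank || values.includes(rule.value)) roles.add(rule.role);
  }
  return [...roles];
}

// Roles granted to every LDAP account; review these before saving the action.
function catchAllRules(rules) {
  return rules.filter((r) => !r.property && !r.value).map((r) => r.role);
}

// Constructed sample rules and entries (not taken from a real directory).
const rules = [
  { property: '', value: '', role: 'Authenticated' },
  { property: 'group', value: 'Admins', role: 'Admin' },
  { property: 'ou', value: 'admins', role: 'Admin' },
];
const viaGroup = { dn: 'dn=alice,ou=staff,dc=example,dc=org', attributes: { group: ['Users', 'Admins'] } };
const viaOu = { dn: 'dn=myname,ou=admins,dc=example,dc=org', attributes: {} };
const plain = { dn: 'dn=bob,ou=staff,dc=example,dc=org', attributes: { group: 'Users' } };
console.log(resolveRoles(viaGroup, rules), resolveRoles(viaOu, rules), resolveRoles(plain, rules));
```

Running a planned rule set through a model like this before saving the action shows which accounts would end up with a privileged role, and `catchAllRules` lists the roles that every account that can bind would receive.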
After you have the Login action set, you can save this action to add this to the form.
If you provided the Test Credentials at the top of the page, then you should be able to perform the following API request within Postman to test an LDAP login.
Here you will see that the Authenticated role has been assigned to the user object.