RapidIdentity Product Guides - 2019 Rolling Release

LDAP Servers

The LDAP Servers interface allows administrators to configure organization-specific LDAP servers to use within RapidIdentity.

Note

Only Active Directory and the Identity Automation distribution of OpenLDAP are supported.


Many of the fields in the legacy UI are preserved in the new UI. There are several changes to note:

  1. The unique ID of the LDAP Server is not shown.

  2. The Bind Password field is visible after checking the red Update Password box.

  3. The icons to reload, add, remove, and duplicate are updated.

  4. The Show Advanced Options button in the legacy UI is now displayed as a toggle called Advanced Options.

  5. The Connect and Response timeouts in the Advanced Options were previously defined in seconds and are now defined in milliseconds.

  6. The checkbox to Trust All Certificates is moved to the Advanced Options and is not checked automatically when SSL or StartTLS encryption methods are selected.

  7. The Advanced Options contains a new field, Referral Hop Limit.

Table 252. LDAP Options

Field Name

Description

Name

The name of the LDAP server. Used only to allow identification of different server connections within the settings.

Server Address

The server address refers to the server that hosts the LDAP directory. The entry can be a fully qualified domain name (e.g. ldapserver.example.com) or an IP address. It is important to verify that the networking infrastructure (i.e. firewalls, etc) allow communication between the RapidIdentity Portal server and the LDAP server referenced in this field.

Encryption Method

RapidIdentity Portal supports SSL and StartTLS encryption types. The default setting is no encryption. Note that no certificate verification is performed when an encryption type is selected. This allows the secure use of self-signed certificates. Active Directory environments require encryption to allow password changes to occur.

Port

The port number that the LDAP server is listening on. The default unencrypted port is 389 and the default encrypted port is 636.

Trust All Certificates

This setting tells RapidIdentity to trust any SSL/TLS certificate presented by the LDAP server. Leaving it unchecked requires you to manually verify that you trust the certificate presented by the LDAP server.

Note

It is strongly recommended that this setting is disabled for production deployments.

Base DN

Base DN for the LDAP server.

Bind DN or User

The specified user account must have sufficient access to the LDAP tree. This includes authenticating, reading, and writing to any DN specified in the configuration. Almost all LDAP operations are performed as this user.

Note

While write access may not be an absolute requirement, some application functionality will be hindered without it.

The built-in object browser makes finding the value required for this field easier.

For Active Directory, this field should be either the userPrincipalName or <domain>/<username> (e.g. what the user would normally use to log in to Windows) rather than the DN.

Update Password / Bind Password

The Bind Password is the password for the Bind DN or User specified above; the field is displayed only after Update Password is selected.

Test Connection and Certificate Settings

This button performs a real-time connection test based on the parameters provided to see if an LDAP connection can be established. A successful test results in a green text box stating "Connect Test Passed".

If encryption is enabled and Trust All Certificates is not enabled, you will also be asked to verify that you trust the certificate (if trust has not already been established for the certificate presented by the LDAP server).

Note

Save all settings before attempting to test the connection.

Save/Cancel

Commit changes or reset the values to default.



Table 253. LDAP Advanced Options

Field Name

Description

Connection Timeout (milliseconds)

The maximum number of milliseconds that RapidIdentity Portal will wait for a valid connection to be established with the LDAP server. Default = 5000.

Response Timeout (milliseconds)

The maximum number of milliseconds that RapidIdentity Portal will wait for a valid response from the LDAP server when performing LDAP operations. Default = 10000.

Search Page Size

This setting is used to specify the maximum LDAP results per page when using the LDAP Simple Paged Results search request control. Default = 1000.

Referral Hop Limit

This setting determines the number of referrals (i.e. hops) the system will follow in a sequence of referrals from one LDAP server to a subsequent LDAP server. Default = 5.

For example, a chain of referrals from LDAP Server 1 to LDAP Server 2 to LDAP Server 3 is two hops.

Follow Referrals

This setting is used to specify whether the system should attempt to follow any referrals generated by the LDAP server during a search.