Configuring LDAP
Dependency-Track can authenticate users against an LDAP directory such as Microsoft Active Directory, ApacheDS, or any other LDAP-compatible server. Once enabled, users log in with their directory credentials rather than a locally managed password.
Authentication flow
Dependency-Track authenticates an LDAP user with two binds. It first binds with the configured service account and searches the directory for the user's entry, then binds again as that entry with the password the user entered. The directory verifies the password, so Dependency-Track never stores or compares it locally; if the second bind succeeds, the user is logged in. With user provisioning enabled, Dependency-Track creates the account automatically on first login.
On every successful login, Dependency-Track refreshes the user's distinguished name and email from the directory and, when team synchronisation is enabled, re-evaluates team membership against the user's current LDAP groups. These attributes are refreshed only at login: a user who has not logged in since the account was provisioned or last synchronised keeps the values captured at that time, so group changes in the directory, including removals, are not reflected in Dependency-Track until that user's next login.
Prerequisites
- A service account in the LDAP directory with read access to users and groups.
- Network connectivity from the Dependency-Track API server to the LDAP server.
- For LDAPS (recommended in production), a valid TLS certificate on the LDAP server. If an internal CA issued the certificate, see Configuring internal CA trust.
Configuration
Configure all LDAP settings via app properties. The examples below use property names; see Application configuration for how property names map to environment variables.
Minimal configuration
Enable LDAP and configure the server connection: the server URL (dt.ldap.server-url), the directory base DN, the bind credentials of the service account from the prerequisites, and the username format (dt.ldap.username-format).
Tip: Dependency-Track substitutes the {0} placeholder in dt.ldap.username-format with the username entered at login.
User provisioning
When enabled, Dependency-Track creates accounts automatically the first time an LDAP user logs in. Otherwise, an administrator must create each account before its user can log in.
dt.ldap.user-provisioning=true
Team synchronisation
When enabled, Dependency-Track keeps team membership in sync with LDAP group membership. Map teams to LDAP groups under Administration > Access Management > Teams.
dt.ldap.team-synchronization=true
dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames))
dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))
Tip: Dependency-Track substitutes {USER_DN} with the authenticated user's distinguished name, and {SEARCH_TERM} with search input from the UI.
Tested configurations
The configurations below have been tested against the named directory implementations. Adapt values such as base DNs, bind credentials, and attribute names to match your environment.
Microsoft Active Directory
Active Directory exposes a global catalog on ports 3268 (LDAP) and 3269 (LDAPS) for forest-wide searches. A global catalog search returns only the attributes replicated to it (the partial attribute set); if you need an attribute that is not replicated, query a domain controller on 389/636 instead, which limits the search to that domain. Users typically authenticate with their User Principal Name (user@domain.com).
Tip: The member:1.2.840.113556.1.4.1941:= OID in the user groups filter enables recursive group membership lookup (LDAP_MATCHING_RULE_IN_CHAIN), so Dependency-Track resolves nested group memberships correctly. This matching rule is specific to Active Directory; other directory servers do not understand it.
For LDAPS (recommended in production), point the URL at the global catalog's TLS port 3269:
dt.ldap.server-url=ldaps://ldap.example.com:3269
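The placeholder substitutions described above ({USER_DN} and {SEARCH_TERM} in the team-synchronisation filters, {0} in dt.ldap.username-format) together with the nested-group filter from the Active Directory tip, as an added example in Python. This is not Dependency-Track's code and does not show how the server itself performs the substitution; it shows the RFC 4515 escaping any such substitution needs so that a search term typed into the UI, or a DN that happens to contain a backslash or parentheses, cannot change the structure of the filter. The function names, the sample DNs and search terms, the character reject list applied to login names, and the objectClass=group clause around the matching-rule OID are assumptions constructed for this example.

```python
"""Render Dependency-Track-style LDAP filter templates with RFC 4515 escaping.

Added example, not Dependency-Track's own code. The placeholders {0},
{USER_DN} and {SEARCH_TERM} are the ones the documentation describes;
every function, the sample DNs and the sample search terms are
constructed for this example.
"""
from typing import Optional

# RFC 4515 section 3: inside a filter assertion value these characters
# must be written as a backslash followed by two hex digits. Anything
# else is matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Characters with structural meaning in a DN (RFC 4514) or a filter
# (RFC 4515). A login name containing any of them is refused rather than
# substituted into the bind-name format. This reject list is an assumption
# of the example; the documentation does not state how the server treats
# such names.
_BIND_NAME_REJECT = set(',+"\\<>;=()*\x00')


def escape_filter_value(value: str) -> str:
    """Escape a string so a filter matches it literally (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *, user_dn: Optional[str] = None,
                  search_term: Optional[str] = None) -> str:
    """Substitute {USER_DN} and/or {SEARCH_TERM} into a filter template.

    Both values are escaped before substitution: a DN can legitimately
    contain a backslash or parentheses, and the search term comes straight
    from the UI, so neither may be allowed to alter the filter's structure.
    """
    rendered = template
    if user_dn is not None:
        rendered = rendered.replace("{USER_DN}", escape_filter_value(user_dn))
    if search_term is not None:
        rendered = rendered.replace("{SEARCH_TERM}", escape_filter_value(search_term))
    for placeholder in ("{USER_DN}", "{SEARCH_TERM}"):
        if placeholder in rendered:
            raise ValueError(f"template still contains {placeholder}")
    return rendered


def username_to_bind_name(username_format: str, username: str) -> str:
    """Apply a dt.ldap.username-format style template ({0} = login name).

    The result is what the server binds as, so it must be a plain DN or
    UPN built from the entered name, never a name the user has extended
    with extra DN components.
    """
    bad = sorted(set(username) & _BIND_NAME_REJECT)
    if bad:
        raise ValueError(f"login name contains reserved characters: {bad!r}")
    return username_format.replace("{0}", username)


if __name__ == "__main__":
    # Constructed sample values for the filter templates documented above.
    team_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))"
    # The objectClass=group clause is an assumption; only the matching-rule
    # OID comes from the Active Directory tip.
    ad_nested_filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER_DN}))"
    user_search = "(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))"

    print(render_filter(team_filter, user_dn="uid=jdoe,ou=People,dc=example,dc=com"))
    # A DN with an escaped comma carries a backslash, which becomes \5c.
    print(render_filter(team_filter, user_dn="cn=Doe\\, Jane,ou=People,dc=example,dc=com"))
    print(render_filter(ad_nested_filter, user_dn="CN=Jane Doe,OU=Users,DC=example,DC=com"))
    # The template's own wildcards stay; the user's "*" and parentheses do not.
    print(render_filter(user_search, search_term="*)(objectClass=*"))
    print(username_to_bind_name("uid={0},ou=People,dc=example,dc=com", "jdoe"))
    print(username_to_bind_name("{0}@example.com", "jane.doe"))
```

Run it directly to print the rendered filters. The hostile search term in the last render stays inside the cn=*...* assertion because every *, ( and ) it contains is hex-escaped; without that escaping it would close the assertion and append an (objectClass=*) clause, turning a name search into a match on every entry.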
ApacheDS
Fedora 389 Directory Server
NetIQ / Novell eDirectory
eDirectory typically uses LDAPS on port 636 and an organisation-based DN structure.
All LDAP properties
For a full list of LDAP-related configuration properties and their types, defaults, and environment variable equivalents, see the configuration reference.
See also
- Permissions: mapping LDAP groups to Dependency-Track teams
- Configuring OpenID Connect: alternative to LDAP using OpenID Connect
- Configuring internal CA trust: trust internal TLS certificates for LDAPS