Prerequisites
- A working LDAP or Active Directory server accessible from the DDM server over the network.
- An SSL/TLS certificate installed on your LDAP server. This can be a CA-signed certificate or, from DDM 1.8.3 onwards, a self-signed certificate.
  - The Root CA certificate: the CA that signed the LDAP server's TLS certificate.
  - Two-tier PKI: if your chain is Root CA → Subordinate CA → Server cert, provide the full CA chain (root + subordinate), excluding the server cert.
- The LDAP server hostname or IP address.
- The LDAPS port number (typically 636).
- The Bind DN and password for your LDAP server (e.g., cn=admin,dc=example,dc=com).
- The Base DN for your directory (e.g., dc=example,dc=com).
- Knowledge of the User Object Attributes used in your directory (e.g., uid, mail, cn).
Required Ports
- LDAP / StartTLS: Port 389
- LDAPS (LDAP over SSL): Port 636
Ensure the appropriate port is open and accessible between the DDM server and your LDAP server.
Configuration
How do I configure LDAPS in DDM?
- Log in to the DDM web interface as Administrator.
- Navigate to Settings → External Services.
- Toggle the LDAP service slider to On.
- Enter your LDAP server details:
- Hostname: The hostname or IP address of your LDAP server.
- Port: Enter 636 for LDAPS.
- Encryption: Select LDAPS.
- Bind DN: The distinguished name used to connect to your LDAP server (e.g., cn=admin,dc=example,dc=com).
- Password: The password for the Bind DN account.
- Base DN: The search base in your directory tree (e.g., dc=example,dc=com).
- Configure the User Object Attributes to match the attributes used in your LDAP directory. These must match exactly, or user queries will fail.
- Click Test Connection to verify the connection to your LDAP server.
- Once the test passes, click Save to apply the configuration.
The DDM dashboard will confirm the LDAP server is connected under the External Services status card.
What are User Object Attributes and why do they matter?
User Object Attributes tell DDM which fields in your LDAP directory correspond to the username, email address, and other user properties. These must exactly match the attribute names configured in your directory server; for example, Active Directory typically uses sAMAccountName for usernames, while OpenLDAP may use uid or cn. Mismatched attributes are a common cause of connection or login failures.
LDAP Groups and Roles
How do I assign DDM roles to LDAP users?
DDM uses LDAP Groups to map directory users to DDM roles. After connecting your LDAP server:
- Navigate to the LDAP Groups tab on the Users page.
- Click Add Group and give the group a name (e.g., "Admins", "Operators").
- Enter an LDAP query that returns the desired set of users (e.g., (gidNumber=1000) or (memberOf=CN=DanteAdmins,OU=Groups,DC=example,DC=com)).
- A simple test query is (uid=*) for OpenLDAP directories or (sAMAccountName=*) for Active Directory.
- Click Test to verify the query returns the expected users.
- Assign a default role and optional domain-specific roles to the group.
- Click Save.
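Before pasting a group query into DDM it is worth confirming that it is well-formed LDAP filter syntax (plain-English operators such as OR are not part of that syntax; alternatives are written as (|(a=*)(b=*))). The following Python script is an added example written for this page, not DDM's own code. It parses a filter with a small RFC 4515 parser, builds the combined all-users test query, and shows how a username or group DN must be escaped before it is substituted into a filter so that characters such as ( ) * cannot change the query's meaning. The attribute names and DN are the page's own examples; the function names are hypothetical.

```python
import re

# RFC 4515 escapes for the characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One simple item: attribute, comparison operator, value (value may not contain raw parentheses).
_ITEM_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9.;-]*)(=|~=|>=|<=)([^()]*)")


def escape_filter_value(value):
    """Escape a string so it can be substituted into a filter as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_filter(text):
    """Parse an LDAP search filter into a small tuple AST; raise ValueError if malformed."""

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|":
            op = text[i]
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if not children:
                raise ValueError(f"'{op}' needs at least one sub-filter at offset {i}")
            node = (op, children)
        elif i < len(text) and text[i] == "!":
            child, i = parse(i + 1)
            node = ("!", [child])
        else:
            m = _ITEM_RE.match(text, i)
            if not m:
                raise ValueError(f"expected 'attribute=value' at offset {i}")
            attr, op, value = m.groups()
            i = m.end()
            node = (op, attr, value)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}: {text[end:]!r}")
    return node


def is_valid_filter(text):
    """True if the text is a syntactically valid filter that DDM could send to the directory."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def any_user_filter(*attrs):
    """Build the 'can DDM see any users?' test query, e.g. (|(uid=*)(sAMAccountName=*))."""
    if len(attrs) == 1:
        return f"({attrs[0]}=*)"
    return "(|" + "".join(f"({a}=*)" for a in attrs) + ")"


def user_lookup_filter(attr, username):
    """Filter for looking up one login name: the value is escaped, never spliced in raw."""
    return f"({attr}={escape_filter_value(username)})"


def member_of_filter(group_dn):
    """Filter for members of a group, with the DN escaped as a filter value."""
    return f"(memberOf={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    for q in ["(gidNumber=1000)",
              "(memberOf=CN=DanteAdmins,OU=Groups,DC=example,DC=com)",
              any_user_filter("uid", "sAMAccountName"),
              "(UID=*) OR (SamAccountName=*)"]:  # not filter syntax: parse fails
        print(f"{q!r}: {'ok' if is_valid_filter(q) else 'INVALID'}")
```

Running the script prints a verdict for each sample query; the last one fails because the parser finds text after the first complete filter. The escaping functions matter for the login path rather than the admin form: a login name containing `)(` must become `\29\28` so the resulting filter still matches exactly one attribute value.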
Certificate Requirements
Does DDM support self-signed certificates for LDAPS?
Yes. From DDM 1.8.3 onwards, self-signed certificates are supported for LDAPS connections. If you are running a DDM version earlier than 1.8.3, you must use a certificate issued by a trusted Certificate Authority (for example, GoDaddy).
What certificate options are available?
| DDM Version | CA-Signed Certificates | Self-Signed Certificates |
|---|---|---|
| Prior to 1.8.3 | ✅ Supported | ❌ Not supported |
| 1.8.3 and later | ✅ Supported | ✅ Supported |
If using a self-signed certificate, ensure it is correctly installed on your LDAP server and that the DDM server trusts it.
Troubleshooting
The "Test Connection" button fails. What should I check?
- Verify the DDM server can reach the LDAP server: try pinging the LDAP server from the DDM network.
- Confirm the correct port is being used (389 for LDAP/StartTLS, 636 for LDAPS).
- For LDAPS, ensure your LDAP server has a valid SSL/TLS certificate. If using a self-signed certificate, confirm you are running DDM 1.8.3 or later.
- Double-check the Bind DN, password, and Base DN for typos.
- Verify the User Object Attributes match your directory's schema.
LDAP login works briefly after a DDM restart but then stops.
This is a known issue in some DDM versions. The recommended fix is to remove all LDAP attributes from the DDM configuration and re-enter them.
Users can't log in even though the LDAP connection test passes.
- Verify that the user exists in the directory under the configured Base DN.
- Check that the User Object Attributes in DDM match the actual attribute names in your directory.
- Try running a test LDAP query under the LDAP Groups tab using a simple query such as (uid=*) to confirm DDM can see your directory users.
- Ensure the user is a member of at least one LDAP Group configured in DDM.
- For LDAPS, ensure the full certificate chain (including any intermediate certificates) is installed on the LDAP server, not just the leaf/server certificate.
- Verify that the hostname or IP address configured in DDM for the LDAP server matches the Common Name (CN) or a Subject Alternative Name (SAN) present in the LDAP server's TLS certificate.
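The last two checks (full CA chain installed, and the configured hostname or IP matching the certificate's CN or SAN) can be tested from the DDM network without DDM in the loop. The following Python script is an added example, not part of DDM or this page. `probe_ldaps` opens a TLS connection to the LDAPS port and verifies the server's chain against a CA bundle holding the root plus any subordinate CA, as listed under Prerequisites; `hostname_matches_cert` applies the CN/SAN matching rules to the certificate dictionary that Python's `ssl` module returns, so it can show why a server configured by IP address fails when the certificate carries only a DNS name. The sample certificate dictionaries are constructed for illustration, `ldap.example.com` and `10.0.0.5` are placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, host):
    """Match one DNS name from the certificate against the configured hostname.
    A wildcard is honoured only as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    host_labels = host.split(".")
    # '*.example.com' must not match 'example.com' or 'a.b.example.com'; '*.com' is rejected.
    return "." in suffix and len(host_labels) >= 2 and ".".join(host_labels[1:]) == suffix


def hostname_matches_cert(configured_host, cert):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    dns_ids = [v for kind, v in sans if kind == "DNS"]
    ip_ids = [v for kind, v in sans if kind == "IP Address"]
    if ip is not None:
        # An IP address is matched only against IP-address SANs, never the CN or DNS SANs.
        return any(ipaddress.ip_address(v) == ip for v in ip_ids)
    if sans:
        # When a SAN extension is present the CN is ignored, as modern TLS clients do.
        return any(_dns_name_matches(p, configured_host) for p in dns_ids)
    # Legacy fallback for certificates without any SAN: compare against the subject CN.
    return any(_dns_name_matches(v, configured_host)
               for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName")


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect over TLS the way an LDAPS client would and report (ok, detail).
    cafile is a PEM bundle with the root and any subordinate CA (not the server cert);
    None uses the system trust store. Needs a reachable server."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on; the name check is done by hostname_matches_cert so that
    # a chain problem and a CN/SAN mismatch are reported as different failures.
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain verification failed (missing root/intermediate?): {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
    if not hostname_matches_cert(host, cert):
        return False, f"'{host}' is not in the certificate CN/SAN: {cert.get('subjectAltName')}"
    return True, cert


# Constructed sample certificates in getpeercert() shape (placeholder names and address).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.corp.example.com"),
                       ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.com"),),)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder
    ca_bundle = sys.argv[2] if len(sys.argv) > 2 else None
    ok, detail = probe_ldaps(host, cafile=ca_bundle)
    print("OK" if ok else "FAILED", detail.get("subject") if ok else detail)
```

Run it as `python probe.py ldap.example.com ca-chain.pem` from a host on the DDM network. A chain error points at the server-side installation (missing intermediate, or a root not in the bundle), while a name error means the value entered in DDM's Hostname field should be changed to one that appears in the certificate, or the certificate reissued with the address DDM uses.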