
LDAP Configuration


Simflofy offers both LDAP Authentication and LDAP Sync for standard LDAP servers as well as Microsoft Active Directory.

Setting up LDAP Authentication and Sync

To update the LDAP properties, look in simflofy-admin/WEB-INF/classes/.

Active Directory

Active Directory authentication has different requirements; see the Active Directory (3.1.1+) section below.

Admin User

When using LDAP or AD for authentication, the default admin user will not be available, so be sure to have role mappings configured before switching.


Property | Description | Example Value
auth.ldap.url | The full URL of your LDAP instance, including domain information | ldap://,dc=myorg,dc=com
(property name missing from source) | Base search name for individual users | ou=users
(property name missing from source) | Filter used to find users, based on their login | (uid={0})
(property name missing from source) | Base search criteria for groups | ou=groups
(property name missing from source) | Filter used to search for users within a group | (uniquemember={0})

Role Mappings

The values can be comma delimited to map multiple groups to a role. Spaces are allowed.

Simflofy Admin Roles

Property | Role
auth.ldap.execGroupName | EXECUTOR

TSearch Roles


These values will be converted to the format "ROLE_(AUTHORITY)", which is the standard format for an authority.

These values are checked when authenticating to assign a role to a new user.

Example: auth.ldap.adminGroupName=exampleAdmins will become ROLE_EXAMPLEADMINS.


If an authority passed to the user mapper by the LDAP server does not begin with ROLE_, Simflofy will prepend it. Additionally, all authorities are converted to uppercase.


Map LDAP group to Simflofy Administrators


Map LDAP group to Simflofy Read-Only Users


These two properties should reflect the name of the groups in your directory server.
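The following is an added example (not Simflofy code) of how the role-mapping rules described above behave: comma-delimited group names with spaces allowed, the ROLE_ prefix added when missing, uppercasing, and a check that rejects one group mapped to two roles, which the page states is unsupported. Of the property names, only auth.ldap.adminGroupName and auth.ldap.execGroupName come from the page; auth.ldap.readOnlyGroupName and the role labels ADMIN and READ_ONLY are placeholders chosen for the illustration.

```python
# Added example, not Simflofy's implementation. It models the page's role-mapping
# rules over a constructed set of properties.

def normalize_authority(value: str) -> str:
    """Convert an LDAP group name or server-supplied authority into ROLE_<UPPERCASE>.
    Per the page: prepend ROLE_ if it is not already present, and uppercase everything."""
    upper = value.strip().upper()
    return upper if upper.startswith("ROLE_") else "ROLE_" + upper


def parse_group_list(raw: str) -> list:
    """Split a comma-delimited property value; spaces inside and around names are kept."""
    return [g.strip() for g in raw.split(",") if g.strip()]


def build_authority_map(props: dict, role_of_property: dict) -> dict:
    """Map each normalized authority (ROLE_<GROUP>) to the Simflofy role its property confers.
    Raises ValueError if one group would map to two different roles (unsupported per the page)."""
    mapping = {}
    for prop, role in role_of_property.items():
        for group in parse_group_list(props.get(prop, "")):
            authority = normalize_authority(group)
            if authority in mapping and mapping[authority] != role:
                raise ValueError(
                    f"group {group!r} is mapped to both {mapping[authority]} and {role}")
            mapping[authority] = role
    return mapping


def roles_for_user(ldap_authorities, authority_map: dict) -> list:
    """Roles a newly authenticated user receives from the authorities the LDAP server returned.
    Authorities that match no configured group are ignored."""
    roles = set()
    for authority in ldap_authorities:
        role = authority_map.get(normalize_authority(authority))
        if role is not None:
            roles.add(role)
    return sorted(roles)


# Constructed sample properties. auth.ldap.readOnlyGroupName is a hypothetical name;
# the page does not preserve the real property for the read-only mapping.
SAMPLE_PROPS = {
    "auth.ldap.adminGroupName": "exampleAdmins, Platform Ops",  # two groups, spaces allowed
    "auth.ldap.execGroupName": "jobRunners",
    "auth.ldap.readOnlyGroupName": "auditors",
}

# Which Simflofy role each property confers. EXECUTOR is from the page; the others are
# placeholder labels for the Administrators and Read-Only roles.
ROLE_OF_PROPERTY = {
    "auth.ldap.adminGroupName": "ADMIN",
    "auth.ldap.execGroupName": "EXECUTOR",
    "auth.ldap.readOnlyGroupName": "READ_ONLY",
}

if __name__ == "__main__":
    authority_map = build_authority_map(SAMPLE_PROPS, ROLE_OF_PROPERTY)
    print(authority_map)
    print(roles_for_user(["exampleAdmins", "someUnmappedGroup"], authority_map))
```

Because the comparison happens after normalization, a directory group named "Example Admins" and a property value "example admins" resolve to the same authority; if you see users landing in unexpected roles, normalize both sides the same way before comparing.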

User Attributes

Additionally, you can set which attribute fields are checked to map users from your LDAP. Here are the properties and their defaults.

Property | Description | Default
auth.ldap.attr.uid | Required. The field that will become the user's login | uid
auth.ldap.attr.fname | The user's first name | displayName
auth.ldap.attr.lname | The user's last name | sn
auth.ldap.attr.mail | The user's email address | mail

Group and User Sync

If you have groups and users you wish to automatically sync to Simflofy, you can use the following configurations. They are shown here with their default values.

LDAP Sync is executed at startup and can be manually triggered for individual users or groups.

LDIF Requirements

This feature will only work if your LDAP groups contain the keys to their users.

Property | Description | Default
auth.ldap.userdn | The distinguished name of the authenticating user. Used if your LDAP requires authentication |
auth.ldap.ldappass | The password for the authenticating user, if needed |
(property name missing from source) | …groups at startup | false
(property name missing from source) | …users with their groups. Only occurs if mapping groups. | false
(property name missing from source) | Name attribute of the LDAP group. Will become the name of the user group, with "ldap:" prepended | ou
(property name missing from source) | Attribute on the group used to denote a member. Will be used to gather user ids. | uniqueMember
(property name missing from source) | Class of object to search for when looking for a group | organizationalUnit
(property name missing from source) | Class of object to search for when looking for a user | organizationalPerson
(property name missing from source) | Id attribute for a user, which should represent their login name | uid
(property name missing from source) | Attribute which represents the full distinguished name of the user, including domain |
(property name missing from source) | …groups that have no users | false
(property name missing from source) | Comma delimited list of group names to skip mapping. Ex. (Group1,Group2,...) |

Re-syncing a user

LDAP users are marked as such in the database. In the Admin > Users page you will see the sync icon available next to LDAP users.

Multiple Roles

Simflofy does not support mapping the same groups to different roles, and vice versa.

Re-syncing a Group

Groups can be re-synced by editing them in the Admin > User Groups page.

Active Directory (3.1.1+)

Simflofy can also use Active Directory for authentication. In order to do so, the following fields are required:

Property | Description | Example Value
auth.ldap.ad | Lets Simflofy know it's connecting to Active Directory | true
auth.ldap.url | Your LDAP URL with port. Do not include any domain information | ldap://somehost:389
auth.ldap.attr.uid | Will become the user's login. The example value is the default field for Active Directory. | sAMAccountName
auth.ldap.userdn | Active Directory always requires authentication to connect. Be sure the authenticating user has the authority to search | user@domain
auth.ldap.ldappass | The authenticating user's password | mypassword

The user does not need to supply the @domain during authentication.

Active Directory Sync (3.1.1+)

In order to use the sync feature with Active Directory, the following fields must be populated. Their values for the default Active Directory configuration are included.

LDAP Sync Order of operations

  1. Search objectClass =

  2. Return group list by mapping names using

Then, for each group name,

  1. Check if a user group by that name exists. We add the ldap: prefix for sync groups.

  2. Search for the group by name.

  3. Extract a list of members from the group using

  4. Search the ldap for that user with

  5. Extract that user's uid using the

  6. Add id to list of users

  7. If mapping users, search for the user's authorities using their id.

  8. Map the user to the Simflofy database using the mapping attributes above.

  9. Set the new user list on the group, and save.
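The following is an added example (not Simflofy code) that walks the sync order of operations above against a small constructed in-memory directory. The attribute and object-class names are the defaults from the sync table (organizationalUnit, ou, uniqueMember, organizationalPerson, uid) and the user-attribute defaults (displayName, sn, mail); the properties that set them are not preserved on the page, so they appear here as plain fields on a SyncConfig dataclass. The search function is a stand-in for an LDAP equality-filter search, and SimflofyDb is a stand-in for the Simflofy database. The directory deliberately contains a dangling member DN, a group with no users, and the ou=users container itself, to show how each is handled.

```python
# Added example, not Simflofy's implementation: a simulation of the LDAP sync steps
# listed on this page, run over a constructed directory with the page's default
# attribute and object-class names.
from dataclasses import dataclass, field


@dataclass
class SyncConfig:
    # Defaults from the sync table; the real property names are not on the page.
    group_object_class: str = "organizationalUnit"
    group_name_attr: str = "ou"                 # group name, stored as "ldap:<name>"
    member_attr: str = "uniqueMember"           # holds member DNs
    user_object_class: str = "organizationalPerson"
    user_id_attr: str = "uid"                   # becomes the login name
    fname_attr: str = "displayName"             # auth.ldap.attr.fname default
    lname_attr: str = "sn"                      # auth.ldap.attr.lname default
    mail_attr: str = "mail"                     # auth.ldap.attr.mail default
    map_users: bool = True                      # "...users with their groups"
    include_empty_groups: bool = False          # "...groups that have no users"
    skip_groups: tuple = ()                     # comma-delimited skip list, already split


def user_dn(uid):
    return f"uid={uid},ou=users,dc=myorg,dc=com"


def person(uid, first, last):
    return {"objectClass": ["organizationalPerson"], "uid": [uid],
            "displayName": [first], "sn": [last], "mail": [f"{uid}@myorg.com"]}


# Constructed directory: DN -> attributes (every value is a list, as in LDIF).
DIRECTORY = {
    "ou=users,dc=myorg,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["users"]},
    user_dn("alice"): person("alice", "Alice", "Adams"),
    user_dn("bob"): person("bob", "Bob", "Brown"),
    user_dn("carol"): person("carol", "Carol", "Chen"),
    "ou=editors,ou=groups,dc=myorg,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["editors"],
        "uniqueMember": [user_dn("alice"), user_dn("bob")]},
    "ou=auditors,ou=groups,dc=myorg,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["auditors"],
        "uniqueMember": [user_dn("carol"), user_dn("ghost")]},   # ghost has no entry
    "ou=empty,ou=groups,dc=myorg,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["empty"]},
}


def search(directory, object_class, **terms):
    """Stand-in for an LDAP search with an AND-ed equality filter, e.g. (&(objectClass=X)(ou=Y))."""
    return [(dn, e) for dn, e in directory.items()
            if object_class in e.get("objectClass", [])
            and all(v in e.get(k, []) for k, v in terms.items())]


@dataclass
class SimflofyDb:
    groups: dict = field(default_factory=dict)   # "ldap:<name>" -> sorted user ids
    users: dict = field(default_factory=dict)    # login -> mapped user record


def ldap_sync(directory, cfg=None, db=None):
    cfg = cfg or SyncConfig()
    db = db or SimflofyDb()
    # Steps 1-2: search by the group object class, then map the name attribute.
    group_names = [e[cfg.group_name_attr][0] for _, e in search(directory, cfg.group_object_class)]
    for name in group_names:
        if name in cfg.skip_groups:
            continue
        key = "ldap:" + name                                         # step 1: sync-group prefix
        _, group = search(directory, cfg.group_object_class, **{cfg.group_name_attr: name})[0]  # step 2
        members = {}                                                 # uid -> (dn, entry)
        for member_dn in group.get(cfg.member_attr, []):             # step 3
            entry = directory.get(member_dn)                         # step 4
            if not entry or cfg.user_object_class not in entry.get("objectClass", []):
                continue                                             # dangling or non-user member
            members[entry[cfg.user_id_attr][0]] = (member_dn, entry)  # steps 5-6
        if not members and not cfg.include_empty_groups:
            continue
        if cfg.map_users:
            for uid, (dn, entry) in members.items():
                # Step 7: the user's authorities are the groups that list their DN.
                authorities = sorted(g[cfg.group_name_attr][0]
                                     for _, g in search(directory, cfg.group_object_class)
                                     if dn in g.get(cfg.member_attr, []))
                db.users[uid] = {                                    # step 8
                    "first": entry.get(cfg.fname_attr, [""])[0],
                    "last": entry.get(cfg.lname_attr, [""])[0],
                    "mail": entry.get(cfg.mail_attr, [""])[0],
                    "authorities": authorities,
                    "ldap": True,                                    # marked for re-sync
                }
        db.groups[key] = sorted(members)                             # step 9
    return db


if __name__ == "__main__":
    result = ldap_sync(DIRECTORY)
    print(result.groups)
    print(sorted(result.users))
```

Two things worth checking in your own directory before enabling sync: with the default group object class, any organizationalUnit entry (here the ou=users container) is treated as a group, so it will appear as an "ldap:" group if you enable syncing of groups that have no users; and a member DN that does not resolve to a user entry (ghost above) is silently dropped from the group rather than failing the sync.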