# Configuring LDAP authentication for Microsoft Active Directory

To configure LDAP for MetalSoft a series of configurations are required on both the MetalSoft side and also on the Identity Provider side to ensure that MetalSoft uses the correct attributes.

The following are the attributes that need to be configured and an example configuration using Microsoft Active Directory.

1. LDAP URL: ldap://saml-test.ad.metalsoft.dev:389
2. LDAP User Search Base: `ou=adfsusers,dc=ad,dc=metalsoft,dc=dev`
3. LDAP User Search Filter: `(userPrincipalName={{username}})`
4. LDAP Group Search Base: `ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev`
5. LDAP Group Search Filter: `(member={{dn}})`
6. LDAP Bind DN: `cn=adfsadmin,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev``
7. LDAP Bind Credentials: `(As set for adfsadmin)`
8. LDAP Allowed Domains: `ad.metalsoft.dev`

Now users can log in but by default they will be assigned the `User` role. 

The default mappings (LDAP Group-MetalSoft role) are the following:

* `MS-Model_root` - `root`
* `MS-Model_FullAdmin` - `full_admin`
* `MS-Model_BasicAdmin` - `basic_admin`

Thus adding a user in the group `MS-Model_FullAdmin` will be mapped to a `full_admin` role in MetalSoft.