# Configuring LDAP authentication for Microsoft Active Directory

To configure LDAP for MetalSoft, settings are required on both the MetalSoft side and the Identity Provider side so that MetalSoft uses the correct attributes. The settings below are the ones that need to be configured, shown with an example configuration for Microsoft Active Directory. They are changed in the Admin UI under Global Configuration/Authentication after ticking "Enable LDAP Authentication".

:::{important}
When testing the configuration, we strongly suggest keeping "Enable built-in Authentication" enabled until LDAP authentication and login have been confirmed as working.
:::

1. LDAP URL: `ldap://saml-test.ad.metalsoft.dev:389`
2. LDAP User Search Base: `ou=adfsusers,dc=ad,dc=metalsoft,dc=dev`
3. LDAP User Search Filter: `(userPrincipalName={{username}})`
4. LDAP Group Search Base: `ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev`
5. LDAP Group Search Filter: `(member={{dn}})`
6. LDAP Bind DN: `cn=adfsadmin,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev`
7. LDAP Bind Credentials: `(As set for adfsadmin)`
8. LDAP Allowed Domains: `ad.metalsoft.dev`

Note that a plain `ldap://` URL on port 389 sends the bind credentials and every search result in clear text unless StartTLS is negotiated; treat the example URL as a test-lab value and use an encrypted connection (`ldaps://`, normally port 636) to a production domain controller where it is available. The bind account only needs read access to the two search bases and should be given no other rights.

After this is set up, the following groups must be created (LDAP group - MetalSoft role):

* `MS-Model_root` - `root`
* `MS-Model_FullAdmin` - `full_admin`
* `MS-Model_BasicAdmin` - `basic_admin`
* `MS-Model_User` - `user`

Within LDAP, the following fields are used by MetalSoft:

* `userPrincipalName` - used to log in
* `mail` - used to identify the user (if the user is an existing built-in user, the mail address is matched against the email address field in MetalSoft)
* `sAMAccountName` - used to populate the user name in MetalSoft
* group membership (as above) - used to assign the role to the user

Adding a user to the group `MS-Model_FullAdmin` maps that user to the `full_admin` role in MetalSoft. Once the LDAP configuration and the groups have been set up, users will be able to log in.
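The lookup that the settings above describe, as an added example that is not MetalSoft code: it renders the two filters from the configured templates, runs the user search under the User Search Base, runs the group search for the resulting DN under the Group Search Base, and maps the `MS-Model_*` groups to roles. Everything it queries is a constructed in-memory directory (the entries, the `BUILTIN_USERS` table and the `search` matcher, which only models a single equality filter, are assumptions made for the example). Two behaviours the page does not specify are also assumptions and marked as such in the code: the Allowed Domains setting is checked against the UPN suffix, and when a user is in several mapped groups the most privileged one wins.

```python
import re

# MetalSoft settings as listed on this page (Admin UI, Global Configuration/Authentication).
LDAP_CONFIG = {
    "url": "ldap://saml-test.ad.metalsoft.dev:389",
    "user_search_base": "ou=adfsusers,dc=ad,dc=metalsoft,dc=dev",
    "user_search_filter": "(userPrincipalName={{username}})",
    "group_search_base": "ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev",
    "group_search_filter": "(member={{dn}})",
    "bind_dn": "cn=adfsadmin,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev",
    "allowed_domains": ["ad.metalsoft.dev"],
}

# LDAP group -> MetalSoft role as listed on this page, ordered from most to least privileged.
GROUP_ROLES = {
    "MS-Model_root": "root",
    "MS-Model_FullAdmin": "full_admin",
    "MS-Model_BasicAdmin": "basic_admin",
    "MS-Model_User": "user",
}

# Constructed (hypothetical) built-in MetalSoft accounts, keyed by e-mail address.
BUILTIN_USERS = {"jane@metalsoft.dev": "jane.builtin"}

JANE = "cn=jane,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev"
BOB = "cn=bob,ou=adfsusers,dc=ad,dc=metalsoft,dc=dev"

# Constructed stand-in for the directory. Attribute values are lists, as LDAP returns them.
DIRECTORY = [
    {"dn": JANE, "userPrincipalName": ["jane@ad.metalsoft.dev"],
     "mail": ["jane@metalsoft.dev"], "sAMAccountName": ["jane"]},
    {"dn": BOB, "userPrincipalName": ["bob@ad.metalsoft.dev"],
     "mail": ["bob@metalsoft.dev"], "sAMAccountName": ["bob"]},
    # eve has an allowed UPN suffix but sits outside the configured User Search Base.
    {"dn": "cn=eve,ou=contractors,dc=ad,dc=metalsoft,dc=dev",
     "userPrincipalName": ["eve@ad.metalsoft.dev"], "mail": ["eve@example.net"],
     "sAMAccountName": ["eve"]},
    {"dn": "cn=MS-Model_FullAdmin,ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev",
     "cn": ["MS-Model_FullAdmin"], "member": [JANE]},
    {"dn": "cn=MS-Model_User,ou=adfsGroups,dc=ad,dc=metalsoft,dc=dev",
     "cn": ["MS-Model_User"], "member": [JANE, BOB]},
]


def escape_filter_value(value):
    """RFC 4515 escaping, so a username such as '*' or 'x)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_filter(template, **values):
    """Substitute the {{username}} / {{dn}} placeholders, escaping each value."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: escape_filter_value(values[m.group(1)]), template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base, ldap_filter):
    """Minimal subtree search: one '(attr=value)' equality filter, case-insensitive matching."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only a single equality filter is modelled: " + ldap_filter)
    attr, want = m.group(1).lower(), _unescape(m.group(2)).lower()
    base = base.lower()
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"].lower()
        if dn != base and not dn.endswith("," + base):
            continue  # outside the search base: invisible to this query
        values = next((v for k, v in entry.items() if k.lower() == attr), [])
        if any(v.lower() == want for v in values):
            hits.append(entry)
    return hits


def resolve(username, config=LDAP_CONFIG):
    """Return the MetalSoft account this login would map to, or None when login is refused."""
    # Assumption: LDAP Allowed Domains is checked against the UPN suffix.
    if username.rpartition("@")[2].lower() not in [d.lower() for d in config["allowed_domains"]]:
        return None
    users = search(config["user_search_base"],
                   render_filter(config["user_search_filter"], username=username))
    if len(users) != 1:
        return None  # unknown, or ambiguous: never silently pick one of several matches
    user = users[0]
    groups = search(config["group_search_base"],
                    render_filter(config["group_search_filter"], dn=user["dn"]))
    roles = [GROUP_ROLES[g["cn"][0]] for g in groups if g["cn"][0] in GROUP_ROLES]
    if not roles:
        return None  # no MS-Model_* membership means no role and no login
    # Assumption: the most privileged mapped group wins; the page does not state the tie-break.
    role = min(roles, key=list(GROUP_ROLES.values()).index)
    email = user["mail"][0]
    return {"username": user["sAMAccountName"][0], "email": email, "role": role,
            "converted_builtin": email in BUILTIN_USERS}


if __name__ == "__main__":
    for login in ["jane@ad.metalsoft.dev", "bob@ad.metalsoft.dev",
                  "eve@ad.metalsoft.dev", "*@ad.metalsoft.dev", "jane@evil.example"]:
        print(login, "->", resolve(login))
```

Against the real domain controller, the same two queries are what you would run with `ldapsearch -H <LDAP URL> -D <Bind DN> -W -b <search base> '<rendered filter>'` before ticking "Enable LDAP Authentication": first the user filter with a real `userPrincipalName` under the User Search Base, then `(member=<the DN that came back>)` under the Group Search Base. If either query returns nothing for the bind account, the login will fail even though the settings look right, which is usually a search-base or bind-account permission problem rather than a credential one.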
:::{important}
If a user is set up as a built-in user and the domain is then switched to LDAP, the built-in user is converted to an LDAP user and its role is changed according to the group the user is assigned to.
:::

:::{important}
Currently, an archived user cannot be converted to an LDAP user. The user has to be un-archived before they can log in using LDAP.
:::