
Bastionhost:Configure AD authentication or LDAP authentication

Last Updated: Mar 31, 2026

Bastionhost integrates with Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) authentication servers, letting you sync your existing directory users directly into Bastionhost. This eliminates the need to maintain a separate user management system for the bastion host.

Prerequisites

Before you begin, make sure that:

  • An AD or LDAP environment is deployed

  • Bastionhost can reach the AD or LDAP authentication server

Configure AD authentication

You can configure multiple AD authentication servers for a bastion host — useful when users are spread across multiple domains or organized under multiple Base DNs. Each server must be added and tested separately, then users are imported from each.

The Enterprise edition supports up to 10 AD authentication servers per bastion host. The Basic edition supports only 1.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the AD Authentication tab, click Add Authenticated Server.

  5. In the Add Authenticated Server panel, configure the following parameters, then click Test Connection.

    • Server name (Required): A unique name to identify this AD server. Example: AD server
    • Set as default server (Optional): Sets this server as the default. Only the default server can be modified via API operations.
    • Server address (Required): The endpoint of the authentication server. Example: 139.129.X.X
    • Standby server address (Optional): The endpoint of the secondary server. Leave blank if no secondary server is used.
    • Port (Required): The port of the server. Example: 389
    • SSL (Optional): Select this option if an SSL certificate is installed on the AD authentication server.
    • Base DN (Required): The user directory node on the server. If the node contains more than 100,000 users, imports will take a long time. Keep the user count under 100,000 before importing. Example: cn=Users,dc=alitest,dc=com
    • Domain (Required): The domain where the target users reside. Example: alitest.com
    • Account (Required): The username used to log on to the authentication server. Example: administrator
    • Password (Required): The password used to log on to the authentication server.
    • Filter (Optional): Filter conditions for querying users on the server. Example: (&(objectClass=person))
    • Interval for automatic creation of user snapshots (Optional): How often user snapshots are automatically synchronized. Valid values: 0 and 4 to 168 (hours). Set to 0 to disable automatic sync. Example: 12
    • Display name to be synchronized (Optional): The remote server attribute to use as the user's display name. Default: cn. Clear this option to skip syncing the display name. The logon name is always sourced from sAMAccountName.
    • Email address to be synchronized (Optional): The remote server attribute to use as the user's email address. Default: mail. Clear this option to skip syncing the email address.
    • Mobile phone number to be synchronized (Optional): The remote server attribute to use as the user's mobile phone number. Default: mobile. Clear this option to skip syncing the phone number.
    • Synchronize the organization to which the user belongs as a user group (Optional): When selected, the user's AD organization is automatically created as a user group in Bastionhost when the user is imported. A bastion host supports up to 500 user groups. Subsequent add, delete, and modify operations on AD organizations are not synced to Bastionhost.
  6. After the connectivity test passes, click Save.

Sync user snapshots

To reduce resource consumption during user imports, Bastionhost reads from local user snapshots rather than querying the AD server directly each time. Click Create User Snapshots to trigger an immediate sync, or configure Interval for automatic creation of user snapshots to keep snapshots up to date automatically.

Configure LDAP authentication

Key concepts

If you are new to LDAP, the following concepts help when filling in the configuration parameters:

  • Distinguished name (DN): A unique identifier for an entry in the LDAP directory, similar to a full file path. Example: cn=admin,dc=alitest,dc=com.

  • Base DN: The starting point in the directory tree from which Bastionhost searches for users. Example: ou=saasdun,ou=testgroup,dc=alitest,dc=com.

  • Organizational unit (ou): A container used to group objects in the LDAP directory, similar to a folder. An organization might use ou=HR and ou=IT to separate users by department.

Steps

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.

  2. In the bastion host list, find the target bastion host and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the LDAP Authentication tab, configure the following parameters, then click Test Connection.

    • Server address (Required): The endpoint of the authentication server. Example: 139.129.X.X
    • Standby server address (Optional): The endpoint of the secondary server. Leave blank if no secondary server is used.
    • Port (Required): The port of the server. Example: 389
    • SSL (Optional): Select this option if an SSL certificate is installed on the LDAP authentication server.
    • Base DN (Required): The user directory node on the server. If the node contains more than 100,000 users, imports will take a long time. Keep the user count under 100,000 before importing. Example: ou=saasdun,ou=testgroup,dc=alitest,dc=com
    • Account (Required): The username used to log on to the authentication server. Example: cn=admin,dc=alitest,dc=com
    • Password (Required): The password used to log on to the authentication server.
    • Filter (Optional): Filter conditions for querying users on the server. Example: (&(objectClass=person))
    • Logon name attribute (Optional): The LDAP attribute used as the user's logon name when logging on to the bastion host. Default: uid.
    • Interval for automatic creation of user snapshots (Optional): How often user snapshots are automatically synchronized. Valid values: 0 and 4 to 168 (hours). Set to 0 to disable automatic sync. Example: 12
    • Display name to be synchronized (Optional): The remote server attribute to use as the user's display name. Default: cn. Clear this option to skip syncing the display name. The logon name is always sourced from uid.
    • Email address to be synchronized (Optional): The remote server attribute to use as the user's email address. Default: mail. Clear this option to skip syncing the email address.
    • Mobile phone number to be synchronized (Optional): The remote server attribute to use as the user's mobile phone number. Default: mobile. Clear this option to skip syncing the phone number.
  5. After the connectivity test passes, click Save.
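As an added example that is not part of this page or of Bastionhost, the following Python models how the parameters in the AD and LDAP tables above (Base DN, Filter, the logon name attribute, the display name, email and mobile attributes, and the organization-as-user-group option) turn directory entries into the user snapshot that is imported. The sample directory entries, the 100,000-user and 500-group checks as written here, and the filter evaluator (which handles only equality, presence and AND terms) are assumptions of this example.

```python
# Added example (not Bastionhost code): how the AD/LDAP parameters above turn entries into a snapshot.
MAX_IMPORT_USERS = 100_000   # page: keep the Base DN under 100,000 users before importing
MAX_USER_GROUPS = 500        # page: a bastion host supports up to 500 user groups
def dn_components(dn):
    # 'uid=bob,ou=HR,dc=alitest,dc=com' -> [('uid','bob'), ('ou','HR'), ('dc','alitest'), ('dc','com')]
    return [(k.strip().lower(), v.strip()) for k, v in (p.split("=", 1) for p in dn.split(","))]
def under_base_dn(dn, base_dn):
    # In scope when the DN ends with the Base DN (subtree search); the comparison is case-insensitive
    norm = lambda d: [(k, v.lower()) for k, v in dn_components(d)]
    return norm(dn)[-len(norm(base_dn)):] == norm(base_dn)
def attr_values(attrs, name):
    # LDAP attribute names are case-insensitive and every attribute is multi-valued (a list)
    return [str(v) for k, vals in attrs.items() if k.lower() == name.lower() for v in vals]
def matches_filter(attrs, filt):
    # Supports the filter shapes on this page: (attr=value), (attr=*) and an AND of such terms
    if filt.startswith("(&"):   # e.g. (&(objectClass=person)(mail=*)): every term must hold
        return all(matches_filter(attrs, t) for t in filt[2:-1].strip("()").split(")("))
    attr, _, value = filt.strip("()").partition("=")
    values = [v.lower() for v in attr_values(attrs, attr)]
    return bool(values) if value == "*" else value.lower() in values

def sync_snapshot(entries, base_dn, filt, logon_attr, display_attr="cn",
                  mail_attr="mail", mobile_attr="mobile", org_as_group=False):
    # logon_attr is sAMAccountName for AD, uid for LDAP; pass None for a cleared "... to be synchronized" option
    in_scope = [e for e in entries if under_base_dn(e["dn"], base_dn) and matches_filter(e["attrs"], filt)]
    if len(in_scope) > MAX_IMPORT_USERS: raise ValueError(f"{len(in_scope)} users under the Base DN")
    users, groups = [], set()
    for e in in_scope:
        logon = attr_values(e["attrs"], logon_attr)
        if not logon: continue              # no logon name, so no user can be created
        user = {"logon_name": logon[0]}
        for field, attr in (("display_name", display_attr), ("email", mail_attr), ("mobile", mobile_attr)):
            if attr:                        # first value wins; a missing attribute syncs as None
                user[field] = (attr_values(e["attrs"], attr) or [None])[0]
        if org_as_group:                    # the nearest ou in the DN becomes the user group
            ous = [v for k, v in dn_components(e["dn"]) if k == "ou"]
            user["group"] = ous[0] if ous else None
            groups.update(ous[:1])
        users.append(user)
    if len(groups) > MAX_USER_GROUPS: raise ValueError(f"{len(groups)} user groups exceed {MAX_USER_GROUPS}")
    return users, sorted(groups)

SAMPLE_ENTRIES = [   # constructed sample directory, not real data
    {"dn": "uid=alice,ou=saasdun,ou=testgroup,dc=alitest,dc=com", "attrs": {"objectClass": ["person"],
     "uid": ["alice"], "sAMAccountName": ["alice"], "cn": ["Alice Liu"], "mail": ["alice@example.com"]}},
    {"dn": "uid=bob,ou=hr,ou=testgroup,dc=alitest,dc=com", "attrs": {"objectClass": ["person"], "uid": ["bob"], "cn": ["Bob Wang"]}},
    {"dn": "cn=printer1,ou=devices,ou=testgroup,dc=alitest,dc=com", "attrs": {"objectClass": ["device"]}},
    {"dn": "uid=carol,ou=contractors,dc=alitest,dc=com", "attrs": {"objectClass": ["person"], "uid": ["carol"], "cn": ["Carol"]}},
]
```

Pass sAMAccountName as logon_attr for an AD server and uid for an LDAP server, matching the two tables; an entry without that attribute (bob in AD mode) yields no user, and an entry outside the Base DN (carol) is never considered.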

Sync user snapshots

To reduce resource consumption during user imports, Bastionhost reads from local user snapshots rather than querying the LDAP server directly each time. Click Create User Snapshots to trigger an immediate sync, or configure Interval for automatic creation of user snapshots to keep snapshots up to date automatically.

Clear the LDAP configuration

To remove the LDAP integration, click Clear Settings on the LDAP Authentication tab.

Warning

Clearing the LDAP configuration removes all LDAP-authenticated users from the bastion host. Proceed with caution.