# LDAP

{% hint style="info" %}
This is an older version of the document. To view the most recent version of the document, click [here](https://docs.opsmx.com/products/orchestration-module-opsmx-enterprise-for-spinnaker-oes/additional-feature-configuration/secure-spinnaker/authorization/user-role-providers/ldap).
{% endhint %}

## Setup LDAP Authorization for Spinnaker <a href="#setup-ldap-authorization-for-spinnaker" id="setup-ldap-authorization-for-spinnaker"></a>

### LDAP Authorization Overview <a href="#ldap-authorization-overview" id="ldap-authorization-overview"></a>

* To retrieve groups from an LDAP directory, one can use a manager’s username/password to bind and search for a user’s groups.

### User DNs Pattern <a href="#user-dns-pattern" id="user-dns-pattern"></a>

* While searching for a user’s groups, 'userDnPattern' is used to construct the user’s full distinguished name (DN). In the case below, the user would have a full DN of 'uid=,ou=users,dc=,dc=<.com/.net>'.
* The search would be rooted at 'ou=groups,dc=,dc=net', looking for directory entries that include the attribute 'uniqueMember=uid=,ou=users,dc=,dc=<.com/.net>', which is the structure for the 'groupOfUniqueNames' group standard.
* The group/role name can be extracted by using the 'groupRoleAttribute'. For example, all entries that pass the filter will then have the cn (common name) attribute returned.

### Configure LDAP Auth using Halyard <a href="#configure-ldap-auth-using-halyard" id="configure-ldap-auth-using-halyard"></a>

* Use Halyard to configure Fiat with the LDAP manager credentials and search patterns:

  ```
  hal config security authz ldap edit \
  --url ldaps://<ldap.mydomain.net>:636/dc=mydomain,dc=net \
  --manager-dn uid=admin,ou=system \
  --manager-password \
  --user-dn-pattern uid={0},ou=users \
  --group-search-base ou=groups \
  --group-search-filter "(uniqueMember={0})" \
  --group-role-attributes cn
  ```
* Now set the security authorization type using the command below:

  ```
  hal config security authz edit --type ldap
  ```
* Enable LDAP authorization using the command below:

  ```
  hal config security authz enable
  ```
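
The following added example (not part of the original page and not Fiat's code) shows how the values from the `hal config security authz ldap edit` command combine for one user: the root DN from the URL path, the user DN from `--user-dn-pattern`, the group search base, and the rendered filter. The host `ldap.mydomain.net`, the usernames, the group entries and the RFC 4514/4515 escaping helpers are assumptions made for the illustration.

```python
# Added illustration, not Fiat's code: how the Halyard values above combine.
from urllib.parse import urlparse

URL = "ldaps://ldap.mydomain.net:636/dc=mydomain,dc=net"  # sample host (assumed)

def escape_dn_value(value):
    """Escape a value placed inside a DN (RFC 4514 required characters)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape a value placed inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)

def resolve(username, url=URL, user_dn_pattern="uid={0},ou=users",
            group_search_base="ou=groups", group_search_filter="(uniqueMember={0})"):
    """Return (user DN, group search base, rendered filter) for one user."""
    root = urlparse(url).path.lstrip("/")  # root DN taken from the URL path
    user_dn = user_dn_pattern.replace("{0}", escape_dn_value(username)) + "," + root
    base = group_search_base + "," + root
    rendered = group_search_filter.replace("{0}", escape_filter_value(user_dn))
    return user_dn, base, rendered

# Constructed groupOfUniqueNames entries standing in for the directory.
GROUPS = [
    {"dn": "cn=devops,ou=groups,dc=mydomain,dc=net", "cn": "devops",
     "uniqueMember": ["uid=jdoe,ou=users,dc=mydomain,dc=net"]},
    {"dn": "cn=admins,ou=groups,dc=mydomain,dc=net", "cn": "admins",
     "uniqueMember": ["uid=root,ou=users,dc=mydomain,dc=net"]},
]

def roles_for(username, role_attribute="cn"):
    """Emulate the group search as an equality match on uniqueMember."""
    user_dn, base, _ = resolve(username)
    return [g[role_attribute] for g in GROUPS
            if g["dn"].endswith("," + base) and user_dn in g["uniqueMember"]]

if __name__ == "__main__":
    for name in ("jdoe", "*"):  # constructed usernames
        print(name, resolve(name), roles_for(name))
```

Because the relative values (`ou=users`, `ou=groups`) are appended to the root DN in the URL, changing the URL path changes where both the user DN and the group search resolve.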
