Overview
Fess supports integration with LDAP (Lightweight Directory Access Protocol) servers, enabling authentication and user management in enterprise environments.
LDAP integration enables:
User authentication (login) with Active Directory or OpenLDAP
Group- and role-based access control
Management of LDAP users, roles, and groups from the administration screen (optional)
Supported LDAP Servers
Fess supports integration with the following LDAP servers:
Microsoft Active Directory
OpenLDAP
389 Directory Server
Apache Directory Server
Other LDAP v3 compatible servers
Prerequisites
Network access to the LDAP server
Service account for LDAP searches (bind DN)
Understanding of LDAP structure (base DN, attribute names, etc.)
Configuration Overview
LDAP configuration in Fess is managed in two separate locations depending on its purpose.
- Connection and Authentication Settings (administration screen /
system.properties) These settings control the connection to the LDAP server and login authentication. They can be configured from the “System > General” page in the administration screen, under the “LDAP” section, and are saved to
app/WEB-INF/conf/system.properties.- LDAP Administration and Behavior Settings (
fess_config.properties) These settings control features for managing LDAP users, roles, and groups from the administration screen, as well as behaviors such as role resolution. They are defined in
app/WEB-INF/classes/fess_config.propertiesand can be changed by editing that file.
Note
If you only need login authentication, the “Connection and Authentication Settings” alone are sufficient. The “LDAP Administration” feature (ldap.admin.enabled) is only required when you want to create, update, or delete LDAP users, roles, and groups from the administration screen.
Connection and Authentication Settings
These settings can be configured from the “System > General” LDAP section in the administration screen and are saved to app/WEB-INF/conf/system.properties. You may also edit the file directly.
Example configuration (when editing system.properties directly):
Note
The %s placeholder is processed by Java’s String.format(). ldap.security.principal, ldap.account.filter, ldap.group.filter, and the administration filters all use the %s format (not the {0} format). Note that usernames passed to filters are automatically escaped inside Fess as a protection against LDAP injection.
LDAP Administration and Behavior Settings
The following properties are defined in app/WEB-INF/classes/fess_config.properties. Edit this file to change their values.
Enabling the Administration Feature
Filters and Base DNs for User, Role, and Group Administration
Used to operate LDAP entries from the administration screen when ldap.admin.enabled=true.
Role Resolution and Behavior Control
Controls the behavior of role and group resolution after login.
Attribute Mapping
The mapping between LDAP attributes and Fess user attributes is defined via ldap.attr.* properties. These normally do not need to be changed, but can be adjusted when the schema differs. Representative examples:
Note
Some property names do not match their corresponding LDAP attribute names — for example, ldap.attr.state maps to st and ldap.attr.city maps to l. For the complete list, refer to lines beginning with ldap.attr. in fess_config.properties.
Active Directory Configuration
Configuration example for Microsoft Active Directory (system.properties or the administration screen).
To resolve nested groups, you can use the Active Directory-specific LDAP_MATCHING_RULE_IN_CHAIN.
OpenLDAP Configuration
Configuration example for OpenLDAP.
Note
Standard OpenLDAP does not have the memberOf attribute, so groups are resolved using ldap.group.filter. If the memberof overlay is enabled, ldap.memberof.attribute can also be used.
Security Settings
LDAPS (SSL/TLS)
Use an encrypted connection:
For self-signed certificates, import the certificate into the Java truststore.
Password Protection
ldap.admin.security.credentials is stored in system.properties. Credentials configured from the administration screen are stored encrypted internally. Restrict file permissions appropriately.
Failover
To fail over to multiple LDAP servers, specify multiple URLs separated by spaces in ldap.provider.url.
Troubleshooting
Connection Error
Symptom: LDAP connection fails
Check:
Is the LDAP server running?
Is the port open in the firewall (389 or 636)?
Is
ldap.provider.urlcorrect (ldap://orldaps://)?Are
ldap.admin.security.principaland the password correct?
Authentication Error
Symptom: User authentication fails
Check:
Is the
ldap.security.principaltemplate correct (does it contain%s)?Does the user exist within the specified base DN?
Is
ldap.account.filtercorrect?
Cannot Retrieve Groups or Roles
Symptom: Cannot retrieve user groups or roles
Check:
Is
ldap.group.filtercorrect?Is
ldap.memberof.attributecorrect (for Active Directory)?Do the groups exist within the search base DN?
Are the
ldap.role.search.*.enabledproperties enabled?
Cannot Manage Users from the Administration Screen
Symptom: Cannot create, edit, or delete LDAP users from the administration screen
Check:
Is
ldap.admin.enabledset totrue?Are the administration base DNs such as
ldap.admin.user.base.dncorrect?Does the
ldap.admin.security.principalservice account have write permissions?
Debug Settings
To output detailed logs, add a logger to app/WEB-INF/classes/log4j2.xml.
Reference Information
Role-Based Search Configuration - Role-Based Access Control
SSO Configuration with Windows Integrated Auth - SPNEGO (Kerberos) Authentication
User - User Management Guide