Provider guide

Connect an LDAP or LDAPS staff directory

Configure a secure read-only bind, base DN, user filter, scope, and directory-managed fields.

Active Directory administrators11 min readUpdated July 17, 2026

Prepare the directory

  1. Create a dedicated, read-only bind identity. Do not use a domain administrator account.
  2. Use LDAPS on port 636 or LDAP with STARTTLS on port 389.
  3. Use a certificate whose hostname matches the LDAP server and whose chain is trusted.
  4. Choose the narrowest base DN that contains all intended staff accounts.

Configure the source

  1. Open Directory sources and select LDAP / LDAPS.
  2. Enter the hostname, port, encryption mode, base DN, bind username, and password.
  3. Choose a group, organizational unit, domain, or advanced scope.
  4. Enter a user filter that requires person user objects and excludes disabled accounts where appropriate.
  5. Add exclusions for student OUs, service accounts, shared mailboxes, and other non-staff identities.

Example Active Directory filter

The exact filter depends on your schema. A common starting point for enabled person user objects is shown below; add an organization-specific staff group or OU restriction before production use.

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))