LDAP

Content Type: Module
Categories: Authentication

Overview

The ‘LDAP’ module allows you to provision the end-users of your app. It is a client-side implementation of the Lightweight Directory Access Protocol (LDAP) which lets your app communicate with an LDAP server such as an on-premises Microsoft Active Directory (AD). This makes the module relevant for customers using the ‘Mendix for Private Cloud’ or ‘Mendix for Server-Based deployment’ deployment models. It can be used to synchronize your Mendix app’s end-users, their group memberships, and their status from an LDAP server. Although you can provision end-users in a ‘just-in-time’ (JIT) fashion during user sign-in, pre-provisioning (available through the LDAP module) allows end-users to be set up before their first login. When used to deactivate app end-users stored within the app (which is not possible with JIT user provisioning), this has benefits for access governance and Mendix user licensing. The LDAP module can be used in combination with other IAM modules such as the Administration, OIDC SSO, or SAML module.

You can also use the LDAP module to authenticate your app’s end-users (‘login’) by validating usernames and passwords against your LDAP server. However, the recommended option for end-user authentication is an SSO solution, which avoids duplicating user credentials anywhere other than at the IdP and with the end-user, and which allows for Multi-Factor Authentication (MFA). You can implement SSO for your end-users by using the OIDC SSO or SAML module.

Your app could, for example, combine LDAP for user synchronization together with the SAML module to authenticate your app’s end-users.

Documentation

Please see LDAP in the Mendix documentation for details.

Releases

Version: 2.2.0
Framework Version: 10.21.1
Release Notes:

This version contains the following enhancements:

- Improved LDAP synchronization to prevent duplication when group or user names change.

Library Upgrades:

- org.springframework: spring-core to 6.2.18

- org.springframework: spring-tx to 6.2.18

- org.springframework: spring-beans to 6.2.18

Note:

Starting with version 2.2.0, the module uses objectGUID as the primary identifier for users and groups. During upgrades from earlier versions, existing records are matched by name and assigned an objectGUID. If no match is found, a new record is created, which may lead to duplicates if legacy data is inconsistent. Once objectGUID is assigned, the module reliably synchronizes Active Directory changes, including name updates, without creating duplicates.

If an LDAP group is deleted or renamed, existing role mappings may break, causing users to temporarily lose roles. Update the mappings in LDAP group mapping and resynchronize to restore them.

Recommended

It is recommended to configure the Ldap.LdapSync scheduled event for regular synchronization, while retaining the option to trigger manual sync when needed.
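The matching order described in the note above, as an added illustration that is not the module's own code: a record is matched on objectGUID first, a legacy record without a GUID is matched on name and assigned the GUID, and anything else is created, so only a name mismatch in legacy data produces a duplicate. The class and function names and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    """A user record stored in the app; pre-2.2.0 records carry no objectGUID."""
    name: str
    object_guid: Optional[str] = None


@dataclass
class LdapEntry:
    """A user as read from the directory (constructed sample data, not real GUIDs)."""
    object_guid: str
    name: str


def synchronize(local: list[LocalUser], remote: list[LdapEntry]) -> list[LocalUser]:
    """One sync pass; mutates and returns the local record list."""
    by_guid = {u.object_guid: u for u in local if u.object_guid}
    # Only records that have not yet been assigned a GUID are eligible for name matching.
    by_name = {u.name: u for u in local if not u.object_guid}
    for entry in remote:
        user = by_guid.get(entry.object_guid)
        if user is not None:
            # Stable identifier matched: a rename in AD is applied in place, no duplicate.
            user.name = entry.name
            continue
        legacy = by_name.pop(entry.name, None)
        if legacy is not None:
            # Upgrade path: a legacy record matched by name is assigned its GUID.
            legacy.object_guid = entry.object_guid
            by_guid[entry.object_guid] = legacy
            continue
        # No match on GUID or name: create a new record. This is where inconsistent
        # legacy data (a local name that differs from AD) yields a duplicate.
        created = LocalUser(entry.name, entry.object_guid)
        local.append(created)
        by_guid[entry.object_guid] = created
    return local


def count_without_guid(local: list[LocalUser]) -> int:
    """Records still lacking a GUID after a sync are the candidates for duplication."""
    return sum(1 for u in local if u.object_guid is None)
```

Running the legacy records through a first sync and then a second sync with a renamed entry shows the upgrade assignment, the one duplicate caused by the mismatched legacy name, and a rename handled without a new record.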

Version: 2.1.2
Framework Version: 10.21.1
Release Notes:

This version contains the following fixes:

- Fixed LDAP synchronization path handling for the “Import from path” action in “Test, gather data from AD” (Ticket #262279)

Library Upgrades:

- org.springframework: spring-core to 6.2.16

- org.springframework: spring-tx to 6.2.16

- org.springframework: spring-beans to 6.2.16

Version: 2.1.1
Framework Version: 10.21.1
Release Notes:

This version contains the following enhancements:

- Ensures compatibility with Mendix 11

Version: 2.1.0
Framework Version: 10.21.1
Release Notes:

This version contains the following fixes/enhancements:

- v.2.1.0 version for apps on Mx10.21.1 or higher
- Improved username sanitization during LDAP authentication (Ticket #240120, Ticket #242924)
- Fixed the issue where the attribute value exceeded the field length during user import (Ticket #235996)
- Enhanced the CustomLoginLogic microflow to support usernames with a prefix and suffix during LDAP authentication (Ticket #239197, Ticket #244617, Ticket #245791)

Library Upgrades:

- org.springframework: spring-core to 6.2.2
- org.springframework: spring-tx to 6.2.2
- org.springframework: spring-beans to 6.2.2

Version: 2.0.1
Framework Version: 10.12.10
Release Notes:

This version contains the following fixes:

- Improved username sanitization during LDAP authentication (Ticket #240120, Ticket #242924)
- Fixed the issue where the attribute value exceeded the field length during user import (Ticket #235996)

Version: 2.0.0
Framework Version: 10.12.10
Release Notes:

This version contains the following fixes:

- v.2.0.0 version for apps on Mx10.12.10 or higher

Library Upgrades:

- org.springframework.ldap: spring-ldap-core to 2.4.4

Recommendation:

Java libraries from the old and the new version of the module may conflict after an upgrade. Delete all Java libraries used by the old LDAP module from the project’s userlib folder before upgrading to the latest version.

Version: 1.2.0
Framework Version: 9.24.35
Release Notes:

This version contains the following enhancement:

- Upgraded to Studio Pro v9.24.35

Library Upgrades:

- org.springframework: spring-core to 6.2.17

- org.springframework: spring-tx to 6.2.17

- org.springframework: spring-beans to 6.2.17

Note:

It is recommended to set the runtime to Java 21 to ensure compatibility.

Version: 1.1.3
Framework Version: 9.24.8
Release Notes:

This version contains the following fixes:

- Improved username sanitization during LDAP authentication (Ticket #240120, Ticket #242924)
- Fixed the issue where the attribute value exceeded the field length during user import (Ticket #235996)

Version: 1.1.2
Framework Version: 9.24.8
Release Notes:

This version contains the following fixes:

- Fixed an LDAP injection vulnerability. CVSS v3.1 score: 7.4; CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (Ticket #235264)
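An added illustration, not the module's own code, of the class of defect the fix above addresses and of the username sanitization mentioned in later releases: a username concatenated into an LDAP search filter can change the filter's structure, while RFC 4515 escaping keeps it an inert assertion value. The function names, the filter shape and the sample username are constructed.

```python
# RFC 4515 section 3: these characters must be escaped as \XX when they occur
# inside an assertion value, otherwise they are read as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as data inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Plain concatenation: the shape of code an LDAP injection finding describes."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: the username is escaped before it reaches the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def clause_count(ldap_filter: str) -> int:
    """Number of opening parentheses; a fixed template must always yield the same count."""
    return ldap_filter.count("(")
```

For a well-formed account name both builders agree; for a name containing filter metacharacters only the escaped builder keeps the clause count of the template.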

Library Upgrades:
- org.springframework.ldap: spring-ldap-core to 2.4.4

Recommendation:

Java libraries from the old and the new version of the module may conflict after an upgrade. Delete all Java libraries used by the old LDAP module from the project’s userlib folder before upgrading to the latest version.
Version: 1.1.1
Framework Version: 9.24.8
Release Notes:

This version contains the following library upgrades:

- org.springframework: spring-core to 5.3.31 (Ticket #202474)
- org.springframework: spring-tx to 5.3.31
- org.springframework: spring-beans to 5.3.31

Recommendation:

Java libraries from the old and the new version of the module may conflict after an upgrade. Delete all Java libraries used by the old LDAP module from the project’s userlib folder before upgrading to the latest version.