The ‘LDAP’ module allows you to provision end-users of your app. It is a client-side implementation of the Lightweight Directory Access Protocol (LDAP), which allows your app to communicate with an LDAP server such as an on-premises Microsoft Active Directory (AD). This makes the module interesting for customers who are using the ‘Mendix for Private Cloud’ or ‘Mendix for Server-Based deployment’ deployment models. It can be used to synchronize your Mendix app’s end-users, their group memberships, and their status from an LDAP server. Although you can provision end-users in a ‘just-in-time’ (JIT) fashion during user sign-in, pre-provisioning (available through the LDAP module) allows end-users to be set up before their first login. When pre-provisioning is used to deactivate end-users stored within the app, which is not possible with JIT user provisioning, it has benefits for access governance and Mendix user licensing. The LDAP module can be used in combination with other IAM modules such as the Administration, OIDC SSO, or SAML module.
You can also use the LDAP module to authenticate your app’s end-users (‘login’) by validating usernames and passwords at your LDAP server. However, the recommended option for end-user authentication is to use an SSO solution, so that user credentials are not duplicated beyond the IdP and the end-user, and to allow for multi-factor authentication (MFA). You can implement SSO for your end-users by using the OIDC SSO or SAML module.
Your app could, for example, use LDAP for user synchronization and the SAML module to authenticate your app’s end-users.
Please see LDAP in the Mendix documentation for details.