LDAP / Active Directory
This guide configures authentication against LDAP (typically Microsoft Active Directory on-premise) so that Mawidabp users authenticate with their corporate credentials. Appropriate for on-premise installations or when the customer does not use cloud identity.
If you are using Microsoft Entra ID (the cloud version), see Microsoft Entra ID instead of this guide.
When to use LDAP
- On-premise infrastructure with classic AD.
- Organizations without Microsoft cloud presence.
- A requirement that authentication does not leave the corporate network.
Prerequisites
- Administrator access to Active Directory (or generic LDAP).
- Credentials of a user with read permission on the directory (bind user).
- Root certificate (CA) of the LDAP server if the connection uses TLS.
- Administrator in Mawidabp.
Part 1 — Configuration in Active Directory
Create the groups that will correspond to Mawidabp profiles. Common convention:
| Group | Mawidabp profile |
|---|---|
| MawidabpAIGerente | Audit manager |
| MawidabpAISupervisor | Supervisor |
| MawidabpAISenior | Senior auditor |
| MawidabpAIAuditor | Auditor |
| MawidabpPAI | User administration |
| Company | Auditee (all auditable employees) |
Assign users to the groups as appropriate. Group membership is what determines which profile they will have in Mawidabp.
Part 2 — Configuration in Mawidabp
1. Create profiles
- Administration → Security → Profiles and privileges → New.
- Fill in:
  - Profile: descriptive name; preferably matching the AD group name.
  - Profile type: whatever applies.
  - Identifier: the exact name of the AD group.
  - Tick the privileges per module.
Repeat for each AD group.
2. Edit the organization
- Administration → Organization → Management → Edit the organization.
- In the LDAP configuration section, fill in:
| Field | Description |
|---|---|
| Server address | LDAP server FQDN or IP (for example, ldap.company.local). |
| Port | 389 for LDAP, 636 for LDAPS. |
| TLS version | Minimum TLS version supported (for example, TLSv1.2). |
| CA path | Path on the Mawidabp server where the LDAP root certificate lives. |
| Base distinguished name | Base DN to search users from, for example dc=company,dc=local. |
| Filter | LDAP filter to restrict the search (for example, (objectClass=user)). |
| Authentication mask | Pattern used to build the DN at authentication time. For example cn={0},ou=users,dc=company,dc=local. |
| Organizational unit (OU) | OU where users live. |
| Username attribute | Typically sAMAccountName in AD. |
| First name attribute | Typically givenName. |
| Last name attribute | Typically sn. |
| Email attribute | Typically mail. |
| Profiles attribute | Typically memberOf. |
| Default organizational unit | OU to assign if a user does not have one defined. |
| User | Bind user for authenticating to LDAP. |
| Password | Bind user's password. |
- Update organization. If the screen returns to the initial listing, the configuration was saved successfully.
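The following is an added worked example, not code from Mawidabp, showing how three of the settings above fit together at sign-in time: the authentication mask has its {0} placeholder filled with the login name to form the bind DN, the filter is combined with an equality match on the username attribute to find the user entry, and the profiles attribute (memberOf) is reduced to the group CNs that match the profile identifiers from Part 1. It goes slightly beyond the table by applying RFC 4514 (DN) and RFC 4515 (filter) escaping to the login name, which is what prevents a value typed into the login form from altering the DN or the search filter. The mask, filter and attribute values are the examples from the table; the group names come from Part 1; the memberOf values are constructed sample data.

```python
"""Worked example (added, not Mawidabp code): bind DN, search filter and
memberOf-to-profile mapping built from the LDAP settings in the guide."""

import re

# Constructed sample settings mirroring the configuration table.
AUTH_MASK = "cn={0},ou=users,dc=company,dc=local"   # 'Authentication mask'
BASE_FILTER = "(objectClass=user)"                  # 'Filter'
USERNAME_ATTR = "sAMAccountName"                    # 'Username attribute'

# Profile 'Identifier' values = exact AD group names from Part 1.
PROFILE_IDENTIFIERS = {
    "MawidabpAIGerente", "MawidabpAISupervisor", "MawidabpAISenior",
    "MawidabpAIAuditor", "MawidabpPAI", "Company",
}

# Constructed memberOf values as AD would return them for one user.
SAMPLE_MEMBER_OF = [
    "CN=MawidabpAIAuditor,OU=Groups,DC=company,DC=local",
    "CN=Domain Users,CN=Users,DC=company,DC=local",
    "CN=Company,OU=Groups,DC=company,DC=local",
]


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch in "# " and i == 0:       # leading '#' or space must be escaped
            out.append("\\" + ch)
        elif ch == " " and i == last:     # trailing space must be escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 section 3)."""
    return (value.replace("\\", "\\5c")   # backslash first, then the others
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_bind_dn(username: str, mask: str = AUTH_MASK) -> str:
    """Fill the {0} placeholder of the authentication mask with the escaped login."""
    return mask.replace("{0}", escape_dn_value(username))


def build_user_filter(username: str, base_filter: str = BASE_FILTER,
                      username_attr: str = USERNAME_ATTR) -> str:
    """AND the configured filter with an equality match on the username attribute."""
    return f"(&{base_filter}({username_attr}={escape_filter_value(username)}))"


# First RDN of a DN: 'CN=' followed by escaped chars or anything but ',' / '\'.
_FIRST_RDN = re.compile(r"^\s*CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def profiles_from_member_of(member_of, identifiers=PROFILE_IDENTIFIERS):
    """Return the profile identifiers whose group CN appears in memberOf."""
    found = []
    for dn in member_of:
        match = _FIRST_RDN.match(dn)
        if not match:
            continue
        cn = re.sub(r"\\(.)", r"\1", match.group(1))  # undo DN escaping in the CN
        if cn in identifiers and cn not in found:
            found.append(cn)
    return found


if __name__ == "__main__":
    print(build_bind_dn("jdoe"))
    print(build_user_filter("jdoe"))
    print(profiles_from_member_of(SAMPLE_MEMBER_OF))
```

The "user signs in but has no permissions" case under Common problems is exactly profiles_from_member_of returning an empty list: either the user is in none of the groups, or the CN returned in memberOf does not match the identifier spelled in the profile.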
Test sign-in
- Sign out of Mawidabp.
- Authenticate with the credentials of an AD user that belongs to one of the configured groups.
- The sign-in should pass without asking you to create the user in Mawidabp; the profile is applied automatically based on the group.
Common problems
Sign-in does not progress: check the Mawidabp log; LDAP connection errors (closed port, invalid CA, wrong bind credentials) show up there.
The user signs in but has no permissions: verify the user is in one of the configured groups and that the profiles attribute is returning the correct group name.
TLS fails with untrusted certificate: the root certificate at CA path must be the full chain in a format OpenSSL understands (PEM).
Bulk import
When you want to pre-load users into Mawidabp from LDAP without waiting for each one to sign in:
- Enable the "Show 'Import from LDAP' only to users with approval permission" parameter in Parameters if you want to restrict who can do it.
- Administration → Security → Users → Import from LDAP.
The import reads the LDAP group and creates/updates users in Mawidabp with their assigned profiles.
Support
If you cannot get the configuration working, write to soporte@mawidabp.com with the error detail and the log.