
Add LDAP/Active Directory authentication support#1869

Open
Hemsby wants to merge 1 commit into TechnitiumSoftware:develop from Hemsby:feature/ldap-auth

Conversation


@Hemsby Hemsby commented Apr 28, 2026

Summary

Adds native LDAP authentication to the DNS Server web console, enabling users to sign in with their Active Directory or LDAP directory credentials.

Features

  • Three connection modes — plain LDAP, StartTLS (port 389 + SSL), and LDAPS (port 636 + SSL). Mode is selected automatically based on port: Use SSL + port 636 = LDAPS, Use SSL + any other port = StartTLS.
  • Service account search — a bind DN/password locates the user in the directory before validating their credentials. Supports UPN (user@domain) and full DN formats.
  • Configurable user filter — defaults to (sAMAccountName={0}) for Active Directory; any RFC 4515 filter is supported.
  • Group mapping — maps LDAP groups (by CN) to local Technitium groups, e.g. Domain Admins → Administrators.
  • Auto-provisioning — optionally creates a local account on first LDAP login, with optional restriction to mapped groups only.
  • Ignore SSL errors — for self-signed or internal CA certificates.
  • Test connection button — verifies the service account bind without saving config.
  • Docker/environment variable support — full headless configuration via DNS_SERVER_LDAP_* variables.

Environment Variables

| Variable | Description |
| --- | --- |
| DNS_SERVER_LDAP_ENABLED | true/false |
| DNS_SERVER_LDAP_SERVER | Hostname or IP |
| DNS_SERVER_LDAP_PORT | Default: 389 |
| DNS_SERVER_LDAP_USE_SSL | true enables StartTLS (port 389) or LDAPS (port 636) |
| DNS_SERVER_LDAP_IGNORE_SSL_ERRORS | true/false |
| DNS_SERVER_LDAP_BIND_DN | Service account DN or UPN |
| DNS_SERVER_LDAP_BIND_PASSWORD | Service account password |
| DNS_SERVER_LDAP_SEARCH_BASE | e.g. DC=example,DC=com |
| DNS_SERVER_LDAP_USER_FILTER | Default: (sAMAccountName={0}) |
| DNS_SERVER_LDAP_GROUP_ATTRIBUTE | Default: memberOf |
| DNS_SERVER_LDAP_ALLOW_SIGNUP | true/false |
| DNS_SERVER_LDAP_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS | true/false |
| DNS_SERVER_LDAP_GROUP_MAP | JSON array, e.g. [{"remoteGroup":"Domain Admins","localGroup":"Administrators"}] |

Implementation Notes

Uses Novell.Directory.Ldap.NETStandard (v3.6.0) rather than System.DirectoryServices.Protocols. The Novell library is pure managed .NET (TcpClient + SslStream) with no dependency on native OpenLDAP libraries, ensuring consistent behaviour on Linux, Windows, macOS, Docker, and ARM.

Adds native LDAP SSO authentication allowing users to sign in with
their Active Directory or LDAP directory credentials. Supports plain
LDAP, StartTLS (port 389), and LDAPS (port 636). Includes group-to-
role mapping, configurable auto-provisioning, and full environment
variable support for Docker deployments.
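The following C# helper is an added example, not code from this pull request or from the Technitium DNS Server code base. It models the configuration logic the PR description lays out (mode selection from Use SSL + port, the {0} user-filter placeholder, memberOf CN to local group mapping, and the signup-only-for-mapped-users rule) so a reviewer can reason about each decision in isolation. The actual directory bind and search through Novell.Directory.Ldap.NETStandard are deliberately left out. The RFC 4515 escaping of the value substituted for {0} is the standard filter-escaping rule, added here as the check a reviewer would look for; the PR text does not state whether the implementation performs it. All class and method names, and the sample memberOf values, are constructed for this example and assume .NET 8 with System.Text.Json.

```csharp
// Added example (not the PR's or Technitium's own code). Assumes .NET 8.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public enum LdapMode { Plain, StartTls, Ldaps }

// Shape of one entry in DNS_SERVER_LDAP_GROUP_MAP; property names match the JSON keys on the page.
public sealed class GroupMapping
{
    public string remoteGroup { get; set; } = "";
    public string localGroup { get; set; } = "";
}

public static class LdapAuthHelpers
{
    // Mode selection as the PR describes it: Use SSL + port 636 = LDAPS, Use SSL + any other port = StartTLS.
    public static LdapMode SelectMode(bool useSsl, int port)
    {
        if (!useSsl) return LdapMode.Plain;
        return port == 636 ? LdapMode.Ldaps : LdapMode.StartTls;
    }

    // RFC 4515 section 3 escaping for a value placed inside a search filter.
    // Without it, a login name containing '*', '(' or ')' would change the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Substitute the escaped login name for the {0} placeholder, e.g. in "(sAMAccountName={0})".
    public static string BuildUserFilter(string template, string username)
        => template.Replace("{0}", EscapeFilterValue(username));

    // Extract the CN of the first RDN from a DN, honouring backslash escapes ("CN=Smith\, John,OU=...").
    public static string? ExtractCn(string dn)
    {
        if (!dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase)) return null;
        var sb = new StringBuilder();
        for (int i = 3; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) { sb.Append(dn[++i]); continue; }
            if (c == ',') break;
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Parse the DNS_SERVER_LDAP_GROUP_MAP JSON array into a case-insensitive remoteGroup -> localGroup lookup.
    public static Dictionary<string, string> ParseGroupMap(string json)
    {
        var list = JsonSerializer.Deserialize<List<GroupMapping>>(json) ?? new List<GroupMapping>();
        var map = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var m in list) map[m.remoteGroup] = m.localGroup;
        return map;
    }

    // Map the user's memberOf DNs to local groups; directory groups with no mapping are ignored.
    public static List<string> MapGroups(IEnumerable<string> memberOf, IReadOnlyDictionary<string, string> groupMap)
    {
        var result = new List<string>();
        foreach (var dn in memberOf)
        {
            var cn = ExtractCn(dn);
            if (cn != null && groupMap.TryGetValue(cn, out var local) && !result.Contains(local))
                result.Add(local);
        }
        return result;
    }

    // Auto-provisioning rule: signup must be enabled, and when restricted to mapped users at least one group must map.
    public static bool CanProvision(bool allowSignup, bool onlyMappedUsers, int mappedGroupCount)
        => allowSignup && (!onlyMappedUsers || mappedGroupCount > 0);
}

public static class Demo
{
    public static void Main()
    {
        Console.WriteLine(LdapAuthHelpers.SelectMode(useSsl: true, port: 636));
        Console.WriteLine(LdapAuthHelpers.SelectMode(useSsl: true, port: 389));
        Console.WriteLine(LdapAuthHelpers.BuildUserFilter("(sAMAccountName={0})", "j.doe*)(objectClass=*"));

        // Constructed sample values, not taken from any real directory.
        var map = LdapAuthHelpers.ParseGroupMap("[{\"remoteGroup\":\"Domain Admins\",\"localGroup\":\"Administrators\"}]");
        var memberOf = new[] { "CN=Domain Admins,CN=Users,DC=example,DC=com", "CN=Printer Ops,OU=Groups,DC=example,DC=com" };
        var local = LdapAuthHelpers.MapGroups(memberOf, map);
        Console.WriteLine(string.Join(",", local));
        Console.WriteLine(LdapAuthHelpers.CanProvision(allowSignup: true, onlyMappedUsers: true, mappedGroupCount: local.Count));
    }
}
```

The point worth checking in review is the third line of Demo: with escaping, a login name containing filter metacharacters stays a literal sAMAccountName value instead of rewriting the search, so the service-account search only ever matches the account the user actually typed. The group mapping works on the CN alone, as the PR states, which means two groups with the same CN in different OUs map identically; matching on the full DN would be the stricter alternative if that matters in a given deployment.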
