baton-ldap is a connector for LDAP built using the Baton SDK. It communicates with the LDAP protocol to sync data about roles, users, and groups.
Check out Baton to learn more about the project in general.
To access the LDAP server, you must provide the username and password you use to log in to the LDAP server.
Also see Set up an LDAP connector in the ConductorOne documentation for instructions including using LDAP from ConductorOne.
The latest release is available from the baton-ldap GitHub releases page.
Pre-built container images compatible with Docker and other container runtimes are published to GHCR:
```sh
docker pull ghcr.io/conductorone/baton-ldap:latest
```
Additionally, for testing on workstations, baton-ldap can be installed from Homebrew:
```sh
brew install conductorone/baton/baton conductorone/baton/baton-ldap
```
| CLI Flag | Environment Variable | Explanation |
|---|---|---|
| --bind-dn | BATON_BIND_DN | required. Username to bind to the LDAP server with, for example: cn=baton-service-account,ou=users,dc=baton,dc=example,dc=com |
| --password | BATON_PASSWORD | optional. Password to bind to the LDAP server with. If unset, an unauthenticated bind is attempted. |
| --url | BATON_URL | required. URL to the LDAP server. Uses either the ldap: or ldaps: scheme, sets the hostname, and optionally a port number. For example: ldaps://ldap.example.com:636 |
| --base-dn | BATON_BASE_DN | optional. Base Distinguished Name to search for LDAP objects in, for example DC=example,DC=com |
| --user-search-dn | BATON_USER_SEARCH_DN | optional. Distinguished Name to search for User objects in. If unset, the Base DN is used. |
| --group-search-dn | BATON_GROUP_SEARCH_DN | optional. Distinguished Name to search for Group objects in. If unset, the Base DN is used. |
| --provisioning | BATON_PROVISIONING | optional. Enable provisioning of Groups by baton-ldap. true or false. Defaults to false. |
Use baton-ldap --help to see all configuration flags and environment variables.
To provision an account from the command line, you'll need to provide the login, email, and account profile. For example:
```sh
.\baton-ldap.exe --base-dn "DC=baton-dev,DC=d2,DC=ductone,DC=com" --password "password" -p --create-account-login 'example-user' --create-account-profile "{\"rdnKey\":\"uid\",\"path\":\"cn=staged users,cn=accounts,cn=provisioning\",\"suffix\":\"dc=example,dc=test\",\"objectClass\":[\"top\",\"person\",\"organizationalperson\",\"posixAccount\"],\"additionalAttributes\":{\"cn\":\"Example User\",\"sn\":\"User\",\"homeDirectory\":\"\",\"uidNumber\":\"-1\",\"gidNumber\":\"-1\"}}"
```
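The account profile supplies the pieces of the new entry's DN: rdnKey names the RDN attribute, path the container below the suffix, and suffix the directory base. The Go routine below is an added example, not baton-ldap's own code; it assumes the DN is composed as rdnKey=login,path,suffix (the page does not state the exact composition) and escapes the login per RFC 4514 so that a login value containing `,` or `+` cannot add RDN components to the DN being created.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccountProfile holds the --create-account-profile keys needed to build the DN.
type AccountProfile struct {
	RDNKey string `json:"rdnKey"`
	Path   string `json:"path"`
	Suffix string `json:"suffix"`
}

// escapeRDNValue escapes per RFC 4514 so a login with ',' or '+' cannot add RDN components.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		special := strings.ContainsRune(`,+"\<>;`, r)
		edge := (r == '#' && i == 0) || (r == ' ' && (i == 0 || i == len(v)-1))
		if special || edge {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// BuildDN parses the profile JSON and composes rdnKey=login,path,suffix; that
// composition is this example's assumption about how the fields combine.
func BuildDN(profileJSON, login string) (string, error) {
	var p AccountProfile
	if err := json.Unmarshal([]byte(profileJSON), &p); err != nil {
		return "", fmt.Errorf("bad profile: %w", err)
	}
	if p.RDNKey == "" || p.Suffix == "" || login == "" {
		return "", fmt.Errorf("rdnKey, suffix and login are required")
	}
	parts := []string{p.RDNKey + "=" + escapeRDNValue(login)}
	if p.Path != "" {
		parts = append(parts, p.Path)
	}
	return strings.Join(append(parts, p.Suffix), ","), nil
}
func main() {
	// Constructed profile in the shape of the page's --create-account-profile example.
	dn, err := BuildDN(`{"rdnKey":"uid","path":"cn=staged users,cn=accounts,cn=provisioning","suffix":"dc=example,dc=test"}`, "example-user")
	fmt.Println(dn, err)
}
```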
You can use compose.yaml to launch an LDAP server and a PHP LDAP admin server to interact with the LDAP server.
Run docker-compose up to launch the containers.
You can then access the PHP LDAP admin server at http://localhost:8080 and log in with the admin credentials you provided in the docker-compose file.
username: CN=admin,DC=example,DC=org
password: admin
After you log in, you can create new resources to be synced by baton.
After creating new resources on the LDAP server, use the baton-ldap CLI to sync the data from the LDAP server with the example command below.
```sh
baton-ldap --base-dn dc=example,dc=org --bind-dn cn=admin,dc=example,dc=org --password admin --domain localhost
```
After successfully syncing data, use the baton CLI to list the resources and see the synced data.
```sh
baton resources
baton stats
```
baton-ldap will fetch information about the following LDAP resources:
- Users
- Roles, as organizationalRole in LDAP
- Groups, as groupOfUniqueNames in LDAP
baton-ldap will sync information only from under the base DN specified by the --base-dn flag in the configuration.
We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!
See CONTRIBUTING.md for more details.
