Using the latest version?
JFrog Container Registry Guide
Working With Active Directory
We will describe how to configure JFrog Container Registry to work with Active Directory using an example.
Consider an Active Directory server that must support the following conditions:
- Users are located in two geographically separated sites. Some are in the US (designated as "us"), while others are in Israel (designated as "il").
- Each site defines users and groups in different places in the Active Directory tree as displayed below.
To configure Active Directory authentication, in the Admin module, go to Security | LDAP and click New.
The configuration parameters are as follows:
|The unique ID of the Active Directory setting.|
When set, these settings are enabled.
Active Directory URL
Location of the Active Directory server LDAP access point in the following format:
The URL may include the base DN used to search for and/or authenticate users. If not specified, the Search Base field is required.
User DN Pattern
A DN pattern used to log users directly in to the LDAP database.
For Active Directory, we recommend leaving this field blank since this only works if anonymous binding is allowed and a direct user DN can be used, which is not the default case in Active Directory.
Auto Create JFrog Container Registry Users
|When set, JFrog Container Registry will automatically create new users for those who have logged in using Active Directory. Any newly created users will be associated to the default groups.|
An attribute that can be used to map a user's email to a user created automatically by JFrog Container Registry.
This corresponds to the mail field in Active Directory.
A filter expression used to search for the user DN that is used in Active Directory authentication.
For Active Directory the corresponding field should be
The Context name in which to search relative to the base DN in the Active Directory URL. This parameter is optional, but if possible, we highly recommend that you set it to prevent long searches on the Active Directory tree. Leaving this field blank will significantly slow down the Active Directory integration.
The configuration in the example below indicates that search should only be performed under "frogs/il" or "frogs/us". This improves search performance since JFrog Container Registry will not search outside the scope of the "frogs" entry.
The full DN of a user with permissions that allow querying the Active Directory server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.
The password of the user binding to the Active Directory server when using "search" authentication.
Search Sub Tree
|When set, enables deep search through the sub-tree of the Active Directory URL + Search Base. True by default.|