Configuring LDAP authentication

You can configure LDAP authentication on your IBM® QRadar® system.

Before you begin

If you plan to use SSL encryption or use TLS authentication with your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar Console. For more information about configuring the certificates, see Configuring SSL or TLS certificates.

If you are using group authorization, you must configure a QRadar user role or security profile on the QRadar console for each LDAP group that is used by QRadar. Every QRadar user role or security profile must have at least one Accept group. The mapping of group names to user roles and security profiles is case-sensitive.

About this task

Authentication establishes proof of identity for any user who attempts to log in to the QRadar server. When a user logs in, the username and password are sent to the LDAP directory to verify whether the credentials are correct. To send this information securely, configure the LDAP server connection to use Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption.

Authorization is the process of determining what access permissions a user has. Users are authorized to perform tasks based on their role assignments. You must have a valid bind connection to the LDAP server before you can select authorization settings.

The user base DN is where QRadar queries and finds users. Enable query permissions to allow your users to query against the user base DN.

User attribute values are case-sensitive. The mapping of group names to user roles and security profiles is also case-sensitive.


  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select LDAP.
  4. Click Add and complete the basic configuration parameters.

    There are three configuration types and each has specific requirements for the Server URL, SSL Connection, and TLS Authentication parameters:

    Secure LDAP (LDAPS)
    The Server URL parameter must use ldaps:// as the protocol, and specify an LDAP over SSL encrypted port (typically 636). For example ldaps://
    If you are using Global Catalog because you're using multiple domains, use port 3269. For example ldaps://
    The SSL Connection parameter must be set to True and the TLS Authentication parameter must be set to False.
    LDAP with StartTLS
    The Server URL parameter must use ldap:// as the protocol, and specify an LDAP unencrypted port that supports the StartTLS option (typically 389). For example ldap://
    The SSL Connection parameter must be set to False and the TLS Authentication must be set to True.
    TLS 1.2 using StartTLS is not the same as the LDAP SSL port.
    TLS Authentication does not support referrals, so referrals must be set to ignore, and the LDAP server must include a complete structure to search.
    An unencrypted LDAP configuration is not recommended.
    The Server URL parameter must use the ldap:// protocol and specify an unencrypted port (typically 389). For example ldap://
    The SSL Connection parameter and the TLS Authentication parameter must both be set to False.
    Table 1. LDAP Basic Configuration parameters
    Parameter Description
    Repository ID

    The Repository ID is an alias for the User Base DN (distinguished name) that you use when you enter your login details to avoid having to type a long string. When you have more than one repository in your network, you can place the User Base DN before the user name or you can use the shorter Repository ID.

    For example, the User Base DN is: CN=Users,DC=IBM,DC=com. You create a repository ID such as UsersIBM that is an alias for the user base DN.

    You can type the short repository ID UsersIBM instead of typing the following example of a complete User Base DN CN=Users,DC=IBM,DC=com

    Here's an example where you configure the repository ID to use as an alias for the User Base DN.
    Figure 1. LDAP repository
    Ldap repository

    When you enter your user name on the login page, you can enter the Repository ID UsersIBM\<username>, instead of typing the full User Base DN.

    Note: The Repository ID and User Base DN must be unique.
    Search entire base

    Select True to search all subdirectories of the specified Directory Name (DN).

    Select False to search only the immediate contents of the Base DN. The subdirectories are not searched. This search is faster than one which searches all directories.

    LDAP User Field The user field identifier that you want to search on.

    You can specify multiple user fields in a comma-separated list to allow users to authenticate against multiple fields. For example, if you specify uid,mailid, a user can be authenticated by providing either their user ID or their mail ID.

    User Base DN The Distinguished Name (DN) of the node where the search for a user would start. The User Base DN becomes the start location for loading users. For performance reasons, ensure that the User Base DN is as specific as possible.

    For example, if all of your user accounts are on the directory server in the Users folder, and your domain name is, the User Base DN value would be cn=Users,dc=ibm,dc=com.

    Referral Select Ignore or Follow to specify how referrals are handled.
  5. Under Connection Settings, select the type of bind connection.
    Table 2. LDAP bind connections
    Bind connection type Description
    Anonymous bind Use anonymous bind to create a session with the LDAP directory server that doesn't require that you provide authentication information.
    Authenticated bind Use authenticated bind when you want the session to require a valid user name and password combination. A successful authenticated bind authorizes the authenticated user to read the list of users and roles from the LDAP directory during the session. For increased security, ensure that the user ID that is used for the bind connection does not have permissions to do anything other than reading the LDAP directory.

    Provide the Login DN and Password. For example, if the login name is admin and the domain is, the Login DN would be cn=admin,dc=ibm,dc=com.

  6. Click Test connection to test the connection information.
    You must provide user information to authenticate against the user attributes that you specified in the LDAP User Field. If you specified multiple values in the LDAP User Field, you must provide user information to authenticate against the first attribute that is specified.
    Note: The Test connection function tests the ability of QRadar to read the LDAP directory, not whether you can log in to the directory.
  7. Select the authorization method to use.
    Table 3. LDAP authorization methods
    Authorization method parameter Description
    Local The user name and password combination is verified for each user that logs in, but no authorization information is exchanged between the LDAP server and QRadar server. If you chose Local authorization, you must create each user on the QRadar console.
    User attributes Choose User Attributes when you want to specify which user role and security profile attributes can be used to determine authorization levels.

    You must specify both a user role attribute and a security profile attribute. The attributes that you can use are retrieved from the LDAP server, based on your connection settings. User attribute values are case-sensitive.

    Group based Choose Group Based when you want users to inherit role-based access permissions after they authenticate with the LDAP server. The mapping of group names to user roles and security profiles is case-sensitive.
    Important: If you map an Active Directory group to the Admin user role, you must map the same Active Directory group to the Admin security profile, or the user will not be able to log in.
    Group base DN
    Specifies the start node in the LDAP directory for loading groups.
    For example, if all of your groups are on the directory server in the Groups folder, and your domain name is, the Group Base DN value might be cn=Groups,dc=ibm,dc=com.
    Query limit enabled
    Sets a limit on the number of groups that are returned.
    Query result limit
    The maximum number of groups that are returned by the query. By default, the query results are limited to show only the first 1000 query results.
    By member
    Select By Member to search for groups based on the group members. In the Group Member Field box, specify the LDAP attribute that is used to define the users group membership.
    For example, if the group uses the memberUid attribute to determine group membership, type memberUid in the Group Member Field box.
    By query
    Select By Query to search for groups by running a query. You provide the query information in the Group Member Field and Group Query Field text boxes.
    For example, to search for all groups that have at least one memberUid attribute and that have a cn value that starts with the letter s, type memberUid in Group Member Field and type cn=s* in Group Query Field.
  8. If you specified Group Based authorization, click Load Groups and click the plus (+) or minus (-) icon to add or remove privilege groups.

    The user role privilege options control which QRadar components the user has access to. The security profile privilege options control the QRadar data that each user has access to.

    Note: Query limits can be set by selecting the Query Limit Enabled checkbox or the limits can be set on the LDAP server. If query limits are set on the LDAP server, you might receive a message that indicates that the query limit is enabled even if you did not select the Query Limit Enabled checkbox.
  9. Click Save.
  10. Click Manage synchronization to exchange authentication and authorization information between the LDAP server and the QRadar console.
    1. If you are configuring the LDAP connection for the first time, click Run Synchronization Now to synchronize the data.
    2. Specify the frequency for automatic synchronization.
    3. Click Close.
  11. Repeat the steps to add more LDAP servers, and click Save Authentication Module when complete.