# LDAP/AD (/docs/configuration/authentication/ldap)

You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users.

## LDAP/AD Server Configuration

**Basic Configuration**

- `LDAP_URL` and `LDAP_USER_SEARCH_BASE` are required.
- `LDAP_SEARCH_FILTER` is optional; if not specified, the `mail` attribute is used by default. If specified, use the literal `{{username}}` to use the given username for the search.

<OptionTable
  options={[
    ['LDAP_URL', 'string', 'LDAP server URL.', 'LDAP_URL=ldap://localhost:389'],
    ['LDAP_BIND_DN', 'string', 'Bind DN', 'LDAP_BIND_DN=cn=root'],
    ['LDAP_BIND_CREDENTIALS', 'string', 'Password for bindDN', 'LDAP_BIND_CREDENTIALS=password'],
    [
      'LDAP_USER_SEARCH_BASE',
      'string',
      'LDAP user search base',
      'LDAP_USER_SEARCH_BASE=o=users,o=example.com',
    ],
    ['LDAP_SEARCH_FILTER', 'string', 'LDAP search filter', 'LDAP_SEARCH_FILTER=mail={{username}}'],
  ]}
/>

**Field Mappings**

You can specify a mapping between the attributes of LibreChat users and those of LDAP users. Use these settings if the default mappings do not work properly.

<OptionTable
  options={[
    [
      'LDAP_ID',
      'string',
      'Specify a unique user ID. By default, uid or sAMAccountName, mail is used.',
      'LDAP_ID=uid',
    ],
    [
      'LDAP_USERNAME',
      'string',
      'By default, it uses givenName or mail.',
      'LDAP_USERNAME=givenName',
    ],
    [
      'LDAP_EMAIL',
      'string',
      'By default, it uses mail.',
      'LDAP_EMAIL=userPrincipalName',
    ],
    [
      'LDAP_FULL_NAME',
      'string',
      'By default, it uses a combination of givenName and surname.',
      'LDAP_FULL_NAME=givenName,surname',
    ],
  ]}
/>

**Username or Email**

By default, LibreChat uses an email address and password for authentication.
This may sometimes cause problem with LDAP and you may want to use a username instead.
Set the `LDAP_SEARCH_FILTER` to filter for the username instead (e.g. `LDAP_SEARCH_FILTER=uid={{username}}`
and configure LibreChat to request login via username:

<OptionTable
  options={[
    [
      'LDAP_LOGIN_USES_USERNAME',
      'string',
      'Use username instead of email.',
      'LDAP_LOGIN_USES_USERNAME=true',
    ],
  ]}
/>

**Active Directory over SSL**

To connect via SSL (ldaps://), such as a company using Windows AD, specify the path to the internal CA certificate.
`LDAP_TLS_REJECT_UNAUTHORIZED` is optional;if not specified LibreChat will reject TLS/SSL connections if the LDAP server's certificate cannot be verified.
set `LDAP_TLS_REJECT_UNAUTHORIZED` to false (not recommended for production environments)
to allow Librechat to accept TLS/SSL connections even if the LDAP server's certificate cannot be verified,

<OptionTable
  options={[
    [
      'LDAP_CA_CERT_PATH',
      'string',
      'CA certificate path.',
      'LDAP_CA_CERT_PATH=/path/to/root_ca_cert.crt',
    ],
    [
      'LDAP_TLS_REJECT_UNAUTHORIZED',
      'string',
      'Disable TLS verification',
      'LDAP_TLS_REJECT_UNAUTHORIZED=true',
    ],
  ]}
/>

**LDAP StartTLS**

Enabling LDAP StartTLS allows LibreChat to upgrade an insecure connection to a secure TLS connection. This is useful if you want to secure the connection without switching to ldaps://.

<OptionTable
    options={[
        [
            'LDAP_STARTTLS',
            'string',
            'Enable LDAP StartTLS for upgrading the connection to TLS. Set to true to enable this feature.',
            'LDAP_STARTTLS=true',
        ],
    ]}
/>