Connecting an Active Directory Identity Source


Active Directory (AD) is one of the many Identity Source types that you can connect to Clearlogin for user authentication.

One of the benefits of being able to use AD is that if you already have an AD environment set up within your organization, you can effortlessly and seamlessly migrate your current user base to Clearlogin without having to establish a separate Identity Provider and manually create user accounts and issue new credentials to every individual user again.

  1. To get started, first navigate and log into the Administrator dashboard (

  2. Once you have logged in select "Identity Sources" from the left-hand navigation bar.

  3. On the "Manage Identity Sources" page, click on "New Identity Source".

  4. On the subsequent page, select "Active Directory".

  5. You will be brought to the AD configuration page.


    From here you can configure all of the settings required to properly integrate your AD environment with Clearlogin.

    Here is an explanation of each field:

    Display name:  This is just the name of the Identity Source and can be anything that you want in order to identify which Identity Source this configuration is.  It has no technical bearing on the actual configuration.

    User domain:  This is the domain that your AD instance is a part of and that users will use to log into Clearlogin.  IE:

    Access tag:  Please see this article for an explanation on how Access Tags effect security within Clearlogin.

    Priority:  Please see this article for an explanation on how Identity Source Priority effects authentication with multiple Identity Sources.

    Timeout:  This is mostly personal preference and will depend upon the speed of your Identity Source's ability to authenticate, but we typically recommend 10 seconds.

    Hostname:  This is the DNS URL or public IP address of your Identity Source.

    Port:  This is the port that you choose to authenticate through for AD.  Typical AD ports include 389 (for LDAP) and 636 (for LDAPS).  You can also use 3268 or 3269, however these are reserved for the Global Catalog and we highly discourage administrators from using them since problems can arise such as users being unable to manually reset their own passwords.

    Encryption Type:  You would typically use "None" or Start TLS over port 389.  If you are using port 636, then we recommend Simple TLS, however this is something that you should consult with your security team on before setting.

    Search filter:  This is the criteria that you will be using to identify who a user is when looking them up during authentication.  Typically the default of (samAccountName={username}) is all that you will ever need.  For more information on different user attribute identifiers, it's best to read our article on LDAP Filters, and check with Microsoft.

    Search base:  Also known as the "base DN", the search base defines the location in the directory from which the LDAP search begins.  More information can be found here.

    Bind DN:  This is the full DN (Distinguished Name) of the user account (service account or "bind" account) that will be used to maintain the connection between AD and Clearlogin.  This is typically in the format of "CN=UserName,OU=OU-name,DC=DomainName,DC=DomainExtension" without the quotes.  IE:  CN=TestServiceAccount,OU=ServiceAccounts,DC=TestDomain,DC=net

    Microsoft has more information on this here.

    Please note:  For full functionality (LDAP user lookups, password resets, and password changes) make sure that your bind account has the following permissions within AD:

    Change Password
    Reset Password
    Read userAccountControl
    Write userAccountControl
    Read pwdLastSet
    Write pwdLastSet

    For steps on how to configure your bind account to unlock users after a forgotten password reset, please click here.

    Microsoft does not currently allow for changes to be made over the Global Catalog ports.

    Bind password: This is the password to the service account that is defined in the Bind DN.

    Once you are done filling out all of the above information, you can click on the green "Update Active Directory Identity Source" button near the bottom of the page to save your changes.  

  6. Congratulations, you've created your first AD connection with Clearlogin!

    You can test your new configuration with the test box at the bottom of the AD edit page.


    The bind password will have to be the same bind password that you set above, but the username and password should be a standard user account.
Have more questions? Submit a request


Powered by Zendesk