Getting Started with LDAP

Let’s assume that we use LDAP authentication and maintain users in the application.

First, add the LDAP add-on to your project according to the installation section.

Configuring Main Properties

Now, add the main LDAP properties. We will use a test LDAP server, ldap://, that has some test users.

jmix.ldap.urls = ldap://
jmix.ldap.baseDn = dc=example,dc=com
jmix.ldap.managerDn = cn=read-only-admin,dc=example,dc=com
jmix.ldap.managerPassword = password
jmix.ldap.userSearchFilter = (uid={0})
jmix.ldap.defaultRoles = system-full-access

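jmix.ldap.defaultRoles contains a list of roles that will be assigned to every user authenticated in LDAP. It is needed because a user without any roles will not be able to log in to the application. In this example the list holds system-full-access, so every user who authenticates against LDAP receives that role.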

You can find out more about the meaning of each property in the Properties section.

Configuring Synchronization

Now we need to describe the way we want users to be synchronized.

We will implement the default scenario, in which the add-on authenticates users of the application against LDAP. If a user is successfully authenticated in LDAP but has no UserDetails in the application, the user is synchronized automatically, and a UserDetails is created from the corresponding LDAP entry.

Let’s declare a bean implementing the LdapUserDetailsSynchronizationStrategy interface. The add-on comes with a basic abstract implementation: AbstractLdapUserDetailsSynchronizationStrategy, so in a simple case the strategy can be declared by only specifying a concrete User class and implementing a simple mapping:

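// Declared as a Spring bean, as the text above requires.
@Component
public class MyUserSynchronizationStrategy extends AbstractLdapUserDetailsSynchronizationStrategy<User> {

    @Override
    protected Class<User> getUserClass() {
        return User.class;
    }

    @Override
    protected void mapUserDetailsAttributes(User userDetails, DirContextOperations ctx) {
        // Copy attributes from the LDAP entry (ctx) to the application's User entity here.
    }
}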

Note that AbstractLdapUserDetailsSynchronizationStrategy also persists role assignments that were obtained during the role mapping flow. After each synchronization, the role assignments are rewritten with the new ones, so that obsolete role assignments are not preserved.

So, let’s set jmix.ldap.synchronizeRoleAssignments to false in order to manage user roles manually in the application.

After the synchronization strategy is declared, users will be synchronized on every login. If you want to disable user synchronization on login, set jmix.ldap.synchronizeUserOnLogin to false.
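
A fuller version of the synchronization strategy with a concrete mapping, as an added example that is not part of the original page or of the add-on's own code. It copies only profile fields from the LDAP entry, which fits the choice above to manage roles manually in the application. Assumptions: the application's User entity has setFirstName, setLastName and setEmail, the directory uses the standard givenName, sn and mail attributes, and the package names shown match your project and add-on version.

```java
package com.company.app.security; // hypothetical package

import com.company.app.entity.User; // hypothetical: the application's own user entity
import io.jmix.ldap.userdetails.AbstractLdapUserDetailsSynchronizationStrategy; // package path assumed
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.stereotype.Component;

@Component
public class MyUserSynchronizationStrategy
        extends AbstractLdapUserDetailsSynchronizationStrategy<User> {

    // Upper bound for copied values; assumed to match the entity's column length.
    private static final int MAX_LENGTH = 255;

    @Override
    protected Class<User> getUserClass() {
        return User.class;
    }

    @Override
    protected void mapUserDetailsAttributes(User userDetails, DirContextOperations ctx) {
        // Copy a fixed set of profile attributes from the LDAP entry.
        // Nothing that affects authorization in the application is read
        // from the directory here; roles stay under manual control.
        userDetails.setFirstName(clean(ctx.getStringAttribute("givenName")));
        userDetails.setLastName(clean(ctx.getStringAttribute("sn")));
        userDetails.setEmail(clean(ctx.getStringAttribute("mail")));
    }

    // getStringAttribute returns null when the entry lacks the attribute.
    // Null and blank values become null; other values are trimmed and capped.
    private static String clean(String value) {
        if (value == null) {
            return null;
        }
        String trimmed = value.trim();
        if (trimmed.isEmpty()) {
            return null;
        }
        return trimmed.length() > MAX_LENGTH ? trimmed.substring(0, MAX_LENGTH) : trimmed;
    }
}
```

Because the strategy runs on every login by default, a value removed from the directory entry is cleared in the application on the user's next login.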

If you want to manage users fully in LDAP and not maintain them in the application, see the In memory user management section.