LDAP Authentication¶

LDAP/Active Directory authentication configuration reference.

Edition note: LDAP authentication is a commercial feature. The community edition supports only local user authentication.

Overview¶

Faraday supports LDAP (Lightweight Directory Access Protocol) authentication, allowing users to sign in with their existing Active Directory or LDAP directory credentials. When enabled, Faraday authenticates users against the configured LDAP server and can automatically assign roles based on group membership.

Key Characteristics¶

Feature	Detail
Protocol	LDAP / LDAPS (SSL) / STARTTLS
Default port	389 (LDAP) / 636 (LDAPS)
Local user coexistence	No — enabling LDAP disables local users
SAML coexistence	No — LDAP and SAML are mutually exclusive
Role mapping	Via AD/LDAP group membership or local role assignment
Configuration methods	CLI (`faraday-manage`) or Web UI (Preferences)
Server restart	Required after configuration changes
User type in database	`ldap` (via `user_type` enum)

Important Constraints¶

No Hybrid Authentication

Faraday does not support a hybrid installation using both LDAP and local users simultaneously. Enabling LDAP disables local users and vice versa.

LDAP vs. SAML

LDAP and SAML cannot be active at the same time. Choose one authentication method for your deployment.

use_local_roles Warning

If use_local_roles is set to true, any user in the AD/LDAP directory will be allowed to use Faraday with the role specified in default_local_role. Use group-based role assignment for access control.

Configuration via Web UI¶

Click the user icon (top-right corner of Faraday web interface).
Select Preferences.
Navigate to the LDAP section under Authentication.
Click the Activate LDAP slider.
Fill in the connection and role mapping fields.
Click Save (upper corner).
Restart the Faraday Server (see Restart below).

Configuration via CLI¶

Run the following command to configure LDAP interactively:

faraday-manage settings -a update ldap

The command prompts for each setting, showing the current value in brackets:

$ faraday-manage settings -a update ldap
Update settings for: ldap
enabled [False]:
use_local_roles [True]:
default_local_role [admin]:
admin_group []:
asset_owner_group []:
client_group []:
pentester_group []:
disconnect_timeout [2.0]:
server []:
port [389]:
use_ldaps [False]:
use_start_tls [False]:
domain []:
domain_dn []:
bind_format [CN]:
bind_dn []:
user_class [user]:
user_attribute [sAMAccountName]:
group_class [group]:
paginated_fetch [False]:
Do you confirm your changes on ldap?

Press Enter to keep the current value for any setting.

Settings Reference¶

Connection Settings¶

Setting	Default	Description
`enabled`	`False`	Activate LDAP authentication
`server`	(blank)	LDAP server hostname or IP address
`port`	`389`	LDAP server port (`389` for LDAP, `636` for LDAPS)
`use_ldaps`	`False`	Enable LDAPS (LDAP over SSL) on port 636
`use_start_tls`	`False`	Enable STARTTLS encryption on standard port
`disconnect_timeout`	`2.0`	Connection timeout in seconds

Directory Settings¶

Setting	Default	Description
`domain`	(blank)	Domain name (e.g., `example.com`)
`domain_dn`	(blank)	Base Distinguished Name for user search (e.g., `DC=example,DC=com`)
`bind_format`	`CN`	Bind format: `CN` (Common Name) or `DN` (Distinguished Name)
`bind_dn`	(blank)	Bind DN for LDAP lookups (e.g., `CN=svc-faraday,OU=Service Accounts,DC=example,DC=com`)
`user_class`	`user`	LDAP object class for user entries
`user_attribute`	`sAMAccountName`	Attribute used as the username identifier
`group_class`	`group`	LDAP object class for group entries
`paginated_fetch`	`False`	Enable paginated results for large directories

Role Mapping Settings¶

Setting	Default	Description
`use_local_roles`	`True`	When `true`, assign roles locally instead of via group mapping
`default_local_role`	`admin`	Default role for new LDAP users (when `use_local_roles=true`)
`admin_group`	(blank)	AD/LDAP group name whose members get the admin role
`pentester_group`	(blank)	AD/LDAP group name whose members get the pentester role
`asset_owner_group`	(blank)	AD/LDAP group name whose members get the asset_owner role
`client_group`	(blank)	AD/LDAP group name whose members get the client role

Role Mapping¶

Faraday supports four roles, listed from most to least privileged:

Role	Description
`admin`	Full system access including settings and user management
`pentester`	Create/modify workspaces, manage vulnerabilities
`asset_owner`	View and manage assets, limited vulnerability access
`client`	Read-only access to assigned workspaces

Option A: Group-Based Role Assignment¶

Set use_local_roles to False and configure the group settings:

use_local_roles = false
admin_group = Faraday-Admins
pentester_group = Faraday-Pentesters
asset_owner_group = Faraday-AssetOwners
client_group = Faraday-Clients

Users are assigned the role matching their AD/LDAP group membership. Users not in any mapped group are denied access.

Option B: Local Role Assignment¶

Set use_local_roles to True (default):

use_local_roles = true
default_local_role = admin

All authenticated LDAP users receive the role specified in default_local_role. An administrator can later change individual user roles in the Faraday UI.

Authentication Flow¶

User Login Request
       │
       ▼
┌─────────────────┐
│  Faraday Login   │
│  (Web UI / API)  │
└────────┬────────┘
         │ username + password
         ▼
┌─────────────────┐
│  LDAP Bind       │──── bind_format=CN → CN=user,domain_dn
│  (authenticate)  │──── bind_format=DN → user@domain
└────────┬────────┘
         │ success
         ▼
┌─────────────────┐
│  Group Lookup    │──── Resolve group membership
│  (if group-based)│
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  User Provision  │──── Create/update user record
│  + Role Assign   │──── user_type = 'ldap'
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Session Created │──── JWT token or session cookie
└─────────────────┘

Example Configurations¶

Active Directory (On-Premises)¶

enabled = true
server = dc01.example.com
port = 389
use_ldaps = false
use_start_tls = true
domain = example.com
domain_dn = DC=example,DC=com
bind_format = CN
bind_dn =
user_class = user
user_attribute = sAMAccountName
group_class = group
use_local_roles = false
admin_group = Faraday-Admins
pentester_group = Faraday-Pentesters
asset_owner_group = Faraday-AssetOwners
client_group = Faraday-Clients
disconnect_timeout = 2.0
paginated_fetch = false

Active Directory with LDAPS¶

enabled = true
server = dc01.example.com
port = 636
use_ldaps = true
use_start_tls = false
domain = example.com
domain_dn = DC=example,DC=com
bind_format = CN
bind_dn =
user_class = user
user_attribute = sAMAccountName
group_class = group
use_local_roles = true
default_local_role = pentester
disconnect_timeout = 2.0
paginated_fetch = false

OpenLDAP¶

enabled = true
server = ldap.example.com
port = 389
use_ldaps = false
use_start_tls = true
domain = example.com
domain_dn = OU=People,DC=example,DC=com
bind_format = DN
bind_dn = cn=readonly,dc=example,dc=com
user_class = inetOrgPerson
user_attribute = uid
group_class = groupOfNames
use_local_roles = true
default_local_role = pentester
disconnect_timeout = 2.0
paginated_fetch = false

Restarting the Server¶

After modifying LDAP settings, restart the Faraday Server for changes to take effect:

# Systemd (bare-metal / VM)
systemctl restart faraday-server

# Docker
docker restart faraday-server

Troubleshooting¶

Cannot connect to LDAP server¶

Symptom	Possible Cause	Solution
Connection timeout	Firewall blocking port	Verify port 389/636 is open between Faraday and LDAP server
Connection refused	Wrong server/port	Verify `server` and `port` settings; test with `ldapsearch`
SSL handshake failure	Certificate issue	For LDAPS, ensure the CA certificate is trusted on the Faraday host
STARTTLS failed	Server doesn't support it	Try LDAPS (`use_ldaps=true`, `port=636`) instead

Users cannot log in¶

Symptom	Possible Cause	Solution
"Invalid credentials"	Wrong bind format	Try switching `bind_format` between `CN` and `DN`
"User not found"	Wrong search base	Verify `domain_dn` covers the OU where users reside
"User not found"	Wrong user attribute	Check `user_attribute` matches your directory schema (`sAMAccountName` for AD, `uid` for OpenLDAP)
"User not found"	Wrong user class	Verify `user_class` (`user` for AD, `inetOrgPerson` for OpenLDAP)
All users get same role	`use_local_roles=true`	Set to `false` and configure group mappings

Testing LDAP Connectivity¶

Use ldapsearch from the Faraday server to verify connectivity:

# Test LDAP connection (plaintext)
ldapsearch -H ldap://dc01.example.com:389 \
  -D "CN=svc-faraday,DC=example,DC=com" \
  -W -b "DC=example,DC=com" "(sAMAccountName=testuser)"

# Test LDAPS connection
ldapsearch -H ldaps://dc01.example.com:636 \
  -D "CN=svc-faraday,DC=example,DC=com" \
  -W -b "DC=example,DC=com" "(sAMAccountName=testuser)"

Recovering from LDAP Lockout¶

If you enable LDAP and can no longer log in with local accounts:

Stop the Faraday Server.

Disable LDAP via the CLI:

faraday-manage settings -a update ldap
# Set enabled = False

Restart the server.
Local users will be available again.

Security Recommendations¶

Use LDAPS or STARTTLS — Never send LDAP credentials in plaintext over untrusted networks. Prefer LDAPS (port 636) or STARTTLS.
Use a dedicated service account — Configure bind_dn with a least-privilege service account for directory lookups.
Use group-based access control — Set use_local_roles=false and map specific AD groups to Faraday roles to limit who can access the platform.
Set appropriate default_local_role — If using local roles, prefer client or pentester over admin to follow least-privilege principles.
Enable paginated fetch for large directories — Set paginated_fetch=true if your directory has thousands of users to avoid timeouts.

LDAP-OKTA — LDAP integration using Okta as the LDAP provider
2fa — Two-Factor Authentication setup
SSO — SAML 2.0 Single Sign-On configuration
Server configuration Server settings reference