Integrate with LDAP

Estimated reading time: 4 minutes

These are the docs for UCP version 2.0

To select a different version, use the selector below.

Docker UCP integrates with LDAP services, so that you can manage users from a single place.

When you switch from built-in authentication to LDAP authentication, all manually created users whose usernames do not match any LDAP search results become inactive with the exception of the recovery admin user which can still login with the recovery admin password.

Configure the LDAP integration

To configure UCP to authenticate users using an LDAP service, go to the UCP web UI, navigate to the Settings page, and click the Auth tab.

Then configure your LDAP integration.


MethodThe method used to authenticate users. Managed authentication uses the UCP built-in authentication mechanism. LDAP uses an LDAP service to authenticate users.
Default permission for newly discovered accountsThe permission level assigned by default to a new user. Learn more about default permission levels.

LDAP server configuration

LDAP server URLThe URL where the LDAP server can be reached.
Recovery admin usernameThe username for a recovery user that can access UCP even when the integration with LDAP is misconfigured or the LDAP server is offline.
Recovery admin passwordThe password for the recovery user.
Reader DNThe distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice this should be an LDAP read-only user.
Reader passwordThe password of the account used for searching entries in the LDAP server.

LDAP security options

Skip verification of server certificateWhether to verify or not the LDAP server certificate when using TLS. The connection is still encrypted, but vulnerable to man-in-the-middle attacks.
Use StartTLSWhether to connect to the LDAP server using TLS or not. If you set the LDAP Server URL field with ldaps://, this field is ignored.

User search configurations

Base DNThe distinguished name on the LDAP tree where the search should start looking for users.
Username attributeThe LDAP attribute to use as username on UCP.
Full name attributeThe LDAP attribute to use as user name on UCP.
FilterThe LDAP search filter used to find LDAP users. If you leave this field empty, all LDAP entries on the Base DN, are imported as users.
Search scopeWhether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN.

Advanced LDAP configuration

No simple paginationIf your LDAP server doesn’t support pagination.
Enable sync of admin usersWhether to import LDAP users as UCP administrators.

Sync configuration

Sync intervalThe interval in hours to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that don’t exist in the LDAP server become inactive.

Test LDAP connection

LDAP test usernameAn LDAP user to test that the configuration is correctly configured.
LDAP test passwordThe password of the LDAP user.

Before you save the configuration changes, you should test that the integration is correctly configured. You can do this by providing the credentials of an LDAP user, and clicking the Test button.

Synchronize users

Once you’ve configure the LDAP integration, UCP synchronizes users based on the interval you’ve defined. When the synchronization runs, UCP stores logs that can help you troubleshoot when something goes wrong.

You can also manually synchronize users by clicking the Sync Now button.

Revoke user access

When a user is removed from LDAP, that user becomes inactive after the LDAP synchronization runs.

LDAP, authentication, user management