LDAP authentication lets users log in to Nexterm with their existing directory credentials. Nexterm uses a service account to search the directory for the user, then verifies the password by binding as that user. On success, Nexterm creates or updates a local account with attributes from the directory entry and issues a session token.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/gnmyt/Nexterm/llms.txt
Use this file to discover all available pages before exploring further.
How it works
Each login attempt follows these steps:Service account bind
Nexterm connects to your LDAP server and binds using the configured Bind DN and Bind Password to gain search access.
User search
Nexterm searches the Base DN subtree using your User Search Filter, replacing the
{{username}} placeholder with the value the user typed at login.Credential verification
Nexterm attempts to bind to the directory as the matched user using the password they provided. A successful bind means the credentials are correct.
Account sync
Nexterm creates a local account for first-time users, or updates the first and last name for returning users, based on the directory attributes.
Enabling an LDAP provider automatically disables the internal (local password) provider. Make sure your LDAP server is reachable from Nexterm before enabling the provider.
Adding an LDAP provider
Fill in the connection fields
Enter the server details, bind credentials, and search configuration as described in the fields table below.
Test the connection
Click Test Connection to verify Nexterm can reach the server and bind successfully with the service account credentials.
Provider fields
| Field | Description |
|---|---|
| Name | A label to identify this provider in the admin interface. |
| Host | Hostname or IP address of your LDAP server. |
| Port | 389 for plain LDAP, 636 for LDAPS. |
| Bind DN | Distinguished name of the service account Nexterm uses for directory searches. |
| Bind Password | Password for the service account. Stored encrypted at rest using your ENCRYPTION_KEY. |
| Base DN | The directory subtree to search for users (for example, CN=Users,DC=corp,DC=example,DC=com). |
| User Search Filter | LDAP filter used to locate a user. Use {{username}} as a placeholder for the login input. |
| Use TLS | Enable when connecting to an LDAPS endpoint on port 636. |
Example configurations
- Active Directory
- OpenLDAP
sAMAccountName in Advanced Settings. The default uid attribute is not used in AD.Search filter reference
The{{username}} placeholder in the search filter is replaced with the exact string the user enters at login.
| Directory | Filter | Notes |
|---|---|---|
| Active Directory | (sAMAccountName={{username}}) | Use the Windows login name (pre-2000 format). |
| OpenLDAP | (uid={{username}}) | Standard POSIX uid attribute. |
| Email login | (mail={{username}}) | Lets users type their email address instead of a username. |
| Combined (person + uid) | (&(objectClass=person)(uid={{username}})) | Restricts results to user objects; useful when the base DN contains non-person entries. |
Attribute mapping
Nexterm reads three attributes from the matched directory entry. The defaults work for most OpenLDAP schemas. Override them in Advanced Settings if your directory uses different attribute names.| Nexterm field | Default attribute | Active Directory equivalent |
|---|---|---|
| Username | uid | sAMAccountName |
| First name | givenName | givenName |
| Last name | sn | sn |
Testing the connection
After saving the provider, click Test Connection. Nexterm binds to the directory using the configured service account and reports whether the bind succeeds. A successful test confirms the host, port, Bind DN, and Bind Password are correct.Troubleshooting
ECONNREFUSED — server not reachable
ECONNREFUSED — server not reachable
Nexterm cannot connect to the LDAP server. Check:
- The Host field matches your server’s hostname or IP.
- The Port is correct (
389for LDAP,636for LDAPS). - A firewall is not blocking the connection from the Nexterm host to the LDAP server on that port.
INVALID_CREDENTIALS — bind failed
INVALID_CREDENTIALS — bind failed
The service account bind failed. Check:
- The Bind DN is the full distinguished name, including all
CN=andDC=components. - The Bind Password is correct and has not expired.
- The service account is not locked or disabled in your directory.
Users can't log in — no results from search
Users can't log in — no results from search
The service account bind succeeds but the user search returns no results. Check:
- The Base DN covers the OU or container where the user accounts live.
- The User Search Filter uses the correct attribute for your directory (for example,
sAMAccountNamefor AD,uidfor OpenLDAP). - The
{{username}}placeholder is present in the filter and spelled correctly (double curly braces on each side).
Wrong name displayed after login
Wrong name displayed after login
If the first or last name is blank or incorrect, the directory attributes may differ from the defaults. Check the actual attribute names on a user entry in your directory and update the attribute mapping in Advanced Settings accordingly.