Directory Integration


To allow users to connect to resources with their directory logins, you need to create an authentication provider and grant permissions to the users.

Access and permissions can be assigned to AD accounts directly in Mamori, or via a Mamori role that is linked to a directory group (by name or CN).

To configure cloud directories (Azure, Okta and Duo), simply select that provider type instead of LDAP when following the guide to creating a new provider.
Directory logins can be optionally extended to be multi-factored by setting the 2FA method for either the directory provider or individual accounts.
When a directory user is deleted, disabled or expires, then the login will no longer authenticate via Mamori. However, the stale Mamori linked accounts will persist until the synchronize operation is executed. Synchronizing will logically remove the stale linked accounts.

General Steps

Step 1 - Create an authentication provider for the directory

Step 2 - Set the 2FA method (optional)

Step 3 - Set the authentication chain (if more than one directory)

Step 4 - Grant access and permissions to directory users

  Method 1 - Map directory groups to Mamori roles

  Method 2 - Grant Mamori roles directly to directory users

Step 5 - Schedule Synchronize to clean up terminated accounts

Create Active Directory / LDAP


  • You’ll need an LDAP user with bind privileges to complete these tasks.
  • If you plan on managing permissions by mapping roles to directory groups or organizational units, then ensure your directory users are in the right directory groups and/or organizational units.

Add Provider

Click Server Settings > Authentication Providers


Name the provider

Choose Generic LDAP from the Authentication Provider list.

Fill in these fields on the Settings tab:

LDAP / Active Directory Server: Your server name, e.g.,
LDAP User (Bind DN) & Password: Your LDAP user with bind credentials
Base DN (Optional): Click Browse Directory, then select the folder(s) containing the users
Users Container / Organizational Unit string: You can manually enter a CN or OU, or have it set automatically by selecting a folder from the AD Browser
Search Filter: Accept the default or write your own filter
MFA Provider (Optional): The 2FA method to apply to all directory logins
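If you write your own Search Filter, the value substituted for the login must be escaped so that a name containing `*`, `(` or `)` cannot change the shape of the filter. The following is an added example (not Mamori's own code) that escapes a login per RFC 4515 and does a cheap structural check on a hand-written filter before it goes into the Search Filter field. The filter template used here is an assumed Active Directory style default, not necessarily Mamori's.

```python
# Added example, not Mamori's own code: escape a directory login for use in an
# LDAP search filter (RFC 4515) and sanity-check a custom filter's structure.

_ESCAPE_CHARS = {"\\", "*", "(", ")", "\x00"}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515, section 3).

    The special characters and every non-ASCII byte (UTF-8 encoded) become a
    backslash followed by two hex digits, so the value can never close or
    extend the enclosing filter.
    """
    out = []
    for ch in value:
        if ch in _ESCAPE_CHARS or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

# Assumed template (not taken from the page); the login is the only variable part.
LOGIN_FILTER_TEMPLATE = "(&(objectClass=person)(sAMAccountName={login}))"

def login_filter(login: str, template: str = LOGIN_FILTER_TEMPLATE) -> str:
    """Return the search filter for one login, with the login escaped."""
    return template.format(login=escape_filter_value(login))

def filter_is_well_formed(flt: str) -> bool:
    """Structural check for a custom filter: wrapped in one outer pair of
    parentheses, and parentheses balanced throughout. Escaped sequences such
    as \\28 and \\29 are skipped so they do not count as parentheses."""
    if not flt.startswith("(") or not flt.endswith(")"):
        return False
    depth = 0
    i = 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":
            i += 3          # skip backslash + two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False  # outer group closed before the end of the filter
        i += 1
    return depth == 0

if __name__ == "__main__":
    print(login_filter("jsmith"))
    # Wildcard and parentheses in the login are neutralised by escaping.
    print(login_filter("*)(objectClass=*"))
    print(filter_is_well_formed(
        "(&(objectClass=person)(memberOf=CN=DBA,OU=Groups,DC=corp,DC=example))"))
```

Run `filter_is_well_formed` over any filter you type into the Search Filter field; a filter that fails the check will not return the users you expect, and an unescaped login value is the usual cause.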

Advanced Options

Synchronize Users: Controls whether your directory users are displayed alongside Mamori users.

Set to false if you want to map AD groups to Mamori roles.

Set to true if you want to directly grant Mamori roles and permissions to AD users.

Granting Permissions - via directory group

Click Roles


Next, enter details in the user dialog:

Role ID: The Mamori role name
External Name: The directory group, CN or OU to link this role to
Priority: A ranking used to resolve conflicts when a user holds the same permission type via multiple roles
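To see how the Role ID / External Name / Priority mapping plays out for one user, here is an added example (not Mamori's own code) that resolves a user's roles from their group memberships and lets Priority settle a conflict between two roles that carry the same permission type. Two assumptions are mine, not the page's: the lower Priority number wins, and External Name matches either the group's CN or its full DN, case-insensitively.

```python
# Added example, not Mamori's own code: resolve roles for a directory user from
# group-to-role mappings and apply Priority to settle permission conflicts.
# Assumption (not from the page): lower Priority number wins; External Name
# matches a group's CN or full DN case-insensitively.
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleMapping:
    role_id: str        # the Mamori role name
    external_name: str  # directory group name, CN or full DN linked to the role
    priority: int       # ranking used to resolve permission conflicts

def leading_cn(dn: str) -> str:
    """Return the value of the first RDN of a DN ('CN=DBA,OU=...' -> 'DBA')."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip() if "=" in first_rdn else first_rdn.strip()

def mapping_matches(mapping: RoleMapping, group_dn: str) -> bool:
    ext = mapping.external_name.strip().lower()
    return ext in (group_dn.strip().lower(), leading_cn(group_dn).lower())

def roles_for_user(member_of, mappings):
    """Mappings matched by any of the user's groups, best priority first."""
    hits = [m for m in mappings if any(mapping_matches(m, g) for g in member_of)]
    return sorted(hits, key=lambda m: m.priority)

def effective_permissions(roles, role_permissions):
    """Merge per-role permissions; for each permission type the role with the
    best priority wins. role_permissions: {role_id: {permission_type: setting}}."""
    effective = {}
    for role in roles:  # already ordered by priority
        for perm_type, setting in role_permissions.get(role.role_id, {}).items():
            effective.setdefault(perm_type, (setting, role.role_id))
    return effective

# Constructed sample data (not real directory or Mamori content).
MAPPINGS = [
    RoleMapping("db_admin", "DBA", 10),
    RoleMapping("all_staff", "CN=Everyone,OU=Groups,DC=corp,DC=example", 100),
    RoleMapping("finance", "Finance", 50),
]
ROLE_PERMISSIONS = {
    "db_admin": {"SELECT sales.orders": "GRANTED", "MASK sales.customers.ssn": "NONE"},
    "all_staff": {"SELECT sales.orders": "GRANTED", "MASK sales.customers.ssn": "FULL"},
    "finance": {"SELECT finance.ledger": "GRANTED"},
}
USER_MEMBER_OF = [
    "CN=DBA,OU=Groups,DC=corp,DC=example",
    "CN=Everyone,OU=Groups,DC=corp,DC=example",
]

def resolve(member_of=USER_MEMBER_OF):
    """Return (ordered role ids, effective permissions) for a user's memberOf list."""
    roles = roles_for_user(member_of, MAPPINGS)
    return [r.role_id for r in roles], effective_permissions(roles, ROLE_PERMISSIONS)

if __name__ == "__main__":
    role_ids, perms = resolve()
    print(role_ids)
    for perm_type, (setting, via) in perms.items():
        print(f"{perm_type}: {setting} (via {via})")
```

The sample shows the point of the Priority field: both roles carry a masking setting for the same column, and without a ranking the result would depend on iteration order rather than policy. Whichever direction the product actually ranks in, set priorities deliberately on any two roles that can overlap on a permission type.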

Granting Permissions - directly to a user

Click Users

Click DIRECTORY SERVICE USERS and find the user

Click if the directory user is not in the list

Next, edit the user and set their permissions

For Administrators

Synchronizing Directory Users

To clean up Mamori directory accounts that are linked to invalid AD logins, you can either manually execute the synchronize operation via the Users screen or schedule the synchronize.

Once a directory login becomes invalid that login will no longer authenticate via Mamori even if the Mamori directory account exists. The clean up is purely to remove stale accounts.

Scheduling Synchronize

Click Console

In the console editor, run the create job statement:

  --  Example of synchronize running every 15th minute
  CREATE JOB 'directory_refresh' 
      CRONTRIGGER '0 */15 * * * ?' 
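The CRONTRIGGER above uses the six-field (seconds first) cron layout. Before scheduling, it is worth confirming what an expression actually fires on; the following is an added example (not Mamori's own code) that evaluates the subset of that syntax used here (`*`, `?`, single values, ranges, comma lists and `*/n` / `a/n` steps) and reports the next fire time and the number of runs per day. The field order and the day-of-week numbering (1 = Sunday) are assumed to follow the common Quartz layout.

```python
# Added example, not Mamori's own code: evaluate a six-field cron trigger such as
# '0 */15 * * * ?' to check when a scheduled synchronize job will run.
# Assumed field order: sec min hour day-of-month month day-of-week (Quartz style).
from datetime import datetime, timedelta

FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (1, 7)]

def parse_field(spec: str, lo: int, hi: int) -> set:
    """Expand one cron field into the set of integers it allows."""
    allowed = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part in ("*", "?"):          # '?' means 'no specific value' for dom/dow
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # 'a/n' runs from a to the field's max
        allowed.update(range(start, end + 1, step))
    return allowed

def parse_cron(expr: str) -> list:
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields: sec min hour dom month dow")
    return [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def fires_at(parsed: list, dt: datetime) -> bool:
    sec, minute, hour, dom, month, dow = parsed
    quartz_dow = (dt.isoweekday() % 7) + 1      # 1 = Sunday ... 7 = Saturday
    return (dt.second in sec and dt.minute in minute and dt.hour in hour
            and dt.day in dom and dt.month in month and quartz_dow in dow)

def next_fire(expr: str, after: datetime, limit: timedelta = timedelta(days=2)):
    """First fire time strictly after 'after', or None within 'limit'."""
    parsed = parse_cron(expr)
    t = after.replace(microsecond=0) + timedelta(seconds=1)
    end = after + limit
    while t <= end:
        if fires_at(parsed, t):
            return t
        t += timedelta(seconds=1)
    return None

def fires_per_day(expr: str, day: datetime) -> int:
    """Number of fire times during the calendar day containing 'day'."""
    parsed = parse_cron(expr)
    start = datetime(day.year, day.month, day.day)
    return sum(1 for s in range(86400) if fires_at(parsed, start + timedelta(seconds=s)))

if __name__ == "__main__":
    expr = "0 */15 * * * ?"
    now = datetime(2024, 3, 13, 10, 7, 30)      # constructed timestamp
    print("next run:", next_fire(expr, now))
    print("runs per day:", fires_per_day(expr, now))
```

For the expression on the page this reports a next run at 10:15:00 and 96 runs per day. Tightening the schedule shortens the window in which a terminated account's stale Mamori entry remains visible, but as the section above notes, the login itself already stops authenticating as soon as it is invalid in the directory.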


Querying an LDAP server

Click Console

To see all the available users in a directory:

   --parameters (directory name, user name)
   call directory_search(null, '');   

For a custom LDAP query:

   --parameters (directory name, user name)
              ,'LDAP BIND USER'
              ,'USER PASSWORD'
              ,'THE CN TO SEARCH FROM');

Updated at Wed, Mar 13, 2024