Deploy AD/LDAP Connectors for High Availability Environments

The AD/LDAP Connector is a critical component, therefore we recommend a highly available deployment with redundancy (that is, installing multiple instances of it).

Installing multiple instances of the connector in a high-availability deployment involves :

  • A first-time installation: You provide the ticket URL that links the connector to a specific connection in your Auth0 tenant and other configuration parameters.

  • Making copies of the original installation and populating it to other servers: Ensures that the same configuration and certificates securing communications are used in each instance.

Authentication method considerations

If you enable Kerberos or client certificates based authentication in your AD/LDAP connections, users will contact the connector directly instead of going through the Auth0 server. In scenarios where multiple connector instances exist, we recommend fronting them with a network load balancer.

You can use the SERVER_URL parameter to publish the public location where the Connector will be listening to incoming requests. Map the SERVER_URL in the network load balancer to all internal instances of the deployed connectors. No special distribution policy is required (for example, uniform round-robin with no sticky sessions works).

To learn more, read Configure AD/LDAP Connector Authentication with Kerberos or Configure AD/LDAP Connector Authentication with Client Certificates.

Install and configure first server

  1. Install and configure the Connector on the first server.

  2. Open the troubleshooting screen (go to http://localhost:8357/#troubleshoot) and run the troubleshooting test. Make sure all tests pass.

    Test Description Troubleshoot
    Test 1 Attempts to establish a TCP connection to the LDAP server and port specified. Check basic network connectivity and firewall settings that might prevent such a connection.
    Test 2 Attempts to perform an LDAP bind on the LDAP server and port specified and with the username and password provided. Check the LDAP connection string, search path, username and password.
    Test 3 Attempts to perform an LDAP search against the directory to check the privileges of the specified username. Check the privileges of the username in the target directory.
    Test 4 Attempts to establish a connection to the Auth0 server. Check network connectivity and firewall settings that might prevent such a connection.

  3. Once the Connector is installed, configured, and working correctly on your first server, export the configuration files. You will use them to configure the additional instances of the Connector on additional servers.

Configure additional servers

  1. Install the Connector on the other server(s). Do not configure the connector on the additional server yet.

  2. Import the configuration files from the first server.

  3. Restart the Auth0 ADLDAP and Auth0 ADLDAP Admin Windows Services on the new server(s).

  4. Open the troubleshooting screen (go to http://localhost:8357/#troubleshoot) and run the troubleshooting test. Make sure all tests pass.

To learn more, read Install and Configure the AD/LDAP Connector and Import and Export AD/LDAP Connector Configurations.

Verify connections

Once you've completed the configurations, go to the Connections section of the Auth0 Dashboard. The AD/LDAP Connection will have a green dot next to its name to indicate that it can use the connection successfully.

Learn more