Skip to main content
All CollectionsOnboard your team with Cheqroom
Integrating with your LDAP or Active Directory server
Integrating with your LDAP or Active Directory server
Mateus Savaris avatar
Written by Mateus Savaris
Updated over 9 months ago

Cheqroom supports Single Sign-On (SS0) by connecting to your organization's LDAP (Lightweight Directory Access Protocol) or Active Directory servers. 

Setting up sync with your AD server

  • Click Settings in the bottom left corner of your screen

  • Click Add-ons

  • Scroll down and activate 'sync remote users' if necessary

  • Next, click Settings or this link

  • Click New user sync

  • Fill in your Host settings, port and authentication credentials
    (you can use ldap://  or ldaps://  in hostnames)

  • Click Check connection*

  • Fill in the Sync settings (including the Role of those users)

  • Fill in the Field mappings

How does it work?

Account synchronization

Cheqroom can keep your user logins up to date by using nightly account synchronization. Our service will grab one or more sets of specified accounts using the configuration parameters and filters you've defined.

You can filter out users you don’t want in a variety of ways. One way is to use a specified attribute to record whether or not users should sync. You might find that you already have some attributes you can use to achieve the filter that you want.

Password verification

LDAP and Active Directory won’t allow the password to be synchronized, but you can “phone-home” for authentications, which achieves the same thing, and is arguably more secure since the password database remains only at the customer site. In this way, your users can use their active directory password at the Cheqroom login screen on the web application and on mobile apps.

Best practices

  1. Be careful opening up your firewall.
    Make sure you lock down access to your server to only the IP mentioned below. Since you’re allowing access to your LDAP / Active Directory Server on the LDAP protocol, you will want to restrict it to only those who need it.

  2. Use minimum privileges for remote LDAP access.
    Allow only the least privilege possible to the account that is doing the sync. Most of the time, it will only need read access as this is a one-way synchronization. Write access should be forbidden.

  3. Practice good password policies.
    Make sure you choose a very long and difficult randomly generated password and make a schedule to update it.

  4. Audit and review periodically.
    Include this interface in your security reviews. Validate the settings, accesses, and firewall rules well and periodically.

  5. Make sure your User Syncs do not overlap.
    Configure your LDAP queries so a single user is only part of a single User Sync. Users that match the queries of multiple User Syncs will produce unexpected behavior.

Whitelist access from our servers

*Your LDAP server should whitelist access from these IP addresses.

  • 52.36.95.37 

  • 52.89.211.110

  • 52.33.117.113  

Related articles:

Did this answer your question?