How to Configure Microsoft ADDS LDAP with OpenObserve and Dex: Complete Integration Guide
Chaitanya Sistla
April 23, 2025
5 min read
Don’t forget to share!
Understanding Microsoft ADDS LDAP and Its Importance
Microsoft Active Directory Domain Services (ADDS) is a directory service that provides authentication and authorization functions within Windows domain networks. It serves as a centralized database that stores information about network objects, including users, computers, printers, and more. LDAP (Lightweight Directory Access Protocol) is the protocol used to communicate with Active Directory.
Organizations implement Microsoft ADDS LDAP for several compelling reasons:
Centralized Authentication: It provides a single point of authentication for all users across the organization, simplifying user management.
Enhanced Security: By implementing ADDS LDAP, especially with secure LDAP (LDAPS), organizations can encrypt authentication traffic, protecting sensitive credentials.
Streamlined User Management: ADDS makes it easier to manage user accounts, group memberships, and access permissions across the entire network.
Single Sign-On (SSO) Capabilities: When integrated with tools like Dex and observability platforms like OpenObserve, it enables users to access multiple systems with a single set of credentials.
Now, let's walk through how to set up Microsoft ADDS LDAP for integration with OpenObserve using Dex as the identity provider.
Step-by-Step Guide to Enable Microsoft ADDS LDAP
1. Access Microsoft Entra Admin Center
Begin by navigating to the Microsoft Entra Admin Center at https://entra.microsoft.com/#home. You'll need administrator credentials to access this portal.
2. Create Microsoft Entra Domain Services
- In the admin center, locate and click on "Microsoft Entra Domain Services" in the left navigation panel
- Click "Create" to begin the setup process
- Leave the default settings as they are (these are optimized for most standard deployments)
- Confirm your selection and click "Create"
Note: The provisioning process typically takes 20-30 minutes to complete. You can monitor the deployment progress in the notifications area.
3. Configure Secure LDAP (LDAPS)
Once your Microsoft Entra Domain Services is active, you'll need to enable secure LDAP:
- Navigate to your newly created Domain Services resource
- Select "Secure LDAP" from the left menu
- Click "Configure" to set up secure LDAP
4. Create and Upload SSL Certificates
To enable secure LDAP connections, you'll need to generate a proper SSL certificate:
# Generate certificates using certbot
certbot certonly --manual --preferred-challenges dns -d *.ldap.example.com -d *.example.com -d example.com
# Convert the certificates to PFX format (you'll be prompted to create a password)
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -certfile chain.pem
After generating the certificate: - In the secure LDAP configuration screen, upload your newly created PFX certificate - Enter the password you created during the PFX conversion - Enable "LDAPS access over the internet" - Save your changes
5. Configure Network Security
To ensure secure access to your LDAP service:
- Navigate to the "Properties" section of your Domain Services
- Locate and copy the "Secure LDAP external IP address"
- Go to the "Network security" section
- Modify the Network Security Group (NSG) to allow traffic on port 636 (LDAPS) only from your specific IP addresses
6. Configure DNS Records
Create a DNS record to make your LDAP service easily accessible:
- Set up an A record for
ldap.example.compointing to the secure LDAP external IP address you copied earlier
7. Configure Dex for LDAP Authentication
Now that Microsoft ADDS LDAP is configured, you need to set up Dex (an identity service) to connect to it. Add the following configuration to your Dex config file:
- type: ldap
id: ldap
name: LDAP
config:
host: ldap.example.com:636
bindDN: ldap_test@example.com
bindPW: your_password_here
usernamePrompt: SSO Username
userSearch:
baseDN: DC=ldap,DC=example,DC=com
filter: "(objectClass=person)"
username: userPrincipalName
idAttr: objectGUID
emailAttr: userPrincipalName
nameAttr: displayName
preferredUsernameAttr: sAMAccountName
Important: Replace the placeholder values (
example.com,your_password_here, etc.) with your actual domain and credentials.
8. Assign Users to AD Groups
For proper access control:
- Navigate to your Active Directory Users and Computers
- Create appropriate security groups if they don't already exist
- Add users to these groups based on their required access levels
9. Test the Integration
Finally, test the integration by:
- Launching OpenObserve
- Selecting LDAP as the authentication method
- Entering your Active Directory credentials
- Verifying that you can successfully log in and access appropriate resources
Conclusion
Integrating Microsoft ADDS LDAP with OpenObserve through Dex represents a significant step forward in enterprise observability security. This configuration not only centralizes user authentication but also enhances security by enabling encrypted LDAPS connections and leveraging your existing Active Directory infrastructure.
By following this guide, you've successfully implemented a robust authentication mechanism that simplifies user management while maintaining strong security practices. Your observability platform is now seamlessly integrated with your organization's identity management system, allowing for streamlined access control and reduced administrative overhead.
Furthermore, this integration enables your team to maintain consistent access policies across your entire technology stack, ensuring that only authorized personnel can access sensitive monitoring and observability data. As your organization grows, this LDAP integration will scale with you, continuing to provide secure, centralized authentication for all your observability needs.
Remember to regularly rotate certificates, review access permissions, and keep your Directory Services updated to maintain the highest level of security for your observability platform.
Get Started with OpenObserve Today!
Sign up for a free trial of OpenObserve on our website. Check out our GitHub repository for self-hosting and contribution opportunities.
