Security providers | RS Cloud

LDAP

LDAP fields
  • Connection settings (Not visible for clusters)

    • Hostname: Enter the hostname of the server that houses your external directory store.

      If you will be using LDAPS or LDAP with TLS, the hostname must match the hostname used in your LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name.

    • Port: Specify the port for your LDAP server. This is typically port 389 for LDAP or port 636 for LDAPS. BeyondTrust also supports global catalog over port 3268 for LDAP or 3269 for LDAPS.

    • Encryption: Select the type of encryption to use when communicating with the LDAP server. For security purposes, LDAPS or LDAP with TLS is recommended.

      Regular LDAP sends and receives data in clear text from the LDAP server, potentially exposing sensitive user account information to packet sniffing. Both LDAPS and LDAP with TLS encrypt user data as it is transferred, making these methods recommended over regular LDAP. LDAP with TLS uses the StartTLS function to initiate a connection over clear text LDAP but then elevates this to an encrypted connection. LDAPS initiates the connection over an encrypted connection without sending any data in clear text whatsoever.

      If you select LDAPS or LDAP with TLS, you must upload the Root SSL Certificate used by your LDAP server. This is necessary to ensure the validity of the server and the security of the data. The Root Certificate must be in PEM format. A certificate chain cannot be used.

      If the LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name does not match the value in the Hostname field, the provider will be treated as unreachable. You can, however, use a wildcard certificate to certify multiple subdomains of the same site. For example, a certificate for *.example.com would certify both support.example.com and remote.example.com.

    • Bind credentials: Specify a username and password with which your appliance can bind to and search the LDAP directory store.

      Binding credentials require a specific notation. Enter the username in the following format:

      • DOMAIN\Username
      • If your version of Active Directory does not support this notation, use USERNAME@DOMAIN

      If your server supports anonymous binds, you may choose to bind without specifying a username and password. Anonymous binding is considered insecure and is turned off by default on most LDAP servers.

    • Connection method: The Win32 connection agent enables your directory server and your appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

      Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.
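The Hostname and Encryption notes above set two conditions that cause most failed LDAPS or LDAP with TLS setups: the uploaded root must be a single PEM certificate, not a chain, and the Hostname value must be covered by a name on the server certificate. The following pre-flight check is an added example, not BeyondTrust code; the function names are hypothetical, the sample PEM wraps constructed placeholder bytes rather than a real certificate, and the one-label wildcard rule is standard RFC 6125 matching assumed here, since the page does not document the appliance's own matcher.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes with a DER SEQUENCE tag, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x82\x00\x04test").decode()
              + "\n-----END CERTIFICATE-----\n")

def check_root_pem(text):
    """Return a list of problems with a root certificate file before upload."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM certificate block found (DER or PKCS#7 file?)"]
    problems = []
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} certificates found: a chain cannot be used")
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate begins with a SEQUENCE tag
            problems.append("decoded data is not a DER SEQUENCE")
    return problems

def name_matches(hostname, pattern):
    """Assumed RFC 6125 rule: a wildcard stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def hostname_covered(hostname, cert_names):
    """True if any subject or SAN DNS name on the server certificate covers hostname."""
    return any(name_matches(hostname, name) for name in cert_names)
```

Pass `hostname_covered` the value you plan to enter in the Hostname field and the DNS names read from the LDAP server's certificate; a `False` result corresponds to the case the page describes, where the provider is treated as unreachable.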

RADIUS

RADIUS fields
  • Connection settings

    • Hostname: Enter the hostname of the server that houses your external directory store.

    • Port: Specify the authentication port for your RADIUS server. This is typically port 1812.

    • Timeout (seconds): Set the length of time to wait for a response from the server. Note that if the response is Response-Accept or Response-Challenge, then RADIUS will wait the entire time specified here before authenticating the account. Therefore, keep this value as low as is reasonable for your network settings. An ideal value is 3-5 seconds, with the maximum value at three minutes.

    • Connection method: The Win32 connection agent enables your directory server and your appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

      Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

    • Shared secret: Provide a new shared secret so your appliance and your RADIUS server can communicate.

Kerberos

Kerberos fields

OpenID Connect

OpenID Connect fields

SAML for representatives

SAML fields

SAML for public portals

SAML fields

Additional setup and tips


©2003-2026 BeyondTrust Corporation. All Rights Reserved.