LDAP | RS
Benefits of LDAP integration
BeyondTrust Remote Support integrates with LDAP directories to authenticate users and manage permissions through your existing directory services. Administrators can map users and groups, apply permissions based on LDAP hierarchy, and keep access in sync with directory updates.
- Use existing LDAP directory data to avoid manual account creation.
- Users log in with their standard system credentials.
- Permissions update automatically when users move between groups.
- Accounts deactivate immediately when removed from LDAP.
How do I access the Security Providers page?
- Use a Chromium-based browser to sign in to your Remote Support URL.
  This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Users & Security.
  The Users page opens and displays by default.
- At the top of the page, click Security Providers.
  The Security Providers page displays.
Add a security provider
- On the Security Providers page, click + Add, and then select LDAP from the list.
  The Add Security Provider page displays.
- Configure the security provider following the steps below.
LDAP fields
- Connection settings (Not visible for clusters)
  - Hostname: Enter the hostname of the server that houses your external directory store.
    If you will be using LDAPS or LDAP with TLS, the hostname must match the hostname used in your LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name.
  - Port: Specify the port for your LDAP server. This is typically port 389 for LDAP or port 636 for LDAPS. BeyondTrust also supports global catalog over port 3268 for LDAP or 3269 for LDAPS.
  - Encryption: Select the type of encryption to use when communicating with the LDAP server. For security purposes, LDAPS or LDAP with TLS is recommended.
    Regular LDAP sends and receives data in clear text from the LDAP server, potentially exposing sensitive user account information to packet sniffing. Both LDAPS and LDAP with TLS encrypt user data as it is transferred, making these methods recommended over regular LDAP. LDAP with TLS uses the StartTLS function to initiate a connection over clear text LDAP but then elevates this to an encrypted connection. LDAPS initiates the connection over an encrypted connection without sending any data in clear text whatsoever.
    If you select LDAPS or LDAP with TLS, you must upload the Root SSL Certificate used by your LDAP server. This is necessary to ensure the validity of the server and the security of the data. The Root Certificate must be in PEM format. A certificate chain cannot be used.
    If the LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name does not match the value in the Hostname field, the provider will be treated as unreachable. You can, however, use a wildcard certificate to certify multiple subdomains of the same site. For example, a certificate for *.example.com would certify both support.example.com and remote.example.com.
  - Bind credentials: Specify a username and password with which your appliance can bind to and search the LDAP directory store.
    Binding credentials require a specific notation. Enter the username in one of the following formats:
    - DOMAIN\Username
    - USERNAME@DOMAIN, if your version of Active Directory does not support the DOMAIN\Username notation
    If your server supports anonymous binds, you may choose to bind without specifying a username and password. Anonymous binding is considered insecure and is turned off by default on most LDAP servers.
  - Connection method: If you are using an external directory store in the same LAN as your appliance, the two systems may be able to communicate directly, in which case you can leave the option Proxy from appliance through the Connection Agent unchecked and move on.
    If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall, you must use a connection agent. Downloading the Win32 connection agent enables your directory server and your appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).
    In the case above, check Proxy from appliance through the Connection Agent. Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.
    The Proxy from appliance through the Connection Agent option is not available to Remote Support Cloud customers, as Cloud instances must run the connection agent in order to use an external directory store.
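The Port, Encryption and Bind credentials fields above each carry a rule the appliance enforces: the port should suit the chosen encryption, a plain LDAP connection exposes credentials, the uploaded root certificate must be a single PEM certificate rather than a chain, the Hostname must match the certificate's subject name or DNS alternate name (with wildcards covering one subdomain level), and the bind username must use DOMAIN\Username or USERNAME@DOMAIN notation. The following pre-flight script is an added example and not BeyondTrust code: it models those fields as a plain dictionary and reports the inconsistencies before you save the provider. The dictionary keys, the sample hostnames, the certificate names and the placeholder PEM text are all constructed for illustration; the one-label wildcard rule is the standard TLS matching rule and agrees with the page's *.example.com example.

```python
"""Pre-flight checks for an LDAP security provider configuration.

Added example, not BeyondTrust code. The dict keys (hostname, port, encryption,
root_certificate, bind_username, bind_password) and every sample value below are
constructed for illustration; the rules come from the Connection settings fields.
"""
import re

# Port pairings named on the page: 389/636 for LDAP/LDAPS, 3268/3269 for global catalog.
PLAINTEXT_PORTS = {389, 3268}      # regular LDAP and LDAP with TLS (StartTLS)
LDAPS_PORTS = {636, 3269}          # LDAPS
# One PEM certificate block; an acceptable root certificate contains exactly one.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# DOMAIN\Username or USERNAME@DOMAIN: no whitespace, exactly one separator.
BIND_USER_RE = re.compile(r"^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+)$")


def hostname_matches(hostname, cert_names):
    """True if hostname equals a subject CN / DNS SAN entry, or fits a wildcard entry.
    A leading '*.' matches exactly one label (assumed: the usual TLS rule), so
    *.example.com covers support.example.com but not a.support.example.com."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                                   # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def pem_certificate_count(pem_text):
    """Number of certificate blocks in the uploaded root certificate text."""
    return len(PEM_BLOCK.findall(pem_text))


def check_provider(cfg, cert_names):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    enc, port = cfg["encryption"], cfg["port"]
    if enc == "LDAP":
        findings.append("encryption=LDAP: bind credentials and directory data travel in clear text")
    if enc == "LDAPS" and port not in LDAPS_PORTS:
        findings.append(f"port {port} is not an LDAPS port (636 or 3269)")
    if enc in ("LDAP", "LDAP with TLS") and port not in PLAINTEXT_PORTS:
        findings.append(f"port {port} is not a plain/StartTLS port (389 or 3268)")
    if enc in ("LDAPS", "LDAP with TLS"):
        count = pem_certificate_count(cfg.get("root_certificate", ""))
        if count == 0:
            findings.append("root certificate missing or not in PEM format")
        elif count > 1:
            findings.append(f"root certificate holds {count} certificates; a chain cannot be used")
        if not hostname_matches(cfg["hostname"], cert_names):
            findings.append(f"hostname {cfg['hostname']} matches none of {cert_names}; "
                            "the provider would be treated as unreachable")
    user, password = cfg.get("bind_username", ""), cfg.get("bind_password", "")
    if not user and not password:
        findings.append("anonymous bind: insecure and disabled by default on most servers")
    elif not BIND_USER_RE.match(user):
        findings.append(f"bind username {user!r} is not DOMAIN\\Username or USERNAME@DOMAIN")
    return findings


# Constructed sample data: the PEM body is a placeholder, not a real certificate.
SAMPLE_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-BASE64\n-----END CERTIFICATE-----\n"
GOOD_CERT_NAMES = ["*.corp.example.com"]        # constructed DNS SAN on the server certificate
GOOD_PROVIDER = {
    "hostname": "ldap.corp.example.com",
    "port": 636,
    "encryption": "LDAPS",
    "root_certificate": SAMPLE_ROOT_PEM,
    "bind_username": "CORP\\svc-rs-ldap",
    "bind_password": "constructed-secret",
}
WEAK_PROVIDER = {
    "hostname": "ldap.corp.example.com",
    "port": 389,
    "encryption": "LDAP",
    "bind_username": "",
    "bind_password": "",
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_PROVIDER), ("weak", WEAK_PROVIDER)):
        result = check_provider(cfg, GOOD_CERT_NAMES)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run the script to see the weak configuration flagged for clear-text LDAP and an anonymous bind; swap `SAMPLE_ROOT_PEM * 2` into `root_certificate` to see the chain rejection, or set the encryption to "LDAP with TLS" while leaving port 636 to see the port/encryption mismatch that StartTLS on the LDAPS port produces.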
Additional setup and tips