External Authentication

Setting up LDAP/AD Authentication

Initial Setup

Setup of external authentication is done through the Admin ‣ Security ‣ LDAP Authentication Settings interface. To begin, click New LDAP Utility.

Filling in the form:

IP Address (Required)
IP address or FQDN of AD/LDAP server
Port (Required)
Port used to connect to this AD/LDAP server. The default LDAP ports are: ldap: 389, ldaps: 636
Protocol (Required)

ldap or ldaps. To use the ldaps protocol, follow the OpenLDAP instructions for enabling encrypted (TLS) connections between the CloudBolt server and the AD/LDAP server; the CloudBolt server also has to trust the CA that issued the directory server's certificate, or the TLS handshake fails before any bind is attempted. With plain ldap, the service account password and every user's login password cross the network in clear text, so ldaps is the right choice for anything beyond a test setup.

For more information on enabling ldaps, see: http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3

Service Account
The service account in AD/LDAP that can search for users and, if applicable, join servers to the domain.
Password
The password that authenticates the service account.
LDAP Version
2 or 3 (current AD and OpenLDAP servers use version 3). If not sure, check with your Directory Administrator about what to enter here.
Base DN
The starting point when searching for users in the directory
Search Filter

This can be used to limit the users returned in the first phase of authentication (the directory search for the user who is logging in). It uses LDAP filter syntax.

For more information on LDAP search filters, see: http://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html

Disabled User Filter
Users that match this filter will be set to inactive in CloudBolt.
Domain
The domain for the AD/LDAP; e.g., exampledomain.com.
Username Field
The AD/LDAP attribute that should be used as the username when creating the CloudBolt user. For AD it is usually sAMAccountName; for most other directory servers it should be uid.
Firstname Field
The AD/LDAP attribute that should be used as the first name when creating the CloudBolt user. Defaults to givenName.
Lastname Field
The AD/LDAP attribute that should be used as the last name when creating the CloudBolt user. Defaults to sn.
Email Field
The AD/LDAP attribute that should be used as the email address when creating the CloudBolt user. Defaults to mail.
Email Format

Not all directories store email information, and an admin may wish to override the email setting for each user. CloudBolt lets you define an email template based on other user attributes; e.g., @@first@@.@@last@@@@domain@@ or @@username@@@some_cloudbolt_c2_specific_email_domain.

Possible references are first, last, username and domain.

Auto-create users
Any valid user in LDAP can access CloudBolt even if a matching CloudBolt user did not exist prior to the first login attempt. See Auto-Creation of Users.
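The Email Format entry above, worked through as an added example (this is not CloudBolt's own code). It assumes that each @@first@@, @@last@@, @@username@@ or @@domain@@ token expands to the bare attribute value and that every other character, including a literal "@", is copied through unchanged, and it uses the page's default attribute names (givenName, sn, mail). The sample directory entries are constructed.

```python
# Added example (not CloudBolt's own code): expanding an Email Format template
# from the attributes read out of the directory, and falling back to it only
# when the Email Field is empty or the admin chooses to override it.
# Assumptions: each @@first@@, @@last@@, @@username@@ or @@domain@@ token
# expands to the bare attribute value and every other character, including a
# literal "@", is copied through unchanged; attribute names are the page's
# defaults (givenName, sn, mail).
import re

EMAIL_TOKEN = re.compile(r"@@(first|last|username|domain)@@")
ANY_TOKEN = re.compile(r"@@(\w+)@@")


def format_email(template: str, first: str, last: str, username: str, domain: str) -> str:
    """Expand the four supported references; reject unknown ones, empty inputs and bad results."""
    values = {"first": first, "last": last, "username": username, "domain": domain}
    for name in ANY_TOKEN.findall(template):
        if name not in values:
            raise ValueError(f"unsupported reference @@{name}@@ in Email Format")
        if not values[name]:
            raise ValueError(f"directory attribute for @@{name}@@ is empty")
    address = EMAIL_TOKEN.sub(lambda m: values[m.group(1)], template)
    # A template that forgot the literal "@" (or has two) yields an unusable address.
    if address.count("@") != 1 or address.startswith("@") or address.endswith("@"):
        raise ValueError(f"Email Format produced an implausible address: {address!r}")
    return address


def resolve_email(entry: dict, template: str, domain: str, username_field: str = "uid",
                  email_field: str = "mail", override: bool = False) -> str:
    """Use the directory's Email Field when present unless the template overrides it."""
    if not override and entry.get(email_field):
        return entry[email_field]
    return format_email(template, first=entry.get("givenName", ""), last=entry.get("sn", ""),
                        username=entry.get(username_field, ""), domain=domain)


# Constructed sample entries (not real directory data).
WITH_MAIL = {"uid": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jane.doe@mail.example.com"}
NO_MAIL = {"uid": "asmith", "givenName": "Alex", "sn": "Smith"}

if __name__ == "__main__":
    tmpl = "@@first@@.@@last@@@@@domain@@"   # literal "@" before the @@domain@@ token
    print(resolve_email(WITH_MAIL, tmpl, "example.com"))                 # mail attribute wins
    print(resolve_email(WITH_MAIL, tmpl, "example.com", override=True))  # template wins
    print(resolve_email(NO_MAIL, "@@username@@@corp.example", "example.com"))
```

Under the substitution rule assumed here, the domain reference has to be preceded by a literal "@" in the template (five consecutive "@" characters before the word domain), exactly as the page's second example places a literal "@" after @@username@@; a template without it produces an address with no "@" at all, which format_email rejects rather than storing.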


The CloudBolt server ships with the OpenLDAP ldapsearch utility. To verify the AD/LDAP connection, log into the CloudBolt server console and run ldapsearch, passing the URI, bind DN, base DN and filter exactly as they are configured in CloudBolt:


ldapsearch -H "PROTOCOL://IP:PORT" -D "ACCOUNT" -b BASEDN -w PASSWORD -s sub -x -v "FILTER"

ldapsearch exits with the LDAP result code, so an exit status of 49 means the service account DN or its password was rejected and 32 means the Base DN does not exist on that server; "Can't contact LDAP server" points at the IP address, port, protocol or, for ldaps, certificate trust. Passing the password with -w puts it into the shell history and into the process list for the duration of the search; -W prompts for it instead.
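An added example (not CloudBolt's own code) that serves two parts of this page: it shows how the Username Field, Search Filter and Disabled User Filter settings turn into LDAP filters, why the login name must be escaped before it is substituted into one, and how to run the ldapsearch check above with the same values the form holds, without putting the bind password on the command line. The way the login name is substituted into the filter is an assumption about how a server uses these settings; the RFC 4515 escaping, the AD userAccountControl bit and matching rule, and the ldapsearch flags are real. The host, DNs and directory entries are constructed.

```python
# Added example (not CloudBolt's own code): building the first-phase user
# lookup filter safely, expressing an AD Disabled User Filter, and running the
# ldapsearch verification with the bind password kept off the command line.
import os
import subprocess
import tempfile

# RFC 4515 escapes for the characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_field: str, login_name: str, search_filter: str = "") -> str:
    """First-phase lookup (assumed): AND the optional Search Filter with the username match."""
    user_clause = f"({username_field}={escape_filter_value(login_name)})"
    search_filter = search_filter.strip()
    if not search_filter:
        return user_clause
    if not search_filter.startswith("("):
        search_filter = f"({search_filter})"
    return f"(&{search_filter}{user_clause})"


# Active Directory keeps the account state as bits in userAccountControl;
# 0x2 is ACCOUNTDISABLE and the OID is the server-side bitwise-AND matching
# rule, so this Disabled User Filter matches exactly the disabled accounts.
AD_ACCOUNTDISABLE = 0x0002
AD_DISABLED_USER_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def is_disabled_ad_entry(entry: dict) -> bool:
    """Client-side equivalent of AD_DISABLED_USER_FILTER for one returned entry."""
    return bool(int(entry.get("userAccountControl", "0")) & AD_ACCOUNTDISABLE)


# ldapsearch exits with the LDAP result code; these are the usual ones when a
# freshly entered LDAP Utility is wrong.
LDAP_RESULT_CODES = {
    0: "success: bind and search worked",
    32: "noSuchObject: the Base DN does not exist on this server",
    34: "invalidDNSyntax: the service account DN or Base DN is malformed",
    49: "invalidCredentials: the service account DN or its password was rejected",
    255: "could not contact the server: check IP, port, protocol and, for ldaps, the CA trust",
}


def describe_result(returncode: int) -> str:
    return LDAP_RESULT_CODES.get(returncode, f"LDAP result code {returncode}; see the ldapsearch output")


def ldapsearch_argv(protocol, host, port, bind_dn, base_dn, ldap_filter, password_file):
    """The console command from the page, with -y FILE in place of -w PASSWORD."""
    return ["ldapsearch", "-x", "-v", "-H", f"{protocol}://{host}:{port}", "-D", bind_dn,
            "-y", password_file, "-b", base_dn, "-s", "sub", ldap_filter]


def verify_ldap_utility(protocol, host, port, bind_dn, password, base_dn, ldap_filter):
    """Run the check; returns (returncode, explanation, stderr)."""
    # mkstemp creates the file mode 0600; -y reads it verbatim, so no trailing newline.
    fd, path = tempfile.mkstemp(prefix="ldapbind-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
        argv = ldapsearch_argv(protocol, host, port, bind_dn, base_dn, ldap_filter, path)
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, "ldapsearch is not installed on this host", ""
    finally:
        os.unlink(path)
    return proc.returncode, describe_result(proc.returncode), proc.stderr


# Constructed sample entries (not real directory data) for the disabled check.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": "512"},       # NORMAL_ACCOUNT
    {"sAMAccountName": "asmith", "userAccountControl": "514"},     # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "svc-old", "userAccountControl": "66050"},  # also DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    group_filter = "(memberOf=CN=cloudbolt-users,OU=Groups,DC=example,DC=com)"  # hypothetical
    print(build_user_filter("sAMAccountName", "jdoe", group_filter))
    print(build_user_filter("sAMAccountName", "*)(objectClass=*", group_filter))  # injection attempt, neutralised
    print(AD_DISABLED_USER_FILTER, [e["sAMAccountName"] for e in SAMPLE_ENTRIES if is_disabled_ad_entry(e)])
    # Hypothetical values; replace them with the ones entered in the LDAP Utility form.
    print(verify_ldap_utility("ldaps", "ad.example.com", 636,
                              "CN=svc-cloudbolt,OU=Service Accounts,DC=example,DC=com", "replace-me",
                              "DC=example,DC=com", build_user_filter("sAMAccountName", "jdoe", group_filter))[:2])
```

The second print shows why escaping matters: a login name of *)(objectClass=* left unescaped would turn the lookup into a filter that matches every object under the Base DN, whereas the escaped form looks for a literal value and matches nothing. The filter string build_user_filter returns is exactly what goes into the FILTER argument of the console command.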

Note on Joining Windows Servers to Domains

Windows Server 2008 R2 does not support use of NETBIOS naming. If you selected the Auto-join servers option and want Windows Server 2008 R2 servers to auto-join the domain, define the service account and domain in this form: adminaccount@domain.com and domain.com.

Auto-Creation of Users

For LDAP/AD, if you check the box for auto-creating users, any user with valid AD/LDAP credentials will be given an account in CloudBolt the first time they log in.

For Google authentication, auto-creation of users is always enabled (for the domains specified in the whitelist).

Auto-created users will not have any permissions or belong to any groups until a Group Admin explicitly grants permissions to a user.

RADIUS Two-Factor Authentication

When using external LDAP/AD authentication, CloudBolt optionally supports two-factor authentication with RADIUS providers such as RSA SecurID tokens.

  1. Go to Admin Home > Database Browser.
  2. Under Utilities, click Add next to RADIUS Utilities.
  3. Enter the Server (IP or resolvable hostname), Port, Auth policy (e.g. Token Only), and Secret for the RADIUS server you wish to use.
  4. Click SAVE.
  5. In your RADIUS system, add an agent/client for your CloudBolt server to match the secret you chose above.
  6. After setting up the RADIUS Utility and your LDAP settings, users will see a Token field on the login page after selecting an LDAP domain.
  • CloudBolt does not support challenge responses from a RADIUS server at this time. Any Auth policy that includes both token and password does so by concatenating the two values into a single credential before attempting to authenticate to the RADIUS server.
  • CloudBolt does not support changing RADIUS credentials such as the password, so you must not use options such as SecurID's “Require user to change password at next login”.
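The two notes above, the concatenated credential and the lack of challenge support, as an added example of the RADIUS exchange they describe (this is not CloudBolt's code and does not claim to be its implementation). It assumes PAP-style User-Password hiding as specified in RFC 2865 section 5.2, that "password and token" concatenates the password followed by the token (the page states neither the order nor the RADIUS method), and that an Access-Challenge reply is treated as a failed login. The shared secret, user and token are constructed values.

```python
# Added example (not CloudBolt's own code): the single credential sent per Auth
# policy, the Access-Request that carries it, and how a client should check the
# server's reply. Assumptions: RFC 2865 User-Password hiding (PAP), password
# followed by token for the combined policy, Access-Challenge treated as failure.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def radius_credential(auth_policy: str, password: str, token: str) -> str:
    """One string goes into User-Password; there is no second round trip for the token."""
    if auth_policy == "token_only":
        return token
    if auth_policy == "password_and_token":
        return password + token  # assumed order
    raise ValueError(f"unknown Auth policy {auth_policy!r}")


def hide_password(plain: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(plain) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = plain + b"\x00" * (-len(plain) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; a mismatched shared secret yields garbage."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, credential: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Client -> server. The 16-byte Request Authenticator must be fresh and random."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(credential.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_reply(code: int, identifier: int, request_authenticator: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """Server -> client. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def classify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Verify the Response Authenticator before trusting the code; a Challenge is a failure here."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "forged-or-wrong-secret"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge-unsupported"}.get(code, f"unexpected-code-{code}")


if __name__ == "__main__":
    secret = b"shared-secret-from-the-RADIUS-Utility"  # must match the agent/client entry on the server
    cred = radius_credential("password_and_token", "Passw0rd", "123456")
    req = build_access_request(1, "jdoe", cred, secret)
    auth = req[4:20]
    print(classify_reply(build_reply(ACCESS_ACCEPT, 1, auth, secret), auth, secret))
    print(classify_reply(build_reply(ACCESS_CHALLENGE, 1, auth, secret), auth, secret))
    print(classify_reply(build_reply(ACCESS_ACCEPT, 1, auth, b"mistyped"), auth, secret))
```

The third print is what step 5 guards against: if the secret entered in the RADIUS Utility differs from the one on the server's agent/client entry, the server cannot recover the hidden credential and the client cannot validate the server's reply, so every login fails even with a correct password and token.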