LDAP
Identity & SecurityConnect AI agents to LDAP directory servers, including OpenLDAP, Active Directory, and any RFC 4511-compliant server. Agents search and read entries, provision and de-provision accounts, update attributes, and validate user credentials.
What This Integration Enables
Agents validate user logins against a corporate directory, look up people, groups, or devices by username, email, or any attribute, provision and de-provision accounts by creating, renaming or moving, and deleting entries, update directory attributes such as email, group membership, and phone numbers, and check group membership or an attribute value server-side without transferring data. Search is the flagship read: it runs from a Base DN with a scope of Base, One Level, or Subtree and an RFC 4515 filter, returning matching entries with their DN and attributes. Single-valued attributes come back as strings, multi-valued as arrays, and binary attributes as Buffers. Active Directory has specific rules the connector respects: password writes require LDAPS, and AD password changes through Modify Entry are out of scope because they need special encoding. The connector covers the read, write, and authenticate surface of a directory; the surrounding flow decides which reads and updates run automatically and where an admin approves a consequential write.
Without FlowRunner
With FlowRunner
Use Case Scenarios
Directory-backed login check
An application login attempt starts the flow. The agent calls Search to find the user by username and obtain their DN, then Authenticate User with that DN and the entered password. Because Authenticate User binds as the user on its own connection, the check reflects the directory's real credential state without the service account standing in for the user. The app gets a directory-backed login without reimplementing LDAP authentication itself.
New-hire account provisioning
A new-hire event starts the flow. The agent assembles the entry's DN and attributes, calls Search to confirm no conflicting entry exists, then Add Entry to create the account. It reads the entry back with Get Entry to confirm, and notifies IT that the account is ready with [Slack](/integrations/slack). The provisioning becomes a repeatable flow step with a record instead of a manual edit in a directory tool.
Membership verification before access
Before a downstream step grants access, the agent calls Search with a group filter to list a group's members, then Compare to verify a specific user's membership on the server. The access decision rests on a server-side truth rather than a stale export, and the check runs without pulling the whole member list across the wire.
Human-in-Loop Highlight
Provisioning an account into a privileged group, or deleting a directory entry, are the writes that should pause for an admin, because the directory is what other systems trust. The agent handles the reads and the safe assembly on its own: it searches for conflicts, builds the entry, and validates the attribute set. When the account is destined for a privileged group, or when the flow would delete an entry, it stops and asks the admin through Slack: "Ready to add [entry DN] to [privileged group], granting [access]. Approve the write, place in [standard group] instead, or hold for review?" The admin decides. The agent does the lookups and the staging; the person owns the write that changes access.
Agent Capabilities
8 actionsDirectory Reads
3- Search Searches from a Base DN with a scope and an RFC 4515 filter, returning matching entries with their DN and attributes. The flagship read operation.
- Get Entry Fetches a single entry by its exact DN, returning the entry or null.
- Compare Tests server-side whether an entry's attribute contains a specific value, returning a boolean without transferring the entry.
Directory Writes
4- Add Entry Creates an entry at a DN from a JSON object of attribute and value pairs, including objectClass.
- Modify Entry Applies add, replace, or delete changes to an entry's attributes.
- Rename Entry Changes an entry's DN to rename it in place or move it.
- Delete Entry Deletes a leaf entry. The typical human-gated write.
Authentication
1- Authenticate User Validates a user's credentials by binding as that user on a separate connection, returning whether the credentials are valid. Never uses the service credentials for the check.
Start building with LDAP
$100 in credits. No card required. Connect in minutes.