Importing Users
If your organisation uses an LDAP directory (like Active Directory or OpenLDAP), you can connect Permiso to it so that users and groups are synced automatically. This means you don't have to manage two separate lists of people; Permiso stays in sync with your directory.
Note: LDAP sync is one option for bulk user management. For smaller teams or when you don't have an LDAP directory, inviting users via sign-up links is usually simpler.
How it works
When LDAP is enabled, Permiso reads users and groups from your directory at login time. Users log in through Permiso as normal (with a passkey), but their account details (name, email, group memberships) are kept in sync with the directory.
You can also configure Permiso to soft-delete users who are removed from the directory, which automatically disables their accounts.
Enable and configure LDAP
Go to Settings → Administration → Application Configuration and open the LDAP section.
| Field | Description |
|---|---|
| LDAP URL | The address of your LDAP server, e.g. ldap://ldap.example.com:389 or ldaps://ldap.example.com:636 |
| Bind DN | The distinguished name Permiso uses to connect to the directory, e.g. cn=permiso,ou=service-accounts,dc=example,dc=com |
| Bind Password | The password for the bind account |
| Base DN | The search base for users and groups, e.g. dc=example,dc=com |
| Skip certificate verification | Skips checking the LDAP server's TLS certificate. Only enable this for internal LDAP servers with self-signed certificates |
Attribute mapping
Permiso needs to know which LDAP attributes map to which user fields. The defaults work for most Active Directory setups, but you may need to adjust them for OpenLDAP or a custom schema.
| Permiso field | Default LDAP attribute |
|---|---|
| Unique identifier | objectGUID |
| Username | sAMAccountName |
| Email | mail |
| First name | givenName |
| Last name | sn |
| Display name | displayName |
| Profile picture | jpegPhoto |
| Group member | member |
| Group identifier | objectGUID |
| Group name | cn |
Admin group
If you want users in a specific LDAP group to automatically become Permiso admins, set the Admin Group Name field to the name of that group.
Soft-deleting users
When Soft delete users is enabled, Permiso disables accounts for users who no longer appear in the directory. Their account records and audit history are preserved; they just can't log in.
Testing the connection
After saving your LDAP configuration, try logging in as a user who exists in the directory. If the login fails, check:
- The LDAP URL is reachable from the Permiso server
- The bind DN and password are correct
- The base DN covers the part of the directory where your users live
- The user filter is returning the right results (your LDAP server's admin tools can help you test this)
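A small pre-flight script that checks the settings from the configuration table and builds a correctly escaped user lookup filter from the default attribute mapping, as an added example (not Permiso's own code); the configuration dictionary keys, the sample values and the user-filter shape `(sAMAccountName=<username>)` are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Default attribute mapping from the table above (user fields only).
DEFAULT_ATTRIBUTES = {
    "unique_id": "objectGUID",
    "username": "sAMAccountName",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "display_name": "displayName",
}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a login name containing * ( ) or \\ would change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(username: str, attrs: dict = DEFAULT_ATTRIBUTES) -> str:
    """Build the lookup filter for one login name (assumed shape, using the mapped username attribute)."""
    return f"({attrs['username']}={escape_filter_value(username)})"

def looks_like_dn(value: str) -> bool:
    """Cheap sanity check: every comma-separated RDN must be attr=value (escaped commas are ignored)."""
    rdns = [r.strip() for r in value.split(",")]
    return bool(rdns) and all("=" in r and r.split("=", 1)[0].strip() for r in rdns)

def check_config(cfg: dict) -> list:
    """Return findings for the settings shown on this page; an empty list means no concerns."""
    findings = []
    url = urlsplit(cfg["ldap_url"])
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"unsupported scheme {url.scheme!r}")
    elif url.scheme == "ldap":
        findings.append("ldap:// sends the bind password unencrypted; use ldaps://")
    if not url.hostname:
        findings.append("LDAP URL has no host")
    if cfg.get("skip_cert_verification") and url.scheme == "ldaps":
        findings.append("certificate verification disabled: the server's identity is not checked")
    for key in ("bind_dn", "base_dn"):
        if not looks_like_dn(cfg[key]):
            findings.append(f"{key} is not a valid DN: {cfg[key]!r}")
    if not cfg.get("bind_password"):
        findings.append("bind password is empty (anonymous bind)")
    return findings

if __name__ == "__main__":
    # Constructed sample matching the example values in the configuration table.
    sample = {"ldap_url": "ldaps://ldap.example.com:636",
              "bind_dn": "cn=permiso,ou=service-accounts,dc=example,dc=com",
              "bind_password": "secret", "base_dn": "dc=example,dc=com",
              "skip_cert_verification": False}
    print(check_config(sample))          # []
    print(user_search_filter("j.doe"))   # (sAMAccountName=j.doe)
```

Run the checks against your own values before saving the form; any finding about the URL scheme or certificate verification is worth resolving before the first real login attempt.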