---
title: How to configure LDAP with AD on an Exacq VMS Server
slug: exacq-vms-ldap-configuration
canonical_url: "https://ztronyx.com/kb/exacq-vms-ldap-configuration"
published_at: "2026-02-06T00:00:00+00:00"
updated_at: "2026-02-06T00:00:00+00:00"
description: Step-by-step guide to configure LDAP or LDAPS in exacqVision with Microsoft AD or Azure AD Domain Services, test the connection, and map users/groups.
tags:
  - enterprise
  - exacq
  - active-directory
---


# How to Configure LDAP in exacqVision (Microsoft AD + Azure AD, LDAP + LDAPS)

This guide shows how to connect an exacqVision server to:

- **Microsoft Active Directory (on-prem AD DS)**, or
- **Azure AD via Microsoft Entra Domain Services (Azure AD Domain Services / “AAD DS”)**

…and how to use either:

- **LDAP (389)**, or
- **LDAPS (636 / SSL)**

---

## 0. Know what “Azure AD LDAP” actually means

**Microsoft Entra ID (formerly Azure AD) does not natively expose LDAP**. When people say “Azure AD LDAP”, they typically mean **Microsoft Entra Domain Services (Azure AD DS)**, which provides a managed domain compatible with LDAP/LDAPS for legacy apps.

So your “directory type” choice is usually:

- **On-prem AD DS** (your domain controllers)
- **Microsoft Entra Domain Services (Azure AD DS)** (managed domain in Azure that integrates with your Entra ID tenant)

---

## 1. Prerequisites and compatibility

### Licensing

- The **ActiveDirectory/LDAP** tab is only available with **exacqVision Enterprise**.

### Version notes (important for Azure AD DS integrations)

- If you are integrating with **Azure AD DS / Entra Domain Services**, confirm your exacqVision Server/Client versions meet the minimums described by Exacq for “Azure AD LDAP authentication” support.

### Information you need from IT

Regardless of AD vs Azure AD DS, collect:

- Directory host (FQDN/IP)
- Base DN
- Bind account + password
- Whether you will use **LDAP** or **LDAPS**
- If using LDAPS: certificate trust requirements (and whether exacqVision server needs a CA cert imported)

---

## 2. Choose your connection mode (quick decision guide)

### Option A — Microsoft AD (on-prem)

- **Hostname/IP**: a domain controller (or a load-balanced LDAP endpoint)
- **LDAP**: port **389**
- **LDAPS**: port **636**, enable **Use SSL**

### Option B — Azure AD via Entra Domain Services (Azure AD DS)

- **Hostname/IP**: the **managed domain** endpoint for Azure AD DS
- **LDAP**: typically **389** (within VNet / private connectivity scenarios)
- **LDAPS**: **636**, requires enabling “Secure LDAP” in Azure AD DS and certificate setup

> If your exacqVision Server is on-prem and Azure AD DS is in Azure, you’ll also need network connectivity (VPN/ExpressRoute) and firewall rules to allow the LDAP/LDAPS ports.

---

## 3. Configure LDAP/LDAPS in exacqVision

1. Open **exacqVision Client**
2. Go to **Config (Setup)**
3. In the navigation tree, select your server → **Configure System**
4. Open the **ActiveDirectory/LDAP** tab
5. Check **Enable Directory Service**
6. Set the following fields:

### Required fields

- **Hostname/IP Address**
  - AD: `dc01.example.com`
  - Azure AD DS: `aaddscontoso.com` (your managed domain name / endpoint)
- **Schema**
  - Select the LDAP schema option appropriate for your directory (commonly “LDAP Schema”)
- **Password / Confirm**
  - The password for the bind/service account (or whichever credential the tab expects in your deployment)

### Port + encryption (LDAP vs LDAPS)

- **LDAP (unencrypted)**:
  - Port: **389**
  - **Use SSL**: unchecked
- **LDAPS (encrypted)**:
  - Port: **636**
  - **Use SSL**: checked

7. Click **Apply**
8. Click **Query AD/LDAP** to test connectivity

---

## 4. Azure AD DS / Entra Domain Services: enable LDAPS (if you choose LDAPS)

If you chose **LDAPS** with Azure AD DS:

1. In **Microsoft Entra Domain Services**, enable **Secure LDAP**
2. Configure certificates per Microsoft guidance
3. Ensure the network security group/firewall rules allow **TCP 636** only from trusted source IPs (recommended)
4. Use that Azure AD DS endpoint + port **636** + **Use SSL** in exacqVision

---

## 5. Add LDAP users/groups to exacqVision (so they can log in)

Once the directory connection succeeds, map directory identities into exacqVision.

### Enterprise Users (recommended for multi-system environments)

1. Open **Enterprise Users**
2. Click **Query AD/LDAP**
3. Choose a domain/Base DN (if prompted)
4. Search for the user/group and select it
5. Select which servers the user/group can access
6. Click **Apply to Selected Systems**
7. In the Add Systems window, select **Use Single Sign-On** (important)

> If you don’t select **Use Single Sign-On**, LDAP users/groups can fail to log on.

### Single-system environments

Use the server’s **Users** window and the **Query AD/LDAP** option there to search and add directory users/groups.

---

## 6. Common troubleshooting

### Connection test fails (Query AD/LDAP)

- Confirm DNS + routing from the **exacqVision Server** to the directory endpoint
- Confirm firewall ports:
  - LDAP: **389**
  - LDAPS: **636**
- Confirm bind account credentials
- Confirm the Base DN is correct (a wrong Base DN produces “no results” or failed queries)

### LDAPS issues

- The most common cause is **certificate trust**
  - Your exacqVision Server may need the issuing CA certificate imported/available so it trusts the directory’s LDAPS certificate.
- If enabling LDAPS changes the port or connection behavior, re-test with **Query AD/LDAP** immediately after the change.
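
The checks in the two lists above (DNS, port reachability, certificate trust) can be run from the exacqVision Server host to see which stage fails. This Python script is an added example, not Exacq's code: `check_ldaps`, its `cafile` parameter (a PEM file with the issuing CA certificate from IT) and the stage names are assumptions for illustration, and it reports the host's own TLS view rather than exacqVision's internal trust handling.

```python
import socket
import ssl
import time

# Maps each stage to the matching troubleshooting item in this guide.
HINTS = {
    "dns": "Confirm DNS from the exacqVision Server to the directory endpoint",
    "tcp": "Confirm routing and firewall rules for the LDAPS port",
    "cert_trust": "Certificate trust: check the issuing CA and the hostname",
    "tls": "Endpoint accepted TCP but did not complete a TLS handshake",
    "ok": "TLS handshake and certificate verification succeeded",
}

def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Report how far a verified TLS connection to host:port gets.

    cafile (assumption): PEM file holding the issuing CA certificate;
    when None, the operating system trust store is used instead.
    """
    result = {"host": host, "port": port}

    def done(stage, detail=""):
        result.update(stage=stage, detail=detail, hint=HINTS[stage])
        return result

    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return done("dns", str(exc))
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return done("tcp", str(exc))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            result["days_left"] = int((expires - time.time()) // 86400)
            result["tls_version"] = tls.version()
            return done("ok")
    except ssl.SSLCertVerificationError as exc:
        return done("cert_trust", exc.verify_message)
    except OSError as exc:  # includes ssl.SSLError and handshake timeouts
        return done("tls", str(exc))

if __name__ == "__main__":
    # dc01.example.com is the placeholder host from this guide; replace it.
    print(check_ldaps("dc01.example.com", 636, cafile=None, timeout=3))
```

Pass the same name you enter in **Hostname/IP Address**: a `cert_trust` result with a hostname-mismatch detail means the certificate was issued for a different name than the one being configured.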

### Users can’t log in after being added

- Re-check that **Use Single Sign-On** was selected when applying the LDAP user/group to the target server(s).

---

## 7. Security recommendations (practical defaults)

- Prefer **LDAPS** over LDAP whenever possible.
- For Azure AD DS, avoid exposing LDAPS broadly to the internet; restrict **TCP 636** to known source IPs.
- Use a dedicated service account for binds, with least privilege needed to read users/groups.
- Keep a local admin account enabled until LDAP auth is confirmed working end-to-end.

