---
title: Active Directory Configuration
description: See the default configuration values for the ActiveDirectoryIdentityProvider.
cascade:
  layout: docs
menu:
  docs:
    name: Active Directory Configuration
    weight: 10
    parent: reference
---

This page describes the default values for the `ActiveDirectoryIdentityProvider` user and group search. For more about `ActiveDirectoryIdentityProvider` configuration, see [the API reference documentation](https://github.com/vmware-tanzu/pinniped/blob/main/generated/{{< latestcodegenversion >}}/README.adoc#activedirectoryidentityprovider).

### `spec.userSearch.base`

*Default Behavior*: Queries the Active Directory host for the [defaultNamingContext](https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).

*Implications*: Searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users for security reasons or to make searches faster.

### `spec.userSearch.attributes.username`

*Default Behavior*: The `userPrincipalName` attribute will become the user's Kubernetes username.

### `spec.userSearch.attributes.uid`

*Default Behavior*: The `objectGUID` attribute will be used to uniquely identify users.

### `spec.userSearch.filter`

*Default Behavior*:

```
"(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))"
```

The Active Directory entry of the user must satisfy all of the following:

* it is a person.
* it is not a computer.
* it is not shown in advanced view only (which would likely mean it's a system-created service account with advanced permissions).
* either the `sAMAccountName`, the `userPrincipalName`, or the `mail` attribute matches the input username.
* the `sAMAccountType` is for a normal user account.
### `spec.groupSearch.base`

*Default Behavior*: Queries the Active Directory host for the [defaultNamingContext](https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).

*Implications*: Searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.

### `spec.groupSearch.attributes.groupName`

*Default Behavior*: The attribute that will become the user's groups in Kubernetes will look like `sAMAccountName@domain` (where domain is constructed from the domain components of the group).

### `spec.groupSearch.filter`

*Default Behavior*:

```
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))
```

The Active Directory entries that will represent the groups must satisfy all of the following:

* it is a group.
* it has a member that matches the DN of the user we successfully logged in as, including indirectly through nested groups.

*Implications*: Nested group search may be slow. If you are having performance issues during login, you can change the filter to the following:

```
(&(objectClass=group)(member={}))
```
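Both default filters above are templates: each `{}` is replaced with the login username (user search) or with the DN of the authenticated user (group search). The following Go snippet is an added example, not Pinniped's own code; it renders the two default templates while escaping the substituted value per RFC 4515, so that `*`, `(`, `)` or `\` typed into the username field are matched literally rather than changing the shape of the filter. The username and DN used are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Default filter templates from this page; each {} is replaced with the
// login username (user search) or the authenticated user's DN (group search).
const (
	DefaultUserFilter  = "(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))"
	DefaultGroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"
)

// EscapeFilterValue encodes an assertion value per RFC 4515 section 3:
// '*', '(', ')', '\' and NUL become \XX (hex) so the server matches them
// literally instead of parsing them as filter syntax.
func EscapeFilterValue(value string) string {
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderFilter substitutes the escaped value for every {} in the template.
// The user template contains three placeholders; all receive the same value.
func RenderFilter(template, value string) string {
	return strings.ReplaceAll(template, "{}", EscapeFilterValue(value))
}

func main() {
	// Constructed sample values, not taken from any real directory.
	userDN := "CN=Jane Doe,OU=Users,DC=example,DC=com"
	fmt.Println(RenderFilter(DefaultUserFilter, "jane.doe"))
	fmt.Println(RenderFilter(DefaultGroupFilter, userDN))
	// A wildcard and parentheses in the input are rendered as \2a, \29, \28,
	// so the search stays restricted to the intended attribute comparisons.
	fmt.Println(RenderFilter(DefaultUserFilter, "*)(x=*"))
}
```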